Highlights:
- The method, referred to as keystroke injection, permits an unauthorized user to execute actions on the victim’s device as long as those actions do not necessitate a password or biometric authentication.
- The vulnerability affects Android devices when Bluetooth is enabled, encompassing various models, including the Google Pixel series.
A recently disclosed critical security vulnerability in Bluetooth has the potential to enable attackers to seize control of devices running Android, Linux, macOS, and iOS.
As elaborated by security researcher Marc Newlin on GitHub this week, the vulnerability, identified as CVE-2023-45866, constitutes an authentication bypass, allowing attackers to connect to vulnerable devices and inject keystrokes, thereby achieving code execution.
This vulnerability stems from a critical flaw in the Bluetooth protocol, compounded by implementation-specific bugs across different operating systems. This vulnerability enables attackers to emulate a Bluetooth keyboard and establish a connection with a device without requiring user confirmation. The method, referred to as keystroke injection, permits an unauthorized user to execute actions on the victim’s device as long as those actions do not necessitate a password or biometric authentication.
The vulnerability affects Android devices when Bluetooth is enabled, encompassing various models, including the Google Pixel series. Newlin conducted tests on different versions of Android, with susceptibility observed in versions as old as 4.2.2. Linux systems, specifically multiple versions of Ubuntu, exhibit the vulnerability, while Apple devices, including various Mac and iPhone models, are also susceptible to the identified security issue.
Despite the critical nature of the vulnerability, Newlin disclosed the specifics only after providing numerous companies with sufficient time to implement patches. Early in August, Google LLC, Apple Inc., and Canonical Ltd., the developer of Ubuntu, were all notified regarding the susceptibility. In September, Newlin additionally furnished the Bluetooth Special Interest Group, the governing body responsible for Bluetooth standards development, with comprehensive information regarding the vulnerability.
A remedy mitigating the vulnerability has been implemented by Google for Android versions 11 through 14, which was distributed in December. Linux devices have also been updated with the patch. Apple Inc. has not, nevertheless, designated any specific remedies to address the vulnerability as of yet.
Vice President John Gallagher of Viakoo Labs at enterprise internet of things security platform company Viakoo Inc. said, “In many IoT devices, the communications are set by default to be available – Wi-Fi, Bluetooth, Zigbee, and so forth. The chipsets they use often have all the standard protocols supported so that they can be used across a wide range of systems. As part of commissioning new devices, organizations should deactivate any protocol not being used.”
Gallagher emphasized that organizations can bolster infrastructure security by ensuring physical security measures, including video surveillance and access control. He added, “Many cyber-attacks (like this) are made easy if the threat actor can gain physical access. This is another reason why physical security systems are often targets of malicious hackers.”