Apple and some Linux distros are open to Bluetooth attack


A years-old Bluetooth authentication bypass vulnerability allows miscreants to connect to Apple, Android and Linux devices and inject keystrokes to run arbitrary commands, according to a software engineer at drone technology firm SkySafe.

The bug, tracked as CVE-2023-45866, doesn't require any special hardware to exploit, and the attack can be pulled off from a Linux machine using a regular Bluetooth adapter, says Marc Newlin, who found the flaw and reported it to Apple, Google, Canonical, and the Bluetooth SIG.

Newlin says he'll provide vulnerability details and proof-of-concept code at an upcoming conference but wants to hold off until everything is patched. The attack allows a nearby attacker to inject keystrokes and execute malicious actions on a victim's device, as long as those actions don't require a password or biometric authentication.

The bug hunter described the security flaw in a GitHub post published on Wednesday.

Regular readers may remember Newlin from a similar set of keystroke-injection flaws he uncovered in 2016. These, dubbed MouseJack, affected wireless mice and keyboards from 17 different vendors that used proprietary 2.4GHz radios rather than Bluetooth.

CVE-2023-45866, however, is even older than MouseJack. Newlin says he tested a BLU DASH 3.5 running Android 4.2.2, which was released in 2012, and found it vulnerable to the flaw. In fact, there is no fix for Android 4.2.2 through 10.

Google issued the following statement to Newlin: "Fixes for these issues that affect Android 11 through 14 are available to impacted OEMs. All currently-supported Pixel devices will receive this fix via December OTA updates." The details are published in the Android security bulletin, where the flaw is rated high severity.


While the issue was fixed in Linux in 2020, Newlin says ChromeOS is the only Linux-based operating system that enabled the fix. Other Linux distros including Ubuntu, Debian, Fedora, Gentoo, Arch and Alpine left it disabled by default. Ubuntu 18.04, 20.04, 22.04 and 23.10 remain vulnerable, we're told.

A patch to BlueZ mitigates the flaw.
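The "disabled by default" point above is a configuration question, so here is an added check, written for this page rather than taken from the article or from the BlueZ project, that reads a BlueZ input.conf and reports whether the input plugin is set to accept HID connections only from bonded Classic Bluetooth devices. It keys on the ClassicBondedOnly setting in the [General] section, which is the setting BlueZ's own input.conf documents; the default file path and the sample configs at the bottom are assumptions constructed for the example, not real distro files.

```sh
#!/bin/sh
# Added example, not code from the article or from BlueZ: report whether the
# BlueZ input plugin is configured to accept HID connections only from bonded
# Classic Bluetooth devices. It looks at the ClassicBondedOnly key in the
# [General] section of input.conf (the key BlueZ's own input.conf documents);
# the default path and the "constructed" sample configs below are assumptions.

# Reads an input.conf on stdin and prints one of:
#   enforced  - ClassicBondedOnly=true is set explicitly
#   disabled  - the key is set to anything other than true
#   unset     - the key is absent or commented out, so the daemon's compiled-in
#               default applies, which is what the affected distros rely on
classic_bonded_only_state() {
    awk '
        # Track which [section] we are in; only [General] matters.
        /^[ \t]*\[/ { in_general = ($0 ~ /^[ \t]*\[General\][ \t]*$/); next }
        # A line starting with "#" never matches, so commented defaults are ignored.
        in_general && /^[ \t]*ClassicBondedOnly[ \t]*=/ {
            sub(/^[^=]*=/, "")      # drop the key and "="
            gsub(/[ \t\r]/, "")     # drop surrounding whitespace
            state = (tolower($0) == "true") ? "enforced" : "disabled"
        }
        END { if (state == "") state = "unset"; print state }
    '
}

# Convenience wrapper: check a file on disk (path is an assumption).
check_input_conf() {
    conf="${1:-/etc/bluetooth/input.conf}"
    if [ ! -r "$conf" ]; then
        echo "$conf: not readable" >&2
        return 2
    fi
    classic_bonded_only_state < "$conf"
}

# Constructed samples (not real distro files) showing the three outcomes.
sample_commented_default='[General]
# ClassicBondedOnly=false'
sample_explicit_false='[General]
ClassicBondedOnly = false'
sample_hardened='[General]
ClassicBondedOnly=true'

for s in "$sample_commented_default" "$sample_explicit_false" "$sample_hardened"; do
    printf '%s\n' "$s" | classic_bonded_only_state
done
```

Run it against the live file with `check_input_conf` (or `check_input_conf /path/to/input.conf`); "unset" means the host is relying on whatever default its BlueZ build compiled in, so on a distro that shipped the pre-patch default the practical fix is to set the key to true explicitly and restart bluetoothd.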

The bug also affects macOS and iOS when Bluetooth is enabled and a Magic Keyboard has been paired with the vulnerable phone or computer. Critically, it works in Apple's Lockdown Mode, which the vendor claims can protect devices against sophisticated attacks.

Newlin reported the issue to Apple back in August. He told The Register that Apple did confirm his report, but hasn't shared a patch timeline for the vulnerability.

Apple did not respond to The Register's inquiries. ®