A longstanding Bluetooth authentication bypass vulnerability, traced back to at least 2012, has been found to present a security risk to Apple, Android and some Linux devices, The Register is reporting.
According to SkySafe software engineer Marc Newlin, the vulnerability doesn’t necessitate special hardware and can be exploited from a Linux machine using a regular Bluetooth adapter.
Newlin, who discovered the flaw, notified Apple, Google, Canonical, and Bluetooth SIG about the issue.
Dubbed CVE-2023-45866, the exploit permits nearby intruders to inject keystrokes and perform malicious actions on devices lacking password or biometric authentication requirements.
Describing the flaw in a GitHub post, Newlin explained it as exploiting the Bluetooth host state-machine by tricking it into pairing with a fake keyboard without user confirmation.
This vulnerability predates even MouseJack, an earlier Bluetooth flaw uncovered by Newlin in 2016.
Testing on an Android 4.2.2 device revealed its susceptibility, and unfortunately, there’s no fix available for this issue on Android 4.2.2-10.
Google addressed the problem for Android 11 through 14, ensuring fixes are available for impacted OEMs and supported Pixel devices via December OTA updates.
Apple devices with enabled Bluetooth, especially when paired with a Magic Keyboard, are affected. The vulnerability even works in Apple’s LockDown mode, claimed to safeguard devices against advanced attacks.
Although Linux addressed the issue in 2020, ChromeOS remains the sole Linux-based OS implementing the fix.
Other distributions such as Ubuntu, Debian, Fedora, Gentoo, Arch, and Alpine have left the fix disabled by default, rendering several Ubuntu versions vulnerable.
