Security researchers have discovered a critical vulnerability in Bluetooth that could allow threat actors to take control of Android, Linux, macOS, and iOS devices. The authentication bypass vulnerability, designated CVE-2023-45866, enables threat actors to connect to affected Bluetooth devices without authentication and inject keystrokes to achieve code execution.
The exploitation works by tricking the target device into thinking that it's connected to a Bluetooth keyboard by leveraging an "unauthenticated pairing mechanism" within the Bluetooth protocol. Threat actors can then use the simulated Bluetooth keyboard to run arbitrary commands and potentially install unwanted apps and malware.
Making matters worse, threat actors can launch the attack using any Linux device (e.g., a Raspberry Pi) with a Bluetooth adapter against any discoverable Bluetooth target within range, potentially up to 800 feet away.
The vulnerability applies to devices using version 4.2.2 and prior of Android, as well as Linux. Apple devices that have previously been paired with a Magic Keyboard are also impacted by the flaw, even when Apple’s ‘Lockdown Mode’ is turned on.
While the vulnerability was discovered and responsibly disclosed to the impacted vendors in August 2023, security updates for this issue are not yet available.
It’s difficult to assess the full impact of this threat without further details regarding the complexity of the exploit code required to conduct the attack in the first place. So far, there are no signs that this vulnerability has been exploited in the wild.
However, now that the existence of the flaw is publicly known, threat actors will likely soon develop their own proof-of-concept exploit code to take advantage of the opportunity to conduct close access attacks. For example, a threat actor sitting in a crowded mall, arena, or park could potentially target everyone in attendance from a small, inexpensive Linux device. Additionally, these attacking devices could be covertly left behind at targets of interest (e.g., government offices, companies, etc.) and later retrieved to be debriefed.
Given the potential risk that this threat poses, it’s likely that the affected vendors are currently developing an update that will mitigate the risk without compromising the convenience users have come to expect from Bluetooth-enabled devices.
Since no patch is currently available to address this issue, the best way to mitigate this threat is to turn off the Bluetooth feature when it’s not being used, in crowded environments, and during meetings where sensitive information is discussed.
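The mitigation above depends on knowing whether a host's radio is actually powered on and discoverable, since the attack described needs a discoverable target. The following audit script is an added example and is not part of the Field Effect advisory: it parses the controller status printed by BlueZ's `bluetoothctl show` on Linux and classifies the host's exposure, optionally turning discoverability and the radio off. The `bt_posture` and `bt_remediate` function names and the sample controller output are constructed for this example; the `bluetoothctl show`, `discoverable off` and `power off` subcommands are real BlueZ commands.

```shell
#!/bin/sh
# Added example (not from the advisory): audit the local Linux Bluetooth
# controller state via BlueZ's `bluetoothctl show` and flag the posture the
# advisory warns about: radio powered on AND discoverable, i.e. willing to
# accept pairing attempts from unpaired peers in range.

# Constructed sample of `bluetoothctl show` output so the script can be
# exercised on a machine with no Bluetooth adapter (tab-indented like BlueZ).
SAMPLE_EXPOSED='Controller 00:11:22:33:44:55 workstation [default]
	Name: workstation
	Alias: workstation
	Powered: yes
	Discoverable: yes
	DiscoverableTimeout: 0x000000b4
	Pairable: yes'

# bt_posture: read `bluetoothctl show` text on stdin and print one word:
#   exposed  - powered on and discoverable (matches the attack precondition)
#   guarded  - powered on but not discoverable
#   off      - radio powered off
#   unknown  - input did not contain a Powered: line
bt_posture() {
    input=$(cat)
    # Field separator ': ' splits "\tPowered: yes" into the key and its value;
    # the anchored key match keeps "DiscoverableTimeout:" from matching.
    powered=$(printf '%s\n' "$input" | awk -F': ' \
        '/^[[:space:]]*Powered:/ {gsub(/[[:space:]]+$/, "", $2); print $2; exit}')
    discoverable=$(printf '%s\n' "$input" | awk -F': ' \
        '/^[[:space:]]*Discoverable:/ {gsub(/[[:space:]]+$/, "", $2); print $2; exit}')
    case "$powered" in
        no)  echo off ;;
        yes) if [ "$discoverable" = "yes" ]; then echo exposed; else echo guarded; fi ;;
        *)   echo unknown ;;
    esac
}

# bt_remediate: apply the advisory's mitigation with BlueZ, first dropping
# discoverability, then powering the radio off. Returns 1 if bluetoothctl
# is not installed so callers can tell "nothing to do" from "done".
bt_remediate() {
    command -v bluetoothctl >/dev/null 2>&1 || return 1
    bluetoothctl discoverable off >/dev/null 2>&1
    bluetoothctl power off >/dev/null 2>&1
}

# Stand-alone run: use the live controller when BlueZ is present, otherwise
# fall back to the constructed sample so the script still demonstrates itself.
if command -v bluetoothctl >/dev/null 2>&1; then
    posture=$(bluetoothctl show 2>/dev/null | bt_posture)
    source_label="live controller"
else
    posture=$(printf '%s\n' "$SAMPLE_EXPOSED" | bt_posture)
    source_label="constructed sample"
fi
echo "bluetooth posture ($source_label): $posture"

# Only change device state when explicitly asked (BT_ENFORCE=1), and only
# when the radio is in the exposed configuration.
if [ "$posture" = "exposed" ] && [ "${BT_ENFORCE:-0}" = "1" ]; then
    if bt_remediate; then
        echo "radio set non-discoverable and powered off"
    else
        echo "bluetoothctl not available; no changes made"
    fi
fi
```

Run it as a periodic check (`sh bt_audit.sh`) to report exposure, or with `BT_ENFORCE=1 sh bt_audit.sh` to enforce the "off when not in use" guidance; the classification logic is kept in `bt_posture` so it can also be fed saved `bluetoothctl show` output from fleet inventory tooling.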
Field Effect recommends that users enable the ‘Automatic Update’ feature in their device settings to ensure that security patches are installed as soon as they are available.