A critical Bluetooth security bug that’s reportedly been lurking about for several years can potentially be exploited by attackers to take control of Android, Linux, macOS, and iOS machines.
The flaw — CVE-2023-45866 — is an authentication bypass that lets attackers connect susceptible devices and inject keystrokes to achieve code execution as the victim.
In a GitHub blog post Dec. 6, SkySafe researcher Marc Newlin said the flaw works “by tricking the Bluetooth host state-machine into pairing with a fake keyboard without user confirmation."
Newlin went on to write that the underlying unauthenticated pairing mechanism is defined in the Bluetooth specification, and implementation-specific bugs expose it to the attacker. He said full vulnerability details and proof-of-concept scripts will be released at an upcoming conference, and he will update the original document with conference details when available. Newlin’s blog also contains available patch information.
Cyware Director Emily Phelps explained that in this exploit, adversaries fool the Bluetooth system of a device into thinking it's connecting to a fake keyboard — without user confirmation. This issue stems from a part of the Bluetooth rules that let devices connect without needing authentication.
“Exploiting this vulnerability lets malicious hackers remotely control someone's device,” said Phelps. “They can download apps, send messages, or run various commands depending on the operation system."
Phelps said if patches are available for this vulnerability, security teams should fix the issue immediately. For devices that are awaiting the fix, security teams should monitor for updates and patches. They should also make staff aware of the issue and offer mitigation recommendations, such as disabling Bluetooth when not in use.
When devices communicate there’s first a “handshake” where the two systems agree to communicate with each other, explained John Gallagher, vice president of Viakoo Labs. What the attacker took advantage of, Gallagher continued, is the many IoT devices, such as Bluetooth keyboards, want to make that handshake as easy as possible, especially since the keyboard can’t be used until the handshake is completed. So, in the exploit discovered by Newlin, Gallagher said the handshake was minimal: “I see you are a keyboard, so let me let you talk to me.”
“In many IoT devices, the communications are set by default to be available — Wi-Fi, Bluetooth, and Zigbee,” said Gallagher. “The chipsets they use often have all the standard protocols supported so that they can be used across a wide range of systems. As part of commissioning new devices, organizations should deactivate any protocol not being used.”
Gallagher also pointed out that maintaining physical security, with video surveillance and access control, is another way that organizations can protect their infrastructure, adding that many cyberattacks like this one are made easy if the threat actor can gain physical access.
“This is another reason why physical security systems are often targets of malicious hackers,” said Gallagher.
