A years-old Bluetooth authentication bypass vulnerability allows malicious actors to connect to Apple, Android and Linux devices and inject keystrokes to run arbitrary commands, according to software engineers at drone technology company SkySafe. Marc Newlin, who discovered the vulnerability and reported it to Apple, Google, Canonical, and the Bluetooth SIG, said that the vulnerability, tracked as CVE-2023-45866, does not require any special hardware to be exploited, and the attack can be completed on a Linux machine using an ordinary Bluetooth adapter.
Newlin said he would present the vulnerability details and proof-of-concept code at an upcoming conference, but hoped to hold off until all affected vendors had shipped patches. The attack lets a nearby intruder inject keystrokes and perform malicious actions on the victim's device, as long as those actions do not require password or biometric verification.
In a GitHub post published on Wednesday, the bug hunter described the security flaw this way:
https://github.com/skysafe/reblog/tree/main/cve-2023-45866
"The vulnerability works by tricking the Bluetooth host state machine into pairing with a fake keyboard without user confirmation. The underlying unverified pairing mechanism is defined in the Bluetooth specification, and an implemented vulnerability would expose this mechanism to an attacker."
Newlin discovered a similar set of wireless vulnerabilities in 2016. Dubbed "MouseJack," those flaws allowed keystroke injection against wireless mice and keyboards from 17 different vendors.
However, CVE-2023-45866 predates MouseJack. Newlin said he tested a BLU Dash 3.5 running Android 4.2.2, released in 2012, and found that it was affected. No fix is available for Android 4.2.2 through 10.
Google issued the following statement to Newlin: "Fixes for these issues affecting Android 11 through 14 are available to affected OEMs. All currently supported Pixel devices will receive the fix through a December OTA update."
Below are the details published in the Android security advisory, where the vulnerability is rated as highly critical.
https://source.android.com/docs/security/bulletin/2023-12-01
While the issue was fixed in Linux in 2020, Newlin said ChromeOS is the only Linux-based operating system with the fix enabled. Other Linux distributions, including Ubuntu, Debian, Fedora, Gentoo, Arch, and Alpine, leave it disabled by default. Ubuntu 18.04, 20.04, 22.04 and 23.10 are reported to remain vulnerable.
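An added example (not code from the article or from SkySafe) that reads whether a BlueZ input profile configuration restricts HID connections to bonded devices. It assumes the Linux fix referred to above is BlueZ's `ClassicBondedOnly` option in `/etc/bluetooth/input.conf`; the sample configuration files are constructed for the demonstration.

```shell
#!/bin/sh
# Assumption: the Linux mitigation is BlueZ's ClassicBondedOnly option in the
# [General] section of input.conf (key name from BlueZ, not from the article).
set -eu

# Print "true", "false" or "unset" for ClassicBondedOnly in the [General]
# section of the given file. Commented-out lines ("#..." or ";...") are ignored
# and the last uncommented assignment wins, as in an INI-style file.
classic_bonded_only() {
    awk '
        /^[[:space:]]*[#;]/ { next }                       # skip comments
        /^[[:space:]]*\[/   { sect = tolower($0); next }   # track section
        sect ~ /^\[general\]/ && $0 ~ /^[[:space:]]*ClassicBondedOnly[[:space:]]*=/ {
            sub(/^[^=]*=[[:space:]]*/, "")                 # keep the value
            val = tolower($0)
            sub(/[[:space:]]+$/, "", val)
        }
        END { if (val == "") val = "unset"; print val }
    ' "$1"
}

# Constructed sample files: a weak configuration that accepts HID connections
# from unbonded devices, and a hardened one that limits them to bonded devices.
tmpdir=$(mktemp -d)
weak_conf="$tmpdir/input-weak.conf"
hardened_conf="$tmpdir/input-hardened.conf"
cat > "$weak_conf" <<'EOF'
[General]
# Commented-out default; the live setting below disables the restriction.
#ClassicBondedOnly=true
ClassicBondedOnly=false
EOF
cat > "$hardened_conf" <<'EOF'
[General]
ClassicBondedOnly=true
EOF

# Report one file; succeeds only when the bonded-only restriction is enabled.
report() {
    state=$(classic_bonded_only "$1")
    printf '%s: ClassicBondedOnly=%s\n' "$1" "$state"
    [ "$state" = "true" ]
}

report "$weak_conf" || echo "  -> unbonded HID connections allowed; set ClassicBondedOnly=true under [General]"
report "$hardened_conf" && echo "  -> HID connections limited to bonded devices"
```

On a real host, run `classic_bonded_only /etc/bluetooth/input.conf` and restart bluetoothd after changing the setting; an "unset" result means the BlueZ version's built-in default applies.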
The vulnerability also affects macOS and iOS when Bluetooth is enabled and a Magic Keyboard is paired with a vulnerable phone or computer. Crucially, the attack also works with Apple's Lockdown Mode enabled, which Apple says protects devices against sophisticated attacks.
Newlin disclosed the problem to Apple back in August. Apple acknowledged his report but has not yet shared a timetable for a patch.