Bluetooth Vulnerability Enables Keystroke Injection on Android, Linux, macOS, iOS
By Waqas (HackRead.com)
Another day, another Bluetooth vulnerability impacting billions of devices worldwide!
Keystroke injection is a method wherein malicious commands or keystrokes are remotely injected into a system to compromise or manipulate its functionality, often exploited for unauthorized access or control.
A critical vulnerability in Bluetooth allows attackers to take control of Android, Linux, macOS, and iOS devices, including devices in Lockdown Mode. The vulnerability is tracked as CVE-2023-45866 and was disclosed by security researcher Marc Newlin.
It enables attackers to connect to vulnerable devices without user confirmation and inject keystrokes, potentially allowing them to install malicious apps, run arbitrary commands, and perform other unauthorized actions (except those requiring password/biometric authentication). The software vendors were notified about the flaw in August 2023.
This class of vulnerability was first identified in 2016 in non-Bluetooth wireless mice and keyboards. Back then, Bluetooth was assumed to be secure and was promoted as a better alternative to the vulnerable custom protocols those devices used.
In 2023, a challenge prompted Newlin to focus on Apple’s Magic Keyboard because of its reliance on Bluetooth and Apple’s security reputation. Initial research turned up little public information about Bluetooth on macOS and iOS, which required extensive learning.
Later, unauthenticated Bluetooth keystroke injection vulnerabilities in macOS and iOS were discovered, which were exploitable even when Lockdown Mode was enabled. Similar flaws were identified in Linux and Android, suggesting a broader issue beyond individual implementations. The Bluetooth HID specification analysis revealed a combination of protocol design and implementation bugs.
Newlin explained in his post on GitHub that multiple Bluetooth stacks had authentication bypass vulnerabilities. The attack exploits an “unauthenticated pairing mechanism” defined within the Bluetooth specification, tricking the target device into accepting a fake keyboard.
This deception allows an attacker in close proximity to connect and inject keystrokes, potentially enabling them to install apps and execute arbitrary commands. It is worth noting that unpatched devices are vulnerable under specific conditions, such as:
- Android: Bluetooth must be enabled.
- Linux/BlueZ: Bluetooth must be discoverable/connectable.
- iOS/macOS: Bluetooth must be enabled, and a Magic Keyboard must be paired with the device.
These vulnerabilities can be exploited with a standard Bluetooth adapter on a Linux computer. Notably, some vulnerabilities predate “MouseJack”, affecting Android devices as far back as version 4.2.2 (released in 2012).
In a comment to Hackread.com, Ken Dunham, Director of Cyber Threat at Qualys, said: “The two new Bluetooth vulnerabilities that exist for Android, Linux, MacOS, and iOS enable unauthorized attackers to perform an ‘unauthenticated pairing’, then possibly enable execution of code and to run arbitrary commands.”
“Bluetooth attacks are limited to close physical proximity. As a workaround, users of vulnerable systems can limit their attack surface and risk until patched by disabling Bluetooth,” Dunham advised.
While a fix for the Linux vulnerability has existed since 2020 (CVE-2020-0556), it was surprisingly left disabled by default. Despite announcements by major Linux distributions, only ChromeOS is known to have shipped with the fix enabled. The latest BlueZ patch for CVE-2023-45866 finally enables this crucial fix by default.
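As an added defender-side example (not code from HackRead, Marc Newlin or the BlueZ project), the following Python audits a BlueZ input.conf for the ClassicBondedOnly option that the patch turns on by default; the sample configs are constructed, and the assumption that the key lives in the [General] section of /etc/bluetooth/input.conf is the author's of this example, not the page's.

```python
"""Audit a BlueZ input.conf for the ClassicBondedOnly mitigation.

Added example; assumes the key sits in the [General] section of
/etc/bluetooth/input.conf. Both sample configs below are constructed.
"""
import configparser
from dataclasses import dataclass

CONF_PATH = "/etc/bluetooth/input.conf"  # usual BlueZ location (assumption)

# Pre-patch builds shipped the key commented out, which behaves as "false":
# the HID host then accepts reports from a peripheral that completed only an
# unauthenticated pairing. Patched builds default the option to "true".
VULNERABLE_SAMPLE = """
[General]
# ClassicBondedOnly=false
UserspaceHID=true
"""

HARDENED_SAMPLE = """
[General]
ClassicBondedOnly=true
"""


@dataclass
class Finding:
    classic_bonded_only: bool  # effective value after applying the default
    explicit: bool             # True when the key is set, not commented out
    verdict: str


def parse_input_conf(text: str, patched_default: bool = False) -> Finding:
    """Report whether HID input is restricted to bonded devices.

    patched_default models the compiled-in default of the installed BlueZ:
    False for releases before the CVE-2023-45866 fix, True afterwards.
    """
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    explicit = cp.has_option("General", "ClassicBondedOnly")
    value = cp.getboolean("General", "ClassicBondedOnly") if explicit else patched_default
    verdict = ("ok: HID input limited to bonded devices" if value
               else "risk: unbonded HID devices may inject keystrokes")
    return Finding(value, explicit, verdict)


def audit_file(path: str = CONF_PATH, patched_default: bool = False) -> Finding:
    """Audit a real config file on the host."""
    with open(path, encoding="utf-8") as fh:
        return parse_input_conf(fh.read(), patched_default)


if __name__ == "__main__":
    for name, sample in (("vulnerable", VULNERABLE_SAMPLE), ("hardened", HARDENED_SAMPLE)):
        print(name, parse_input_conf(sample).verdict)
```

Setting the key explicitly to true makes the host safe regardless of which compiled-in default the installed package carries.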
It is a serious vulnerability impacting a vast array of devices, exposing potential security risks inherent to Bluetooth technology. However, according to Google, “fixes for these issues that affect Android 11 through 14 are available to impacted OEMs. All currently-supported Pixel devices will receive this fix via December OTA updates.”
Related news
Gentoo Linux Security Advisory 202401-3 - Multiple vulnerabilities have been discovered in BlueZ, the worst of which can lead to privilege escalation. Versions greater than or equal to 5.70-r1 are affected.
Debian Linux Security Advisory 5584-1 - It was reported that BlueZ's HID profile implementation is not in line with the HID specification, which mandates the use of Security Mode 4. The HID profile configuration option ClassicBondedOnly now defaults to "true" to make sure that input connections only come from bonded device connections.
Apple Security Advisory 12-11-2023-4 - macOS Sonoma 14.2 addresses code execution, out of bounds read, and spoofing vulnerabilities.
Apple Security Advisory 12-11-2023-2 - iOS 17.2 and iPadOS 17.2 address code execution and spoofing vulnerabilities.
Bluetooth HID Hosts in BlueZ may permit an unauthenticated Peripheral role HID Device to initiate and establish an encrypted connection, and accept HID keyboard reports, potentially permitting injection of HID messages when no user interaction has occurred in the Central role to authorize such access. An example affected package is bluez 5.64-0ubuntu1 in Ubuntu 22.04 LTS. NOTE: in some cases, a CVE-2020-0556 mitigation would have already addressed this Bluetooth HID Hosts issue.
Ubuntu Security Notice 6540-1 - It was discovered that BlueZ did not properly restrict non-bonded devices from injecting HID events into the input subsystem. This could allow a physically proximate attacker to inject keystrokes and execute arbitrary commands whilst the device is discoverable.
A critical Bluetooth security flaw could be exploited by threat actors to take control of Android, Linux, macOS and iOS devices. Tracked as CVE-2023-45866, the issue relates to a case of authentication bypass that enables attackers to connect to susceptible devices and inject keystrokes to achieve code execution as the victim. "Multiple Bluetooth stacks have authentication bypass