Keystroke injection is a technique in which an attacker injects keystrokes or commands into a system so that they are processed as if typed by the user, compromising or manipulating the system; it is commonly exploited for unauthorized access or control.
A critical vulnerability in Bluetooth allows attackers to take control of Android, Linux, macOS, and iOS devices, including devices in Lockdown Mode. This vulnerability is tracked as CVE-2023-45866 and disclosed by security researcher Marc Newlin.
It enables attackers to connect to vulnerable devices without user confirmation and inject keystrokes, potentially allowing them to install malicious apps, run arbitrary commands, and perform other unauthorized actions (except those requiring password/biometric authentication). The software vendors were notified about the flaw in August 2023.
This vulnerability was first identified in 2016 in non-Bluetooth wireless mice and keyboards. Back then, it was assumed that Bluetooth was secure and promoted as a better alternative to vulnerable custom protocols.
In 2023, a challenge led Newlin to focus on Apple’s Magic Keyboard because of its reliance on Bluetooth and Apple’s security reputation. Initial research turned up little public information about Bluetooth, macOS, and iOS internals, which required extensive learning.
Later, unauthenticated Bluetooth keystroke injection vulnerabilities in macOS and iOS were discovered, which were exploitable even when Lockdown Mode was enabled. Similar flaws were identified in Linux and Android, suggesting a broader issue beyond individual implementations. The Bluetooth HID specification analysis revealed a combination of protocol design and implementation bugs.
Newlin explained in his post on GitHub that multiple Bluetooth stacks had authentication bypass vulnerabilities. The attack exploits an “unauthenticated pairing mechanism” defined within the Bluetooth specification, tricking the target device into accepting a fake keyboard.
This deception allows an attacker in close proximity to connect and inject keystrokes, potentially enabling them to install apps and execute arbitrary commands. It is worth noting that unpatched devices are vulnerable under specific conditions, such as:
- Android: Bluetooth must be enabled.
- Linux/BlueZ: Bluetooth must be discoverable/connectable.
- iOS/macOS: Bluetooth must be enabled, and a Magic Keyboard must be paired with the device.
These vulnerabilities can be exploited with a standard Bluetooth adapter on a Linux computer. Notably, some vulnerabilities predate “MouseJack”, affecting Android devices as far back as version 4.2.2 (released in 2012).
In a comment to Hackread.com, Ken Dunham, Director of Cyber Threat at Qualys, said: “The two new Bluetooth vulnerabilities that exist for Android, Linux, MacOS, and iOS enable unauthorized attackers to perform an ‘unauthenticated pairing’, then possibly enable execution of code and to run arbitrary commands.”
“Bluetooth attacks are limited to close physical proximity. As a workaround, users of vulnerable systems can limit their attack surface and risk until patched by disabling Bluetooth,” Dunham advised.
While a fix for the Linux vulnerability existed since 2020 (CVE-2020-0556), it was surprisingly left disabled by default. Despite announcements by major Linux distributions, only ChromeOS is known to have implemented the fix. The latest BlueZ patch for CVE-2023-45866 finally enables this crucial fix by default.
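As an added example (not from the article or from Newlin's research), the following Python checker applies the Linux/BlueZ exposure conditions listed above to constructed `bluetoothctl show` and `input.conf` samples. The `ClassicBondedOnly` key is assumed to be the BlueZ `input.conf` setting that restricts HID connections to bonded devices; verify it against your installed BlueZ version.

```python
"""Assess a Linux/BlueZ host against the exposure conditions described above."""
import re

# Constructed sample of `bluetoothctl show` output (not captured from a real host).
SAMPLE_BLUETOOTHCTL_SHOW = """\
Controller AA:BB:CC:DD:EE:FF laptop [default]
\tName: laptop
\tPowered: yes
\tDiscoverable: yes
\tDiscoverableTimeout: 0x000000b4
\tPairable: yes
"""

# Constructed sample of /etc/bluetooth/input.conf. The ClassicBondedOnly key name
# is an assumption about BlueZ's input.conf; check it against your version.
SAMPLE_INPUT_CONF = """\
[General]
#ClassicBondedOnly=false
IdleTimeout=30
"""

def parse_controller_state(text: str) -> dict:
    """Return the yes/no controller flags from `bluetoothctl show` output."""
    pattern = r"^\s*(Powered|Discoverable|Pairable):\s*(yes|no)\s*$"
    return {m.group(1): m.group(2) == "yes" for m in re.finditer(pattern, text, re.M)}

def classic_bonded_only(conf_text: str) -> bool:
    """True only if input.conf explicitly sets ClassicBondedOnly=true.
    Commented-out or missing keys are treated conservatively as not enabled."""
    for line in conf_text.splitlines():
        line = line.strip()
        if line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        if key.strip() == "ClassicBondedOnly":
            return value.strip().lower() == "true"
    return False

def assess(show_output: str, conf_text: str) -> list:
    """List findings matching the article's Linux/BlueZ conditions (empty = not exposed)."""
    state = parse_controller_state(show_output)
    if not state.get("Powered"):
        return []  # radio is off: the host is not reachable over Bluetooth
    findings = []
    if state.get("Discoverable"):
        findings.append("controller is discoverable")
    if state.get("Pairable"):
        findings.append("controller accepts pairing")
    if not classic_bonded_only(conf_text):
        findings.append("HID profile not restricted to bonded devices")
    return findings
```

Run `assess()` on the real output of `bluetoothctl show` and the contents of `/etc/bluetooth/input.conf`; an empty list means none of the listed conditions were observed.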
It is a serious vulnerability impacting a vast array of devices, exposing potential security risks inherent to Bluetooth technology. However, according to Google, “fixes for these issues that affect Android 11 through 14 are available to impacted OEMs. All currently-supported Pixel devices will receive this fix via December OTA updates.”