Critical Bluetooth security flaw discovered in Google, Apple and Linux devices
A newly revealed critical security issue with Bluetooth can potentially allow attackers to take control of Android, Linux, macOS and iOS devices.
Detailed by security researcher Marc Newlin on GitHub this week, the vulnerability, tracked as CVE-2023-45866, is an authentication bypass that lets attackers connect to susceptible devices and inject keystrokes to achieve code execution.
The vulnerability is the result of a critical weakness in the Bluetooth protocol, combined with implementation-specific bugs across various operating systems. The vulnerability allows attackers to mimic a Bluetooth keyboard and connect to a device without the user’s confirmation. The process, known as keystroke injection, allows an unauthorized user to perform actions on the victim’s device as long as the actions don’t require a password or biometric authentication.
Across devices, Android is vulnerable when Bluetooth is enabled. Newlin tested various models such as the Google Pixel series, including on versions of Android as old as version 4.2.2. On Linux, the vulnerability was found on multiple versions of Ubuntu. On Apple devices, the vulnerability was found on various Mac and iPhone models.
Although the vulnerability is deemed critical, Newlin went public with the details only after giving various companies ample time to patch it. Google LLC, Apple Inc. and Canonical Ltd., the company behind Ubuntu, were all informed of the vulnerability in early August. Newlin also provided the details of the vulnerability to the Bluetooth Special Interest Group, the organization that oversees the development of Bluetooth standards, in September.
Google has implemented fixes for the vulnerability in Android versions 11 through 14, with the patch distributed in December, and Linux devices have also received a patch that mitigates the issue. However, Apple Inc. has so far not specified any particular patches for the vulnerability.
“In many IoT devices, the communications are set by default to be available – Wi-Fi, Bluetooth, Zigbee and so forth,” John Gallagher, vice president of Viakoo Labs at enterprise internet of things security platform company Viakoo Inc., told SiliconANGLE. “The chipsets they use often have all the standard protocols supported so that they can be used across a wide range of systems. As part of commissioning new devices, organizations should deactivate any protocol not being used.”
Gallagher added that maintaining physical security, with video surveillance and access control, is another way that organizations can protect their infrastructure. “Many cyber-attacks (like this) are made easy if the threat actor can gain physical access,” he said. “This is another reason why physical security systems are often targets of malicious hackers.”