Tuesday, December 12, 2023

Marc Newlin’s Keyboard Spoofing Attack Sends Arbitrary Commands to Android, iOS, macOS, and Linux



Security researcher Marc Newlin has detailed a flaw in Bluetooth implementations on Google’s Android, Apple’s iOS and macOS, and Linux which, at its worst, can allow anyone within radio range to silently send unauthenticated commands to your device by pretending to be a keyboard.

“I began with an investigation of wireless gaming keyboards, but they proved to be the wrong kind of dumpster fire, so I looked to Apple’s Magic Keyboard for a challenge. It had two things notably absent from my earlier peripheral research: Bluetooth and Apple,” Newlin, of drone security firm SkySafe, explains of his discovery of the vulnerability.

“I had a lot to learn, but one question led to another,” Newlin continues, “and I was soon reporting unauthenticated Bluetooth keystroke-injection vulnerabilities in macOS and iOS, both exploitable in Lockdown Mode. When I found similar keystroke-injection vulnerabilities in Linux and Android, it began to look less like an implementation bug, and more like a protocol flaw. After reading some of the Bluetooth HID specification, I discovered that it was a bit of both.”

Newlin’s discovery, which builds on his 2016 work on MouseJack attacks against non-Bluetooth wireless peripherals, targets the host-peripheral pairing mechanism within the Bluetooth protocol. A Linux box with a low-cost off-the-shelf Bluetooth dongle pretends to be a keyboard and sends a pairing request, which the target system accepts silently, without notification. Once paired, the attacker can send arbitrary keystrokes to the target device, including, where accessible by keyboard, opening applications and sending commands.

It is a serious flaw, and one which appears to be widespread. Google’s Android platform was found to be the most vulnerable, and could be attacked at any time as long as Bluetooth was enabled. Apple’s desktop macOS and mobile iOS were the second most vulnerable, requiring both that Bluetooth be enabled and that an authentic Magic Keyboard had previously been paired with the device. The BlueZ stack on Linux was the least vulnerable, falling to the attack only when configured to be discoverable.

“Full vulnerability details and proof-of-concept scripts will be released at an upcoming conference,” Newlin promises. “I’m really not sure what kind of wireless keyboard to recommend at this point. If you are reading this and you make a secure wireless keyboard, please send me one so I can hack it for you. (I’m serious. I want a challenge.)”

A patch for the flaw is already available for BlueZ on Linux, while Google has supplied fixes for Android 11 through 14 to original equipment manufacturers (OEMs) and will patch its Pixel hardware through the December security update, but will leave end-of-life Android 10 devices vulnerable. Apple has not commented on the vulnerability nor its plans to patch the same.

Newlin’s write-up of the attack is available on the SkySafe GitHub repository; the vulnerability has been assigned CVE-2023-45866 in the Common Vulnerabilities and Exposures project.
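
A defensive check for the Linux condition described above, as an added example that is not from Newlin’s write-up or the BlueZ project: it parses `bluetoothctl show` output to list controllers that are powered and discoverable. The `ClassicBondedOnly` key in `/etc/bluetooth/input.conf` is a BlueZ input-plugin option not mentioned in the article, and both sample texts are constructed.

```python
import configparser

# Constructed sample of `bluetoothctl show` output (not captured from a real host).
SAMPLE_SHOW = """\
Controller 00:11:22:33:44:55 (public)
    Name: workstation
    Powered: yes
    Discoverable: yes
Controller 66:77:88:99:AA:BB (public)
    Name: dongle
    Powered: yes
    Discoverable: no
"""

# Constructed sample of /etc/bluetooth/input.conf (the key is commented out).
SAMPLE_INPUT_CONF = """\
[General]
#ClassicBondedOnly=true
"""

def parse_controllers(show_output):
    """Return {address: {property: value}} for each controller block."""
    controllers, current = {}, None
    for line in show_output.splitlines():
        if line.startswith("Controller "):
            current = controllers.setdefault(line.split()[1], {})
        elif current is not None and ":" in line:
            key, _, value = line.strip().partition(":")
            current[key.strip()] = value.strip()
    return controllers

def exposed_controllers(show_output):
    """Addresses of controllers that are both powered on and discoverable."""
    return sorted(addr for addr, props in parse_controllers(show_output).items()
                  if props.get("Powered") == "yes" and props.get("Discoverable") == "yes")

def classic_bonded_only(conf_text):
    """True/False if set explicitly; None if absent (default depends on BlueZ version)."""
    cp = configparser.ConfigParser()
    cp.optionxform = str  # keep the key's case as written in input.conf
    cp.read_string(conf_text)
    if cp.has_option("General", "ClassicBondedOnly"):
        return cp.getboolean("General", "ClassicBondedOnly")
    return None

if __name__ == "__main__":
    print("powered and discoverable:", exposed_controllers(SAMPLE_SHOW))
    print("ClassicBondedOnly:", classic_bonded_only(SAMPLE_INPUT_CONF))
```

On a real host, pass the captured output of `bluetoothctl show` and the contents of `/etc/bluetooth/input.conf` in place of the samples.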


