Bluetooth Vulnerabilities Enable Keystroke Injection Across Platforms
A security researcher has uncovered critical Bluetooth vulnerabilities affecting Android, Linux, macOS and iOS devices that could allow attackers to remotely inject keystrokes and take control of devices.
The vulnerabilities, tracked as CVE-2023-45866, take advantage of flaws in how various Bluetooth protocol stacks handle pairing to enable unauthenticated connections. Once connected, attackers can sendHID (human interface device) commands to inject keystrokes and execute malicious actions.
The vulnerabilities were discovered by security researcher Marc Newlin, who previously made waves in 2016 with his MouseJack research into wireless mice and keyboards. At the time, Newlin focused on the insecure custom protocols used by wireless peripherals and did not thoroughly investigate potential risks from Bluetooth.
"I was intimidated by Bluetooth at the time, and just sort of assumed it was secure," wrote Newlin. "It never occurred to me that Bluetooth would have trivial keystroke-injection vulnerabilities like the MouseJack protocols, so I never looked."
Earlier this year, Newlin set out to find new research to present at an upcoming conference. After hitting dead ends with wireless gaming keyboards, he turned his attention to Bluetooth devices, including Apple's Magic Keyboard.
Unauthenticated Pairing Enables Keystroke Injection
Through his research across various platforms, Newlin discovered Bluetooth authentication bypass issues that could be exploited to connect to devices without user confirmation. Once connected, attackers can remotely inject keystrokes.
"The vulnerabilities work by tricking the Bluetooth host state-machine into pairing with a fake keyboard without user-confirmation," Newlin explained. "The underlying unauthenticated pairing mechanism is defined in the Bluetooth specification, and implementation-specific bugs expose it to the attacker."
Based on his testing, the attack works under the following conditions:
- Android devices are vulnerable whenever Bluetooth is enabled
- Linux/BlueZ requires that Bluetooth is discoverable/connectable
- iOS and macOS are vulnerable when Bluetooth is enabled and a Magic Keyboard has been paired
The only hardware required for attackers is a Linux computer with a Bluetooth adapter. No special equipment is necessary.
Longstanding Issues Across Android, Apple Devices
According to Newlin, some of the vulnerabilities significantly predate public discovery. He was able to reproduce keystroke injection attacks against Android 4.2.2, originally released in 2012.
On the Apple side, Newlin reported being able "to reproduce keystroke-injection on macOS and iOS with Bluetooth enabled and a Magic Keyboard paired." He did not disclose further timeline details or confirm if other Bluetooth devices were also vulnerable vectors.
In both cases, the vulnerabilities allow attackers within Bluetooth range to remotely control devices without passwords or biometrics getting in the way. While Lockdown Mode on iOS and macOS is intended to block unsigned code execution and configuration changes, it does not protect against these Bluetooth flaws.
Patching Varies Across Platforms
In Android 11-14, the vulnerabilities are addressed in the December 2023 security patch level. However, devices running Android 4.2.2-10 remain unpatched.
In an advisory released this month, Google said CVE-2023-45866 "could lead to remote (proximal/adjacent) escalation of privilege with no additional execution privileges needed."
For Linux and BlueZ, a patch was issued in 2020 but left disabled by default. Outside of ChromeOS, few distributions have enabled protections. A new BlueZ patch explicitly enabling the fix was released alongside public disclosure.
On Apple platforms, Newlin provided no details regarding patches or mitigations, only that he initially reported the issues in August 2023.
Full technical details and proof-of-concept exploit code are expected to be demonstrated at an upcoming conference, with specifics to be shared once finalized. For now, Newlin advises using wired keyboards given the prevalence of vulnerabilities across wireless options.