Bluetooth technologies power wireless keyboards, mice, game controllers and other peripherals used by billions of devices worldwide. However new research reveals critical Bluetooth vulnerabilities affecting Android, iOS, Linux, macOS and Windows that could allow remote attackers to pair with devices as a Bluetooth keyboard and inject keystrokes to perform malicious actions.
Security researcher Marc Newlin (@marcnewlin) disclosed the vulnerabilities in a presentation at ShmooCon 2024 and published technical details on his blog. The vulnerabilities, tracked as CVE-2023-45866, CVE-2024-0230 and CVE-2024-21306, take advantage of weak Bluetooth pairing requirements across all major operating systems.
Android, Linux Vulnerable to Zero-Click Keystroke Injection
The Android and Linux Bluetooth implementations allow keyboards to initiate pairing without authentication or user confirmation. An attacker could exploit this to remotely pair as a Bluetooth keyboard and inject keystrokes with no user interaction required.
- Android devices running versions 4.2 to 14 are vulnerable whenever Bluetooth is enabled. Android 11, 12, 13 and 14 were patched in a December 2023 security update.
- Linux systems running BlueZ are vulnerable when Bluetooth settings are open and the device is discoverable. A patch is available in BlueZ.
macOS, iOS, and Windows Require User Interaction
The Bluetooth vulnerabilities in macOS, iOS and Windows can also be exploited for keystroke injection, but require reconnecting to a paired device or user confirmation of a pairing request.
- macOS 12 and 13 are vulnerable when connecting to a paired Magic Keyboard. macOS 14.2 patched the issue.
- iOS 16 is vulnerable when connecting to a paired Magic Keyboard. iOS 17.2 patched the issue.
- Windows 10 and 11 are vulnerable when the user confirms a malicious pairing request. Microsoft patched Windows in January 2024.
Magic Keyboard Link Key Extraction
In addition to forced pairing, vulnerabilities in Apple's Magic Keyboard allow attackers with physical access to extract encryption keys and take control of the keyboard's Bluetooth connection.
The link key used to encrypt the Bluetooth connection can be obtained by:
- Connecting to the Magic Keyboard's Lightning port
- Connecting via Bluetooth when the keyboard is unpaired
- Connecting to the USB port of a paired Mac (if Lockdown Mode is disabled)
Once the link key is obtained, an attacker could pair the Magic Keyboard to a different device under their control.
Apple partially mitigated these issues with firmware updates to the Magic Keyboard in January 2023, but some risks remain if proper protections are not enabled.
Platform | Affected Products | CVE ID | Fix | Remarks |
---|---|---|---|---|
Android | 4.2, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14 |
CVE-2023-45866 | v11, 12, 13, 14 | Android 3 and earlier were not tested. Fix for v4.2, 5, 6, 7, 8, 9, 10 is not available. |
Linux (BlueZ) | Ubuntu, Debian, Redhat, Amazon Linux, Fedora, Gentoo, Arch, OpenEmbedded, Yocto, NixOS |
CVE-2023-45866 | BlueZ patch available | Check fix for Affected Distros |
macOS | 12, 13, 14 | CVE-2023-45866 | fixed in macOS 14.2 | macOS 11 and earlier were not tested. No fix available for 12 and 13 |
iOS | 16 and 17 | CVE-2023-45866 | fixed in iOS 17.2 | iOS 15 and earlier were not tested. No fix available for iOS 16 |
Windows | 10, 11, Server 2022 | CVE-2024-21306 | fixed in January 2024 Patch Tuesday |
Earlier versions of Windows were not tested |
CVE-2024-0230: Magic Keyboard Vulnerability
The Magic Keyboard, a popular accessory for Apple devices, is found to have a significant vulnerability labelled CVE-2024-0230. Exploiting this flaw, an attacker can extract the Bluetooth link key from the Magic Keyboard through unauthenticated Bluetooth or the Lightning port.
MacOS keystroke injection |
This vulnerability allows the extraction of the link key in scenarios such as the keyboard being unplugged from its Mac or when connected over USB (if Lockdown Mode is not enabled).
CVE-2023-45866 and CVE-2024-21306: Cross-Platform Bluetooth Vulnerabilities
Newlin's research also exposes cross-platform vulnerabilities (CVE-2023-45866 and CVE-2024-21306) affecting Android, Linux, macOS, iOS, and Windows. These vulnerabilities enable an attacker to pair a virtual Bluetooth keyboard without authentication or user confirmation, subsequently injecting keystrokes as the user. Notably, the severity of the impact varies across different operating systems.
Linux keystroke injection |
Linux Distributions: Patch Information
For Linux users, the research provides a list of affected distributions along with patch information. Users of distributions such as Ubuntu, Debian, Redhat, and others are encouraged to check for and apply relevant patches to mitigate the identified Bluetooth vulnerabilities.
Mitigations for Bluetooth Security Risks
While patches are available for supported operating systems, billions of older Android devices will remain permanently vulnerable. The zero-click risks on Linux create a dangerous scenario where any discoverable system could be compromised.
Users should apply available updates and enable device protections like Lockdown Mode where applicable. But ultimately, these issues highlight inherent risks in how Bluetooth handles authentication. Short of disabling Bluetooth entirely, there is little individuals can do to protect against sophisticated attacks targeting these flaws.
Researcher Marc Newlin suggests Bluetooth may need an overhaul, implementing cryptographic authentication and consent for all pairing attempts.
Without fundamental changes in how Bluetooth connections are established, wireless peripherals will remain prime targets for attackers seeking silent access to phones, laptops, cars and smart home hubs worldwide.