Friday, December 8, 2023

Marc Newlin’s Keyboard Spoofing Attack Sends Arbitrary Commands to Android, iOS, macOS, and Linux

Security researcher Marc Newlin has detailed a flaw in the Bluetooth implementations of Google’s Android, Apple’s iOS and macOS, and Linux which, at its worst, lets anybody within radio range silently send unauthenticated commands to your device by pretending to be a keyboard.

“I started with an investigation of wireless gaming keyboards, but they proved to be the wrong kind of dumpster fire, so I looked to Apple’s Magic Keyboard for a challenge. It had two things notably absent from my earlier peripheral research: Bluetooth and Apple,” Newlin, of drone security firm SkySafe, explains of his discovery of the vulnerability.

“I had a lot to learn, but one question led to another,” Newlin continues, “and I was soon reporting unauthenticated Bluetooth keystroke-injection vulnerabilities in macOS and iOS, both exploitable in Lockdown Mode. When I found similar keystroke-injection vulnerabilities in Linux and Android, it started to look less like an implementation bug, and more like a protocol flaw. After reading some of the Bluetooth HID specification, I found that it was a bit of both.”

Newlin’s discovery, which builds on his 2016 work on MouseJack attacks against non-Bluetooth wireless peripherals, targets the host-peripheral pairing mechanism within the Bluetooth protocol. A Linux box with a low-cost off-the-shelf Bluetooth dongle pretends to be a keyboard and sends a pairing request, one which the target system accepts silently, without any notification to the user. Once paired, the attacker can send arbitrary keystrokes to the target machine, including, wherever the keyboard can reach, opening applications and issuing commands.

This is a serious flaw, and one which appears to be widespread. Google’s Android platform was found to be the most vulnerable, and could be attacked at any time so long as Bluetooth was enabled. Apple’s desktop macOS and mobile iOS were the second most vulnerable, requiring both that Bluetooth be enabled and that a legitimate Magic Keyboard had previously been paired with the device. The BlueZ stack on Linux was the least vulnerable, falling to the attack only when configured to be discoverable.
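Because the Linux exposure described above hinges on the BlueZ controller being discoverable, a defender's first check is the controller's own state. The following Python script is an added example for this article, not code from Marc Newlin or SkySafe: it parses the text printed by `bluetoothctl show` (the property names are BlueZ's; the sample output embedded below is constructed, not captured from a real machine) and reports the settings that would let an unsolicited pairing request from a fake keyboard be processed, along with the `bluetoothctl` commands that turn them off.

```python
"""Audit a BlueZ controller for exposure to unsolicited HID pairing.

Added example; not from the article's author or from SkySafe.
Assumes the line-oriented format of `bluetoothctl show`. The sample
below is constructed for the demonstration.
"""
import re
import subprocess

# Constructed sample of `bluetoothctl show` output: a discoverable,
# pairable desktop with the HID host profile registered.
SAMPLE_SHOW_OUTPUT = """\
Controller AA:BB:CC:DD:EE:FF workstation [default]
\tName: workstation
\tAlias: workstation
\tClass: 0x006c010c
\tPowered: yes
\tDiscoverable: yes
\tDiscoverableTimeout: 0x00000000
\tPairable: yes
\tUUID: Human Interface Device    (00001124-0000-1000-8000-00805f9b34fb)
\tUUID: Audio Sink                (0000110b-0000-1000-8000-00805f9b34fb)
"""

HID_PROFILE_UUID = "00001124-0000-1000-8000-00805f9b34fb"  # Bluetooth HID profile


def parse_show(text):
    """Turn `bluetoothctl show` output into a dict of controller properties."""
    state = {"uuids": []}
    m = re.match(r"Controller ([0-9A-Fa-f:]{17})", text)
    if m:
        state["address"] = m.group(1)
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Controller") or ":" not in line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "UUID":
            state["uuids"].append(value)
        elif key == "DiscoverableTimeout":
            state[key] = int(value, 16)  # printed as hex seconds; 0 = no timeout
        elif value in ("yes", "no"):
            state[key] = value == "yes"
        else:
            state[key] = value
    return state


def assess(state):
    """Return findings explaining why a spoofed keyboard could pair silently."""
    findings = []
    if not state.get("Powered"):
        return findings  # radio off: nothing for a nearby device to talk to
    if state.get("Discoverable"):
        timeout = state.get("DiscoverableTimeout", 0)
        if timeout == 0:
            findings.append("discoverable with no timeout: visible to any nearby device indefinitely")
        else:
            findings.append(f"discoverable for up to {timeout}s: temporarily visible to nearby devices")
        if state.get("Pairable"):
            findings.append("pairable while discoverable: unsolicited pairing requests will be processed")
    if any(HID_PROFILE_UUID in u for u in state["uuids"]):
        findings.append("HID host profile registered: a device that pairs as a keyboard becomes an input source")
    return findings


def remediation(state):
    """bluetoothctl commands that remove the discoverable/pairable exposure."""
    cmds = []
    if state.get("Discoverable"):
        cmds.append("bluetoothctl discoverable off")
    if state.get("Pairable"):
        cmds.append("bluetoothctl pairable off")
    return cmds


def live_show_output():
    """Read the real controller state; fall back to the sample if bluetoothctl is absent."""
    try:
        return subprocess.run(["bluetoothctl", "show"], capture_output=True,
                              text=True, timeout=5, check=False).stdout or SAMPLE_SHOW_OUTPUT
    except (FileNotFoundError, subprocess.TimeoutExpired):
        return SAMPLE_SHOW_OUTPUT


if __name__ == "__main__":
    st = parse_show(live_show_output())
    print(f"controller {st.get('address', '?')}")
    for f in assess(st):
        print(" -", f)
    for c in remediation(st):
        print(" fix:", c)
```

Run it on a workstation to see whether the controller is sitting discoverable with no timeout, which is the condition the article reports for BlueZ. Turning discoverability off is a configuration mitigation only; the BlueZ patch mentioned later in the article is what actually closes the flaw.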

“Full vulnerability details and proof-of-concept scripts will be released at an upcoming conference,” Newlin promises. “I am really not sure what kind of wireless keyboard to recommend at this point. If you’re reading this and you make a secure wireless keyboard, please send me one so I can hack it for you. (I am serious. I want a challenge.)”

A patch for the flaw is already available for BlueZ on Linux, while Google has supplied fixes for Android 11 through 14 to original equipment manufacturers (OEMs) and will patch its Pixel hardware through the December security update, but will leave end-of-life Android 10 devices vulnerable. Apple has not commented on the vulnerability nor on its plans to patch it.

Newlin’s write-up of the attack is available on the SkySafe GitHub repository; the vulnerability has been assigned CVE-2023-45866 in the Common Vulnerabilities and Exposures project.
