• Bluetooth hack: Hi, My Name Is Keyboard

    #2609415

    https://github.com/skysafe/reblog/tree/main/cve-2023-45866#hi-my-name-is-keyboard

    CVE-2023-45866: Unauthenticated Bluetooth keystroke-injection in Android, Linux, macOS and iOS

    ..The vulnerabilities work by tricking the Bluetooth host state-machine into pairing with a fake keyboard without user-confirmation. The underlying unauthenticated pairing mechanism is defined in the Bluetooth specification, and implementation-specific bugs expose it to the attacker. Unpatched devices are vulnerable under the following conditions:

    - Android devices are vulnerable whenever Bluetooth is enabled
    - Linux/BlueZ requires that Bluetooth is discoverable/connectable
    - iOS and macOS are vulnerable when Bluetooth is enabled and a Magic Keyboard has been paired with the phone or computer

    The vulnerabilities can be exploited from a Linux computer using a standard Bluetooth adapter. Once the attacker has paired with the target phone or computer, they can inject keystrokes to perform arbitrary actions as the victim, provided those actions don’t require a password or biometric authentication…

    Some of the vulnerabilities predate MouseJack, and I was able to reproduce keystroke-injection on Android back to version 4.2.2, which was released in 2012. The Linux vulnerability was fixed in 2020 (CVE-2020-0556), but the fix was left disabled by default. ChromeOS is the only Linux-based OS known to have enabled the fix, even though it was announced by Ubuntu, Debian, Fedora, Gentoo, Arch and Alpine. The BlueZ patch for CVE-2023-45866 enables the 2020 fix by default…

    What is the vulnerability?

    Multiple Bluetooth stacks have authentication-bypass vulnerabilities that permit an attacker to connect to a discoverable host without user-confirmation and inject keystrokes.

    What is the impact?

    A nearby attacker can connect to a vulnerable device over unauthenticated Bluetooth and inject keystrokes to e.g. install apps, run arbitrary commands, forward messages, etc.

    What hardware is required to exploit the vulnerability?

    The attack does not require specialized hardware, and can be performed from a Linux computer using a normal Bluetooth adapter. ..
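The quoted post says the 2020 BlueZ fix (CVE-2020-0556) shipped disabled by default and that the CVE-2023-45866 patch only flips that default. On a Linux host, that default lives in BlueZ's input.conf as the `ClassicBondedOnly` option; the option name comes from BlueZ's input.conf and is not stated in the post. The script below is an added example written for this page, not code from SkySafe or from the BlueZ project: it parses an input.conf and reports whether unbonded HID (keyboard) connections are rejected, treating a missing, commented-out or false value as "mitigation off" because that is what pre-patch BlueZ defaulted to. The two sample configs are constructed inline for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original post or BlueZ): check whether a BlueZ
# host rejects HID connections from peers that are not bonded, i.e. whether
# the CVE-2020-0556 mitigation that CVE-2023-45866 turns on by default is
# enabled. Assumes BlueZ's input.conf layout: a [General] section holding
# ClassicBondedOnly=true|false, '#'-style comments, optional spaces around '='.

# Usage: classic_bonded_only_enabled <path-to-input.conf>
# Exit 0 if [General] ClassicBondedOnly=true, 1 otherwise (missing file,
# missing key, commented-out key, or false all count as "off").
classic_bonded_only_enabled() {
    conf="$1"
    [ -r "$conf" ] || return 1
    awk -F= '
        # Drop comments and surrounding whitespace; modifying $0 re-splits fields.
        { sub(/[#;].*/, ""); gsub(/^[ \t]+|[ \t]+$/, "") }
        # Track the current [section]; only [General] matters here.
        /^\[.*\]$/ { section = $0; next }
        section == "[General]" && $1 ~ /^ClassicBondedOnly[ \t]*$/ {
            v = $2; gsub(/[ \t]/, "", v); val = tolower(v)
        }
        END { if (val == "true") exit 0; exit 1 }
    ' "$conf"
}

# Human-readable verdict for one config file (defaults to the live one).
report_bluez_hid_hardening() {
    conf="${1:-/etc/bluetooth/input.conf}"
    if classic_bonded_only_enabled "$conf"; then
        echo "$conf: ClassicBondedOnly=true, unbonded HID peers are rejected"
        return 0
    fi
    echo "$conf: ClassicBondedOnly is off, unbonded HID peers are accepted while discoverable/connectable"
    return 1
}

# Constructed sample configs (not copied from any real host): the pre-patch
# default with the option commented out, and a hardened one. Prints the two
# temp file paths, weak first.
make_sample_configs() {
    weak=$(mktemp); hard=$(mktemp)
    cat >"$weak" <<'EOF'
# input.conf, pre-patch default
[General]
#ClassicBondedOnly=false
UserspaceHID=true
EOF
    cat >"$hard" <<'EOF'
[General]
ClassicBondedOnly = true

[Other]
ClassicBondedOnly=false
EOF
    printf '%s %s\n' "$weak" "$hard"
}

demo() {
    set -- $(make_sample_configs)
    report_bluez_hid_hardening "$1" || true   # expected: off
    report_bluez_hid_hardening "$2" || true   # expected: rejected
    rm -f "$1" "$2"
}

demo
```

Run it with the live file (`report_bluez_hid_hardening /etc/bluetooth/input.conf`) after installing a patched BlueZ: a false or absent value means the host still accepts a bonding-free keyboard whenever it is discoverable or connectable, which is exactly the Linux condition the post lists.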

    • #2609442

      I can’t type properly when I can see the screen, never mind when I can’t!

    • #2609581

      If you’re in an environment where Bluetooth is discoverable, turn it off.

      macOS, iPadOS and sometimes SOS

    • #2609591

      If you’re in an environment where Bluetooth is discoverable, turn it off.

      BT is discoverable everywhere like with smartwatches, ear/headphones, Airtag, Tile…

      • #2609837

        Smash-and-grab car break-ins are often the result of thieves with BT scanners looking for cellphones, laptops, etc. in locked cars. They can rapidly go through a parking lot looking for high value targets.

    • #2609858

      cellphones, laptops, etc. in locked cars.

      I would say people leaving cellphones, laptops, etc in cars take the risks.

    • #2610099

      Those who do believe the device is hidden out of sight.

    • #2610792

      Bluetooth range is around 10 meters/30 feet. If you turn Bluetooth off when you leave the house, you should be safe.

      Sucks for the phones that have gotten rid of microphone ports, so make that a consideration when you get a phone if you are addicted to things like AirPods.

    • #2610800

      If you turn Bluetooth off when you leave the house, you should be safe.

      So how will my Apple Watch, AirPods, BT headphones, AirTag… work?

      How will my iPhone / Apple Watch notify me that I have left the other device at home / Office / Restaurant / Cab…?

    • #2611236

      I turned my Bluetooth off on my phone, and also on the laptop.

      If one does not have any use for it, what is the advantage for it to be on?

      Any words of wisdom? Thanks!

      Win 10 Home 22H2

    • #2611462

      If one does not have any use for it, what is the advantage for it to be on?

      None.

      If you don’t use a device or your car has no infotainment system, you don’t need BT.
