Friday, January 24, 2025
Follow us On Linkedin
Homecyber securityBluetooth keystroke-injection Flaw: A Threat to Apple, Linux & Android Devices

Bluetooth keystroke-injection Flaw: A Threat to Apple, Linux & Android Devices

cyber securityCyber Security News

Published on

By Gurubaran
Bluetooth keystroke-injection Flaw: A Threat to Apple, Linux & Android Devices

Free Webinar DevSecOps Hacks

SIEM as a Service

Follow Us on Google News

An unauthenticated Bluetooth keystroke-injection vulnerability that affects Android, macOS, and iOS devices has been discovered.

This vulnerability can be exploited by tricking the Bluetooth host state machine into pairing with a fake keyboard without authentication.

This vulnerability affects Android devices with Bluetooth enabled, Linux/BlueZ devices with Bluetooth Connectable/Discoverable iOS and macOS with Bluetooth enabled, and Magic Keyboard paired with the phone or computer.

The CVE for this vulnerability has been assigned as CVE-2023-45866.

CVE-2023-45866: Unauthenticated Bluetooth keystroke-injection

After pairing with the target phone or computer, a threat actor can exploit this vulnerability from a Linux computer that uses a Standard Bluetooth adapter.

Once paired, the threat actor can inject keystrokes and perform arbitrary actions in the name of the victim, which does not require any authentication.

Affected Devices

Additionally, this vulnerability was successfully reproduced on the devices below.

  • Pixel 7 running Android 14
  • Pixel 6 running Android 13
  • Pixel 4a (5G) running Android 13
  • Pixel 2 running Android 11
  • Pixel 2 running Android 10
  • Nexus 5 running Android 6.0.1
  • BLU DASH 3.5 running Android 4.2.2
  • Ubuntu 18.04, 20.04, 22.04, 23.10
  • 2022 MacBook Pro with MacOS 13.3.3 (M2)
  • 2017 MacBook Air with macOS 12.6.7 (Intel)
  • iPhone SE running iOS 16.6

ChromeOS was not found to be vulnerable to this attack as it was patched perfectly by Google.

The security researcher has not published a fully detailed report about this vulnerability. However, a GitHub repository that explains the impact and details of this vulnerability has been published.

The Linux vulnerability (CVE-2020-0556) has been fixed, but it seems like the fix was left disabled by default, which makes the devices still vulnerable to this attack vector.

BluZ has fixed this vulnerability and enabled the fix by default as of the fix of 2020.

Google will fix the vulnerabilities in currently supported Pixel devices via December OTA updates.

Gurubaran
Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Latest articles

Cyber Attack

Critical Vulnerability in Next.js Framework Exposes Websites to Cache Poisoning and XSS Attacks

A new report has put the spotlight on potential security vulnerabilities within the popular...
Browser

New Cookie Sandwich Technique Allows Stealing of HttpOnly Cookies

The "Cookie Sandwich Attack" showcases a sophisticated way of exploiting inconsistencies in cookie parsing...
ChatGPT

GhostGPT – Jailbreaked ChatGPT that Creates Malware & Exploits

Artificial intelligence (AI) tools have revolutionized how we approach everyday tasks, but they also...
Cyber Security News

Tycoon 2FA Phishing Kit Using Specially Crafted Code to Evade Detection

The rapid evolution of Phishing-as-a-Service (PhaaS) platforms is reshaping the threat landscape, enabling attackers...

API Security Webinar

Free Webinar - DevSecOps Hacks

By embedding security into your CI/CD workflows, you can shift left, streamline your DevSecOps processes, and release secure applications faster—all while saving time and resources.

In this webinar, join Phani Deepak Akella ( VP of Marketing ) and Karthik Krishnamoorthy (CTO), Indusface as they explores best practices for integrating application security into your CI/CD workflows using tools like Jenkins and Jira.

Discussion points

Automate security scans as part of the CI/CD pipeline.
Get real-time, actionable insights into vulnerabilities.
Prioritize and track fixes directly in Jira, enhancing collaboration.
Reduce risks and costs by addressing vulnerabilities pre-production.

Register Now

More like this

ChatGPT

GhostGPT – Jailbreaked ChatGPT that Creates Malware & Exploits

Artificial intelligence (AI) tools have revolutionized how we approach everyday tasks, but they also...
Cyber Security News

Tycoon 2FA Phishing Kit Using Specially Crafted Code to Evade Detection

The rapid evolution of Phishing-as-a-Service (PhaaS) platforms is reshaping the threat landscape, enabling attackers...
cyber security

Microsoft Unveils New Identity Secure Score Recommendations in General Availability

Microsoft has announced the general availability of 11 new Identity Secure Score recommendations in...

GBHackers on Security is a top cybersecurity news platform, delivering up-to-date coverage on breaches, emerging threats, malware, vulnerabilities, and global cyber incidents.

Company

Trending

Categories

Copyright @ 2016 - 2024 GBHackers On Security - All Rights Reserved