Tuesday, February 11, 2025
Follow us On Linkedin
Homecyber securityBluetooth keystroke-injection Flaw: A Threat to Apple, Linux & Android Devices

Bluetooth keystroke-injection Flaw: A Threat to Apple, Linux & Android Devices

cyber securityCyber Security News

Published on

By Gurubaran
Bluetooth keystroke-injection Flaw: A Threat to Apple, Linux & Android Devices

Supply Chain Attack Prevention

SIEM as a Service

Follow Us on Google News

An unauthenticated Bluetooth keystroke-injection vulnerability that affects Android, macOS, and iOS devices has been discovered.

This vulnerability can be exploited by tricking the Bluetooth host state machine into pairing with a fake keyboard without authentication.

This vulnerability affects Android devices with Bluetooth enabled, Linux/BlueZ devices with Bluetooth Connectable/Discoverable iOS and macOS with Bluetooth enabled, and Magic Keyboard paired with the phone or computer.

The CVE for this vulnerability has been assigned as CVE-2023-45866.

CVE-2023-45866: Unauthenticated Bluetooth keystroke-injection

After pairing with the target phone or computer, a threat actor can exploit this vulnerability from a Linux computer that uses a Standard Bluetooth adapter.

Once paired, the threat actor can inject keystrokes and perform arbitrary actions in the name of the victim, which does not require any authentication.

Affected Devices

Additionally, this vulnerability was successfully reproduced on the devices below.

  • Pixel 7 running Android 14
  • Pixel 6 running Android 13
  • Pixel 4a (5G) running Android 13
  • Pixel 2 running Android 11
  • Pixel 2 running Android 10
  • Nexus 5 running Android 6.0.1
  • BLU DASH 3.5 running Android 4.2.2
  • Ubuntu 18.04, 20.04, 22.04, 23.10
  • 2022 MacBook Pro with MacOS 13.3.3 (M2)
  • 2017 MacBook Air with macOS 12.6.7 (Intel)
  • iPhone SE running iOS 16.6

ChromeOS was not found to be vulnerable to this attack as it was patched perfectly by Google.

The security researcher has not published a fully detailed report about this vulnerability. However, a GitHub repository that explains the impact and details of this vulnerability has been published.

The Linux vulnerability (CVE-2020-0556) has been fixed, but it seems like the fix was left disabled by default, which makes the devices still vulnerable to this attack vector.

BluZ has fixed this vulnerability and enabled the fix by default as of the fix of 2020.

Google will fix the vulnerabilities in currently supported Pixel devices via December OTA updates.

Gurubaran
Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Latest articles

Cyber Security News

Authorities Seize 8Base Ransomware Dark Web Site, Arrest Four Key Operators

Thai authorities arrested four European hackers in Phuket on February 10, 2025, for their...
Cyber Security News

12,000+ KerioControl Firewalls Exposed to 1-Click RCE Attack

Cybersecurity researchers caution that over 12,000 instances of GFI KerioControl firewalls remain unpatched and...
Apple

Apple iOS 0-day Vulnerability Exploited Wild in Extremely Sophisticated Attack

Apple has released emergency security updates to address a zero-day vulnerability, CVE-2025-24200, that has...
Cyber Attack

SHA256 Hash Calculation from Data Chunks

The SHA256 algorithm, a cryptographic hash function, is widely used for securing data integrity...

Supply Chain Attack Prevention

Free Webinar - Supply Chain Attack Prevention

Recent attacks like Polyfill[.]io show how compromised third-party components become backdoors for hackers. PCI DSS 4.0’s Requirement 6.4.3 mandates stricter browser script controls, while Requirement 12.8 focuses on securing third-party providers.

Join Vivekanand Gopalan (VP of Products – Indusface) and Phani Deepak Akella (VP of Marketing – Indusface) as they break down these compliance requirements and share strategies to protect your applications from supply chain attacks.

Discussion points

Meeting PCI DSS 4.0 mandates.
Blocking malicious components and unauthorized JavaScript execution.
PIdentifying attack surfaces from third-party dependencies.
Preventing man-in-the-browser attacks with proactive monitoring.

Register Now

More like this

Cyber Security News

Authorities Seize 8Base Ransomware Dark Web Site, Arrest Four Key Operators

Thai authorities arrested four European hackers in Phuket on February 10, 2025, for their...
Cyber Security News

12,000+ KerioControl Firewalls Exposed to 1-Click RCE Attack

Cybersecurity researchers caution that over 12,000 instances of GFI KerioControl firewalls remain unpatched and...
Apple

Apple iOS 0-day Vulnerability Exploited Wild in Extremely Sophisticated Attack

Apple has released emergency security updates to address a zero-day vulnerability, CVE-2025-24200, that has...

GBHackers on Security is a top cybersecurity news platform, delivering up-to-date coverage on breaches, emerging threats, malware, vulnerabilities, and global cyber incidents.

Company

Trending

Categories

Copyright @ 2016 - 2024 GBHackers On Security - All Rights Reserved