An unauthenticated Bluetooth keystroke-injection vulnerability that affects Android, macOS, and iOS devices has been discovered.
This vulnerability can be exploited by tricking the Bluetooth host state machine into pairing with a fake keyboard without authentication.
This vulnerability affects Android devices with Bluetooth enabled, Linux/BlueZ devices with Bluetooth Connectable/Discoverable iOS and macOS with Bluetooth enabled, and Magic Keyboard paired with the phone or computer.
The CVE for this vulnerability has been assigned as CVE-2023-45866 .
CVE-2023-45866: Unauthenticated Bluetooth keystroke-injection
After pairing with the target phone or computer, a threat actor can exploit this vulnerability from a Linux computer that uses a Standard Bluetooth adapter.
Once paired, the threat actor can inject keystrokes and perform arbitrary actions in the name of the victim, which does not require any authentication .
Affected Devices
Additionally, this vulnerability was successfully reproduced on the devices below.
Pixel 7 running Android 14
Pixel 6 running Android 13
Pixel 4a (5G) running Android 13
Pixel 2 running Android 11
Pixel 2 running Android 10
Nexus 5 running Android 6.0.1
BLU DASH 3.5 running Android 4.2.2
Ubuntu 18.04, 20.04, 22.04, 23.10
2022 MacBook Pro with MacOS 13.3.3 (M2)
2017 MacBook Air with macOS 12.6.7 (Intel)
iPhone SE running iOS 16.6
ChromeOS was not found to be vulnerable to this attack as it was patched perfectly by Google.
The security researcher has not published a fully detailed report about this vulnerability. However, a GitHub repository that explains the impact and details of this vulnerability has been published.
The Linux vulnerability (CVE-2020-0556) has been fixed, but it seems like the fix was left disabled by default, which makes the devices still vulnerable to this attack vector.
BluZ has fixed this vulnerability and enabled the fix by default as of the fix of 2020.
Google will fix the vulnerabilities in currently supported Pixel devices via December OTA updates.
The post Bluetooth keystroke-injection Flaw: A Threat to Apple, Linux & Android Devices appeared first on GBHackers on Security | #1 Globally Trusted Cyber Security News Platform .
Related News
Top News
-
![]()
U.K. Hacker Linked to Notorious Scattered Spider Group Arrested in SpainLaw enforcement authorities have allegedly arrested a key member of the notorious cybercrime group called Scattered Spider. The individual, a...
-
![]()
Lừa đảo mạo danh ‘nở rộ’ trên không gian mạng và ngày càng tinh viDù hình thức không mới song lừa đảo mạo danh hiện vẫn đang khiến nhiều người dân tại Việt Nam và trên thế giới sập bẫy, bị chiếm đoạt tài sản.
-
![]()
Lừa đảo đánh cắp mã OTP tinh vi, tấn công mạng tận dụng lỗ hổng mớiXuất hiện lừa đảo đánh cắp mã OTP tinh vi; Hacker gia tăng tốc độ tận dụng các lỗ hổng mới,... là những thông tin công nghệ trong nước nổi bật...
-
![]()
Sleepy Pickle Exploit Let Attackers Exploit ML Models And Attack End-UsersHackers are targeting, attacking, and exploiting ML models. They want to hack into these systems to steal sensitive data, interrupt services, or...
-
![]()
Sleepy Pickle - Kỹ thuật tấn công mới nhắm vào các mô hình học máySleepy Pickle là một kỹ thuật tấn công mới lạ và bí mật nhắm vào chính mô hình ML (Machine Learning) thay vì hệ thống cơ bản. {...
