Bluetooth Vulnerability Enables Keystroke Injection on Android, Linux, macOS, iOS

Cyber Security Threat Summary:
A critical vulnerability in Bluetooth allows attackers to take control of Android, Linux, macOS, and iOS devices, including devices in Lockdown Mode. This vulnerability is tracked as CVE-2023-45866 and disclosed by security researcher Marc Newlin.

It enables attackers to connect to vulnerable devices without user confirmation and inject keystrokes, potentially allowing them to install malicious apps, run arbitrary commands, and perform other unauthorized actions (except those requiring password/biometric authentication). The software vendors were notified about the flaw in August 2023.

Security Officer Comments:
This vulnerability was first identified in 2016 in non-Bluetooth wireless mice and keyboards. Back then, it was assumed that Bluetooth was secure and promoted as a better alternative to vulnerable custom protocols. In 2023, a challenge forced Newlin to focus on Apple’s Magic Keyboard due to its reliance on Bluetooth and Apple’s security reputation. Initial research revealed limited information about Bluetooth, macOS, and iOS, necessitating extensive learning.

Suggested Correction(s):
It is a serious vulnerability impacting a vast array of devices, exposing potential security risks inherent to Bluetooth technology. However, according to Google, “fixes for these issues that affect Android 11 through 14 are available to impacted OEMs. All currently-supported Pixel devices will receive this fix via December OTA updates.”