Get all your news in one place.
100’s of premium titles.
One app.
Start reading
TechRadar
TechRadar
Sead Fadilpašić

This Bluetooth security flaw could be used to hijack Apple and Linux devices

Bluetooth.

Experts have uncovered a way to trick a Bluetooth-enabled device into thinking it has connected to a wireless keyboard when, in fact, it’s connecting to another computer.

This, in turn, would allow the operator to run commands on the device, including running malware, according to cybersecurity researcher Marc Newlin, who discovered the flaw and disclosed it to Bluetooth software vendors last summer. 

The flaw is tracked as CVE-2023-45866 and is described as an authentication bypass. Android, Linux, macOS, and iOS devices, are all susceptible, it was said.

Bluetooth under pressure

"Multiple Bluetooth stacks have authentication bypass vulnerabilities that permit an attacker to connect to a discoverable host without user confirmation and inject keystrokes," Newlin said. 

If the attacker is physically close enough to the victim endpoint, he can trick it into thinking it is paired with a new Bluetooth keyboard, and then use this new “keyboard” to run apps, arbitrary commands, and more. All it needs is a Linux computer with a regular Bluetooth adapter.

Google recently published a new security advisory to draw Android users’ attention to the flaw, and said that CVE-2023-45866 could lead to remote escalation of privilege “with no additional execution privileges needed.”

Bluetooth has been getting a lot of bad press lately. Just last week, researchers from Eurecom discovered two flaws collectively named BLUFFS, which allow attackers to mount device impersonation or man-in-the-middle attacks. BLUFFS are tracked as CVE-2023-24023, and affect Bluetooth Core Specification from version 4.2 onward. They affect Bluetooth “at a fundamental level”, the researchers said.

Bluetooth has been around for years and is considered a safe, well-established standard for wireless communication. Therefore, these kinds of vulnerabilities could be abused to compromise billions of devices around the world, including laptops, smartphones, different internet-connected sensors, and more.

Technical details about CVE-2023-45866 are to be released at a later date.

Via TheHackerNews

More from TechRadar Pro

Sign up to read this article
Read news from 100’s of titles, curated specifically for you.
Already a member? Sign in here
Related Stories
Top stories on inkl right now
One subscription that gives you access to news from hundreds of sites
Already a member? Sign in here
Our Picks
Fourteen days free
Download the app
One app. One membership.
100+ trusted global sources.