Tom’s Guide
Anthony Spadafora

This critical Bluetooth flaw can let hackers control your devices — what you need to know


Turning off Bluetooth entirely when out in public might seem like a reasonable idea following the discovery of two new vulnerabilities that put iPhones, Android smartphones, Macs and other devices at risk of attack.

While the first vulnerability, known as BLUFFS, could allow an attacker to impersonate your devices, the second could be exploited by hackers to take full control of your devices, as if they were paired to a Bluetooth keyboard.

As reported by Dark Reading, this newly discovered critical Bluetooth vulnerability (tracked as CVE-2022-45866) is a keystroke injection flaw that works by tricking your smartphone or computer into pairing with a fake keyboard. To make matters worse, this fake keyboard can connect to your devices without confirmation from you.

The flaw itself was discovered by SkySafe’s Marc Newlin, who detailed his findings in a blog post. He explained that he stumbled upon it when investigating Apple’s Magic Keyboard. Newlin soon realized that the flaw is even exploitable in Lockdown Mode on both iOS and macOS, though Android and Linux devices are vulnerable as well.

Once an attacker has paired an emulated Bluetooth keyboard with your smartphone or computer, they can then perform any action that doesn’t require a password or your fingerprint. From installing new apps to forwarding emails or text messages, there’s a lot someone can do, even without direct access to your devices.

A simple flaw that’s gone undetected for a decade

Unlike the recently discovered flaw in the Bluetooth protocol, this one has been around for at least 10 years. The reason it has gone undetected for so long, according to Newlin, is that it’s a relatively simple flaw hidden in plain sight.

While other security researchers have been looking for weaknesses in Bluetooth’s encryption schemes, few have thought to search for simple authentication-bypass bugs like this one.

Android phones have been vulnerable to this flaw since 2012, when Android 4.2.2 was released. The flaw was patched in the Linux kernel in 202, but for some reason the fix was left disabled by default, according to Newlin’s research into the matter.

Since his discovery, Newlin has informed Apple, Google and Bluetooth SIG about the flaw. While there are patches for most of the impacted devices, some still remain vulnerable, including many of the best MacBooks as well as several iPhones and Android smartphones.

How to stay safe from Bluetooth attacks


When it comes to malware and malicious apps, the best antivirus software or one of the best Android antivirus apps can help protect your devices from potential attacks. Unfortunately, the same can’t be said for attacks that exploit Bluetooth flaws.

Your only option is to disable Bluetooth when out in public, which can be really inconvenient for those who use wireless earbuds or one of the best smartwatches, and especially so for people who wear a Bluetooth hearing aid. Turning Bluetooth off in public helps because an attacker would need to be in close proximity to you and your devices to exploit this flaw.

Thankfully, this is a critical vulnerability that Apple, Google and other hardware makers as well as Bluetooth SIG have already been informed about, so if your device hasn’t been patched yet, a fix will likely arrive soon. As such, you're going to want to install any new security updates for your smartphone or computer as soon as they become available.

We’ll update this story as we learn more about this vulnerability and how companies are planning on addressing it.
