A critical Bluetooth security flaw could be exploited by threat actors to take control of Android, Linux, macOS and iOS devices.
Tracked as CVE-2023-45866, the issue relates to a case of authentication bypass that enables attackers to connect to susceptible devices and inject keystrokes to achieve code execution as the victim.
"Multiple Bluetooth stacks have authentication bypass vulnerabilities that permit an attacker to connect to a discoverable host without user confirmation and inject keystrokes," said security researcher Marc Newlin, who disclosed the flaws to the software vendors in August 2023.
Specifically, the attack deceives the target device into thinking that it's connected to a Bluetooth keyboard by taking advantage of an "unauthenticated pairing mechanism" that's defined in the Bluetooth specification.
Successful exploitation of the flaw could permit an adversary in close physical proximity to connect to a vulnerable device and transmit keystrokes to install apps and run arbitrary commands.
It's worth pointing out that the attack does not require any specialized hardware, and can be performed from a Linux computer using a regular Bluetooth adapter. Additional technical details of the flaw are expected to be released in the future.
The vulnerability affects a wide range of devices running Android (going back to version 4.2.2, which was released in November 2012), iOS, Linux, and macOS.
Further, the bug affects macOS and iOS when Bluetooth is enabled and a Magic Keyboard has been paired with the vulnerable device. It also works in Apple's LockDown Mode, which is meant to secure against sophisticated digital threats.
In an advisory released this month, Google said CVE-2023-45866 "could lead to remote (proximal/adjacent) escalation of privilege with no additional execution privileges needed."