New Bluetooth vulnerability allows takeover of iOS, Android, Linux, and MacOS devices
News Analysis
Jan 17, 2024, 6 mins
Mobile Security, Vulnerabilities
Security researcher Marc Newlin shared how he discovered the Bluetooth bug that leaves keyboards vulnerable to injection attacks that can allow attackers to take over user devices.
Over the past six weeks, Google, Microsoft, Linux (BlueZ), and Apple have rolled out fixes for a Bluetooth security flaw that, among other things, tricks the Bluetooth host machine into pairing with a fake keyboard without user confirmation, allowing threat actors to take control of Android, Linux, macOS, and iOS devices.
The flaw tracked as CVE-2023-45866 (CVE-2024-0230 for Apple and CVE-2024-21306 for Microsoft) leaves Android devices vulnerable whenever Bluetooth is enabled, while Linux devices require Bluetooth to be discoverable or connectable. iOS and macOS devices become vulnerable to the flaw when Bluetooth is enabled and a Magic Keyboard has been paired with the phone or computer.
At this year’s Shmoocon conference in Washington, DC, billed as the penultimate edition of the annual event, Marc Newlin, principal reverse engineer at SkySafe, was finally able to take the wraps off the research that led to his discovery of the flaw: Apple, the last of the affected vendors to ship fixes, released its patches on January 11. In his presentation, entitled My Name Is Keyboard, Newlin explained how he arrived at his discovery.
Extracting Bluetooth link keys and pairing with different hosts
“If a device has a radio, I have to hack it,” Newlin said during his talk. “I can’t own something with a radio and not know how it works and how it’s broken.”
Newlin has disclosed wirelessly exploitable vulnerabilities for several vendors, most notably in 2016 when he helped discover a class of security vulnerabilities called MouseJack that allowed keystroke injection into wireless mice. “I figured that in eight years, maybe the public shaming that I gave those vendors would’ve caused them to prove their security standards or their security posture,” Newlin said.
In search of a “stunt hacking project,” Newlin “noticed that this current generation of gaming keyboards has addressable LEDs, and I like projects with blinky lights. So, I figured I would buy some of these flagship gaming keyboards for the peripheral vendors and see if they were any better than the MouseJack era. Unfortunately, they weren’t.”
After making headway on fuzzing Dell’s AW920K keyboard but meeting obstacles, Newlin moved on. Apple keyboards didn’t seem the most likely candidates for his next area of research. “I fell victim to Apple’s marketing and all this common wisdom that says these ubiquitous protocols like Bluetooth that everyone uses are inherently secure because if they weren’t, somebody would’ve found the bugs,” he said.
“I just assumed that Apple was going to be beyond my ability, but now eight years have passed since MouseJack. What I’ve loved about my skillset [is that I’ve] gotten a lot more comfortable with failure. And so, I decided it was finally time to look at Apple and Bluetooth and see what I could find.”
Newlin bought the least expensive Apple Magic Keyboard model that can function as a USB or Bluetooth keyboard and discovered that vulnerabilities in the Magic Keyboard could be exploited to extract the Bluetooth link key via the Lightning port or over unauthenticated Bluetooth. He also found that if Lockdown Mode is not enabled, the link key can be read from the paired Mac over a Lightning cable or USB.
The details are complex, but in short the vulnerabilities can be exploited to extract the Bluetooth link key from a Magic Keyboard or from its paired Mac by several routes: out-of-band pairing, unauthenticated Bluetooth human interface devices (HIDs), reading the key over the keyboard’s Lightning port or the Mac’s USB port, or pairing the Magic Keyboard to a different host.
Bluetooth vulnerability extends to other platforms
After discovering the Apple vulnerabilities, Newlin expanded his scope to other platforms, starting with Android. “Sure enough, it worked. I was able to pair and inject keystrokes into the Android device,” he said. “The user does not have to have a keyboard paired with their phone already. And as long as Bluetooth is enabled on the Android device, at any time the phone is on them, and Bluetooth is on, the attacker can then force pair an emulated keyboard with the Android device and inject keystrokes, including at the lock screen.”
Newlin then turned to Linux. “It turns out that the Linux attack is very, very similar,” he said. “On Linux, as long as the host is discoverable and connectable over Bluetooth, the attacker can force-pair a keyboard and inject keystrokes without the user’s confirmation. And so, this is distinct from Android in that the device has to be not only connectable but also discoverable and connectable on Linux for the attack.” Linux fixed this bug in 2020 but left the fix disabled by default.
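The Linux fix that shipped disabled by default is, by my reading, the BlueZ setting that restricts classic HID connections to already-bonded devices. The following audit script is an added example, not code from the article, from Newlin, or from the BlueZ project; it assumes that BlueZ exposes that setting as the `ClassicBondedOnly` key in the `[General]` section of `/etc/bluetooth/input.conf` and that unpatched releases ship it commented out. The two sample configs are constructed for illustration.

```python
"""Audit a BlueZ input.conf for the bonded-only HID setting.

Assumptions (not stated in the article): BlueZ exposes its 2020 fix as the
ClassicBondedOnly key under [General] in /etc/bluetooth/input.conf, and
releases that predate the late-2023 patch ship that key commented out.
"""
import configparser
from pathlib import Path

INPUT_CONF = Path("/etc/bluetooth/input.conf")  # assumed BlueZ location

# Constructed samples: the weak (unpatched) default beside the hardened form.
WEAK_CONF = """[General]
# Limit classic HID connections to bonded devices (disabled by default)
#ClassicBondedOnly=true
"""
HARDENED_CONF = """[General]
ClassicBondedOnly=true
"""


def classic_bonded_only(conf_text: str, daemon_default: bool = False) -> bool:
    """Return True when the config text enables ClassicBondedOnly.

    daemon_default is what bluetoothd falls back to when the key is absent or
    commented out; pass True only for a BlueZ build whose built-in default is
    already the protective one.
    """
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(conf_text)  # full-line '#' comments are ignored
    try:
        return parser.getboolean("General", "ClassicBondedOnly",
                                 fallback=daemon_default)
    except ValueError:
        return False  # unparsable value: treat the protection as off


def audit(path: Path = INPUT_CONF, daemon_default: bool = False) -> str:
    """Read the live config and return a one-line verdict for an ops report."""
    if not path.exists():
        return f"{path}: not found; bluetoothd is using its built-in default"
    enabled = classic_bonded_only(path.read_text(), daemon_default)
    state = "ENABLED" if enabled else "DISABLED (unbonded HIDs may connect)"
    return f"{path}: ClassicBondedOnly is {state}"


if __name__ == "__main__":
    print(audit())
```

Run it on each Linux host with Bluetooth enabled; a DISABLED verdict on an older BlueZ means the host still depends on not being discoverable and connectable.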
The hacker community should continue probing Bluetooth flaws
“I think it’s easy to blame the vendors or blame the Bluetooth team, but I think there’s shared responsibility here. I think the vendors definitely dropped the ball by missing these bugs. Some of them have been around for more than a decade. I think we, as the hacker community, dropped the ball by not finding these.”
Newlin received $1,000 from Microsoft and $15,000 from Google in bug bounties for his efforts. Apple, however, is still reviewing whether or how much it will pay Newlin. “I’m not sure where that’ll land,” Newlin said. “And I’m also not sure if my bugs will be eligible for the Apple Bounty program because they don’t fit neatly into any of their bug bounty categories.”
Newlin encourages security researchers to continue probing Bluetooth flaws. “I think it’ll probably be a while [before the full extent of Bluetooth flaws is known] because it will take the community actually fleshing these out and identifying all these additional affected systems beyond what I’ve seen myself,” he said.
“I think there are other types of Bluetooth vulnerabilities that might be possible with these same attack vectors, but I don’t have enough knowledge about Bluetooth at this point to really understand where that will go,” Newlin tells CSO. “I have seen a lot of excitement from some friends with whom I’ve shared the proof-of-concept code, and so I’m encouraged that people are excited to dig into this.”
Contributing Writer
Cynthia Brumfield is a veteran communications and technology analyst who is currently focused on cybersecurity. She runs a cybersecurity news destination site, Metacurity.com, consults with companies through her firm DCT-Associates, and is the author of the book published by Wiley, Cybersecurity Risk Management: Mastering the Fundamentals Using the NIST Cybersecurity Framework.