A critical Bluetooth security flaw could be exploited by threat actors to consider manage of Android, Linux, macOS and iOS gadgets.
Tracked as CVE-2023-45866, the issue relates to a circumstance of authentication bypass that permits attackers to link to susceptible units and inject keystrokes to accomplish code execution as the sufferer.
“Many Bluetooth stacks have authentication bypass vulnerabilities that permit an attacker to hook up to a discoverable host without the need of consumer confirmation and inject keystrokes,” mentioned security researcher Marc Newlin, who disclosed the flaws to the application vendors in August 2023.
Specifically, the attack deceives the goal product into considering that it is connected to a Bluetooth keyboard by having edge of an “unauthenticated pairing mechanism” which is described in the Bluetooth specification.
Prosperous exploitation of the flaw could allow an adversary in shut bodily proximity to hook up to a vulnerable machine and transmit keystrokes to put in apps and run arbitrary commands.
It truly is worthy of pointing out that the attack does not need any specialised components, and can be performed from a Linux pc using a typical Bluetooth adapter. Extra complex facts of the flaw are predicted to be introduced in the upcoming.
The vulnerability affects a extensive selection of products working Android (heading back to edition 4.2.2, which was produced in November 2012), iOS, Linux, and macOS.
Additional, the bug influences macOS and iOS when Bluetooth is enabled and a Magic Keyboard has been paired with the vulnerable machine. It also will work in Apple’s LockDown Method, which is intended to protected from complex electronic threats.
In an advisory introduced this thirty day period, Google mentioned CVE-2023-45866 “could direct to distant (proximal/adjacent) escalation of privilege with no additional execution privileges essential.”
Discovered this write-up exciting? Follow us on Twitter and LinkedIn to examine extra exceptional material we publish.
Some parts of this article are sourced from:
thehackernews.com