
A recently discovered vulnerability in Bluetooth, CVE-2023-45866, opens the door to a hostile takeover of Android, Apple and Linux devices. Security researcher Marc Newlin made the discovery.

In a posting on GitHub, Newlin recently disclosed the Bluetooth vulnerability CVE-2023-45866. By exploiting this vulnerability, hackers can bypass authentication to connect to affected devices. They can inject keystrokes to run code and subsequently even take over the devices.

Bluetooth vulnerability details

The vulnerability is in the Bluetooth protocol. Marc Newlin discovered that this flaw, when combined with specific bugs for different operating systems, allows hackers to impersonate a Bluetooth keyboard and connect to a Bluetooth device without the user's consent. This is also known as keystroke injection.

The Bluetooth vulnerability affects multiple operating systems, specifically Android, Apple’s macOS and Linux. Android has been vulnerable since version 4.2.2, and all versions are affected if Bluetooth is enabled.

As for Apple devices, the vulnerability affects multiple Mac and iPhone models. For Linux, several Ubuntu versions, among others, are vulnerable.

Patches implemented

Several vendors were able to release patches before the publication of this important vulnerability. For example, Google has released fixes for Android versions 11 through 14, and Canonical, the vendor of Ubuntu, has also implemented a patch.

Only Apple has yet to release specific patches for the Bluetooth vulnerability.
