A significant security vulnerability affecting Bluetooth technology poses risks to Android, Linux, macOS, and iOS devices. Identified as CVE-2023-45866, this flaw allows malicious actors to bypass authentication procedures, enabling unauthorized access to susceptible devices and the capability to execute commands remotely.
According to security researcher Marc Newlin, who disclosed these vulnerabilities to software vendors in August 2023, multiple Bluetooth stacks are susceptible to flaws that permit attackers to connect to discoverable devices without requiring user interaction. The exploit manipulates the device into erroneously believing it is coupled with a Bluetooth keyboard, leveraging a defined “unauthenticated pairing mechanism” in the Bluetooth specification.
This exploitation method could allow an adversary within physical proximity to establish a connection with the targeted device, subsequently injecting keystrokes which might enable the installation of applications or execution of arbitrary commands. The repercussions of such activity underscore the potential for serious misconduct, particularly in environments with sensitive data.
The vulnerability impacts a broad array of devices, including those running Android from version 4.2.2 onward, and extends across macOS and iOS platforms when Bluetooth is enabled, especially if a Magic Keyboard is previously paired. Notably, the issue persists even in Apple’s LockDown Mode, which is designed to counter advanced security threats.
In a recent advisory, Google highlighted that CVE-2023-45866 presents the potential for remote privilege escalation by authorized attackers without necessitating further execution permissions. This underlines the urgency for organizations to review their device security measures, particularly given the ease of attack and the lack of specialized hardware requirement—any Linux machine equipped with a standard Bluetooth adapter could execute the exploit.
As a response to the vulnerability, Apple has deployed fixes in its Magic Keyboard Firmware Update 2.0.6, addressing what it labels as CVE-2024-0230. The update encompasses multiple iterations of the Magic Keyboard, reinforcing security against the identified flaw. Apple further cautioned that an attacker with direct access to the accessory might be capable of extracting its pairing key and surveilling Bluetooth communications.
In a bid to fortify defenses, Microsoft has also addressed this vulnerability in its January 2024 Patch Tuesday updates, categorizing the flaw under CVE-2024-21306 with a CVSS score of 5.7. The swift action taken by both tech giants indicates the critical nature of this vulnerability and its implications for device security.
For businesses operating in an increasingly interconnected environment, awareness of such vulnerabilities is paramount. Employing strategies aligned with the MITRE ATT&CK framework, organizations should focus on enhancing their defenses against initial access and privilege escalation tactics that exploit authentication weaknesses. As further details on this vulnerability emerge, continuous vigilance and prompt response will be essential to mitigate associated risks.
