A severe vulnerability has been found in the implementations of the Bluetooth protocol across several popular operating systems: Android, macOS, iOS, iPadOS, and Linux. This bug potentially allows remote hacking of vulnerable devices without any particular actions required on the part the user. Let’s dive into the details.
The Bluetooth vulnerability allows you to connect a fake keyboard
The essence of the problem is that a vulnerable device can be forced to connect to a fake Bluetooth keyboard without requiring user confirmation — bypassing the operating system’s checks responsible for the Bluetooth protocol. The unauthenticated connection feature is specified in the Bluetooth protocol, and issues with certain implementations of the Bluetooth stack in popular operating systems provide attackers with the opportunity to exploit this mechanism.
The attackers can then use this connection to input commands, allowing them to execute any action as if they were the user — without requiring additional authentication such as a password or biometrics (like a fingerprint or face scan). According to the security researcher Marc Newlin who discovered this vulnerability, no special equipment is needed for a successful attack — just a Linux laptop and a standard Bluetooth adapter.
As you might guess, the attack is inherently limited by the Bluetooth interface: an attacker needs to be in close proximity to the victim. This naturally rules out mass exploitation of the vulnerability in question. However, malicious actors exploiting this vulnerability could still be a worry for specific individuals of special interest to those actors.
Which devices and operating systems are vulnerable?
This vulnerability affects a range of operating systems and several classes of devices based on them — albeit with some variations. Depending on the OS used, devices may be more or less vulnerable.
Android devices were the most thoroughly examined for the presence of the aforementioned vulnerability. Marc Newlin tested seven smartphones with different OS versions — Android 4.2.2, Android 6.0.1, Android 10, Android 11, Android 13, and Android 14 — and found that all of them were vulnerable to the Bluetooth hack. Furthermore, concerning Android, all that’s required for this hack is for Bluetooth to be enabled on the device.
The researcher informed Google of the discovered vulnerability in early August. The company has already released patches for Android versions 11 through 14, and sent them to manufacturers of smartphones and tablets based on this OS. These manufacturers now have the task of creating and distributing the necessary security updates to their customers’ devices.
Of course, these patches must be installed as soon as they become available for devices running on Android 11/12/13/14. Until then, to protect against hacking, it’s advisable to keep Bluetooth turned off. For devices running older Android versions, there’ll be no updates — they’ll remain vulnerable to this attack indefinitely. Thus, the advice to turn Bluetooth off will remain relevant for them until the end of their service life.
MacOS, iPadOS, and iOS
As for Apple’s operating systems, the researcher didn’t have such a wide range of test devices. Nonetheless, he was able to confirm that the vulnerability is present in iOS 16.6, as well as in two versions of macOS — Monterey 12.6.7 (x86) and Ventura 13.3.3 (ARM). It’s safe to assume that in fact a wider range of macOS and iOS versions — as well as related systems like iPadOS, tvOS, and watchOS — are vulnerable to the Bluetooth attack.
Another piece of bad news is that the enhanced security mode introduced by Apple this year — the so-called “Lockdown Mode” — doesn’t protect against attacks exploiting this Bluetooth vulnerability. This applies to both iOS and macOS.
Fortunately, a successful attack on Apple’s operating systems requires an additional condition besides having Bluetooth enabled: the device must be paired with an Apple Magic Keyboard.
This means that Bluetooth attacks primarily pose a threat to Macs and iPads used with a wireless keyboard. The likelihood of an iPhone being hacked through this vulnerability appears to be negligible.
The researcher reported the discovered bug to Apple around the same time as Google, but so far there’s been no information from the company regarding security updates, or a detailed list of vulnerable OS versions.
This attack also works for BlueZ — the Bluetooth stack included in the official Linux kernel. Mark Newlin confirmed the presence of the Bluetooth vulnerability in Ubuntu Linux versions 18.04, 20.04, 22.04, and 23.10. The bug that made the attack possible was discovered and fixed back in 2020 (CVE-2020-0556). However, this fix was, by default, disabled in most popular Linux distributions, and is only enabled in ChromeOS (according to Google).
The Linux vulnerability discovered by the researcher was assigned the number CVE-2023-45866, and a CVSS v3 score of 7.1 out of 10, according to Red Hat. For successful exploitation of this vulnerability, only one condition needs to be met: the Linux device must be discoverable and connectable through Bluetooth.
The good news is that a patch for this vulnerability in Linux is already available, and we recommend installing it as soon as possible.