{"id":27034,"date":"2023-12-11T08:22:47","date_gmt":"2023-12-11T13:22:47","guid":{"rendered":"https:\/\/www.kaspersky.co.uk\/blog\/bluetooth-vulnerability-android-ios-macos-linux\/27034\/"},"modified":"2023-12-11T16:08:09","modified_gmt":"2023-12-11T16:08:09","slug":"bluetooth-vulnerability-android-ios-macos-linux","status":"publish","type":"post","link":"https:\/\/www.kaspersky.co.uk\/blog\/bluetooth-vulnerability-android-ios-macos-linux\/27034\/","title":{"rendered":"Hacking Android, macOS, iOS, and Linux through a Bluetooth vulnerability"},"content":{"rendered":"<p>A severe vulnerability <a href=\"https:\/\/thehackernews.com\/2023\/12\/new-bluetooth-flaw-let-hackers-take.html\" target=\"_blank\" rel=\"nofollow noopener\">has been found<\/a> in the implementations of the Bluetooth protocol across several popular operating systems: Android, macOS, iOS, iPadOS, and Linux. This bug potentially allows remote hacking of vulnerable devices without any particular actions required on the part of the user. Let\u2019s dive into the details.\n<\/p>\n<h2>The Bluetooth vulnerability allows you to connect a fake keyboard<\/h2>\n<p>\nThe essence of the problem is that a vulnerable device can be forced to connect to a fake Bluetooth keyboard without requiring user confirmation \u2014 bypassing the operating system\u2019s checks responsible for the Bluetooth protocol. The unauthenticated connection feature is specified in the Bluetooth protocol, and issues with certain implementations of the Bluetooth stack in popular operating systems provide attackers with the opportunity to exploit this mechanism.<\/p>\n<p>The attackers can then use this connection to input commands, allowing them to execute any action as if they were the user \u2014 without requiring additional authentication such as a password or biometrics (like a fingerprint or face scan). 
According to the security researcher Marc Newlin who discovered this vulnerability, <a href=\"https:\/\/github.com\/skysafe\/reblog\/tree\/main\/cve-2023-45866\" target=\"_blank\" rel=\"nofollow noopener\">no special equipment is needed<\/a> for a successful attack \u2014 just a Linux laptop and a standard Bluetooth adapter.<\/p>\n<p>As you might guess, the attack is inherently limited by the Bluetooth interface: an attacker needs to be in close proximity to the victim. This naturally rules out mass exploitation of the vulnerability in question. However, malicious actors exploiting this vulnerability could still be a worry for specific individuals of special interest to those actors.<\/p>\n<input type=\"hidden\" class=\"category_for_banner\" value=\"premium-geek\">\n<h2>Which devices and operating systems are vulnerable?<\/h2>\n<p>\nThis vulnerability affects a range of operating systems and several classes of devices based on them \u2014 albeit with some variations. Depending on the OS used, devices may be more or less vulnerable.\n<\/p>\n<h3>Android<\/h3>\n<p>\nAndroid devices were the most thoroughly examined for the presence of the aforementioned vulnerability. Marc Newlin tested seven smartphones with different OS versions \u2014 Android 4.2.2, Android 6.0.1, Android 10, Android 11, Android 13, and Android 14 \u2014 and found that all of them were vulnerable to the Bluetooth hack. Furthermore, concerning Android, all that\u2019s required for this hack is for Bluetooth to be enabled on the device.<\/p>\n<p>The researcher informed Google of the discovered vulnerability in early August. The company has already released patches for Android versions 11 through 14, and sent them to manufacturers of smartphones and tablets based on this OS. 
These manufacturers now have the task of creating and distributing the necessary security updates to their customers\u2019 devices.<\/p>\n<p>Of course, these patches must be installed as soon as they become available for devices running on Android 11\/12\/13\/14. Until then, to protect against hacking, it\u2019s advisable to keep Bluetooth turned off. For devices running older Android versions, there\u2019ll be no updates \u2014 they\u2019ll remain vulnerable to this attack indefinitely. Thus, the advice to turn Bluetooth off will remain relevant for them until the end of their service life.\n<\/p>\n<h3>MacOS, iPadOS, and iOS<\/h3>\n<p>\nAs for Apple\u2019s operating systems, the researcher didn\u2019t have such a wide range of test devices. Nonetheless, he was able to confirm that the vulnerability is present in iOS 16.6, as well as in two versions of macOS \u2014 Monterey 12.6.7 (x86) and Ventura 13.3.3 (ARM). It\u2019s safe to assume that in fact a wider range of macOS and iOS versions \u2014 as well as related systems like iPadOS, tvOS, and watchOS \u2014 are vulnerable to the Bluetooth attack.<\/p>\n<p>Another piece of bad news is that the enhanced security mode introduced by Apple this year \u2014 the so-called \u201cLockdown Mode\u201d \u2014 doesn\u2019t protect against attacks exploiting this Bluetooth vulnerability. 
This applies to both iOS and macOS.<\/p>\n<div id=\"attachment_50042\" style=\"width: 822px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/86\/2023\/12\/11132542\/bluetooth-vulnerability-android-ios-macos-linux-01.jpg\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-50042\" class=\"size-large wp-image-50042\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/86\/2023\/12\/11132542\/bluetooth-vulnerability-android-ios-macos-linux-01-812x1024.jpg\" alt=\"How to disable Bluetooth in iOS and iPadOS\" width=\"812\" height=\"1024\"><\/a><p id=\"caption-attachment-50042\" class=\"wp-caption-text\">Just in case, we remind you how to properly turn off Bluetooth in iOS and iPadOS: this should be done not through the Control Center but through the Settings<\/p><\/div>\n<p>Fortunately, a successful attack on Apple\u2019s operating systems requires an additional condition besides having Bluetooth enabled: the device must be paired with an Apple Magic Keyboard.<\/p>\n<p>This means that Bluetooth attacks primarily pose a threat to Macs and iPads used with a wireless keyboard. The likelihood of an iPhone being hacked through this vulnerability appears to be negligible.<\/p>\n<p>The researcher reported the discovered bug to Apple around the same time as Google, but so far there\u2019s been no information from the company regarding security updates, or a detailed list of vulnerable OS versions.\n<\/p>\n<h3>Linux<\/h3>\n<p>\nThis attack also works for BlueZ \u2014 the Bluetooth stack included in the official Linux kernel. Marc Newlin confirmed the presence of the Bluetooth vulnerability in Ubuntu Linux versions 18.04, 20.04, 22.04, and 23.10. The bug that made the attack possible was discovered and fixed back in 2020 (<a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2020-0556\" target=\"_blank\" rel=\"nofollow noopener\">CVE-2020-0556<\/a>). 
However, this fix was, by default, <em>disabled<\/em> in most popular Linux distributions, and is only enabled in ChromeOS (according to Google).<\/p>\n<p>The Linux vulnerability discovered by the researcher was assigned the number <a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2023-45866\" target=\"_blank\" rel=\"nofollow noopener\">CVE-2023-45866<\/a>, and a CVSS v3 score of <a href=\"https:\/\/access.redhat.com\/security\/cve\/cve-2023-45866\" target=\"_blank\" rel=\"nofollow noopener\">7.1 out of 10<\/a>, according to Red Hat. For successful exploitation of this vulnerability, only one condition needs to be met: the Linux device must be discoverable and connectable through Bluetooth.<\/p>\n<p>The good news is that a <a href=\"https:\/\/git.kernel.org\/pub\/scm\/bluetooth\/bluez.git\/commit\/profiles\/input?id=25a471a83e02e1effb15d5a488b3f0085eaeb675\" target=\"_blank\" rel=\"nofollow noopener\">patch for this vulnerability in Linux is already available<\/a>, and we recommend installing it as soon as possible.<\/p>\n<input type=\"hidden\" class=\"category_for_banner\" value=\"premium-geek\">\n","protected":false},"excerpt":{"rendered":"<p>A researcher has discovered a vulnerability in the Bluetooth protocol implementations for Android, macOS, iOS, and Linux, allowing devices to be hacked 
remotely.<\/p>\n","protected":false},"author":2706,"featured_media":27037,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[2026],"tags":[105,14,381,22,82,1150,3348,543,527,97,529,268],"class_list":{"0":"post-27034","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-threats","8":"tag-android","9":"tag-apple","10":"tag-bluetooth","11":"tag-google","12":"tag-hacking","13":"tag-ios","14":"tag-ipados","15":"tag-linux","16":"tag-macos","17":"tag-security-2","18":"tag-threats","19":"tag-vulnerabilities"},"hreflang":[{"hreflang":"en-gb","url":"https:\/\/www.kaspersky.co.uk\/blog\/bluetooth-vulnerability-android-ios-macos-linux\/27034\/"},{"hreflang":"en-in","url":"https:\/\/www.kaspersky.co.in\/blog\/bluetooth-vulnerability-android-ios-macos-linux\/26766\/"},{"hreflang":"en-ae","url":"https:\/\/me-en.kaspersky.com\/blog\/bluetooth-vulnerability-android-ios-macos-linux\/22180\/"},{"hreflang":"ar","url":"https:\/\/me.kaspersky.com\/blog\/bluetooth-vulnerability-android-ios-macos-linux\/11286\/"},{"hreflang":"en-us","url":"https:\/\/usa.kaspersky.com\/blog\/bluetooth-vulnerability-android-ios-macos-linux\/29517\/"},{"hreflang":"es-mx","url":"https:\/\/latam.kaspersky.com\/blog\/bluetooth-vulnerability-android-ios-macos-linux\/26907\/"},{"hreflang":"es","url":"https:\/\/www.kaspersky.es\/blog\/bluetooth-vulnerability-android-ios-macos-linux\/29478\/"},{"hreflang":"it","url":"https:\/\/www.kaspersky.it\/blog\/bluetooth-vulnerability-android-ios-macos-linux\/28308\/"},{"hreflang":"ru","url":"https:\/\/www.kaspersky.ru\/blog\/bluetooth-vulnerability-android-ios-macos-linux\/36694\/"},{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/bluetooth-vulnerability-android-ios-macos-linux\/50038\/"},{"hreflang":"fr","url":"https:\/\/www.kaspersky.fr\/blog\/bluetooth-vulnerability-android-ios-macos-linux\/21299\
/"},{"hreflang":"pt-br","url":"https:\/\/www.kaspersky.com.br\/blog\/bluetooth-vulnerability-android-ios-macos-linux\/22087\/"},{"hreflang":"de","url":"https:\/\/www.kaspersky.de\/blog\/bluetooth-vulnerability-android-ios-macos-linux\/30750\/"},{"hreflang":"ja","url":"https:\/\/blog.kaspersky.co.jp\/bluetooth-vulnerability-android-ios-macos-linux\/35410\/"},{"hreflang":"ru-kz","url":"https:\/\/blog.kaspersky.kz\/bluetooth-vulnerability-android-ios-macos-linux\/27276\/"},{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/bluetooth-vulnerability-android-ios-macos-linux\/33050\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/bluetooth-vulnerability-android-ios-macos-linux\/32673\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/www.kaspersky.co.uk\/blog\/tag\/vulnerabilities\/","name":"vulnerabilities"},"_links":{"self":[{"href":"https:\/\/www.kaspersky.co.uk\/blog\/wp-json\/wp\/v2\/posts\/27034","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.kaspersky.co.uk\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.kaspersky.co.uk\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.kaspersky.co.uk\/blog\/wp-json\/wp\/v2\/users\/2706"}],"replies":[{"embeddable":true,"href":"https:\/\/www.kaspersky.co.uk\/blog\/wp-json\/wp\/v2\/comments?post=27034"}],"version-history":[{"count":3,"href":"https:\/\/www.kaspersky.co.uk\/blog\/wp-json\/wp\/v2\/posts\/27034\/revisions"}],"predecessor-version":[{"id":27039,"href":"https:\/\/www.kaspersky.co.uk\/blog\/wp-json\/wp\/v2\/posts\/27034\/revisions\/27039"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.kaspersky.co.uk\/blog\/wp-json\/wp\/v2\/media\/27037"}],"wp:attachment":[{"href":"https:\/\/www.kaspersky.co.uk\/blog\/wp-json\/wp\/v2\/media?parent=27034"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.kaspersky.co.uk\/blog\/wp-json\/wp\/v2\/categories?post=27034"},{"taxonomy":"post_ta
g","embeddable":true,"href":"https:\/\/www.kaspersky.co.uk\/blog\/wp-json\/wp\/v2\/tags?post=27034"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}