Media Talks About Android, Linux, macOS Security Issues While Microsoft Blames Windows Holes on "Russia"
-
CyberRisk Alliance LLC ☛ Critical Bluetooth flaw could take over Android, Apple, Linux devices [Ed: The media goes on and on about it while Microsoft blames "Russia" for Windows having loads of severe holes in it. Silicon Angle ☛ Microsoft-sponsored media does this a lot.]
A critical Bluetooth security bug that’s reportedly been lurking about for several years can potentially be exploited by attackers to take control of Android, Linux, macOS, and iOS machines.
-
Critical Bluetooth flaw exposes Android, Apple & Linux devices to takeover [Ed: Complexity breeds insecurity]
Attackers can exploit a critical Bluetooth security vulnerability that’s been lurking largely unnoticed for years on macOS, iOS, Android, and Linux device platforms. The keystroke injection vulnerability allows an attacker to control the targeted device as if they were attached by a Bluetooth keyboard, performing various functions remotely depending on the endpoint.
Tracked as CVE-2023-45866, the flaw exists in how the Bluetooth protocol is implemented on various platforms. It works “by tricking the Bluetooth host state-machine into pairing with a fake keyboard without user confirmation,” Marc Newlin, principal reverse engineer at SkySafe, revealed in a blog post published Dec. 6.
-
Hacker News ☛ New Bluetooth Flaw Let Hackers Take Over Android, Linux, macOS, and iOS Devices
Tracked as CVE-2023-45866, the issue relates to a case of authentication bypass that enables attackers to connect to susceptible devices and inject keystrokes to achieve code execution as the victim.
An update
Some more chaff:
-
Bluetooth Vulnerability Enables Keystroke Injection on Android, Linux, macOS, iOS
Keystroke injection is a method wherein malicious commands or keystrokes are remotely injected into a system to compromise or manipulate its functionality, often exploited for unauthorized access or control.
-
Android, Linux, Apple Devices Exposed to Bluetooth Keystroke Injection Attacks
The Bluetooth protocol suffers from an authentication bypass flaw, CVE-2023-45866, allowing attackers within Bluetooth range to connect to vulnerable devices without user confirmation. This flaw, discovered by software engineer Marc Newlin, permits the injection of keystrokes, potentially enabling unauthorized actions like app installations or message forwarding. Newlin observed this issue in macOS, iOS, Android, and Linux systems, originating from a combination of implementation faults and protocol vulnerabilities. Google has addressed the vulnerability in Android security updates from December 2023, providing patches for devices running Android 11 to 14. Linux distributions have also released fixes, although the patch remains disabled by default in some platforms, except for ChromeOS. Notably, even Lockdown Mode in macOS and iOS doesn’t prevent this attack if Bluetooth is enabled and a Magic Keyboard is paired.
-
Bluetooth Vulnerability Exposes macOS, iOS, Linux, and Android Devices
A high-severity Bluetooth vulnerability has been found by a software engineer at drone tech firm SkySafe. The security flaw allows malicious actors to make unauthorized connections to Linux, Android, and Apple devices to run arbitrary commands. The flaw has been reported to Google, Apple, and Bluetooth SIG.
Known as CVE-2023-45866, the vulnerability bypasses the authentication system of Bluetooth systems. It connects to any discoverable host to easily inject keystrokes on the infiltrated device with the help of a standard Bluetooth adapter. Essentially, the flaw fools the targeted device into believing it is connected to a Bluetooth keyboard through an unauthenticated pairing mechanism.
-
This Bluetooth security flaw could be used to hijack Apple and Linux devices [Ed: This helps the Microsoft-sponsored media distract from Windows and Exchange being massively cracked at a huge scale at the moment]
Experts have uncovered a way to trick a Bluetooth-enabled device into thinking it has connected to a wireless keyboard when, in fact, it’s connecting to another computer.
-
An 11-year-old bug could render your Android device prone to an attack
If you’re adamant about ensuring all of your devices are as secure as possible, you might assume you’re safe through means such as two-factor authentication. There are several ways to manage your sensitive information these days, and these precautions can reduce the chances of a breach. However, some of your devices might be flawed through no fault of your own, and it’s these bugs that pose a threat. Now, a bug that has been around since at least 2012 could be rendering your Android device vulnerable.
-
Marc Newlin's Keyboard Spoofing Attack Sends Arbitrary Commands to Android, iOS, macOS, and Linux
Security researcher Marc Newlin has detailed a flaw in Bluetooth implementations on Google's Android, Apple's iOS and macOS, and Linux which, at its worst, can allow anyone within radio range to silently send unauthenticated commands to your device — by pretending to be a keyboard.
"I started with an investigation of wireless gaming keyboards, but they proved to be the wrong kind of dumpster fire, so I looked to Apple's Magic Keyboard for a challenge. It had two things notably absent from my earlier peripheral research: Bluetooth and Apple," Newlin, of drone security firm SkySafe, explains of his discovery of the vulnerability.