A critical Bluetooth flaw, tracked as CVE-2023-45866 [1], has been discovered that affects Apple, Android, and Linux devices [1] [2]. The flaw allows attackers to connect to these devices and inject keystrokes to run arbitrary commands.


The flaw has existed unnoticed for years and can be exploited from a Linux machine using a regular Bluetooth adapter, without requiring any special hardware [1]. It tricks the Bluetooth host state machine into pairing with a fake keyboard without user confirmation [1] [2]. Although the issue was fixed in Linux in 2020, ChromeOS is the only Linux-based operating system that has enabled the fix [1]. Patches have been released for most affected devices, but some, including Apple devices, remain vulnerable [2]. The researcher who discovered the flaw plans to provide more details and proof-of-concept code at an upcoming conference once the vulnerabilities have been patched [1]. The researcher has informed Apple, Google, Canonical, and the Bluetooth SIG of the flaw [2]. Currently, there is no known active exploitation in the wild [2].
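
One way to check whether a Linux host has the fix switched on, as an added example that is not from the cited articles or the researcher. It assumes the 2020 fix mentioned above corresponds to the BlueZ `ClassicBondedOnly` option in the `[General]` section of `input.conf`, and that the file lives at `/etc/bluetooth/input.conf`; the sample configurations are constructed.

```python
import configparser
import sys

# Assumption: usual location of the BlueZ input plugin configuration.
DEFAULT_PATH = "/etc/bluetooth/input.conf"

ADVICE = {
    "enabled": "HID connections are accepted only from bonded devices",
    "disabled": "explicitly off: set ClassicBondedOnly=true and restart bluetooth",
    "unset": "not set: the installed BlueZ build default applies, set it explicitly",
    "invalid": "unparseable file or value: BlueZ may fall back to its build default",
}

# Constructed sample files (not taken from any real host).
SAMPLES = {
    "stock": "[General]\n#IdleTimeout=30\n#ClassicBondedOnly=true\n",
    "hardened": "[General]\nClassicBondedOnly=true\n",
    "weakened": "[General]\nClassicBondedOnly=false\n",
    "typo": "[General]\nClassicBondedOnly=yes\n",
}

def classic_bonded_only(conf_text):
    """Classify ClassicBondedOnly as enabled, disabled, unset or invalid."""
    parser = configparser.ConfigParser(strict=False, interpolation=None)
    parser.optionxform = str  # keep key case; the key-file format is case-sensitive
    try:
        parser.read_string(conf_text)
    except configparser.Error:
        return "invalid"
    if not parser.has_option("General", "ClassicBondedOnly"):
        return "unset"  # absent or commented out
    value = parser.get("General", "ClassicBondedOnly").strip()
    # Assumption: the key-file boolean syntax accepts only true/false/1/0.
    if value in ("true", "1"):
        return "enabled"
    if value in ("false", "0"):
        return "disabled"
    return "invalid"

def audit(path=DEFAULT_PATH):
    """Read the config at `path` and return (state, advice)."""
    try:
        with open(path, encoding="utf-8") as fh:
            state = classic_bonded_only(fh.read())
    except FileNotFoundError:
        state = "unset"
    return state, ADVICE[state]

if __name__ == "__main__":
    state, advice = audit(sys.argv[1] if len(sys.argv) > 1 else DEFAULT_PATH)
    print(f"ClassicBondedOnly: {state} - {advice}")
    sys.exit(0 if state == "enabled" else 1)
```

A non-zero exit status marks any host where the option is not explicitly enabled, which makes the script usable as a fleet compliance check.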


It is crucial for users of Apple, Android, and Linux devices [1] [2] to be aware of this Bluetooth flaw and take necessary precautions. While patches have been released for most affected devices [2], it is important to ensure that all devices are updated to protect against potential attacks. The researcher's efforts to inform relevant parties and provide more information will contribute to the development of effective mitigations. This discovery highlights the need for ongoing vigilance and prompt action to address vulnerabilities in technology.


[1] https://cyber.vumetric.com/security-news/2023/12/06/apple-and-some-linux-distros-are-open-to-bluetooth-attack/
[2] https://www.darkreading.com/vulnerabilities-threats/critical-bluetooth-flaw-exposes-android-apple-and-linux-devices-to-keystroke-injection-attack