
Marc Newlin’s Keyboard Spoofing Assault Sends Arbitrary Instructions to Android, iOS, macOS, and Linux

Security researcher Marc Newlin has detailed a flaw in the Bluetooth implementations of Google’s Android, Apple’s iOS and macOS, and Linux which, at its worst, can allow anybody within radio range to silently send unauthenticated commands to your device by pretending to be a keyboard.

“I started with an investigation of wireless gaming keyboards, but they proved to be the wrong kind of dumpster fire, so I looked to Apple’s Magic Keyboard for a challenge. It had two things notably absent from my earlier peripheral research: Bluetooth and Apple,” Newlin, of drone security firm SkySafe, explains of his discovery of the vulnerability.

“I had a lot to learn, but one question led to another,” Newlin continues, “and I was soon reporting unauthenticated Bluetooth keystroke-injection vulnerabilities in macOS and iOS, both exploitable in Lockdown Mode. When I found similar keystroke-injection vulnerabilities in Linux and Android, it started to look less like an implementation bug, and more like a protocol flaw. After reading some of the Bluetooth HID specification, I discovered that it was a bit of both.”

Newlin’s discovery, which builds on his 2016 MouseJack work against non-Bluetooth wireless peripherals, targets the host-peripheral pairing mechanism within the Bluetooth protocol. A Linux box with a low-cost off-the-shelf Bluetooth dongle pretends to be a keyboard and sends a pairing request, one which the target device accepts silently, without any notification to the user. Once paired, the attacker can send arbitrary keystrokes to the target device, including, where reachable from a keyboard, opening applications and issuing commands.

It is a serious flaw, and one which appears to be widespread. Google’s Android platform was found to be the most vulnerable, and could be attacked at any time so long as Bluetooth was enabled. Apple’s desktop macOS and mobile iOS were the second most vulnerable, requiring both that Bluetooth be enabled and that a legitimate Magic Keyboard had previously been paired with the device. The BlueZ stack on Linux was the least vulnerable, falling to the attack only when configured to be discoverable.
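Since the article singles out the discoverable state as the precondition on Linux, a practitioner will want a quick way to check whether a BlueZ host is sitting in that state. The script below is an added example written for this page; it is not code from the article, from Newlin, or from SkySafe. It assumes the key names used in the BlueZ `/etc/bluetooth/main.conf` file (`Discoverable`, `DiscoverableTimeout`, with a default timeout of 180 seconds when the key is absent) and the `Key: value` line format printed by `bluetoothctl show`; the sample configuration and adapter output embedded in it are constructed so that it runs offline.

```shell
#!/bin/sh
# Added example (not from the article or SkySafe): audit whether a BlueZ host is
# in the state the article describes as attackable, i.e. discoverable. Two
# inputs are examined, both passed as text so the functions run offline:
#   1. the contents of /etc/bluetooth/main.conf   (persistent policy)
#   2. the output of `bluetoothctl show`            (live adapter state)
# On a real host: audit_bluez "$(cat /etc/bluetooth/main.conf)" "$(bluetoothctl show)"

# Return 0 if the config makes the adapter discoverable with no timeout, i.e.
# Discoverable = true and DiscoverableTimeout = 0. Commented (#) lines are
# ignored. Assumption: an absent DiscoverableTimeout means the BlueZ default
# of 180 seconds, so the adapter would drop out of discoverable mode on its own.
bluez_conf_persistently_discoverable() {
    conf="$1"
    disc=$(printf '%s\n' "$conf" \
        | sed -n 's/^[[:space:]]*Discoverable[[:space:]]*=[[:space:]]*\([a-z]*\).*/\1/p' | tail -n 1)
    timeout=$(printf '%s\n' "$conf" \
        | sed -n 's/^[[:space:]]*DiscoverableTimeout[[:space:]]*=[[:space:]]*\([0-9]*\).*/\1/p' | tail -n 1)
    [ "$disc" = "true" ] && [ "${timeout:-180}" = "0" ]
}

# Return 0 if the live adapter state reports "Discoverable: yes".
bluez_adapter_discoverable() {
    printf '%s\n' "$1" | grep -q '^[[:space:]]*Discoverable:[[:space:]]*yes'
}

# Return 0 if the live adapter state reports "Pairable: yes".
bluez_adapter_pairable() {
    printf '%s\n' "$1" | grep -q '^[[:space:]]*Pairable:[[:space:]]*yes'
}

# Print one line per finding. Return 1 if the host is discoverable (the
# condition the article names for Linux), 0 otherwise. Pairable alone is
# reported as a note rather than a finding, since the article does not claim
# it is sufficient on its own.
audit_bluez() {
    conf="$1"; show="$2"; rc=0
    if bluez_conf_persistently_discoverable "$conf"; then
        echo "FINDING: main.conf keeps the adapter discoverable with no timeout"; rc=1
    fi
    if bluez_adapter_discoverable "$show"; then
        echo "FINDING: adapter is discoverable right now"; rc=1
    fi
    if bluez_adapter_pairable "$show"; then
        echo "NOTE: adapter is pairable; an unsolicited HID pairing may be accepted on an unpatched stack"
    fi
    return $rc
}

# Constructed sample inputs (not captured from a real system).
SAMPLE_CONF_WEAK='[General]
Name = kiosk
Discoverable = true
DiscoverableTimeout = 0
Pairable = true
'
SAMPLE_CONF_OK='[General]
#Discoverable = false
DiscoverableTimeout = 180
'
SAMPLE_SHOW_WEAK='Controller AA:BB:CC:DD:EE:FF (public)
	Name: kiosk
	Powered: yes
	Discoverable: yes
	DiscoverableTimeout: 0x00000000
	Pairable: yes
'
SAMPLE_SHOW_OK='Controller AA:BB:CC:DD:EE:FF (public)
	Name: laptop
	Powered: yes
	Discoverable: no
	DiscoverableTimeout: 0x000000b4
	Pairable: no
'

echo "== weak host =="; audit_bluez "$SAMPLE_CONF_WEAK" "$SAMPLE_SHOW_WEAK"
echo "== hardened host =="; audit_bluez "$SAMPLE_CONF_OK" "$SAMPLE_SHOW_OK" && echo "no findings"
```

The config parser deliberately matches only the bare `Discoverable` key, so the `DiscoverableTimeout` line and commented-out defaults are not mistaken for a live setting; the same applies to the `Discoverable:` line in the adapter output.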

“Full vulnerability details and proof-of-concept scripts will be released at an upcoming conference,” Newlin promises. “I’m really not sure what type of wireless keyboard to recommend at this point. If you are reading this and you make a secure wireless keyboard, please send me one so I can hack it for you. (I’m serious. I want a challenge.)”

A patch for the flaw is already available for BlueZ on Linux, while Google has supplied fixes for Android 11 through 14 to original equipment manufacturers (OEMs) and will patch its Pixel hardware through the December security update, but will leave end-of-life Android 10 devices vulnerable. Apple has not commented on the vulnerability nor on its plans to patch it.

Newlin’s write-up of the attack is available on the SkySafe GitHub repository; the vulnerability has been assigned CVE-2023-45866 in the Common Vulnerabilities and Exposures project.
