A significant Bluetooth authentication bypass vulnerability, identified as CVE-2023-45866, has been reported to affect devices across Apple, Android, and Linux platforms. The flaw, which allows unauthorized connection and keystroke injection without specialized hardware, was disclosed by Marc Newlin of SkySafe. Newlin plans to release detailed information and proof-of-concept code at a future conference, once patches are widely implemented.
The vulnerability exploits a weakness in the Bluetooth host state machine, allowing a fake keyboard to be paired without user consent. This issue, rooted in the Bluetooth specification itself, has been present in devices as old as the BLU DASH 3.5 running Android 4.2.2, released in 2012. While Google has provided fixes for Android versions 11 through 14, older versions remain unpatched.
Linux distributions have been affected differently, with ChromeOS being the only one that has activated a fix. Other popular distributions like Ubuntu, Debian, Fedora, Gentoo, Arch, and Alpine have not enabled the patch by default, leaving several versions of Ubuntu vulnerable.
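A defender-side check for the Linux situation described above, added here as an example (it is not code from the article, from SkySafe or from BlueZ): it assumes the BlueZ fix is the ClassicBondedOnly option in the [General] section of /etc/bluetooth/input.conf, and reports whether that mitigation is active on a host.

```shell
#!/bin/sh
# Added example, not from the original article: report whether the BlueZ
# mitigation for CVE-2023-45866 is active on a Linux host. Assumption: the
# fix shipped by BlueZ is the ClassicBondedOnly option in the [General]
# section of /etc/bluetooth/input.conf; when true, bluetoothd refuses HID
# connections from classic Bluetooth devices that have not bonded, which is
# what an unauthenticated fake-keyboard pairing depends on. Distributions
# that "have not enabled the patch" ship the option absent or false.

# Print "enabled" or "disabled" (and return 0/1) for ClassicBondedOnly in the
# given config file. A missing file, a missing key or a commented-out key all
# count as disabled, because older BlueZ releases defaulted the option to false.
classic_bonded_only_state() {
    conf="$1"
    if [ ! -r "$conf" ]; then
        echo disabled
        return 1
    fi
    # Take the last uncommented assignment, drop surrounding whitespace,
    # and compare case-insensitively. (Section headers are not checked.)
    val=$(sed -n 's/^[[:space:]]*ClassicBondedOnly[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*/\1/p' "$conf" \
          | tail -n 1 | tr 'A-Z' 'a-z')
    if [ "$val" = "true" ]; then
        echo enabled
        return 0
    fi
    echo disabled
    return 1
}

# Constructed sample configs so the script runs anywhere; the live check at
# the end uses the real file if the host has one.
tmp=$(mktemp -d)
printf '[General]\nClassicBondedOnly=true\n' > "$tmp/patched.conf"
printf '[General]\n#ClassicBondedOnly=true\nClassicBondedOnly=false\n' > "$tmp/unpatched.conf"
for f in "$tmp/patched.conf" "$tmp/unpatched.conf"; do
    echo "$f: $(classic_bonded_only_state "$f")"
done
rm -rf "$tmp"

live=/etc/bluetooth/input.conf
echo "$live: $(classic_bonded_only_state "$live")"
```

On a host where the live file reports "disabled", the mitigation is either absent from the installed BlueZ or turned off by the distribution's default configuration.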
The vulnerability also impacts macOS and iOS devices when Bluetooth is enabled and a Magic Keyboard is paired. Notably, the flaw remains exploitable even in Apple’s Lockdown Mode, which is designed to protect against sophisticated attacks. Apple has acknowledged the issue but has not yet announced a timeline for releasing a patch.