This blog post covers an interesting vulnerability that was just discovered earlier this year and an open source free tool that was created to automate testing for this vulnerability in Bluetooth devices.
I will preface this with the warning that this is of course done in my personal testing lab environment with my own devices for learning and demonstration purposes. I am in no way encouraging that these tools, snippets of code or techniques be used maliciously as there can be very serious legal consequences for those that use these hacking tricks nefariously. However, in a personal testing lab environment I think this is great for learning and allows someone to quickly be able to confirm or deny if their personal devices are truly standing up to the Bluetooth CVE of CVE-2023-45866.
CVE-2023-45866 is described as an issue where the "Bluetooth HID Hosts in BlueZ may permit an unauthenticated Peripheral role HID Device to initiate and establish an encrypted connection, and accept HID keyboard reports, potentially permitting injection of HID messages when no user interaction has occurred in the Central role to authorize such access". So in the photo above we see a device that has been sent the commands to open a new incognito browser pointing to my website at thejasongardner.com. This as you can see is done with 0-clicks or user interaction and the device is unfortunately vulnerable to the attack just by being in proximity to the attacking Bluetooth device with Bluetooth enabled.
Variations of this attack can affect Android, Linux, MacOS, iOS and Windows. The BlueDucky tool works because "The Bluetooth stacks in multiple operating systems allow an attacker to pair a virtual Bluetooth keyboard without authentication or user confirmation. The attacker can then inject keystrokes to perform actions as the user, so long as those actions do not require password or bio-metric authentication."
So, basically, if you have paired a Bluetooth device such as a keyboard to your tablet, now an attacker can pretend that they are using that same exact keyboard and type in commands into your device. This is a big problem because there are many situations where you may be exposed to this attack and you would have no way of physically stopping the attack from occurring. The best defense is to make sure your devices are patched to the latest versions of their operating systems and if possible try to only enable Bluetooth when you really need to use it. In the example here a browser is opened without the user doing anything and then the phone's browser seems to have someone typing in the URL and then the device opens my website. My website is just used as an example page but a malicious attacker could direct the device to download malware, a virus or anything else a hacker may want which could lead to the device being compromised after it has left the vicinity of the attacker.
To simplify here the issue is that the pairing can be forced and then keystroke injection is possible where an attacker can emulate a device using HID or the Human Interface Device. As discussed more in detail in this article (What Is a Human Interface Device (HID)? (howtogeek.com))"The biggest advantage of HID is being able to simply connect almost any peripheral to your device and have it start working immediately.". So here this universal usage and simplicity is misused when there are three criterium that were covered in the skysafe repo mentioned above and they are that:
- the host is connectable/discoverable
- the host supports pairing without authentication via the
NoInputNoOutputpairing capability - the attacker can connect to L2CAP ports 17 and 19 on the host
So there is some mitigating criteria to begin with and after the device is patched this attack should result in an error and no unauthenticated pairing or injection should occur. I hope you learned a little more about something interesting and can use this information to be a little safer and more secure with your personal devices.
