0-Click Exploit: PoC Targets Android, Linux, macOS, and iOS Devices via Bluetooth CVE-2023-45866 Flaw

CVE-2023-45866 PoC

Proof-of-concept (PoC) exploit code has been made available for a recently disclosed and patched critical Bluetooth flaw, tracked as CVE-2023-45866 (and by Microsoft as CVE-2024-21306).

This flaw affects a broad spectrum of operating systems, including Android, Linux, macOS, iOS, and Windows. The crux of the vulnerability is its abuse of an "unauthenticated pairing mechanism," a loophole within the Bluetooth specification itself. This oversight allows a malicious device to masquerade as a Bluetooth keyboard and trick the target device into accepting a connection the user never consented to.

An attacker within Bluetooth range can connect to a vulnerable device and, by sending keystrokes as if from a keyboard, install applications and run arbitrary commands, with no user interaction and no alert shown to the user. Notably, the attack requires no specialized equipment: a Linux computer with a standard Bluetooth adapter is enough.

This vulnerability affects devices operating on Android version 4.2.2 to 14 and spans across iOS, Linux, and macOS systems.

Marc Newlin, who discovered the vulnerabilities, also released proof-of-concept exploitation scripts. Utilizing these scripts enables the injection of keystrokes into any vulnerable Android and Linux device within Bluetooth range by masquerading as a Bluetooth keyboard. This form of Bluetooth keyboard can initiate pairing with a targeted device without requiring any user action or notification, constituting a 0-click exploit.

Today, the security researcher, nicknamed Mobile Hacker, shared how he uses the PoC exploitation scripts for CVE-2023-45866 to take over Android devices without proper Bluetooth pairing.

For devices operating on Android 11 and higher, updating your device with the Android 2023-12-05 security patch is advisable, assuming it has been issued by the OEM.

Unfortunately, for those on Android 10 or earlier, no security patch is available, and as indicated in Marc Newlin’s original announcement, it is unlikely to be provided.

On a positive note, attackers cannot automatically discover the Bluetooth MAC address of an Android device unless it is in discoverable mode. If an attacker already has the MAC address and the device remains unpatched, disabling Bluetooth is the recommended precaution. Microsoft, which tracks the issue as CVE-2024-21306 with a CVSS score of 5.7, fixed it in its January 2024 Patch Tuesday updates released last week.
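The mitigation advice above boils down to three facts from this article: Android 11 and later are fixed by the 2023-12-05 security patch level (if the OEM shipped it), Android 10 and earlier get no fix, and an attacker needs the device's Bluetooth MAC, which discoverable mode hands out. The following shell helper turns that into a triage check a fleet or support team can run against values pulled from a device. It is an added example written for this page, not code from the article or from Marc Newlin's PoC scripts; the `adb` commands in the comments are the standard ways to read Android build properties and settings, while the `discoverable` input is a hypothetical flag you would supply from the device's Bluetooth settings.

```shell
#!/bin/sh
# Added example (not part of the article): classify an Android device's
# exposure to CVE-2023-45866 from the facts the article states.
# Inputs are plain strings so the logic runs offline; the adb commands in the
# comments show how to collect them from a real device.

FIX_PATCH_LEVEL="2023-12-05"   # patch level named in the article for Android 11+

# date_ge A B : true when ISO date A (YYYY-MM-DD) is on or after ISO date B.
# ISO dates sort correctly as strings, so the smaller of the two is B iff A >= B.
date_ge() {
    [ "$(printf '%s\n' "$1" "$2" | sort | head -n 1)" = "$2" ]
}

# assess_android release patch_level bluetooth_on discoverable
#   release       e.g. "13" or "4.2.2"  (adb shell getprop ro.build.version.release)
#   patch_level   e.g. "2023-12-05"     (adb shell getprop ro.build.version.security_patch)
#   bluetooth_on  "1" or "0"            (adb shell settings get global bluetooth_on)
#   discoverable  "yes" or "no"         (hypothetical input taken from Bluetooth settings)
# Prints one of:
#   patched                  - Android 11+ with the fixing patch level or later
#   unpatched-bluetooth-off  - no fix applies, but Bluetooth is disabled (recommended mitigation)
#   unpatched-hidden         - no fix, Bluetooth on, but MAC not broadcast (attacker needs the MAC)
#   unpatched-exposed        - no fix, Bluetooth on and discoverable
# Exit status: 0 for the first two, 1 for hidden, 2 for exposed.
assess_android() {
    release=$1; patch_level=$2; bluetooth_on=$3; discoverable=$4
    major=${release%%.*}   # "4.2.2" -> "4", "14" -> "14"

    if [ "$major" -ge 11 ] && date_ge "$patch_level" "$FIX_PATCH_LEVEL"; then
        echo "patched"
        return 0
    fi
    # Android 10 and earlier: the article says no patch is expected, so the
    # only lever is whether Bluetooth is on and whether the MAC is discoverable.
    if [ "$bluetooth_on" = "0" ]; then
        echo "unpatched-bluetooth-off"
        return 0
    fi
    if [ "$discoverable" = "no" ]; then
        echo "unpatched-hidden"
        return 1
    fi
    echo "unpatched-exposed"
    return 2
}

# Run from the command line with the four values in order, e.g.
#   sh assess.sh 13 2023-11-05 1 no
if [ "$#" -eq 4 ]; then
    assess_android "$@"
fi
```

The check treats an Android 11+ device with an older patch level exactly like an Android 10 device, because until the OEM ships the 2023-12-05 level the device is unfixed either way; the `unpatched-hidden` state is a reduced-risk state, not a safe one, since the MAC can still be learned by other means.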