
Exploiting 0-click Android Bluetooth vulnerability to inject keystrokes without pairing

submitted by
Style Pass
2024-02-11 15:00:05

The CVE-2023-45866 vulnerability also affects unpatched Android and Linux based Smart TVs that have a Bluetooth interface. This applies to devices running Linux based webOS or Google Chromecast TV version 3. By exploiting an unpatched Chromecast, it is possible to turn on the TV via the Chromecast dongle and inject keystrokes. A Smart TV running webOS, after the PoC exploit was run against it, displayed a pop-up with the name of the connected device and allowed keystroke injection. Outdated Fire TVs running Android and other Android TV boxes are most likely affected as well. Based on my tests, if the PoC script does not crash, the target is vulnerable.

It is also important to note that an attacker needs to know the Bluetooth MAC address to perform the exploitation. A Chromecast broadcasts its Bluetooth MAC address only while it is in pairing mode. A television running webOS broadcasts its Bluetooth MAC address the whole time the TV is turned on, so it does not need to be in pairing mode. This makes it easier to obtain the MAC and take over a TV in the vicinity. You can see the demonstration in the video below.

Recently discovered critical vulnerabilities (CVE-2023-45866, CVE-2024-21306) in Bluetooth can be exploited to inject keystrokes without user confirmation, because the affected stacks accept any Bluetooth pairing request. These vulnerabilities affect Android, Linux, macOS, iOS, and Windows operating systems, making them a serious threat to users across different platforms. The vulnerabilities were discovered by Marc Newlin, who also published proof-of-concept exploitation scripts. Using these scripts, it is possible to inject keystrokes into any unpatched Android or Linux device in Bluetooth proximity by impersonating a Bluetooth keyboard. Such a Bluetooth keyboard forces pairing with the targeted device without any user interaction or notification, which makes this a 0-click exploit. In this blog, I will focus on exploiting an unpatched Android device using an Android smartphone. I will not cover the other mobile platform, iOS, since the exploitation scenario is difficult and requires a Magic Keyboard and exact timing. In this case, the timing is the specific moment when the attacker needs to connect to iOS, namely when the iOS user tries to connect to the Magic Keyboard. An attacker can also connect to iOS by spoofing a Magic Keyboard; however, the real keyboard needs to be out of Bluetooth range and the attacker still needs to know the MAC address of the Bluetooth Magic Keyboard, which in a real-case scenario will be challenging. If you are interested in more details of these vulnerabilities as they target Linux, macOS, iOS and Windows, I advise you to read the original blog.
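As an added defender-side example (not code from the original post or from Marc Newlin's scripts): a Python heuristic that scans a snapshot of Bluetooth device records for the footprint the post describes, a keyboard-class device that is connected although the user never completed a bond with it. The record layout is assumed to mirror the properties BlueZ publishes on org.bluez.Device1 (Address, Name, Class, Appearance, Connected, Paired, Bonded); the sample records are constructed, and a real audit would read them over D-Bus, which this offline example does not do.

```python
"""Flag connected keyboards that have no completed bond with the host."""

MAJOR_PERIPHERAL = 0x05       # Class of Device major class 5: peripheral (HID)
MINOR_KEYBOARD_BIT = 0x40     # Class of Device minor class bit 6: keyboard present
APPEARANCE_KEYBOARD = 0x03C1  # GAP appearance value "Keyboard" used by BLE HID devices


def is_keyboard(dev):
    """True if the record advertises a keyboard over BR/EDR (Class) or LE (Appearance)."""
    cod = dev.get("Class", 0)
    if (cod >> 8) & 0x1F == MAJOR_PERIPHERAL and cod & MINOR_KEYBOARD_BIT:
        return True
    return dev.get("Appearance") == APPEARANCE_KEYBOARD


def unbonded_keyboards(devices):
    """Return addresses of connected keyboards that are neither Paired nor Bonded.

    A keyboard the user set up shows Paired/Bonded = True; a keyboard that is
    connected without either is the footprint of an unauthenticated pairing
    and deserves a look (disconnect, remove, and check for the vendor patch).
    """
    flagged = []
    for dev in devices:
        if not dev.get("Connected") or not is_keyboard(dev):
            continue
        if dev.get("Paired") or dev.get("Bonded"):
            continue
        flagged.append(dev["Address"])
    return flagged


# Constructed sample snapshot (not captured from a real system).
SAMPLE_DEVICES = [
    {"Address": "AA:BB:CC:00:00:01", "Name": "Living Room Keyboard",
     "Class": 0x002540, "Connected": True, "Paired": True, "Bonded": True},
    {"Address": "AA:BB:CC:00:00:02", "Name": "Keyboard",
     "Class": 0x002540, "Connected": True, "Paired": False, "Bonded": False},
    {"Address": "AA:BB:CC:00:00:03", "Name": "BLE Keyboard",
     "Appearance": 0x03C1, "Connected": True, "Paired": False, "Bonded": False},
    {"Address": "AA:BB:CC:00:00:04", "Name": "Headphones",
     "Class": 0x240404, "Connected": True, "Paired": False, "Bonded": False},
]

if __name__ == "__main__":
    for addr in unbonded_keyboards(SAMPLE_DEVICES):
        print("connected keyboard without a bond:", addr)
```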
