Critical Bluetooth flaw could take over Android, Apple, Linux devices

A critical Bluetooth security bug that’s reportedly been lurking about for several years can potentially be exploited by attackers to take control of Android, Linux, macOS, and iOS machines.

The flaw, CVE-2023-45866, is an authentication bypass that lets attackers connect to susceptible devices and inject keystrokes to achieve code execution as the victim.

In a GitHub blog post Dec. 6, SkySafe researcher Marc Newlin said the flaw works “by tricking the Bluetooth host state-machine into pairing with a fake keyboard without user confirmation.”

Newlin went on to write that the underlying unauthenticated pairing mechanism is defined in the Bluetooth specification, and implementation-specific bugs expose it to the attacker. He said full vulnerability details and proof-of-concept scripts will be released at an upcoming conference, and he will update the original document with conference details when available. Newlin’s blog also contains available patch information.

Cyware Director Emily Phelps explained that in this exploit, adversaries fool the Bluetooth system of a device into thinking it’s connecting to a fake keyboard — without user confirmation. This issue stems from a part of the Bluetooth rules that let devices connect without needing authentication.

“Exploiting this vulnerability lets malicious hackers remotely control someone’s device,” said Phelps. “They can download apps, send messages, or run various commands depending on the operating system.”

Phelps said if patches are available for this vulnerability, security teams should fix the issue immediately. For devices that are awaiting the fix, security teams should monitor for updates and patches. They should also make staff aware of the issue and offer mitigation recommendations, such as disabling Bluetooth when not in use.

When devices communicate, there’s first a “handshake” where the two systems agree to communicate with each other, explained John Gallagher, vice president of Viakoo Labs. What the attacker took advantage of, Gallagher continued, is that many IoT devices, such as Bluetooth keyboards, want to make that handshake as easy as possible, especially since the keyboard can’t be used until the…


Android Users Should Download This Security Update NOW!

Google has started to roll out the security patch for December, and it evidently fixes multiple vulnerabilities affecting Android devices, but the highlight has to be CVE-2023-40088. This vulnerability allows Remote Code Execution or RCE, and an attacker could leverage this to install malicious code or software on a user’s phone without consent.

Google itself has stated that this vulnerability is dangerous. The company notes that it could lead to “remote (proximal/adjacent) code execution with no additional execution privileges needed” and that “user interaction is not needed for exploitation.” In simple terms, this could have made it easy for hackers and bad actors to gain access, snoop around your device, and get access to your valuable data.

Additionally, it’s important to keep in mind that this vulnerability affected a wide range of Android versions, including Android 11, 12, 12L, 13, and 14.

This security patch includes additional fixes that address vulnerabilities identified in components from various chip makers, such as ARM, Unisoc, Mediatek, and Qualcomm.

That said, the update should roll out to devices as and when manufacturers decide to optimize and release these security packages for their smartphones. Typically, Samsung and Google Pixel devices receive these security patches quickly after their reveal.

Now, if you happen to have an Android device that is eligible for the December security update, you should definitely update to the latest version as soon as possible. The vulnerability is of a ‘critical’ nature, and if an attacker does gain access to your device, the consequences can be severe, especially given the prevalence of financial fraud and scams.

Shaurya Sharma, Sub Editor at CNN-News18, specialises in reporting on consumer, …

    first published: December 06, 2023, 08:07 IST


    Nothing’s iMessage app wasn’t its only security lapse (Update: Statement)


    • Nothing’s CMF Watch app encrypted emails and passwords suboptimally, allegedly allowing for decryption using the same decryption keys.
    • The issue was partially fixed, as the encryption method of the passwords was updated, but not that of emails.
    • Nothing claims it is currently working to resolve the issues.

    Update, December 4, 2023 (12:45 PM ET): Nothing has now provided a comment to Android Authority about the issues. A spokesperson for the company states:

    CMF takes privacy issues very seriously and the team is investigating security concerns regarding the Watch app. We rectified initial credential concerns earlier in the year and are currently working to resolve the issues raised. As soon as this next fix is complete, we will roll out an OTA update to all CMF Watch Pro users. Security reports can now be more easily submitted via

    Original article, December 4, 2023 (3:29 AM ET): Nothing has had some good success with the Nothing Phone 2, considering the novelty of the phone and the nascent brand image. To win over some of the iPhone audience, Nothing partnered with Sunbird to launch an iMessage-for-Android app called Nothing Chats. The app lasted about a day in the wild before being pulled down due to glaring security oversights. But there seem to be more skeletons in Nothing’s closet, as two more vulnerabilities have emerged.

    Android developer and reverse engineer Dylan Roussel posted on X that he found two vulnerabilities centered around Nothing. The first was found in September in the CMF Watch app, which was built in partnership with a company called Jingxun. The CMF Watch app encrypted email usernames and passwords, but the encryption method allegedly left the door open for decrypting them with the same decryption keys, defeating the purpose of encryption.

    Nothing/Jingxun fixed this vulnerability, but curiously, only for the password. You could still allegedly decrypt the email that is used as the username.

    The second vulnerability has not been publicly detailed, but it relates to Nothing’s internal data. Nothing was informed of it in August, but it hasn’t been fixed…


    OnePlus Open’s latest update lets you set a specific exposure value in Photo mode

    The OnePlus Open is receiving a new software update. It doesn’t upgrade the foldable from Android 13 to Android 14 but brings some system and communications improvements. More importantly, it now lets users set a specific exposure value for the camera, but only in the Photo mode.

    The update also bumps up the Android security patch level on the OnePlus Open to November 2023. It has firmware CPH2551_13.2.0.201(EX01) and requires a download of about 510MB. You can check the screenshots below for the update’s changelog.

    OnePlus Open OxygenOS update’s changelog

    It’s worth mentioning that this update is currently only seeding in India, but the rollout should expand to other regions soon.