In a GitHub blog post Dec. 6, SkySafe researcher Marc Newlin said the flaw works “by tricking the Bluetooth host state-machine into pairing with a fake keyboard without user confirmation.”
Newlin went on to write that the underlying unauthenticated pairing mechanism is defined in the Bluetooth specification, and implementation-specific bugs expose it to the attacker. He said full vulnerability details and proof-of-concept scripts will be released at an upcoming conference, and he will update the original document with conference details when available. Newlin’s blog also contains available patch information.
Cyware Director Emily Phelps explained that in this exploit, adversaries fool the Bluetooth system of a device into thinking it’s connecting to a fake keyboard — without user confirmation. This issue stems from a part of the Bluetooth rules that let devices connect without needing authentication.
“Exploiting this vulnerability lets malicious hackers remotely control someone’s device,” said Phelps. “They can download apps, send messages, or run various commands depending on the operation system.”
Phelps said if patches are available for this vulnerability, security teams should fix the issue immediately. For devices that are awaiting the fix, security teams should monitor for updates and patches. They should also make staff aware of the issue and offer mitigation recommendations, such as disabling Bluetooth when not in use.
When devices communicate there’s first a “handshake” where the two systems agree to communicate with each other, explained John Gallagher, vice president of Viakoo Labs. What the attacker took advantage of, Gallagher continued, is the many IoT devices, such as Bluetooth keyboards, want to make that handshake as easy as possible, especially since the keyboard can’t be used until the…