Bluetooth keystroke-injection in Android, Linux, macOS and iOS

Original link: https://github.com/skysafe/reblog/tree/main/cve-2023-45866

Here is a 100-word summary: Keyboard expert Kevin Fu (known by his online moniker "Skysafe") recently exposed multiple Bluetooth stack vulnerabilities that allow an attacker to pair with a discoverable host and inject keystrokes without confirmation. These attacks can be carried out from a standard Linux computer using a generic Bluetooth adapter, and can result in arbitrary system actions as if the victim were actually sitting at the keyboard. Beyond exposing these Bluetooth vulnerabilities on platforms including Android and iOS, Fu also highlighted similar flaws in Linux/BlueZ and macOS, revealing that they fail to verify authenticity during the initial Bluetooth HID pairing attempt, which enables this man-in-the-middle interception. By connecting to the victim's Bluetooth interface, an attacker could install malware, execute arbitrary commands, forward sensitive messages and more, without any special equipment. This latest vulnerability is a follow-up to Fu's 2016 findings, when he discovered keystroke-injection bugs in the custom wireless protocols used by numerous mouse and keyboard brands, leading to major product recalls by tech giants Logitech, Microsoft, HP, Dell, Lenovo, Toshiba, Fujitsu, Kensington, Belkin, Anker and Avantree. Although the Android platform has been found vulnerable since its 2012 release, these weaknesses ultimately led to a new round of firmware patches to address the issue. However, although Ubuntu systems now have a patched kernel (as part of the Git commit to profiles/input, ID 25a471a83e02e1effb15d5a488b3f0085eaeb675), many Linux devices remain affected. As of September 2022, the Google Pixel line has been confirmed to include affected models, including the Pixel 7, 6 and 4a (5G); other platforms may not be able to fully eliminate the risk because of the limitations imposed by the Lockdown Mode mechanism, particularly on the iPhone SE and on 2017 MacBook Air computers running macOS 12.6.7. Source: Skysafe


Original text

CVE-2023-45866: Unauthenticated Bluetooth keystroke-injection in Android, Linux, macOS and iOS


In 2016, I published keystroke-injection vulnerabilities in wireless mice and keyboards from 17 vendors. Branded as MouseJack, my research focused on the custom wireless protocols used by non-Bluetooth peripherals.


I was intimidated by Bluetooth at the time, and just sort of assumed it was secure. I didn't try to hack any Bluetooth devices, and I recommended Bluetooth as a secure alternative to the plethora of custom protocols. It never occurred to me that Bluetooth would have trivial keystroke-injection vulnerabilities like the MouseJack protocols, so I never looked.


Fast-forward to 2023, and I decided that I needed more hacker conferences in my life after having a blast at Hardwear.io. For me, conferences are synonymous with presenting research, so I set out to do some stunt-hacking.


I started with an investigation of wireless gaming keyboards, but they proved to be the wrong kind of dumpster fire, so I looked to Apple's Magic Keyboard for a challenge. It had two things notably absent from my earlier peripheral research: Bluetooth and Apple.


Research got off to a humbling start when I realized that I knew next to nothing about Bluetooth, macOS or iOS. I had a lot to learn, but one question led to another, and I was soon reporting unauthenticated Bluetooth keystroke-injection vulnerabilities in macOS and iOS, both exploitable in Lockdown Mode. At this point, I still thought Bluetooth was probably okay-ish, but the mirage of Apple security was starting to fade.


When I found similar keystroke-injection vulnerabilities in Linux and Android, it started to look less like an implementation bug, and more like a protocol flaw. After reading some of the Bluetooth HID specification, I discovered that it was a bit of both.


The vulnerabilities work by tricking the Bluetooth host state-machine into pairing with a fake keyboard without user-confirmation. The underlying unauthenticated pairing mechanism is defined in the Bluetooth specification, and implementation-specific bugs expose it to the attacker. Unpatched devices are vulnerable under the following conditions:

  • Android devices are vulnerable whenever Bluetooth is enabled
  • Linux/BlueZ requires that Bluetooth is discoverable/connectable
  • iOS and macOS are vulnerable when Bluetooth is enabled and a Magic Keyboard has been paired with the phone or computer

The vulnerabilities can be exploited from a Linux computer using a standard Bluetooth adapter. Once the attacker has paired with the target phone or computer, they can inject keystrokes to perform arbitrary actions as the victim, provided those actions don't require a password or biometric authentication.


Some of the vulnerabilities predate MouseJack, and I was able to reproduce keystroke-injection on Android back to version 4.2.2, which was released in 2012. The Linux vulnerability was fixed in 2020 (CVE-2020-0556), but the fix was left disabled by default. ChromeOS is the only Linux-based OS known to have enabled the fix, even though it was announced by Ubuntu, Debian, Fedora, Gentoo, Arch and Alpine. The BlueZ patch for CVE-2023-45866 enables the 2020 fix by default.
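The paragraph above says the 2020 BlueZ fix shipped disabled and that the CVE-2023-45866 patch only flips its default. The following script is an added example, not part of the original post or of BlueZ, that audits the two Linux/BlueZ preconditions the post describes on a host: whether the adapter is discoverable, and whether bluetoothd's input plugin only accepts HID connections from bonded devices. It assumes the setting is the `ClassicBondedOnly` key in the `[General]` section of `/etc/bluetooth/input.conf` (BlueZ's name for the 2020 fix, which the post does not quote) and parses `bluetoothctl show` output for the `Discoverable:` flag; the sample config and adapter output in `demo` are constructed.

```shell
#!/bin/sh
# Added example, not from the original post. Audits a Linux/BlueZ host for the
# preconditions of CVE-2023-45866: a discoverable adapter and an input plugin
# that still accepts HID connections from unbonded devices.
# Assumption: the key is ClassicBondedOnly in [General] of
# /etc/bluetooth/input.conf; "unset" means the package default applies, which
# is false (fix disabled) on BlueZ builds that predate the CVE-2023-45866 patch.

# Prints "enabled", "disabled" or "unset" for ClassicBondedOnly in the given
# input.conf (default /etc/bluetooth/input.conf). The last assignment inside
# [General] wins; commented-out lines (# or ;) and other sections are ignored.
classic_bonded_only_verdict() {
    conf="${1:-/etc/bluetooth/input.conf}"
    if [ ! -r "$conf" ]; then
        echo unset
        return 0
    fi
    awk '
        /^[ \t]*[#;]/ { next }                       # comment line
        /^[ \t]*\[/   { sect = $0; gsub(/[][ \t]/, "", sect); next }
        sect == "General" && /^[ \t]*ClassicBondedOnly[ \t]*=/ {
            split($0, kv, "="); v = tolower(kv[2]); gsub(/[ \t\r]/, "", v)
            last = v
        }
        END {
            if (last == "true")       print "enabled"
            else if (last == "false") print "disabled"
            else                      print "unset"
        }' "$conf"
}

# Prints the adapter Discoverable flag ("yes"/"no"/"unknown") from
# `bluetoothctl show` output supplied on stdin. The colon keeps
# DiscoverableTimeout from matching.
adapter_discoverable() {
    awk '/^[ \t]*Discoverable:/ { print $2; found = 1 }
         END { if (!found) print "unknown" }'
}

# Combines both signals into one verdict line.
# $1: path to input.conf   $2: file holding `bluetoothctl show` output
bluez_hid_exposure() {
    bonded=$(classic_bonded_only_verdict "$1")
    disc=$(adapter_discoverable < "$2")
    if [ "$bonded" = enabled ]; then
        echo "ok: unbonded HID connections rejected (ClassicBondedOnly=true)"
    elif [ "$disc" = yes ]; then
        echo "exposed: adapter discoverable and ClassicBondedOnly is $bonded"
    else
        echo "latent: ClassicBondedOnly is $bonded; becomes exposed once discoverable"
    fi
}

# Stand-alone demonstration on constructed inputs: a pre-patch style config
# with the fix commented out, and an adapter that is currently discoverable.
demo() {
    tmp_conf=$(mktemp); tmp_show=$(mktemp)
    printf '[General]\n#ClassicBondedOnly=true\nUserspaceHID=true\n' > "$tmp_conf"
    printf 'Controller 00:11:22:33:44:55 (public)\n\tDiscoverable: yes\n\tDiscoverableTimeout: 0x000000b4\n' > "$tmp_show"
    bluez_hid_exposure "$tmp_conf" "$tmp_show"
    rm -f "$tmp_conf" "$tmp_show"
}
demo
```

On a live host, run `bluetoothctl show > /tmp/show.txt` and then `bluez_hid_exposure /etc/bluetooth/input.conf /tmp/show.txt`; an "exposed" or "latent" verdict on a distribution whose BlueZ has not been updated is the case the post describes, and setting `ClassicBondedOnly=true` in `[General]` and restarting bluetoothd is the same change the upstream patch makes by default.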


I only tested recent versions of macOS and iOS, and am not privy to the full scope or history of the Apple vulnerabilities.


Full vulnerability details and proof-of-concept scripts will be released at an upcoming conference, and I will update this document with conference details when available.


I'm really not sure what sort of wireless keyboard to recommend at this point. If you are reading this and you make a secure wireless keyboard, please send me one so I can hack it for you. (I'm serious. I want a challenge.)


Anyway, this rabbit-hole kept going, so stay tuned for Part 2: More Vulnerabilities.


Happy Hacking!


Vulnerability Details


What is the vulnerability?


Multiple Bluetooth stacks have authentication-bypass vulnerabilities that permit an attacker to connect to a discoverable host without user-confirmation and inject keystrokes.


What is the impact?


A nearby attacker can connect to a vulnerable device over unauthenticated Bluetooth and inject keystrokes to, e.g., install apps, run arbitrary commands, forward messages, etc.


What hardware is required to exploit the vulnerability?


The attack does not require specialized hardware, and can be performed from a Linux computer using a normal Bluetooth adapter. Full exploit details and proof-of-concept scripts will be released at an upcoming conference.


Android

  • The following devices were tested and found vulnerable:
    • Pixel 7 running Android 14
    • Pixel 6 running Android 13
    • Pixel 4a (5G) running Android 13
    • Pixel 2 running Android 11
    • Pixel 2 running Android 10
    • Nexus 5 running Android 6.0.1
    • BLU DASH 3.5 running Android 4.2.2
  • Security patch level 2023-12-05 mitigates the vulnerability in Android 11-14, and there is no fix available for Android 4.2.2-10.
  • Disclosure Timeline
    • 2023-08-05 - vulnerability reported to Google
    • 2023-12-06 - public disclosure

Linux/BlueZ

  • The following Ubuntu versions were tested and found vulnerable:
    • Ubuntu 18.04, 20.04, 22.04, 23.10
  • Per Google, ChromeOS is not vulnerable. I did not test ChromeOS, but their BlueZ configuration does appear to mitigate the vulnerability.
  • The following patch mitigates the vulnerability in BlueZ: https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit/profiles/input?id=25a471a83e02e1effb15d5a488b3f0085eaeb675
  • Disclosure Timeline
    • 2023-08-10 - vulnerability reported to Canonical
    • 2023-09-25 - vulnerability reported to Bluetooth SIG
    • 2023-10-02 - case opened with CERT/CC
    • 2023-12-06 - public disclosure

macOS

  • The following devices were tested and found vulnerable:
    • 2022 MacBook Pro with macOS 13.3.3 (M2)
    • 2017 MacBook Air with macOS 12.6.7 (Intel)
  • Lockdown Mode does not prevent the attack
  • Disclosure Timeline
    • 2023-08-01 - vulnerability reported to Apple
    • 2023-12-06 - public disclosure
iOS

  • The following devices were tested and found vulnerable:
    • iPhone SE running iOS 16.6
  • Lockdown Mode does not prevent the attack
  • Disclosure Timeline
    • 2023-08-04 - vulnerability reported to Apple
    • 2023-12-06 - public disclosure

Vendor Statements

Vendor: Google
Statement: Fixes for these issues that affect Android 11 through 14 are available to impacted OEMs. All currently-supported Pixel devices will receive this fix via December OTA updates.
