Emerging Tech: Security — The Need for Wireless Airspace Cybersecurity
Excerpt From Bluetooth Vulnerabilities (Part 2) Webinar
Watch This Brief Video to Learn More About Bluetooth Keystroke Injections
A recent fundamental vulnerability in Bluetooth Classic illustrates how a device impersonating a HID device could request to pair with a host over Bluetooth Classic without bonding, evading the need for user notification and approval. This allowed unauthenticated connections, or pairing attempts without encryption, through which the host would accept the impersonating device's keystrokes. Patches for Linux, Windows, and Android devices have been made available; as of January, however, Apple products added extra protection by filtering on trusted Bluetooth addresses. It was found that impersonating trusted device addresses continued to grant access to macOS computers, highlighting how crucial it is to keep devices updated with the most recent security patches to reduce security concerns.
The one that was more recent was a fundamental flaw in Bluetooth Classic. And basically what this meant was, a friend of ours who used to actually work at Best Deal discovered these and shared these mechanisms with us. So what's interesting is you can, as an HID device, or any device posing as an HID device, request to pair with a host over Bluetooth Classic, and you can do this without bonding.
That would have triggered user notification and approval requirements. So I can either just connect unauthenticated, or I can attempt to pair and establish a key, and that device starts to accept my keystrokes without authentication, and potentially without encryption. And this works for Windows, Android, Linux. These have all been patched, by the way, but as of January, that's when the disclosure occurred.
So if you haven't patched those devices in a while, please do update your device. For Apple, interestingly enough, Apple did something that the spec didn't require: they filtered on the Bluetooth address of the devices that they know and love. So if you weren't one of those devices, they wouldn't accept your request no matter what, which was a good move.
But it turned out that we could spoof the device anyway. If we could hear the connection events, sorry, I shouldn't say connection events. If we could hear that connection process and discover the address of the device that's trusted, we can then later spoof that device and get the same kind of access to the host system and start injecting keystrokes on macOS as well.
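On Linux hosts, BlueZ's input plugin has a `ClassicBondedOnly` option in `input.conf` that limits Bluetooth Classic HID connections to bonded devices. The audit below is an added example, not material from the webinar or from Bastille; the sample file contents are constructed, and the helper names `classic_bonded_only` and `finding` are hypothetical.

```python
import configparser

# Constructed sample files; on a real host, read /etc/bluetooth/input.conf
# (typical BlueZ location, assumed here) and pass its text to finding().
SAMPLE_WEAK = """[General]
#IdleTimeout=30
ClassicBondedOnly=false
"""
SAMPLE_COMMENTED = """[General]
#ClassicBondedOnly=true
"""
SAMPLE_STRICT = """[General]
ClassicBondedOnly=true
"""


def classic_bonded_only(text):
    """Classify the ClassicBondedOnly setting found in input.conf text.

    Returns 'enforced', 'disabled', 'unset' or 'invalid'.
    """
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # key files are case-sensitive; keep the key's case
    try:
        cp.read_string(text)
    except configparser.Error:
        return "invalid"
    if not cp.has_option("General", "ClassicBondedOnly"):
        return "unset"       # commented out or absent: the build default applies
    value = cp.get("General", "ClassicBondedOnly").strip()
    if value in ("true", "1"):
        return "enforced"    # only bonded devices may open Classic HID channels
    if value in ("false", "0"):
        return "disabled"    # unbonded Classic HID peers are accepted
    return "invalid"         # not a valid boolean (e.g. "True"); do not trust it


def finding(text):
    """Map the state to an audit result: PASS, FAIL or REVIEW."""
    state = classic_bonded_only(text)
    return {"enforced": "PASS", "disabled": "FAIL"}.get(state, "REVIEW")


if __name__ == "__main__":
    for name in ("SAMPLE_WEAK", "SAMPLE_COMMENTED", "SAMPLE_STRICT"):
        print(name, finding(globals()[name]))
```

A `REVIEW` result means the effective value depends on the installed BlueZ build's default, so set the option explicitly and keep the package patched.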