Bluetooth Vulnerability: Privacy Risks on Linux & macOS

Key Things to Know:

• CVE-2024-21306 Unveiled: A new Bluetooth vulnerability affecting Linux and macOS systems, enabling unauthorised device pairing without user interaction.
• Security at Risk: This flaw could allow hackers to inject keystrokes, compromising privacy and data security without the user's knowledge.
• Historical Context: Reflects the evolving nature of cybersecurity threats, reminiscent of the 2016 MouseJack vulnerabilities.
• User Vigilance: Importance of staying informed about security updates and practicing robust digital security measures.

Introduction

Vulnerabilities in computer systems are found on a daily basis, and while most of these get minimal attention, some can hit the news. Recently, a new Bluetooth vulnerability has been discovered, which allows hackers to pair HID devices to Linux and macOS machines without any user interaction. What exactly is the new vulnerability, how does it pose a threat, and what can we learn from this?

New Bluetooth Vulnerability – CVE-2024-21306

Vulnerabilities in computing systems are not unusual, with many being discovered on a daily basis. In fact, considering how complex modern computing systems are, creating a system that is entirely secure is a literal impossibility. 

Thankfully, many modern technology platforms allow for updates to be pushed, meaning that when such vulnerabilities are discovered, they can be quickly patched. Furthermore, there are plenty of white hat hackers who constantly look for these flaws so that they can find fixes (and, deservedly, get some monetary reward).

However, there are times when a discovered vulnerability is so significant that it can make the news. One excellent case of this was Heartbleed, whereby hackers could utilise buffer overflows to extract data from server RAM (such memory contents often contain sensitive information such as passwords and keys). 

In December 2023, a new Bluetooth vulnerability was discovered, which very nearly hit mainstream media due to the significant risk that it poses. But how does it work, and what makes it such a threat?

The CVE-2024-21306 vulnerability mirrors past security concerns in wireless communication protocols, reminiscent of the 2016 MouseJack vulnerabilities that exposed weaknesses in non-Bluetooth wireless peripherals. This historical context underscores the evolving nature of cybersecurity threats and the continuous need for vigilance in digital security practices. The recent discovery highlights a critical oversight in the Bluetooth protocol itself, allowing attackers to bypass authentication mechanisms and pair with devices surreptitiously.

Under normal circumstances, Bluetooth devices being paired require a user to not only initiate the pairing but also provide additional security prompts (such as passkeys). For example, a user that wants to connect a keyboard to a computer would first set their Bluetooth to discoverable on their keyboard, find the device in the OS, initiate a connection, and then provide a passkey to confirm. 

Breaking the Norm: The CVE-2024-21306 Threat

However, the new vulnerability, which has been assigned the CVE identifier CVE-2024-21306, allows a hacker to connect a Bluetooth HID (such as a keyboard) to a Linux or macOS machine without any user interaction whatsoever. Furthermore, this connection doesn’t even require a passkey, meaning that such devices could connect with no awareness from the user whatsoever. 

In order for this vulnerability to work, the host machine requires that it is connectable and discoverable, that it supports pairing without authentication, and that the attacker can connect to L2CAP ports 17 and 19. According to the researchers who discovered the vulnerability, these settings are mostly common amongst Unix-based machines such as Linux and macOS, meaning that the vast majority of Windows environments are unaffected (unless they use Broadcom chips for Bluetooth).

This vulnerability's exploitation method involves tricking the Bluetooth host's state machine into pairing with a malicious keyboard without user confirmation. This technique leverages the unauthenticated pairing mechanism defined in the Bluetooth specification, combined with implementation-specific bugs, making unpatched devices susceptible under certain conditions. Such vulnerabilities highlight the intricate balance between functionality and security in protocol design and the importance of rigorous security standards in technology development.

How does this vulnerability pose a threat?

Once a hacker has a Bluetooth connection formed, they are able to pass keystrokes to the host machine, allowing for the execution of commands, browsing through files, and causing general grief. Thankfully, any privileged task or action still requires a password, but there are still plenty of tasks that can be done without it. Furthermore, a hacker who gets access to the password would then have full control over the machine. 

The fact that the user has no indication that a new device has been added also means that the attack goes completely unnoticed. The only way that an individual could see if they were attacked would be to view currently connected Bluetooth devices, something which most users rarely do.

The implications of CVE-2024-21306 extend beyond mere unauthorised access, posing significant risks to user privacy and data security. The ability for attackers to inject keystrokes remotely opens up a plethora of malicious activities, from installing unwanted software to commandeering the device for further exploits. This scenario underscores the critical need for robust security measures and timely patching of known vulnerabilities to safeguard against such invasive attacks.

Additionally, as this attack utilises Bluetooth, it allows a hacker to perform this attack remotely, and because the attacking device only needs to appear as a Bluetooth HID, it could be designed into anything, including a USB drive, keychain, or even a calculator (utilising a small SoC such as the ESP32). In fact, if combined with a cellular modem, it could be possible for an attacker to slip a miniaturised device into a user’s bag or coat and have remote access to their devices via a cellular network.

What can we learn from this attack?

Unfortunately, due to the extreme complexity of modern devices, there will always be bugs and vulnerabilities that can only be patched when discovered. In the case of this Bluetooth vulnerability, it is surprising that any system would allow devices to connect with no user input.

Going forward, when engineers utilise connectivity solutions, it is important to consider what those options can do at their worst and whether they support automatic connections without user input. For example, having an IoT server allowing new devices to connect so long as they have a password is bad practice; instead, devices requesting to connect should go through a human verification process first.

Furthermore, this new vulnerability also highlights that while platforms such as Linux and macOS are generally considered secure (compared to Windows), they are not without their faults. Thankfully, the nature of open source and the tens of thousands who contribute to these projects have managed to identify a vulnerability and provide a patch, but that may not be the case for the major vulnerability discovered. 

The threat from this vulnerability is moderate, but certainly, not severe, so most users can continue with their day-to-day lives. However, can the same be said for the next one discovered? Only time will tell.

In light of CVE-2024-21306, it's imperative for users and administrators to stay informed about the latest security patches and updates for their devices. The collaborative efforts within the cybersecurity community, including researchers, developers, and users, play a pivotal role in identifying vulnerabilities and fortifying the digital ecosystem against emerging threats. This collective vigilance is the cornerstone of maintaining trust and security in an increasingly connected world.