According to The Hacker News, security researcher Marc Newlin reported the vulnerability to software vendors in August 2023. He said Bluetooth technology has an authentication bypass vulnerability that allows attackers to connect to devices in the area without user confirmation and perform operations.
The bug, tracked as CVE-2023-45866, describes an authentication bypass that allows a threat actor to connect to devices and inject keystrokes to execute code as the victim. The attack tricks the target device into thinking it is connected to a Bluetooth keyboard by exploiting the unauthenticated pairing mechanism defined in the Bluetooth specification.
The Bluetooth connectivity standard is facing many security flaws
Successful exploitation of the vulnerability could allow an attacker within range of a Bluetooth connection to transmit keystrokes to install applications and run arbitrary commands. Notably, the attack does not require any specialized hardware and can be performed from a Linux computer using a standard Bluetooth adapter. Technical details of the vulnerability are expected to be released in the future.
The Bluetooth vulnerability affects a wide range of devices running Android (from version 4.2.2 onward), iOS, Linux, and macOS. macOS and iOS are affected when Bluetooth is enabled and an Apple Magic Keyboard is paired with the vulnerable device. The attack also works in Lockdown Mode, Apple's digital threat protection mode. Google says the bug, CVE-2023-45866, can lead to privilege escalation from close proximity without requiring additional execution privileges.