CVE-2023-45866 Overview
CVE-2023-45866 is an authentication bypass vulnerability affecting Bluetooth HID (Human Interface Device) Hosts in BlueZ and multiple operating systems. The flaw allows an unauthenticated Peripheral role HID Device to initiate and establish an encrypted connection with vulnerable hosts, enabling the injection of HID keyboard reports without requiring user interaction or authorization from the Central role device.
This vulnerability is a significant concern for wireless device security: attackers within Bluetooth range can inject keystrokes into target devices, potentially executing arbitrary commands or facilitating further compromise.
Critical Impact
Attackers within Bluetooth radio range can pair a rogue HID device and inject keystrokes without user consent, potentially enabling command execution and system compromise across Android, iOS, macOS, Linux, and other affected platforms.
Affected Products
- Google Android (versions 4.2.2 through 14.0)
- Apple macOS (versions 12.6.7, 13.3.3, and others)
- Apple iOS and iPadOS (version 16.6 and others)
- Canonical Ubuntu Linux (18.04 LTS, 20.04, 22.04 LTS, 23.10)
- Fedora (38, 39)
- Debian Linux (10.0)
- Google Pixel devices (Pixel 2, Pixel 4a, Pixel 6, Pixel 7)
- Apple MacBook Air (2017) and MacBook Pro (M2)
Discovery Timeline
- December 8, 2023 - CVE-2023-45866 published to NVD
- November 4, 2025 - Last updated in NVD database
Technical Details for CVE-2023-45866
Vulnerability Analysis
This vulnerability arises from a fundamental weakness in the Bluetooth HID protocol implementation across multiple operating systems and the BlueZ Bluetooth stack. The issue lies in how Bluetooth HID Hosts handle incoming connection requests from Peripheral role HID devices. Under normal circumstances, Bluetooth pairing requires explicit user authorization before a device can establish a trusted connection. However, affected implementations fail to properly enforce this authentication requirement.
When a malicious device presents itself as a Bluetooth HID peripheral (such as a keyboard), vulnerable hosts accept the connection and begin processing HID reports without verifying that the user has authorized the pairing. This allows an attacker to inject arbitrary keyboard input into the target system, effectively gaining the ability to type commands as if they had physical access to the keyboard.
The vulnerability has a particularly wide attack surface because it affects multiple operating systems from different vendors, including Google Android, Apple macOS/iOS, and various Linux distributions using the BlueZ Bluetooth stack.
Root Cause
The root cause of CVE-2023-45866 is improper authentication validation (CWE-287) in the Bluetooth HID Host implementation. Specifically, the affected systems did not properly verify that user authorization had been granted before accepting HID keyboard reports from a newly connected Peripheral device. The BlueZ stack, as well as the proprietary Bluetooth implementations in Android and Apple devices, did not require explicit user confirmation when an HID device initiated a connection, which allowed unauthenticated pairing and subsequent HID message injection.
This is related to a previous vulnerability, CVE-2020-0556, and in some cases, mitigations for that issue would have also addressed this vulnerability.
Attack Vector
The attack requires the attacker to be within Bluetooth radio range of the target device (typically up to 10 meters for Class 2 devices, or up to 100 meters for Class 1 devices). The attacker uses a specially configured Bluetooth device or software-defined radio to:
- Scan for vulnerable Bluetooth hosts with HID profile support enabled
- Initiate a connection as a Peripheral role HID device (keyboard)
- Establish an encrypted connection without user authorization
- Inject arbitrary HID keyboard reports to execute commands on the target
The attack is particularly dangerous because it requires no user interaction on the target device and can be executed silently. Once keystrokes can be injected, an attacker could open a terminal, execute malicious commands, download and run malware, or exfiltrate sensitive data.
The adjacent network attack vector means physical proximity is required, but in environments such as offices, coffee shops, conferences, or public transit, this proximity requirement is easily met.
Detection Methods for CVE-2023-45866
Indicators of Compromise
- Unexpected Bluetooth pairing notifications or paired devices appearing in the Bluetooth device list
- Unusual keyboard activity or commands executing without user input
- New Bluetooth HID devices appearing in system logs without user-initiated pairing
- Suspicious process execution or terminal activity coinciding with Bluetooth connection events
Detection Strategies
- Monitor Bluetooth connection logs for unexpected HID device pairings, particularly keyboards appearing without user authorization
- Implement endpoint detection rules to alert on Bluetooth pairing events followed by rapid command execution
- Use SentinelOne's behavioral AI to detect anomalous input patterns that may indicate keystroke injection attacks
- Review system logs for BlueZ or Bluetooth daemon entries indicating HID profile connections from unknown devices
Monitoring Recommendations
- Enable verbose Bluetooth logging on critical systems to capture connection and pairing events
- Configure alerts for new Bluetooth device pairings on sensitive endpoints
- Monitor for the execution of shell commands or administrative tools immediately following Bluetooth connection events
- Regularly audit the list of paired Bluetooth devices and remove any unauthorized entries
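The rule "Bluetooth pairing or connection event followed by rapid command execution" from the detection strategies above can be expressed as a small correlation over a normalized event stream. This is an added example, not code from the original page or any vendor; the event format, the allowlist file, the 30-second window and the device addresses are constructed assumptions.

```shell
#!/usr/bin/env bash
# Added example: alert on commands executed shortly after a Bluetooth HID
# connection from a device that is not on the approved list.
# Events file format (constructed for this example), one event per line:
#   <epoch-seconds> hid_connect <device-address>
#   <epoch-seconds> exec <command line>
correlate_hid_exec() {
    local events="$1" allow="$2" window="${3:-30}"
    awk -v window="$window" '
        FILENAME == ARGV[1] { approved[toupper($1)] = 1; next }   # allowlist file
        $2 == "hid_connect" {
            addr = toupper($3)
            # Only unapproved devices arm the rule; approved ones never disarm it.
            if (!(addr in approved)) { armed = 1; since = $1; who = addr }
            next
        }
        $2 == "exec" && armed && ($1 - since) <= window {
            cmd = $0
            sub(/^[^ ]+ +[^ ]+ +/, "", cmd)    # strip timestamp and event type
            printf "ALERT device=%s delay=%ds cmd=%s\n", who, $1 - since, cmd
        }
    ' "$allow" "$events"
}

# Constructed sample data (addresses and commands are placeholders).
work="$(mktemp -d)"
printf 'AA:BB:CC:00:00:01\n' > "$work/approved.txt"
cat > "$work/events.log" <<'EOF'
1700000000 hid_connect AA:BB:CC:00:00:01
1700000005 exec /usr/bin/ls -la
1700000100 hid_connect aa:bb:cc:00:00:99
1700000103 exec /bin/sh -c id
1700000400 exec /usr/bin/top
EOF

# Only the exec 3 seconds after the unapproved device connects is reported.
correlate_hid_exec "$work/events.log" "$work/approved.txt" 30
```

In practice the events would come from whatever the endpoint already records (Bluetooth daemon logs and process-execution telemetry), converted to this two-event form and sorted by time.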
How to Mitigate CVE-2023-45866
Immediate Actions Required
- Update BlueZ to the patched version containing commit 25a471a83e02e1effb15d5a488b3f0085eaeb675
- Apply vendor security patches for affected operating systems (Apple HT214035, HT214036; Debian DSA-5584; Gentoo GLSA 202401-03)
- Disable Bluetooth on systems where it is not required, particularly in high-security environments
- Configure devices to require explicit user confirmation for all Bluetooth pairing attempts
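On Linux hosts running BlueZ, whether classic HID connections are limited to bonded devices is governed by the `ClassicBondedOnly` key in the input plugin's configuration, whose default the referenced BlueZ commit changes to `true`. The audit script below is an added example, not from the original page or the BlueZ project; the key name comes from BlueZ's `input.conf` rather than this page, and the `/etc/bluetooth/input.conf` path and the sample files are assumptions.

```shell
#!/usr/bin/env bash
# Added example: audit a BlueZ input.conf for the ClassicBondedOnly key.
# Prints the explicit value found in [General], or "unset" when the key is
# absent or commented out (the compiled-in default of the build then applies).
classic_bonded_only_state() {
    local conf="$1"
    [ -r "$conf" ] || { echo "unset"; return 0; }
    awk '
        /^[ \t]*#/ { next }                          # comment line
        /^[ \t]*\[/ {                                # section header
            section = $0
            gsub(/^[ \t]*\[|\].*$/, "", section)
            next
        }
        section == "General" && /^[ \t]*ClassicBondedOnly[ \t]*=/ {
            state = $0
            sub(/^[^=]*=[ \t]*/, "", state)          # drop "key ="
            sub(/[ \t]+$/, "", state)                # drop trailing blanks
        }
        END { print (state == "" ? "unset" : state) }
    ' "$conf"
}

# Exit status: 0 = bonding explicitly required, 1 = unset or unrecognized, 2 = explicitly off.
audit_input_conf() {
    local conf="$1" state
    state="$(classic_bonded_only_state "$conf")"
    case "$state" in
        true|1)  echo "OK: ClassicBondedOnly=$state in $conf"; return 0 ;;
        false|0) echo "WEAK: ClassicBondedOnly=$state in $conf (non-bonded HID accepted)"; return 2 ;;
        unset)   echo "CHECK: ClassicBondedOnly not set in $conf (build default applies)"; return 1 ;;
        *)       echo "CHECK: unrecognized value '$state' in $conf"; return 1 ;;
    esac
}

# Constructed sample files (not taken from a real host).
sample_dir="$(mktemp -d)"
printf '[General]\n#ClassicBondedOnly=true\nUserspaceHID=true\n' > "$sample_dir/default.conf"
printf '[General]\nClassicBondedOnly=false\n' > "$sample_dir/weak.conf"
printf '[General]\nIdleTimeout=30\nClassicBondedOnly = true\n' > "$sample_dir/hardened.conf"

for name in default weak hardened; do
    audit_input_conf "$sample_dir/$name.conf" || true
done
# On a real host (path is an assumption): audit_input_conf /etc/bluetooth/input.conf
```

A "CHECK" result means the effective behaviour depends on whether the installed BlueZ package already carries the fix, so confirm the package version against the vendor advisory or set the key explicitly.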
Patch Information
Multiple vendors have released patches addressing CVE-2023-45866:
- BlueZ: The fix is available in the BlueZ Git repository (commit 25a471a)
- Apple: Security updates documented in HT214035 and HT214036
- Debian: Patched via DSA-5584 and LTS announcement
- Fedora: Updates available through Fedora package announcements
- Gentoo: Security advisory GLSA 202401-03
- Ubuntu: Patched in BlueZ package updates; see Ubuntu Changelog
Workarounds
- Disable Bluetooth entirely on systems that do not require wireless HID connectivity
- Set Bluetooth to non-discoverable mode when not actively pairing devices
- Remove or unpair any unknown Bluetooth HID devices from the system
- Implement physical security controls in environments where Bluetooth attacks may be attempted
- Consider using wired keyboards and mice for sensitive workstations
```bash
# Disable Bluetooth on Linux systems using systemctl
sudo systemctl stop bluetooth
sudo systemctl disable bluetooth

# Alternatively, block Bluetooth kernel module
echo "blacklist btusb" | sudo tee /etc/modprobe.d/bluetooth-blacklist.conf
echo "blacklist bluetooth" | sudo tee -a /etc/modprobe.d/bluetooth-blacklist.conf

# On macOS, disable Bluetooth from command line
sudo defaults write /Library/Preferences/com.apple.Bluetooth ControllerPowerState -int 0
```
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


