With the discovery of two new vulnerabilities that put iPhones, Android smartphones, Macs and other devices at risk of attack, it may seem like a reasonable idea to turn Bluetooth off completely when in public.
The first vulnerability, known as BLUFFS, allows an attacker to impersonate your device; the second vulnerability can be exploited by hackers to gain full control of your device as if it were paired with a Bluetooth keyboard.
As reported by Dark Reading, this newly discovered critical Bluetooth vulnerability (tracked as CVE-2022-45866) is a keystroke injection flaw. Worse yet, the attacker's fake keyboard can connect to your device without your confirmation.
The flaw itself was discovered by Marc Newlin of SkySafe, who detailed his findings in a blog post. He explained that he encountered the flaw while investigating Apple's Magic Keyboard. Newlin soon realized that the flaw is also exploitable in Lockdown Mode on iOS and macOS, and that Android and Linux devices are vulnerable as well.
Once an attacker pairs an emulated Bluetooth keyboard with a smartphone or computer, they can perform any action that does not require a password or fingerprint. From installing new apps to forwarding emails and text messages, there are many things someone can do without direct access to your device.
Unlike the recently discovered flaw in the Bluetooth protocol, this flaw has existed for at least a decade. According to Newlin, the reason it went undetected for so long is that it was a relatively simple flaw that was hidden in plain sight.
While other security researchers are looking for weaknesses in Bluetooth's encryption scheme, few have thought to look for something as simple as an authentication bypass bug.
As for the best Android phones, they have been vulnerable to this flaw since 2012, when Android 4.2.2 was released. At the same time, however, the flaw was patched in the Linux kernel in 202. According to Newlin's research on the issue, though, the fix was for some reason left disabled by default.
Since his discovery, Newlin has informed Apple, Google, and the Bluetooth SIG about the flaw. Most of the affected devices have been patched, but some devices, including many of the top-of-the-line MacBooks, iPhones, and Android smartphones, are still vulnerable.
As for malware and malicious apps, the best antivirus software and the best Android antivirus apps can protect devices from potential attacks. Unfortunately, the same cannot be said for attacks that exploit Bluetooth flaws.
The only option is to disable Bluetooth in public, which is a real inconvenience for those using wireless earphones or the best smartwatches, and especially so for those wearing Bluetooth hearing aids. This is because an attacker would need to be in close proximity to you and your device in order to exploit this flaw.
Thankfully, this is a critical vulnerability that Apple, Google, other hardware manufacturers, and the Bluetooth SIG have already been notified of. As such, it is recommended that new security updates for smartphones and computers be installed as soon as they become available.
We will update this article as we learn more about this vulnerability and how companies plan to address it.