Beware of Bluetooth Vulnerability in Popular Smartphones

CVE: CVE-2023-33092
CVSS (v3.1): 8.4
Source: CVE-2023-33092

The Bluetooth functionality in many popular smartphone models contains a vulnerability that could allow attackers to execute code remotely.

CVE-2023-33092 has been assigned to a memory corruption issue that arises when processing pin code replies during the Bluetooth pairing process. The pin code received from the phone’s application layer is not properly verified against the expected size, which can be exploited to write memory outside the intended buffer.
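The missing size check described above, sketched as an added example (not code from the affected Bluetooth stack or its vendor). `struct pin_reply` and all function names are hypothetical, and the 16-byte limit assumed here is the maximum length of a legacy Bluetooth PIN code.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#define PIN_MAX_LEN 16 /* legacy Bluetooth PIN codes are 1..16 octets */

/* Hypothetical pairing record; the affected code is not shown on the page. */
struct pin_reply {
    uint8_t len;
    uint8_t pin[PIN_MAX_LEN];
};

/* Pattern the advisory describes: the supplied length is trusted, so any
 * len > PIN_MAX_LEN writes past out->pin. Shown for contrast only. */
void store_pin_unchecked(struct pin_reply *out, const uint8_t *pin, size_t len)
{
    out->len = (uint8_t)len;
    memcpy(out->pin, pin, len);
}

/* Hardened form: validate before touching the buffer. 0 = stored, -1 = rejected. */
int store_pin_checked(struct pin_reply *out, const uint8_t *pin, size_t len)
{
    if (out == NULL || pin == NULL || len == 0 || len > PIN_MAX_LEN)
        return -1;
    memset(out, 0, sizeof(*out));
    memcpy(out->pin, pin, len);
    out->len = (uint8_t)len;
    return 0;
}

/* Constructed check: a 32-byte reply is rejected, record and guard untouched. */
int oversize_reply_is_rejected(void)
{
    struct { struct pin_reply r; uint8_t guard[4]; } slot;
    uint8_t oversized[32];
    memset(&slot, 0xA5, sizeof(slot));
    memset(oversized, 'A', sizeof(oversized));
    int rc = store_pin_checked(&slot.r, oversized, sizeof(oversized));
    return rc == -1 && slot.r.len == 0xA5 && slot.guard[0] == 0xA5;
}

/* Constructed check: a 4-digit PIN is stored with its exact length. */
int valid_reply_is_stored(void)
{
    struct pin_reply r;
    const uint8_t pin[] = { '0', '0', '0', '0' };
    return store_pin_checked(&r, pin, sizeof(pin)) == 0
        && r.len == 4 && memcmp(r.pin, pin, 4) == 0 && r.pin[4] == 0;
}
```

The length is validated before any write, so a rejected reply leaves the existing pairing state exactly as it was.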

An attacker within Bluetooth range could potentially pair with the target phone and send a specially crafted pin reply to trigger the vulnerability. This may allow the execution of arbitrary code with the privileges of the Bluetooth service.

If successful, an attacker would then be able to access data, install programs, create accounts and perform other malicious actions on the affected phone.

In order to reduce risks, users should keep their phone’s Bluetooth turned off when not in use. Applying updates to the latest OS version is also recommended, as patches may have been released to address this vulnerability. Being cautious of unsolicited pairing requests can help prevent exploitation attempts.
