VYPR
Unrated severity · NVD Advisory · Published Oct 18, 2014 · Updated May 6, 2026

CVE-2014-4428


Description

Bluetooth in Apple OS X before 10.10 does not require encryption for HID Low Energy devices, which allows remote attackers to spoof a device by leveraging previous pairing.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Bluetooth in Apple OS X before 10.10 and iOS before 8.1 permits unencrypted HID connections, allowing a nearby attacker to spoof a previously paired Bluetooth Low Energy device.

Vulnerability

Bluetooth on Apple OS X prior to version 10.10 and iOS prior to version 8.1 does not require encryption for Human Interface Device (HID) class Bluetooth Low Energy (BLE) accessories. If a device had previously paired with a legitimate BLE HID accessory, an attacker can spoof that accessory by leveraging the prior pairing state, as the connection is established without encryption. [1][2]

Exploitation

An attacker must be within Bluetooth range of the target device and spoof the identity of a previously paired Bluetooth Low Energy HID device. No authentication or user interaction is required at the time of attack, as the target device accepts the connection based on the previous pairing record without enforcing an encrypted session. [2]

Impact

A successful attack allows the remote attacker to impersonate the legitimate HID device, potentially injecting keystrokes or other input commands on the target system, leading to arbitrary code execution or disclosure of sensitive information. The attacker effectively bypasses the normal Bluetooth pairing authentication. [2]

Mitigation

Apple addressed this vulnerability in OS X Yosemite v10.10 and iOS 8.1, released on October 16, 2014 and October 20, 2014 respectively. Users should upgrade to the latest available versions. No workaround is provided for unpatched systems. [1][2]

AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
