A new tool named BlueDucky has been released that automates exploitation of CVE-2023-45866, a critical Bluetooth pairing flaw that allows zero-click keystroke injection on unpatched devices. Published on GitHub by Opabinia, the tool builds on the vulnerability disclosed by Marc Newlin in December 2023, with his proof-of-concept script following in January 2024. The flaw is that an affected Bluetooth host accepts a pairing request from a device presenting itself as a keyboard without asking the user to confirm, so an attacker within radio range can pair and then inject arbitrary keystrokes into Android and Linux devices; because keystrokes can open a shell or a browser and type commands, the injection is effectively command execution as the logged-in user. Newlin's proof-of-concept, "hi_my_name_is_keyboard", showed that the attack works; BlueDucky addresses its limitations by automating the whole process, which lowers the bar for would-be attackers.
BlueDucky runs on a Raspberry Pi 4 under Kali Linux or on a rooted Android device running Kali NetHunter. It scans for nearby Bluetooth devices, lets the operator pick a target from the list, and then delivers a Rubber Ducky-style script stored in a payload.txt file, so the script no longer has to be edited by hand for each target. Its most notable feature is the potential for fully unattended operation: configured to loop, it could continuously discover devices, attempt exploitation against each one and log the result of every attempt. That ability to attack every device within range at scale is why applying the vendor patches for CVE-2023-45866 matters; until a device is patched, keeping Bluetooth switched off when it is not needed removes it from the list of candidate targets.
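To make concrete what "a Rubber Ducky script stored in payload.txt" means, here is a constructed example of such a payload in standard DuckyScript syntax. It is an added illustration, not a file from the BlueDucky repository, and the assumption that BlueDucky parses exactly this subset of keywords (REM, DELAY, GUI, STRING, ENTER) should be checked against the tool's README before relying on any particular command. What the keys do on arrival depends entirely on the target: the GUI key opens the activities search on a GNOME desktop but triggers a different action on Android, which is why real payloads are tuned per platform and why the DELAY lines matter for an attack that has no human in the loop to wait for the UI.

```duckyscript
REM Constructed example payload.txt (not from the BlueDucky project)
REM Give the freshly paired HID connection a moment to settle
DELAY 1000
REM Open the launcher/search on the target (behaviour is platform-specific)
GUI
DELAY 500
REM Type an application name and launch it
STRING text editor
ENTER
DELAY 1500
REM Everything after this point is typed exactly as a keyboard would
STRING injected over Bluetooth HID without any pairing prompt
ENTER
```

When testing against a device you own, the timing values are the part you will adjust most: too short and keystrokes land before the launcher or application is ready and are silently dropped, too long and the run takes noticeably longer per target, which matters once the tool is looping over every device it discovers.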