New Tool "BlueDucky" Exploits Bluetooth Vulnerability for 0-Click Code Execution


The emergence of a new tool named BlueDucky signifies a milestone in the automation of exploiting a critical Bluetooth pairing vulnerability, capable of facilitating 0-click code execution on devices lacking patches.

This development follows Marc Newlin's publication in January 2024 of a proof of concept script targeting the Bluetooth vulnerability identified as CVE-2023-45866.

As Newlin detailed, this vulnerability allows attackers to inject keystrokes into any Android and Linux device within Bluetooth range without requiring pairing, effectively impersonating a Bluetooth keyboard.

Initially, Newlin's exploit tool, named "hi_my_name_is_keyboard," aimed to demonstrate the viability of such an attack. The mobile hacker team effectively compromised a variety of devices, including Android smartphones, Google Chromecast TVs, Meta Quest 3, and Linux-based smart TVs.

However, the original script necessitated users to manually discover and input the MAC address of the target Bluetooth device and modify the code to adjust the injected keys.


BlueDucky: Automated Exploitation

Developed by Opabinia and accessible on GitHub, BlueDucky addresses these limitations by automating the entire process. Compatible with a Raspberry Pi 4 running Kali Linux or a rooted Android device with Kali NetHunter, the tool scans nearby Bluetooth devices, enabling users to select targets from a provided list.

Subsequently, it executes a Rubber Ducky script stored in a payload.txt file, removing the need for manual script alterations.

A standout feature of BlueDucky is its potential for genuine automation. Through script editing, it can be configured to continuously discover devices and attempt exploitation, logging outcomes for each endeavour.

Based on the developer's observations, successful script execution on vulnerable devices underscores the critical necessity of patching the CVE-2023-45866 vulnerability to mitigate such threats effectively.

BlueDucky's advent signifies a notable progression in exploiting Bluetooth vulnerabilities, streamlining the process and potentially heightening risks to unpatched devices. Its emergence accentuates the urgency of addressing known vulnerabilities like CVE-2023-45866 to safeguard against automated attacks effectively.