PSA: Bluetooth vulnerability and PS3 Controllers on Linux in 2024
In late 2023 a Bluetooth vulnerability CVE-2023-45866 was discovered and patched in Bluez. By now, this vulnerability should be fixed on all Linux distributions. The fix has one compatibility implication: support for insecure legacy devices is now disabled by default. The Sony PlayStation 3 Controller (AKA DualShock 3 or DS3) is probably the most notable device affected by this change.
What to do if you have a PS3 Controller
The PS3 Controller should still be plug-and-play on Linux when used wired, this change only affects wireless use.
Wireless use is now disabled by default. It should still be possible to use the controller wirelessly with a configuration change, but that will make your PC vulnerable when Bluetooth is in discoverable mode — that’s when you’re pairing a device; in GNOME that’s when you just have the Bluetooth settings open; easy to have on by accident.
It’s painful for me to say this (I own several PS3 Controllers), but the DS3 is reaching its end-of-life, and we should start to consider moving on from it as a gamepad for PC.
How to re-enable Bluetooth support for the PS3 Controller
This is insecure: It will make your PC an easy target for remote code execution attacks from anyone in close proximity whenever your Bluetooth is in pairing/discoverable mode. It’s usually hard to notice when Bluetooth is in discoverable mode, and it’s very easy to accidentally leave it on. You have been warned.
TL;DR: The following commands should do it, tested on Fedora 39:
sudo sed -iE -e 's/^#ClassicBondedOnly=.*/ClassicBondedOnly=false/' /etc/bluetooth/input.conf
sudo systemctl restart bluetooth
Long version: Use the configuration file at /etc/bluetooth/input.conf
, under the [
section, add the option ]ClassicBondedOnly=false
, then restart the bluetooth service or reboot the computer. Your config file should look like the following:
# Configuration file for the input service
# This section contains options which are not specific to any
# particular interface
[General]
# Set idle timeout (in minutes) before the connection will
# be disconnect (defaults to 0 for no timeout)
#IdleTimeout=30
# Enable HID protocol handling in userspace input profile
# Defaults to false (HIDP handled in HIDP kernel module)
#UserspaceHID=true
# Limit HID connections to bonded devices
# The HID Profile does not specify that devices must be bonded, however some
# platforms may want to make sure that input connections only come from bonded
# device connections. Several older mice have been known for not supporting
# pairing/encryption.
# Defaults to true for security.
ClassicBondedOnly=false
# LE upgrade security
# Enables upgrades of security automatically if required.
# Defaults to true to maximize device compatibility.
#LEAutoSecurity=true
I’m posting this PSA on !linux@lemmy.ml and !linux_gaming@lemmy.world. Please forward this message to other interested Linux communities.
The controller itself is insecure, it doesn’t exactly conform to Bluetooth standard. There’s no indication Sony ever planned cross-compatibility, the DualShock 3 was made to be used only on the PS3 console, where the lack of authorization supposedly wouldn’t be a problem.
Of course, you can still use it on a system where you can accept the risk, as well as on the PS3, or wired. The controllers are not e-waste yet.
What is the risk and how can it be exploited?
Anyone in the vicinity can mimic a bluetooth keyboard, mouse, insert keystrokes, click on your screen. “Vicinity” means “anyone in Bluetooth range”, which for a dedicated attacker with an antenna in a Pringles can means up to about 400 meters (437 American yards) depending on how thick your walls are and how well insulated your house is.
Furthermore, any keystrokes from Bluetooth devices can be intercepted (i.e. the passwords you type onto your Bluetooth keyboard), though that’ll be more difficult from a distance.
Bonus “fun” fact: if you have an Android device that hasn’t received December’s security update, that’ll be vulnerable too, going back all the way to Android 4.4.2!
Can you whitelist your controller Mac address and close the vulnerability?
Also maybe filter input events to only what the ds3 should be sending?
Not with Bluez, no. I suppose you could modify the source code to only allow some MAC addresses to force pair like this, but then an attacker could detect the device is connected in an insecure way and spoof the MAC address later.
Filtering HID devices paired in an insecure way to only accept joystick controllers would reduce the risk (assuming you don’t run something like the Steam full screen UI which comes with a controller capable soft keyboard, I guess?) but that’ll require even more complex modification of the Bluez source code.
With enough source code alterations, anything is possible, but out of the box there are no such limitations.
Good to know. Maybe there’s a need for this type of device pairing and filtering in general, like over USB, PCI, and I2C as well. We already carry around device rules for driver assignments, it wouldn’t be too far of a stretch to define expected behavior for device IDs and provide a mode to filter behavior, like SELinux for devices 🙃🤮
udev does a little protection to some extent (locking user sessions out of device access based on rules), and so does Thunderbolt/USB4 because of its DMA properties, but if you want full protection, you’ll need something like Qubes.
Of course, you could always compile your own kernel with just the drivers you need and nothing more.
Definitely for you to decide, but if you’re on a desktop in a single family home you’re probably fine. A laptop that you bring around with you I would highly advise against. I would probably also evaluate what other functions the computer serves. Just gaming or also do you do your job on that machine. What else does that machine have access to?