CVE-2023-45866: BlueDucky Bluetooth Exploit Explained – Wireless HID Injection Attacks Using DuckyScript
A security researcher walks into a crowded airport carrying what looks like an ordinary backpack.
Inside the bag is a Raspberry Pi quietly scanning nearby Bluetooth devices.
No phishing email.
No malicious APK.
No USB drop attack.
Just Bluetooth.
Within seconds, vulnerable devices nearby begin responding to unauthorized Bluetooth HID requests. A smartphone suddenly opens a browser window by itself. Commands begin typing automatically on the screen.
This is the real-world danger behind CVE-2023-45866 and tools like BlueDucky.
The vulnerability exposed how insecure Bluetooth HID implementations could allow attackers to impersonate trusted keyboards and inject commands into nearby devices without proper authentication.
For SOC analysts, red teams, penetration testers, DFIR investigators, and enterprise defenders, this attack demonstrates why Bluetooth security is becoming one of the most overlooked attack surfaces in modern cybersecurity.
Table of Contents
- CVE-2023-45866 Overview
- What is BlueDucky?
- How the Attack Works
- Real-World Attack Scenario
- System Requirements
- Debian-Based Installation
- Arch Linux Installation
- Running BlueDucky
- Command Breakdown
- Understanding Payload.txt
- Detection & SOC Monitoring
- Mitigation & Prevention
- Expert Security Tips
- FAQ
- Conclusion
CVE-2023-45866 Overview
CVE-2023-45866 is a Bluetooth HID vulnerability that may allow attackers to perform unauthorized keyboard injection attacks against nearby vulnerable devices.
The issue occurs because some Bluetooth stacks improperly validate HID pairing requests, allowing malicious devices to impersonate trusted keyboards.
Attackers can potentially:
- Inject keystrokes remotely
- Execute commands
- Open malicious websites
- Launch applications
- Trigger malware downloads
- Manipulate mobile devices
The attack is especially dangerous because operating systems generally trust HID devices like keyboards and mice.
What is BlueDucky?
BlueDucky is a proof-of-concept offensive security tool created to demonstrate Bluetooth HID injection attacks using DuckyScript payloads.
The tool supports:
- Bluetooth device scanning
- Saving discovered devices
- Reconnecting to previously known devices
- HID keyboard emulation
- DuckyScript payload execution
The tool gained significant attention because it could operate using low-cost hardware such as a Raspberry Pi 4.
How the Attack Works
Step 1 — Bluetooth Discovery
The attacker scans for nearby Bluetooth-enabled devices.
Step 2 — HID Device Emulation
The attacker impersonates a Bluetooth keyboard.
Step 3 — Unauthorized Pairing
Vulnerable devices improperly accept the HID connection.
Step 4 — Payload Execution
DuckyScript commands execute automatically.
Real-World Attack Scenario
During a wireless red team assessment inside a corporate office, a security tester used a Raspberry Pi hidden inside a messenger bag.
The device continuously scanned nearby Bluetooth-enabled smartphones.
One vulnerable Android device accepted the malicious HID request.
Moments later:
- The browser opened automatically
- A phishing URL was typed
- Commands executed without user interaction
- The victim believed the phone was malfunctioning
Meanwhile, SOC analysts only saw unusual outbound traffic and had no visibility into the Bluetooth activity that initiated the compromise.
System Requirements
- Raspberry Pi 4 or Linux system
- Bluetooth adapter
- Python 3
- BlueZ Bluetooth stack
- Bluetooth-enabled target devices
Debian-Based Installation
1. Update System Packages
sudo apt-get update
What it does:
- Refreshes package repositories
- Downloads latest package indexes
When to use:
- Before installing dependencies
2. Upgrade Installed Packages
sudo apt-get -y upgrade
What it does:
- Updates installed packages to latest versions
Expected Output:
- System packages upgrade automatically
3. Install Bluetooth Dependencies
sudo apt install -y bluez-tools bluez-hcidump libbluetooth-dev \
  git gcc python3-pip python3-setuptools python3-pydbus
What it does:
- Installs Bluetooth utilities
- Installs Python dependencies
- Installs Bluetooth development libraries
Important Packages:
| Package | Purpose |
| --- | --- |
| bluez-tools | Bluetooth management tools |
| bluez-hcidump | Bluetooth packet capture |
| libbluetooth-dev | Bluetooth development libraries |
| python3-pydbus | Python D-Bus Bluetooth communication |
4. Clone PyBluez Repository
git clone https://github.com/pybluez/pybluez.git
What it does:
- Downloads PyBluez Bluetooth Python library source code
5. Navigate Into PyBluez Directory
cd pybluez
What it does:
- Changes current working directory
6. Install PyBluez
sudo python3 setup.py install
What it does:
- Builds and installs Python Bluetooth library
7. Clone BlueZ Source Code
cd ~/
git clone --depth=1 https://github.com/bluez/bluez.git
What it does:
- Downloads BlueZ Bluetooth stack source code
8. Build bdaddr Utility
gcc -o bdaddr ~/bluez/tools/bdaddr.c ~/bluez/src/oui.c -I ~/bluez -lbluetooth
What it does:
- Compiles Bluetooth MAC address utility
9. Install bdaddr
sudo cp bdaddr /usr/local/bin/
What it does:
- Copies utility into executable system path
Arch Linux Installation
1. Update Arch Packages
sudo pacman -Syyu
2. Install Dependencies
sudo pacman -S bluez-tools bluez-utils bluez-deprecated-tools \
  python-setuptools python-pydbus python-dbus \
  git gcc python-pip
3. Clone PyBluez
git clone https://github.com/pybluez/pybluez.git
4. Enter Directory
cd pybluez
5. Install PyBluez
sudo python3 setup.py install
6. Download BlueZ Source
cd ~/
git clone --depth=1 https://github.com/bluez/bluez.git
7. Compile bdaddr
gcc -o bdaddr ~/bluez/tools/bdaddr.c ~/bluez/src/oui.c -I ~/bluez -lbluetooth
8. Install bdaddr Binary
sudo cp bdaddr /usr/local/bin/
Running BlueDucky
1. Clone BlueDucky Repository
git clone https://github.com/pentestfunctions/BlueDucky.git
Purpose:
- Downloads BlueDucky source code
2. Enter BlueDucky Directory
cd BlueDucky
3. Enable Bluetooth Interface
sudo hciconfig hci0 up
Purpose:
- Activates Bluetooth adapter
Expected Result:
- Bluetooth interface becomes operational
4. Execute BlueDucky
python3 BlueDucky.py
Purpose:
- Starts Bluetooth scanning
- Loads known devices
- Initiates HID interactions
5. Alternative Dependency Installation
pip3 install -r requirements.txt
Purpose:
- Installs Python package dependencies automatically
Command Breakdown
| Command | Purpose |
| --- | --- |
| hciconfig hci0 up | Enable Bluetooth adapter |
| python3 BlueDucky.py | Run BlueDucky tool |
| pip3 install -r requirements.txt | Install Python dependencies |
| git clone | Download repositories |
| gcc -o bdaddr | Compile Bluetooth utility |
Understanding Payload.txt
BlueDucky executes commands using a payload.txt file.
The file contains DuckyScript instructions that simulate keyboard actions.
Typical benign testing actions include:
- Opening a text editor
- Typing awareness messages
- Launching harmless URLs
- Demonstrating unauthorized keyboard control
Organizations should only test these techniques inside authorized lab environments or approved penetration tests.
Detection & SOC Monitoring
Potential Indicators of Compromise
| IOC | Description |
| --- | --- |
| Unexpected Bluetooth Pairing | Unknown HID devices connecting |
| Ghost Typing | Automated keyboard behavior |
| Unexpected Browser Activity | Browser launching automatically |
| Terminal Launches | PowerShell or shell opening unexpectedly |
| Bluetooth Service Logs | Unauthorized HID registrations |
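To turn the "Unexpected Bluetooth Pairing" and "Bluetooth Service Logs" indicators above into a check a SOC can run on Linux hosts, here is an added example (not part of the original article or of BlueDucky) that scans kernel/BlueZ log lines for Bluetooth HID keyboard attachments and flags any whose peer address is not on a known-device allowlist. The log lines, addresses, vendor IDs and the exact message format are constructed sample data; verify the real format with `journalctl -k` and `journalctl -u bluetooth` on your hosts before deploying the regex.

```python
import re
from dataclasses import dataclass

# When a Bluetooth keyboard attaches, the kernel HID layer logs the device name and the
# peer address. The line format matched here is a constructed sample, not a guarantee.
HID_RE = re.compile(
    r"hid-generic\s+0005:[0-9A-F]{4}:[0-9A-F]{4}\.[0-9A-F]{4}:\s+input,hidraw\d+:\s+"
    r"BLUETOOTH HID v[\d.]+\s+(?P<kind>\w+)\s+\[(?P<name>[^\]]+)\]\s+on\s+"
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})",
    re.IGNORECASE,
)

@dataclass(frozen=True)
class HidEvent:
    name: str      # device name reported by the peer (attacker-controlled, do not trust it)
    kind: str      # Keyboard, Mouse, ...
    mac: str       # Bluetooth address of the peer, lower-cased
    allowed: bool  # True when the address is on the organisation's allowlist

def parse_hid_events(lines, allowlist):
    """Return one HidEvent per Bluetooth HID attachment found in `lines`."""
    allow = {m.lower() for m in allowlist}
    events = []
    for line in lines:
        m = HID_RE.search(line)
        if m:
            mac = m["mac"].lower()
            events.append(HidEvent(m["name"], m["kind"], mac, mac in allow))
    return events

def suspicious_keyboards(lines, allowlist):
    """Keyboards attached from addresses not on the allowlist: the HID-injection IOC."""
    return [e for e in parse_hid_events(lines, allowlist)
            if e.kind.lower() == "keyboard" and not e.allowed]

# Constructed sample log lines; the addresses and vendor IDs are placeholders.
SAMPLE_LOG = [
    "Jan 10 09:12:01 ws01 kernel: hid-generic 0005:046D:B342.0001: input,hidraw0: "
    "BLUETOOTH HID v1.00 Keyboard [Logitech K380] on aa:bb:cc:11:22:33",
    "Jan 10 09:15:44 ws01 bluetoothd[812]: Endpoint registered: sender=:1.35 path=/MediaEndpoint/A2DPSink/sbc",
    "Jan 10 09:40:07 ws01 kernel: hid-generic 0005:0000:0000.0002: input,hidraw1: "
    "BLUETOOTH HID v1.00 Keyboard [Keyboard] on 0c:31:de:ad:be:ef",
    "Jan 10 09:41:00 ws01 kernel: hid-generic 0005:046D:B019.0003: input,hidraw2: "
    "BLUETOOTH HID v1.00 Mouse [MX Anywhere] on 11:22:33:44:55:66",
]
ALLOWLIST = ["AA:BB:CC:11:22:33"]  # corporate-issued keyboards (constructed placeholder)

if __name__ == "__main__":
    for e in suspicious_keyboards(SAMPLE_LOG, ALLOWLIST):
        print(f"ALERT: unexpected Bluetooth keyboard {e.name!r} attached from {e.mac}")
```

Feed the same function the output of `journalctl -k -o short` (one line per record) to run it against live hosts; correlating each alert with the process-execution telemetry mentioned later in this article is what separates a forgotten personal keyboard from an injection attempt.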
Linux Bluetooth Logs
journalctl -u bluetooth
grep bluetooth /var/log/syslog
Mitigation & Prevention
Apply Security Patches
Update Bluetooth stacks immediately.
Disable Bluetooth When Unused
This remains one of the strongest defenses.
Restrict HID Pairing
Enterprise MDM solutions should enforce Bluetooth restrictions.
Monitor Wireless Threats
Bluetooth telemetry should become part of SOC monitoring pipelines.
User Awareness
Employees should report:
- Unexpected typing behavior
- Unknown Bluetooth prompts
- Strange mobile activity
Expert Security Tips
For SOC Teams
- Include Bluetooth in threat models
- Monitor HID registrations
- Correlate Bluetooth activity with process execution
For Red Teams
- Use non-destructive payloads
- Operate only with authorization
- Document all wireless testing activities
For Enterprises
- Audit Bluetooth usage
- Restrict unmanaged wireless devices
- Perform wireless penetration testing regularly
Frequently Asked Questions
Is CVE-2023-45866 dangerous?
Yes. The vulnerability can allow unauthorized Bluetooth HID injection attacks.
Can attackers execute commands remotely?
Attackers within Bluetooth range may inject keyboard input into vulnerable devices.
Why are HID attacks effective?
Operating systems inherently trust keyboards and mice.
Can EDR tools detect BlueDucky?
Sometimes indirectly through suspicious process execution or abnormal user activity.
Why is Raspberry Pi commonly used?
It is portable, inexpensive, and supports Linux Bluetooth tooling.
Conclusion
BlueDucky and CVE-2023-45866 revealed a dangerous blind spot in enterprise cybersecurity: Bluetooth security.
While organizations spend millions protecting email, cloud infrastructure, and endpoints, many completely ignore nearby wireless attack surfaces.
Bluetooth HID attacks prove that proximity-based threats are becoming increasingly realistic.
For defenders, the lesson is clear:
Wireless security visibility must improve.
Because the next compromise may not arrive through phishing.
It may arrive silently over Bluetooth.