PSA: Bluetooth vulnerability and PS3 Controllers on Linux in 2024

In late 2023 a Bluetooth vulnerability, CVE-2023-45866, was discovered and patched in BlueZ. By now, this vulnerability should be fixed on all Linux distributions. The fix has one compatibility implication: support for insecure legacy devices is now disabled by default. The Sony PlayStation 3 Controller (AKA DualShock 3 or DS3) is probably the most notable device affected by this change.

What to do if you have a PS3 Controller

The PS3 Controller should still be plug-and-play on Linux when used wired; this change only affects wireless use.

Wireless use is now disabled by default. It should still be possible to use the controller wirelessly with a configuration change, but that will make your PC vulnerable when Bluetooth is in discoverable mode — that’s when you’re pairing a device; in GNOME that’s when you just have the Bluetooth settings open; easy to have on by accident.

It’s painful for me to say this (I own several PS3 Controllers), but the DS3 is reaching its end-of-life, and we should start to consider moving on from it as a gamepad for PC.

How to re-enable Bluetooth support for the PS3 Controller

This is insecure: It will make your PC an easy target for remote code execution attacks from anyone in close proximity whenever your Bluetooth is in pairing/discoverable mode. It’s usually hard to notice when Bluetooth is in discoverable mode, and it’s very easy to accidentally leave it on. You have been warned.

TL;DR: The following commands should do it, tested on Fedora 39:

sudo sed -Ei~ -e 's/^#ClassicBondedOnly=.*/ClassicBondedOnly=false/' /etc/bluetooth/input.conf
sudo systemctl restart bluetooth

Long version: Use the configuration file at /etc/bluetooth/input.conf, under the [General] section, add the option ClassicBondedOnly=false, then restart the bluetooth service or reboot the computer. Your config file should look like the following:

# Configuration file for the input service

# This section contains options which are not specific to any
# particular interface
[General]

# Set idle timeout (in minutes) before the connection will
# be disconnect (defaults to 0 for no timeout)
#IdleTimeout=30

# Enable HID protocol handling in userspace input profile
# Defaults to false (HIDP handled in HIDP kernel module)
#UserspaceHID=true

# Limit HID connections to bonded devices
# The HID Profile does not specify that devices must be bonded, however some
# platforms may want to make sure that input connections only come from bonded
# device connections. Several older mice have been known for not supporting
# pairing/encryption.
# Defaults to true for security.
ClassicBondedOnly=false

# LE upgrade security
# Enables upgrades of security automatically if required.
# Defaults to true to maximize device compatibility.
#LEAutoSecurity=true

I’m posting this PSA on [email protected] and [email protected]. Please forward this message to other interested Linux communities.
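
A defensive check to go with the instructions above, added here and not part of the original post: the script reads an input.conf and reports whether ClassicBondedOnly is effectively disabled in [General], treating a commented-out or missing entry as the default (true). The function names and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): audit a BlueZ input.conf.

# Print the effective ClassicBondedOnly value ("true" or "false") from the
# [General] section of the file in $1. A commented-out or missing entry
# means the default, which the config comments give as true.
effective_classic_bonded_only() {
    awk '
        /^[ \t]*\[/ {                        # section header, e.g. [General]
            section = $0
            sub(/^[ \t]*\[/, "", section); sub(/\].*$/, "", section)
            next
        }
        /^[ \t]*(#|$)/ { next }              # comment or blank line
        section == "General" && index($0, "=") {
            key = substr($0, 1, index($0, "=") - 1)
            val = substr($0, index($0, "=") + 1)
            gsub(/[ \t]/, "", key); gsub(/[ \t]/, "", val)
            if (key == "ClassicBondedOnly") value = val
        }
        # GLib key files accept "false" or "0" as boolean false.
        END { if (value == "false" || value == "0") print "false"; else print "true" }
    ' "$1"
}

# Exit status 0 if only bonded devices may connect, 1 if the legacy
# (unbonded) path is open. Prints a one-line finding either way.
audit_input_conf() {
    if [ "$(effective_classic_bonded_only "$1")" = "true" ]; then
        echo "OK: $1 limits HID connections to bonded devices"
    else
        echo "WARN: $1 sets ClassicBondedOnly=false; unbonded HID devices accepted"
        return 1
    fi
}

# Constructed sample mirroring the edited file shown in the post.
sample=$(mktemp)
cat > "$sample" <<'EOF'
[General]
#IdleTimeout=30
#UserspaceHID=true
ClassicBondedOnly=false
#LEAutoSecurity=true
EOF
audit_input_conf "$sample" || true
rm -f "$sample"
```

Point `audit_input_conf` at /etc/bluetooth/input.conf on a real system; `bluetoothctl show` reports the adapter's current Discoverable state.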

  • leopold@lemmy.kde.social · 26 upvotes · 9 months ago

    So just to clarify, there’s no way to support the DualShock 3 without introducing a security hole? Or is the security hole only a problem with the current driver which could eventually be fixed, rather than something inherent to the device? Also, is there a list of affected devices outside the DualShock 3? Will the Wiimote still work, for instance?

    The DualShock is old, but I’ve always appreciated how I could have all of my gamepads just work on Linux, from the Wiimote to the DualSense. On Windows, most of them needed third party unofficial drivers to be installed and/or would be missing functionality, like motion controls or Bluetooth support. Would be a big shame if it just stopped working wirelessly. Still, I have a lot of significantly better gamepads by now, including a DualSense, so DualShock 3 support isn’t something I really need anymore unless I have a lot of people over and need to connect a lot of controllers.

    • jntesteves@lemmy.world (OP) · 21 upvotes · 9 months ago

      The controller itself is insecure; it doesn’t exactly conform to the Bluetooth standard. There’s no indication Sony ever planned cross-compatibility; the DualShock 3 was made to be used only on the PS3 console, where the lack of authorization supposedly wouldn’t be a problem.

      Of course, you can still use it on a system where you can accept the risk, as well as on the PS3, or wired. The controllers are not e-waste yet.

          • mvirts@lemmy.world · 4 upvotes · 9 months ago

            Can you whitelist your controller MAC address and close the vulnerability?

            Also maybe filter input events to only what the DS3 should be sending?

        • Rockslide0482@discuss.tchncs.de · 2 upvotes · 9 months ago

          Definitely for you to decide, but if you’re on a desktop in a single family home you’re probably fine. A laptop that you bring around with you I would highly advise against. I would probably also evaluate what other functions the computer serves. Just gaming, or do you also do your job on that machine? What else does that machine have access to?