PSA: Bluetooth vulnerability and PS3 Controllers on Linux in 2024
In late 2023 a Bluetooth vulnerability CVE-2023-45866 was discovered and patched in Bluez. By now, this vulnerability should be fixed on all Linux distributions. The fix has one compatibility implication: support for insecure legacy devices is now disabled by default. The Sony PlayStation 3 Controller (AKA DualShock 3 or DS3) is probably the most notable device affected by this change.
What to do if you have a PS3 Controller
The PS3 Controller should still be plug-and-play on Linux when used wired, this change only affects wireless use.
Wireless use is now disabled by default. It should still be possible to use the controller wirelessly with a configuration change, but that will make your PC vulnerable when Bluetooth is in discoverable mode — that’s when you’re pairing a device; in GNOME that’s when you just have the Bluetooth settings open; easy to have on by accident.
It’s painful for me to say this (I own several PS3 Controllers), but the DS3 is reaching its end-of-life, and we should start to consider moving on from it as a gamepad for PC.
How to re-enable Bluetooth support for the PS3 Controller
This is insecure: It will make your PC an easy target for remote code execution attacks from anyone in close proximity whenever your Bluetooth is in pairing/discoverable mode. It’s usually hard to notice when Bluetooth is in discoverable mode, and it’s very easy to accidentally leave it on. You have been warned.
TL;DR: The following commands should do it, tested on Fedora 39:
sudo sed -Ei~ -e 's/^#ClassicBondedOnly=.*/ClassicBondedOnly=false/' /etc/bluetooth/input.conf
sudo systemctl restart bluetooth
Long version: Use the configuration file at /etc/bluetooth/input.conf
, under the [
section, add the option ]ClassicBondedOnly=false
, then restart the bluetooth service or reboot the computer. Your config file should look like the following:
# Configuration file for the input service
# This section contains options which are not specific to any
# particular interface
[General]
# Set idle timeout (in minutes) before the connection will
# be disconnect (defaults to 0 for no timeout)
#IdleTimeout=30
# Enable HID protocol handling in userspace input profile
# Defaults to false (HIDP handled in HIDP kernel module)
#UserspaceHID=true
# Limit HID connections to bonded devices
# The HID Profile does not specify that devices must be bonded, however some
# platforms may want to make sure that input connections only come from bonded
# device connections. Several older mice have been known for not supporting
# pairing/encryption.
# Defaults to true for security.
ClassicBondedOnly=false
# LE upgrade security
# Enables upgrades of security automatically if required.
# Defaults to true to maximize device compatibility.
#LEAutoSecurity=true
I’m posting this PSA on [email protected] and [email protected]. Please forward this message to other interested Linux communities.
It seems that you are vulnerable during pairing which is for like a minute. What am I missing?
I said this twice on the PSA: it’s hard to tell if your device is in discoverable mode, and it’s easy to forget it in that state, or start it accidentally. I’ve caught my devices accidentally in discoverable mode many times. You could have your PC a whole week in discoverable mode and never notice it, just by having a settings window left open.
It’s more risk than most people should take, hence the warning.
Still, if you’re comfortable with the risk, you’re free to change the config and allow insecure devices.
Given the attacker needs to be within close proximity, it doesnt feel like a very concerning risk for most people. The attacker would need to dedicate time to physically come to your location and deliberately target you?
Maybe for laptops in public places, but a desktop at home is probably fine unless you have very motivated enemies?
Well, no. The biggest issue is automation. There are already people abusing Bluetooth’s nearby devices functionality that makes iPhones and Androids unusable on a subway for example.