KDE Connect Brute-Force Vulnerability in Verification Code Protocol

Vulnerability

The KDE Connect pairing verification-code protocol, in releases before 2025-04-18, derived a verification code of only 8 characters, a search space small enough for an attacker to brute-force. This issue affects KDE Connect versions prior to 1.33.0 on Android, versions prior to 25.04 on desktop and versions prior to 0.5 on iOS, as well as Valent prior to 1.0.0.alpha.47 and GSConnect prior to 59.

Impact

An attacker can generate key pairs until one produces the same verification code as a legitimate device and then present that key pair during pairing, so that the code shown to the user matches and the attacker's device is accepted as the legitimate one.

Remediation

Users are advised to update KDE Connect on all devices to a version that is not vulnerable. The fixed versions add a time-based component to the computation of the verification code, so a matching key pair would have to be found within a short time window, which makes the brute-force attack impractical. For backward compatibility, KDE Connect still uses the old verification-code method when pairing with a device running an earlier version, so the protection only applies when both devices in a pairing are updated. After updating, verify that the device uses protocol version 8, which includes the security fix.
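The following is an added example, not code from KDE Connect or from this advisory, that models the weakness and the fix described above. It assumes the verification code is a SHA-256 hash over the two devices' certificates, truncated to 8 hex digits (16^8 = 2^32 possibilities), and that the fixed protocol binds the code to a pairing timestamp the receiver checks for freshness; the real packet and certificate byte layouts are not reproduced. The demo shortens the code to 4 digits so the grind finishes in well under a second, and reports the work factor for the real 8-digit length.

```python
import hashlib
from typing import Optional, Tuple

# Constructed toy model of a pairing verification code. Added example; the hash
# input layout is an assumption, not KDE Connect's own format.
CODE_LEN = 8  # hex digits the vulnerable protocol shows the user: 32 bits of entropy


def verification_code(cert_a: bytes, cert_b: bytes, timestamp: Optional[int] = None,
                      code_len: int = CODE_LEN) -> str:
    """Code both devices display: SHA-256 over the two certificates in canonical
    order, optionally bound to the pairing timestamp, truncated to code_len hex digits."""
    h = hashlib.sha256()
    for cert in sorted((cert_a, cert_b)):
        h.update(cert)
    if timestamp is not None:
        h.update(timestamp.to_bytes(8, "big"))
    return h.hexdigest()[:code_len].upper()


def expected_attempts(code_len: int = CODE_LEN) -> int:
    """Work factor for a code of code_len hex digits: 16**8 == 2**32 for 8 digits."""
    return 16 ** code_len


def grind_matching_cert(victim_cert: bytes, target_code: str, seed: bytes,
                        timestamp: Optional[int] = None, code_len: int = CODE_LEN,
                        max_attempts: int = 1 << 22) -> Tuple[Optional[bytes], int]:
    """Attacker side: vary a mutable certificate field (modeled as a nonce; real
    certificates carry serial numbers and validity dates) until the code the victim
    would display for the attacker's certificate equals target_code. Each attempt
    costs one hash, not one key generation. Returns (certificate, attempts)."""
    base = b"attacker-cert:" + seed
    for nonce in range(max_attempts):
        candidate = base + nonce.to_bytes(8, "big")
        if verification_code(victim_cert, candidate, timestamp, code_len) == target_code:
            return candidate, nonce + 1
    return None, max_attempts


def accept_pairing(shown_code: str, own_cert: bytes, peer_cert: bytes,
                   pair_timestamp: int, now: int, window_s: int = 30,
                   code_len: int = CODE_LEN) -> bool:
    """Fixed protocol (toy): the code is bound to the timestamp sent with the pair
    request, and the receiver rejects a timestamp outside a freshness window. A
    certificate ground in advance is tied to a stale timestamp, so the whole grind
    would have to finish within window_s seconds."""
    if abs(now - pair_timestamp) > window_s:
        return False
    return verification_code(own_cert, peer_cert, pair_timestamp, code_len) == shown_code


if __name__ == "__main__":
    victim, peer = b"victim-cert", b"legit-peer-cert"  # constructed sample certificates
    target = verification_code(victim, peer, code_len=4)
    cert, n = grind_matching_cert(victim, target, seed=b"demo", code_len=4)
    print(f"4-digit code {target} matched after {n} attempts; "
          f"8 digits need about {expected_attempts(8):,} attempts")
    t0 = 1_700_000_000
    target_t = verification_code(victim, peer, t0, code_len=4)
    cert_t, _ = grind_matching_cert(victim, target_t, seed=b"demo", timestamp=t0, code_len=4)
    print("fresh timestamp accepted:", accept_pairing(target_t, victim, cert_t, t0, now=t0 + 5, code_len=4))
    print("stale timestamp accepted:", accept_pairing(target_t, victim, cert_t, t0, now=t0 + 600, code_len=4))
```

The point the model makes is that the cost of the attack is a hash per attempt, not a key generation per attempt, because a certificate has fields an attacker can vary freely; 2^32 hashes is well within reach of a single machine. Binding the code to a timestamp does not enlarge the search space, but it forces the grind to complete inside the receiver's freshness window and discards any certificate prepared in advance.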

Added: Dec 5, 2025, 5:19 AM
Updated: Dec 5, 2025, 5:19 AM

Vulnerability Rating

Custom Algorithm

  category        score
  spread          5.4
  impact          1.3
  exploitability  4.7
  remediation     8.3
  relevance       1.4
  threat          0.0
  urgency         2.9
  incentive       0.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.