JXL Bluetooth HID Keystroke Injection Vulnerability in Android 12.0 Infotainment System

Vulnerability

A vulnerability exists in the Bluetooth Human Interface Device (HID) functionality of the JXL 9 Inch Car Android Double Din Player running Android version 12.0. It allows an attacker to inject arbitrary keystrokes by spoofing a Bluetooth HID keyboard. The root cause is the unit's weak pairing policy: accepting a new HID device requires only a simple confirmation on the head unit, so a malicious device is accepted as a keyboard with nothing else standing between the attacker's radio and the keyboard input path. Once connected, the attacker's input reports are handled exactly like keystrokes from a legitimate keyboard and can open the browser, navigate to attacker-chosen websites, or activate infotainment functions without the user's consent.

Impact

Exploitation gives an attacker the same control as a person typing at the head unit: unauthorized keystroke injection can open web browsers, navigate to arbitrary URLs, or trigger specific infotainment functions, all without the user's knowledge or consent.

Reproduction

To reproduce this vulnerability, an attacker must be within Bluetooth range of the target device. The attacker presents a device that advertises the Bluetooth HID keyboard profile; because pairing demands only a simple confirmation, the head unit accepts it as a keyboard. Once the HID connection is established, the attacker sends keyboard input reports to perform arbitrary actions on the infotainment system.

Added: Dec 4, 2025, 9:26 PM
Updated: Dec 4, 2025, 9:26 PM

Vulnerability Rating

Custom Algorithm

  spread          0.0
  impact          1.3
  exploitability  6.2
  remediation     0.0
  relevance       1.4
  threat          6.4
  urgency         2.9
  incentive       0.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.