A serious flaw in Bluetooth could allow hackers to take control of your device.

With the discovery of two new vulnerabilities that put iPhones, Android smartphones, Macs and other devices at risk of attack, it may seem like a reasonable idea to turn Bluetooth off completely when in public.

The first vulnerability, known as BLUFFS, allows an attacker to impersonate your device; the second can be exploited to gain full control of your device as if it were paired with a Bluetooth keyboard.

As reported by Dark Reading, this newly discovered critical Bluetooth vulnerability (tracked as CVE-2022-45866) is a keystroke injection flaw. Worse yet, this fake keyboard can connect to your device without your confirmation.

The flaw itself was discovered by Marc Newlin of SkySafe, who detailed his findings in a blog post. He explained that he encountered the flaw while investigating Apple's Magic Keyboard. Newlin soon realized that the flaw is exploitable even in iOS and macOS Lockdown Mode, and that Android and Linux devices are vulnerable as well.

Once an attacker pairs an emulated Bluetooth keyboard with a smartphone or computer, they can perform any action that does not require a password or fingerprint. From installing new apps to forwarding emails and text messages, there are many things someone can do without direct access to your device.

Unlike the recently discovered flaw in the Bluetooth protocol, this flaw has existed for at least a decade. According to Newlin, the reason it went undetected for so long is that it was a relatively simple flaw that was hidden in plain sight.

While other security researchers are looking for weaknesses in Bluetooth's encryption scheme, few have thought to look for bugs in such a simple authentication bypass.

As for the best Android phones, they have been vulnerable to this flaw since 2012, when Android 4.2.2 was released. The flaw was patched in the Linux kernel in 202, but for reasons that are unclear, Newlin's research found that the fix was left disabled by default.

Since his discovery, Newlin has informed Apple, Google, and the Bluetooth SIG about the flaw. Most of the affected devices have been patched, but some devices, including many of the top-of-the-line MacBooks, iPhones, and Android smartphones, are still vulnerable.

As for malware and malicious apps, the best antivirus software and the best Android antivirus apps can protect devices from potential attacks. Unfortunately, the same cannot be said for attacks that exploit Bluetooth flaws.

Because an attacker needs to be in close proximity to you and your device in order to exploit this flaw, the only real mitigation is to disable Bluetooth in public. That is a genuine inconvenience for those using wireless earphones or the best smartwatches, and especially so for those wearing Bluetooth hearing aids.

Thankfully, this is a critical vulnerability that Apple, Google, other hardware manufacturers, and the Bluetooth SIG have already been notified of. As such, it is recommended that new security updates for smartphones and computers be installed as soon as they become available.

We will update this article as we learn more about this vulnerability and how companies plan to address it.