PSA: Bluetooth vulnerability and PS3 Controllers on Linux in 2024

In late 2023 a Bluetooth vulnerability CVE-2023-45866 was discovered and patched in Bluez. By now, this vulnerability should be fixed on all Linux distributions. The fix has one compatibility implication: support for insecure legacy devices is now disabled by default. The Sony PlayStation 3 Controller (AKA DualShock 3 or DS3) is probably the most notable device affected by this change.

What to do if you have a PS3 Controller

The PS3 Controller should still be plug-and-play on Linux when used wired, this change only affects wireless use.

Wireless use is now disabled by default. It should still be possible to use the controller wirelessly with a configuration change, but that will make your PC vulnerable when Bluetooth is in discoverable mode — that’s when you’re pairing a device; in GNOME that’s when you just have the Bluetooth settings open; easy to have on by accident.

It’s painful for me to say this (I own several PS3 Controllers), but the DS3 is reaching its end-of-life, and we should start to consider moving on from it as a gamepad for PC.

How to re-enable Bluetooth support for the PS3 Controller

This is insecure: It will make your PC an easy target for remote code execution attacks from anyone in close proximity whenever your Bluetooth is in pairing/discoverable mode. It’s usually hard to notice when Bluetooth is in discoverable mode, and it’s very easy to accidentally leave it on. You have been warned.

TL;DR: The following command should do it, tested on Fedora 39:

sudo sed -iE -e 's/^#ClassicBondedOnly=.*/ClassicBondedOnly=false/' /etc/bluetooth/input.conf && sudo systemctl restart bluetooth

Long version: Use the configuration file at /etc/bluetooth/input.conf, under the [General] section, add the option ClassicBondedOnly=false, then restart the bluetooth service or reboot the computer. Your config file should look like the following:

# Configuration file for the input service

# This section contains options which are not specific to any
# particular interface
[General]

# Set idle timeout (in minutes) before the connection will
# be disconnect (defaults to 0 for no timeout)
#IdleTimeout=30

# Enable HID protocol handling in userspace input profile
# Defaults to false (HIDP handled in HIDP kernel module)
#UserspaceHID=true

# Limit HID connections to bonded devices
# The HID Profile does not specify that devices must be bonded, however some
# platforms may want to make sure that input connections only come from bonded
# device connections. Several older mice have been known for not supporting
# pairing/encryption.
# Defaults to true for security.
ClassicBondedOnly=false

# LE upgrade security
# Enables upgrades of security automatically if required.
# Defaults to true to maximize device compatibility.
#LEAutoSecurity=true

I’m posting this PSA on !linux@lemmy.ml and !linux_gaming@lemmy.world. Please forward this message to other interested Linux communities.

  • bitwolf@lemmy.one
    link
    fedilink
    arrow-up
    0
    ·
    edit-2
    9 months ago

    I am very happy with the 8bitdo Pro 2 and the Gulikit King Kong 2 The dpad is a similar diameter but feels more rigid.

    For the 8bitdo: The 4 buttons are spaced a bit further, and the buttons have a more prominent corner on them. All of the buttons have a satisfying action and travel. I like that the battery is easily removed.

    Only wishlist item would be for hall joysticks.

    The Gulikit King Kong 2:

    Feels like a very high quality Xbox styled controller. I am wary of the shoulder buttons of Xbox styled controllers but these do feel like a different type of switch internally so maybe it’ll last longer.