KDE Connect Protocol Vulnerability

MEDIUM (4.7) No Patch (9 days)

Threat Intelligence

Low Risk
EPSS Score: 0.02% chance of exploitation (percentile: 5%)
🔍 Detection Tools: None available in major open-source tools
⚔️ Exploit Availability: No public exploits found


What is it?

KDE Connect is a protocol used by several Linux desktop environments to share files and other data between devices: it lets users transfer files, messages and media between their computers and mobile devices. The vulnerability concerns how device IDs are correlated across packets, which can allow an attacker to bypass authentication and gain unauthorized access to connected devices.

Am I affected?

You're affected if you use KDE Connect versions 25.12 or earlier on desktop, 0.5.4 or earlier on iOS, 1.34.4 or earlier on Android, GSConnect version 68 or earlier, or Valent version 1.0.0.alpha.49.

Check with: ls /usr/share/kdeconnect/ (on Linux), or, on iOS, search for "kdeconnect" in the device's settings.

Note: This vulnerability is specific to KDE Connect and not related to other similar protocols like GSConnect or Valent.

Affected Products

The KDE Project / KDE Connect

How to fix

  1. Upgrade to KDE Connect version 25.12 or later on desktop.
  2. Update to GSConnect version 69 or later on Android.
  3. Install Valent version 1.0.0.alpha.50 or later on iOS.
  4. Immediate mitigations:
     - Restrict network access to your connected devices (firewall them from the public internet).
     - Monitor for suspicious activity and unauthorized device connections.