Apple has released a firmware update for its proprietary wireless keyboards after a researcher demonstrated he could exploit a flaw to inject keystrokes and perform actions posing as the user.
Marc Newlin of SkySafe had been toying with Bluetooth hacks as a challenge when he discovered “unauthenticated Bluetooth keystroke-injection vulnerabilities” in macOS and iOS, both exploitable in Lockdown Mode.
“When I found similar keystroke-injection vulnerabilities in Linux and Android, it started to look less like an implementation bug, and more like a protocol flaw,” Newlin explains. “After reading some of the Bluetooth HID specification, I discovered that it was a bit of both.”
According to his research, a motivated attacker with physical access to the target device can trick the Bluetooth host state machine into pairing with a fake keyboard without user confirmation.
Once paired with the target device, the attacker can inject keystrokes to perform actions as the victim – install apps, run arbitrary commands, forward messages, etc. – provided those actions don't require a password or biometric authentication.
In theory, an attacker could exploit the flaw to run the software of their choosing, including malware.
Newlin notified Apple of the weakness a while ago, prompting the Cupertino tech giant to release a fix in the form of a firmware update.
Magic Keyboard Firmware Update 2.0.6 addresses the issue in Magic Keyboard; Magic Keyboard (2021); Magic Keyboard with Numeric Keypad; Magic Keyboard with Touch ID; and Magic Keyboard with Touch ID and Numeric Keypad.
“A session management issue was addressed with improved checks,” according to the tech giant’s advisory.
Apple’s support document makes no mention of the flaw being exploited in the wild, and neither does Newlin. Nonetheless, netizens should always ensure they are running the latest version of the software supplied by their device’s vendor, including firmware updates like this one.
For peace of mind, it’s recommended that you also always run a dedicated security solution on your device.