
Apple fixes magic keyboard bug enabling Bluetooth traffic monitoring


A rare Bluetooth keyboard injection issue, identified as CVE-2024-0230, was discovered, and Apple has quickly resolved the problem with the release of Magic Keyboard Firmware Update 2.0.6.

According to the company, the flaw, which has been classified as a session management issue, allows an attacker with physical access to the accessory to extract the Bluetooth pairing key. This could potentially lead to the eavesdropping of Bluetooth conversations, putting users’ privacy and security at risk.

The discovery of this vulnerability was credited to Marc Newlin from SkySafe, who pointed out the potential dangers posed by unauthenticated Bluetooth connections. When an attacker is within close proximity of a victim, they can exploit this vulnerability to connect to the vulnerable device and manipulate keystrokes. This could allow the attacker to carry out a range of malicious activities, such as installing apps, sending messages, and executing arbitrary commands.

For the vulnerabilities to be exploited, the Bluetooth host state machine must be tricked into pairing with a phony keyboard without user confirmation. This presents a significant security risk, as unpatched devices, including Android, Linux/BlueZ, iOS, and macOS, are vulnerable to exploitation.

The affected models of the Magic Keyboard include Magic Keyboard (2021), Magic Keyboard with Numeric Keypad, Magic Keyboard with Touch ID, and Magic Keyboard with Touch ID and Numeric Keypad.

While the researcher noted that attacks that exploit the vulnerability may still be able to access Lockdown Mode, it is currently unknown whether attackers have taken advantage of the vulnerability in real-world scenarios.

The release of the Magic Keyboard Firmware Update 2.0.6 is a significant move by Apple, as the company typically only releases new and updated designs once a year. The recent iPhone 15 lineup was unveiled at its Wanderlust event in 2023, featuring new and enhanced features.

However, Apple’s decision to roll out a firmware update for the Magic Keyboard underscores the company’s commitment to addressing potential security risks promptly. The unusual nature of this update highlights the importance of prioritizing security and protecting users from potential threats.

Fortunately for users, the update has been released, and they do not need to update their devices manually. The fix will automatically take effect as long as the keyboard is paired via Bluetooth with its home device. Users can check the firmware version of their Magic Keyboard by opening the system settings and the Bluetooth menu, where they can view the version it is running and whether a new update is available for download.
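The version check described above can also be scripted when several Macs need auditing. The following is an added example, not code from Apple or from the original article: it parses a Bluetooth device listing and flags any Magic Keyboard reporting firmware older than 2.0.6. The sample text is constructed, and its layout is an assumption about what `system_profiler SPBluetoothDataType` prints.

```python
import re

FIXED = (2, 0, 6)  # Magic Keyboard Firmware Update 2.0.6, the fix named in the article

# Constructed sample; the indented "Header:" / "Key: value" layout is an assumption
# about what `system_profiler SPBluetoothDataType` prints on the Mac being checked.
SAMPLE = """\
Bluetooth:
    Connected:
        Magic Keyboard with Touch ID:
            Address: 00:11:22:33:44:55
            Firmware Version: 2.0.3
        Desk Mouse:
            Firmware Version: 1.2.0
    Not Connected:
        Magic Keyboard with Numeric Keypad:
            Firmware Version: 2.0.6
        Magic Keyboard:
            Address: 00:11:22:33:44:66
"""

def parse_devices(text):
    """Map every header line to the key/value pairs listed beneath it."""
    devices, current = {}, None
    for line in text.splitlines():
        s = line.strip()
        if s.endswith(":") and ": " not in s:
            current = devices.setdefault(s[:-1], {})
        elif ": " in s and current is not None:
            key, value = s.split(": ", 1)
            current[key] = value
    return devices

def audit(text, fixed=FIXED):
    """Return (name, firmware, status) for each entry named like a Magic Keyboard."""
    results = []
    for name, props in parse_devices(text).items():
        if "Magic Keyboard" not in name:  # heuristic: renamed keyboards are missed
            continue
        raw = props.get("Firmware Version")
        if raw is None or not re.fullmatch(r"\d+(\.\d+)*", raw):
            results.append((name, raw, "unknown"))  # not reported: check by hand
            continue
        version = tuple(int(part) for part in raw.split("."))
        results.append((name, raw, "ok" if version >= fixed else "outdated"))
    return results

if __name__ == "__main__":
    for name, raw, status in audit(SAMPLE):
        print(f"{status:9}{name} (firmware: {raw})")
```

Keyboards that report no firmware version are returned as "unknown" rather than assumed patched, so they can be checked by hand in the Bluetooth menu.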

In conclusion, the release of the Magic Keyboard Firmware Update 2.0.6 serves as a reminder of the ongoing efforts to address vulnerabilities and protect users from potential threats. With the security fix in place, Apple users can continue to enjoy the convenience and efficiency of the Magic Keyboard without worrying about potential security risks.
