After a public disclosure in December, Apple has issued a firmware update for the Magic Keyboard to block a security flaw that allowed an attacker to enter keystrokes through a cloned keyboard connection.
The now-patched vulnerability was disclosed to Apple and Google in August 2023, and disclosed publicly in December by security researcher Marc Newlin. At the time, Newlin said he had been investigating and then reporting unauthenticated Bluetooth keystroke-injection vulnerabilities in macOS and iOS for months.
The patch is available for the regular and extended Magic Keyboard, with and without Touch ID. No user action is required, and Apple says that the 2.0.6 patch will automatically apply itself when a Magic Keyboard is paired to an Apple device.
The vulnerability allowed a user with one-time physical access to a Bluetooth keyboard, like the Magic Keyboard, to figure out the Bluetooth pairing key. Once the key was obtained, an assailant nearby could trick the Bluetooth host into pairing with a fake keyboard without user confirmation.
Once an assailant is faking that Magic Keyboard connection to a Mac, they can enter keystrokes at will. They obviously can’t do anything that requires user authentication with a password or a Touch ID verification, but otherwise they can launch apps, read messages, and download files.
The keystrokes entered were visible to the user, and so were actions taken like launching apps or entering command combinations.