A researcher has found a way to type on your Mac, iPad, or iPhone without your permission if you’re connected to a Bluetooth Magic Keyboard.
Being able to connect keyboards wirelessly is the enormous boon of Bluetooth — but Bluetooth has never been the most secure of technologies. Now researcher Marc Newlin has revealed a new vulnerability that affects macOS, iOS, and iPadOS users.
Newlin says he had been investigating and then reporting unauthenticated Bluetooth keystroke-injection vulnerabilities in macOS and iOS for some time. “At this point,” he writes in a blog post, “I still thought Bluetooth was probably okay-ish, but the mirage of Apple security was starting to fade.”
“When I found similar keystroke-injection vulnerabilities in Linux and Android, it started to look less like an implementation bug, and more like a protocol flaw,” he continues. “After reading some of the Bluetooth HID specification, I discovered that it was a bit of both.”
Newlin reported the vulnerability to both Apple and Google in August. Apple has yet to respond.
According to Newlin, the “vulnerabilities work by tricking the Bluetooth host state-machine into pairing with a fake keyboard without user-confirmation.”
“The underlying unauthenticated pairing mechanism is defined in the Bluetooth specification,” he continues, “and implementation-specific bugs expose it to the attacker.”
It doesn’t take much to execute the attack. Newlin says that all it takes is a Linux device and any Bluetooth adapter.
This means that once an attacker has tricked your Mac into pairing with a fake keyboard in place of your Magic Keyboard, they can enter keystrokes at will. They obviously can’t do anything that requires user authentication with a password or a Touch ID verification, but otherwise they can launch apps, read messages, and download files.
How to protect yourself from unauthenticated Bluetooth keystroke injection
So far, there is no fix in macOS or iOS, despite the researcher reporting the vulnerability to Apple in August. The easiest way to protect yourself if you’re concerned about a Linux-based man-in-the-middle attack like this is to turn off Bluetooth.
Alternatively, a wired keyboard can be used while Bluetooth is on, assuming that there aren’t any Magic Keyboards paired.
Additionally, attentiveness will alert the user that there is potentially a problem. If a user authentication dialog pops up as a result of the injection, be certain what it is for before you approve it.
Injected keystrokes are not invisible: their effects should appear on screen just as typed ones do, so unexpected activity is a warning sign.
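Since the mitigations above come down to one condition (Bluetooth on and a keyboard paired), the following added check, which is not part of the article or the researcher's work, reads the JSON output of macOS's `system_profiler SPBluetoothDataType -json` and reports whether that condition holds. The JSON key names (`controller_state`, `device_connected`, `device_minorType`, etc.) are assumed from recent macOS output and the embedded report is a constructed sample, so confirm both against your own machine.

```python
import json
import subprocess

# Constructed sample shaped like `system_profiler SPBluetoothDataType -json`
# output on recent macOS. Key names are an assumption; verify on a real Mac.
SAMPLE_REPORT = json.dumps({
    "SPBluetoothDataType": [{
        "controller_properties": {"controller_state": "attrib_on"},
        "device_connected": [
            {"Magic Keyboard": {"device_minorType": "Keyboard",
                                "device_address": "AA:BB:CC:DD:EE:01"}}
        ],
        "device_not_connected": [
            {"AirPods": {"device_minorType": "Headphones",
                         "device_address": "AA:BB:CC:DD:EE:02"}}
        ],
    }]
})


def assess(report_json: str) -> dict:
    """Return the radio state, paired keyboard names, and an exposure verdict.

    Exposure here means the precondition the article gives for the attack:
    the Bluetooth radio is on and at least one keyboard is paired
    (connected or not), so neither mitigation has been applied.
    """
    data = json.loads(report_json)
    entries = data.get("SPBluetoothDataType") or [{}]
    entry = entries[0]
    state = entry.get("controller_properties", {}).get("controller_state")
    radio_on = state == "attrib_on"
    keyboards = []
    for bucket in ("device_connected", "device_not_connected"):
        for device in entry.get(bucket, []):
            for name, props in device.items():
                if props.get("device_minorType") == "Keyboard":
                    keyboards.append(name)
    return {"radio_on": radio_on, "keyboards": keyboards,
            "exposed": radio_on and bool(keyboards)}


def live_report() -> str:
    """Collect the real report; only works on a Mac with system_profiler."""
    return subprocess.check_output(
        ["system_profiler", "SPBluetoothDataType", "-json"], text=True)


if __name__ == "__main__":
    # Swap SAMPLE_REPORT for live_report() to check the local machine.
    print(assess(SAMPLE_REPORT))
```

Run it on a Mac with `live_report()` substituted for the sample to see whether turning Bluetooth off or unpairing the keyboard has actually removed the exposure.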