A researcher has found a way to inject keystrokes into your Mac, iPad, or iPhone without your permission if you're connected to a Bluetooth Magic Keyboard.
Being able to connect keyboards wirelessly is the enormous boon of Bluetooth — but Bluetooth has never been the most secure of technologies. Now researcher Marc Newlin has revealed a new vulnerability that easily affects macOS, iOS and iPadOS users.
Newlin says he had been investigating and then reporting unauthenticated Bluetooth keystroke-injection vulnerabilities in macOS and iOS for some time. "At this point," he writes in a blog post, "I still thought Bluetooth was probably okay-ish, but the mirage of Apple security was starting to fade."
"When I found similar keystroke-injection vulnerabilities in Linux and Android, it started to look less like an implementation bug, and more like a protocol flaw," he continues. "After reading some of the Bluetooth HID specification, I discovered that it was a bit of both."
Newlin reported the vulnerability to both Apple and Google in August. Apple has yet to respond.
According to Newlin, the "vulnerabilities work by tricking the Bluetooth host state-machine into pairing with a fake keyboard without user-confirmation."
"The underlying unauthenticated pairing mechanism is defined in the Bluetooth specification," he continues, "and implementation-specific bugs expose it to the attacker."
It doesn't take much to execute the attack. Newlin says that all it takes is a Linux computer and any Bluetooth adapter.
What this all means is that once an attacker has the Mac accept a fake keyboard in place of your Magic Keyboard, they can enter keystrokes at will. They obviously can't do anything that requires user authentication with a password or a Touch ID verification, but otherwise they can launch apps, read messages, and download files.
How to protect yourself from unauthenticated Bluetooth keystroke injection
So far, there is no fix in macOS or iOS, despite the researcher reporting the vulnerability to Apple in August. The easiest way to protect yourself if you're concerned about a Linux-based man-in-the-middle attack like this is to turn off Bluetooth.
Alternatively, a wired keyboard can be used while Bluetooth is on, assuming that there aren't any Magic Keyboards paired.
Additionally, staying attentive can alert you that there's potentially a problem. If a user authentication dialog pops up as a result of the injection, be certain what it's for before approving it.
Keystrokes are not invisible, and the keystroke injection actions should be visible to the user.
How about expanding the article to explain how this affects:
1. me and my iMac in my home office
2. me and my iPad (with Smart Keyboard Folio for iPad Air (5th generation))
?
It's hard to imagine real-world scenarios where this vulnerability is useful enough for a hacker to actually bother with it. The scheme requires the hacker to be very proximate to the victim and very, very patient and/or very, very skilled at directly manipulating the victim. For a hacker to execute some exploit of value, the victim has to already be logged into their device, logged into a target app or website, and then distracted enough to not look at their device for long enough while also not noticing a person looking over their shoulder at their screen while typing furiously. Though not quite to the same extreme, this is almost akin to the warnings that Touch ID was going to result in a rash of victims with stolen devices and severed fingers.
No security is 100%, but vulnerabilities that require elaborate schemes to exploit them are low-probability problems.
Yes, Bluetooth is flawed and should be fixed.
It's worth pointing out that this alleged "attack" can only work if the attacker is within 30 feet of you — so at home this is probably a complete non-issue, and even in public you'd probably only be at real risk if you were attending a black-hat hacker convention, or a Starbucks in Silicon Valley.
I concur with AppleZulu about the risk factor on this. Good to be aware of the vulnerability, very VERY low odds of it being a practical threat in the real world.