2024-01-17

Over the past six weeks, Google, Microsoft, Linux (BlueZ), and Apple have rolled out fixes for a Bluetooth security flaw that, among other things, tricks the Bluetooth host machine into pairing with a fake keyboard without user confirmation, allowing threat actors to take control of Android, Linux, macOS, and iOS devices.

The flaw tracked as CVE-2023-45866 (CVE-2024-0230 for Apple and CVE-2024-21306 for Microsoft) leaves Android devices vulnerable whenever Bluetooth is enabled, while Linux devices require Bluetooth to be discoverable or connectable. iOS and macOS devices become vulnerable to the flaw when Bluetooth is enabled and a Magic Keyboard has been paired with the phone or computer.
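As an added illustration of the Linux condition described above (not code from the article or from the researcher), the script below reads the adapter state that `bluetoothctl show` reports and flags a host whose Bluetooth radio is on and discoverable or pairable. It assumes the `Powered`/`Discoverable`/`Pairable` lines of BlueZ's `bluetoothctl show` output, uses `Pairable` as the closest visible proxy for "connectable", and evaluates a constructed sample unless run with `--live`; it is an exposure check, not a test for the flaw itself.

```python
"""Flag a Linux host whose Bluetooth adapter is in the state the article
describes as exposed: radio on and discoverable or pairable (connectable).
Parses `bluetoothctl show` output; `--live` reads the real adapter."""
import re
import subprocess
import sys

# Constructed sample of `bluetoothctl show` output (not captured from a real host).
SAMPLE_SHOW_OUTPUT = """\
Controller 00:11:22:33:44:55 (public)
\tName: workstation
\tAlias: workstation
\tPowered: yes
\tDiscoverable: no
\tDiscoverableTimeout: 0x000000b4
\tPairable: yes
\tUUID: Generic Attribute Profile (00001801-0000-1000-8000-00805f9b34fb)
"""

# Matches the three yes/no adapter properties we care about (tab-indented in BlueZ output).
_FLAG = re.compile(r"^\s*(Powered|Discoverable|Pairable):\s*(yes|no)\s*$", re.I)


def parse_adapter_flags(text):
    """Return {'powered': bool, 'discoverable': bool, 'pairable': bool}; missing keys read as False."""
    flags = {"powered": False, "discoverable": False, "pairable": False}
    for line in text.splitlines():
        m = _FLAG.match(line)
        if m:
            flags[m.group(1).lower()] = m.group(2).lower() == "yes"
    return flags


def exposure(flags):
    """Apply the article's Linux condition: exposed while the radio is on and the
    adapter is discoverable or accepts pairing. Assumption: pairable ~ connectable."""
    if not flags["powered"]:
        return "bluetooth off: not exposed"
    reasons = [k for k in ("discoverable", "pairable") if flags[k]]
    if reasons:
        return "exposed: adapter is " + " and ".join(reasons)
    return "not discoverable or pairable: reduced exposure (patch BlueZ regardless)"


def main(argv):
    if "--live" in argv:  # query the local adapter instead of the constructed sample
        text = subprocess.run(["bluetoothctl", "show"], capture_output=True,
                              text=True, check=False).stdout
    else:
        text = SAMPLE_SHOW_OUTPUT
    print(exposure(parse_adapter_flags(text)))


if __name__ == "__main__":
    main(sys.argv[1:])
```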

At this year’s Shmoocon conference in Washington, DC (the penultimate edition of the annual event), Marc Newlin, principal reverse engineer at SkySafe, was able to present the research that led to his discovery of the flaw, now that Apple, the last of the affected vendors, had released its fixes on January 11. In his presentation, entitled My Name Is Keyboard, Newlin explained how he arrived at his discovery.

Extracting Bluetooth link keys and pairing with different hosts

“If a device has a radio, I have to hack it,” Newlin said during his talk. “I can’t own something with a radio and not know how it works and how it’s broken.”

Newlin has disclosed wirelessly exploitable vulnerabilities for several vendors, most notably in 2016 when he helped discover a class of security vulnerabilities called MouseJack that allowed keystroke injection into wireless mice. “I figured that in eight years, maybe the public shaming that I gave those vendors would’ve caused them to prove their security standards or their security posture,” Newlin said.

In search of a “stunt hacking project,” Newlin “noticed that this current generation of gaming keyboards has addressable LEDs, and I like projects with blinky lights. So, I figured I would buy some of these flagship gaming keyboards for the peripheral vendors and see if they were any better than the MouseJack era. Unfortunately, they weren’t.”