Auth Lab Community

Apple Magic Keyboard Exposed with Major Bug

Apple recently released firmware update 2.0.6 for its Magic Keyboard, addressing a vulnerability in Bluetooth keyboards that could be exploited by attackers. The vulnerability, tracked as CVE-2024-0230, was discovered and reported by researcher Marc Newlin of SkySafe. It is a session management issue that could allow an attacker with physical access to the keyboard to extract the Bluetooth pairing key and monitor Bluetooth communications.

According to Apple, if an attacker successfully gains physical access to the device, they could extract the Bluetooth pairing key and monitor Bluetooth traffic. In addition, attackers could leverage an unverified Bluetooth connection to the affected device to inject malicious programs, enabling them to install applications, execute arbitrary commands, and forward messages.

Devices that have not applied the patch are susceptible to network attacks under the following conditions: Android devices are vulnerable as long as Bluetooth is enabled; Linux/BlueZ requires Bluetooth to be discoverable/connectable; and iOS and macOS are affected when Bluetooth is enabled and the Magic Keyboard is paired with a phone or computer.

The firmware update 2.0.6 is applicable to various versions of the Magic Keyboard, including the Magic Keyboard, Magic Keyboard (2021), Magic Keyboard with Numeric Keypad, Magic Keyboard with Touch ID, and Magic Keyboard with Touch ID and Numeric Keypad.
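One way to confirm the fix across a fleet of Macs, as an added example rather than code from Apple or the researcher: it parses text in the layout assumed for `system_profiler SPBluetoothDataType` and compares each keyboard's firmware with 2.0.6. The sample report is constructed, and matching devices on the "Magic Keyboard" name is an assumption.

```python
import re

PATCHED = (2, 0, 6)  # fixed firmware version named in the article

# Constructed sample in the layout assumed for `system_profiler SPBluetoothDataType`.
SAMPLE = """\
Bluetooth:
      Connected:
          Magic Keyboard with Touch ID:
              Address: AA:BB:CC:00:00:01
              Firmware Version: 2.0.6
              Minor Type: Keyboard
      Not Connected:
          Magic Keyboard:
              Address: AA:BB:CC:00:00:02
              Firmware Version: 1.3.0
              Minor Type: Keyboard
          Office Magic Keyboard with Numeric Keypad:
              Address: AA:BB:CC:00:00:03
              Minor Type: Keyboard
          Magic Mouse:
              Address: AA:BB:CC:00:00:04
              Firmware Version: 3.1.1
"""

def parse_version(text):
    """Turn '2.0.6' into (2, 0, 6) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in re.findall(r"\d+", text))

def audit_keyboards(report):
    """Return {device name: 'patched' | 'outdated' | 'unknown'} for Magic Keyboards."""
    results, current = {}, None
    for line in report.splitlines():
        header = re.match(r"^\s+(.+):\s*$", line)   # indented line ending in ':' with no value
        if header:
            name = header.group(1)
            current = name if "Magic Keyboard" in name else None
            if current:
                results[current] = "unknown"        # until a firmware line is seen
            continue
        fw = re.match(r"^\s+Firmware Version:\s*(\S+)", line)
        if fw and current:
            ok = parse_version(fw.group(1)) >= PATCHED
            results[current] = "patched" if ok else "outdated"
    return results

if __name__ == "__main__":
    for name, status in audit_keyboards(SAMPLE).items():
        print(f"{status:8} {name}")
```

A keyboard reported as `unknown` exposed no firmware line in the report and should be checked by hand.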

Researchers have noted that Lockdown Mode does not prevent threat actors from exploiting the CVE-2024-0230 vulnerability, and it is currently unclear if the flaw has been exploited in the wild.

In February 2023, Apple released a security update to address a zero-day vulnerability, CVE-2023-23529, in older iPhone and iPad models. This vulnerability is a type confusion issue in WebKit.

CVE-2023-23529 poses a significant threat, as successful exploitation could lead to system crashes. Attackers could even execute arbitrary code on target iPhones and iPads after tricking victims into opening a malicious webpage (this vulnerability also affects Safari 16.3.1 on macOS Big Sur and Monterey).

During the first half of 2023, researchers also discovered three zero-day vulnerabilities in the WebKit browser engine, tracked as CVE-2023-32409, CVE-2023-28204, and CVE-2023-32373. Threat actors can exploit these vulnerabilities to gain access to sensitive information on user devices or trick victims into loading maliciously crafted webpages, allowing for the execution of arbitrary code on compromised devices.

Upon receiving vulnerability reports, Apple addressed the issues by improving boundary checks, input validation, and memory management. The company released Rapid Security Response (RSR) patches for iOS 16.4.1 and macOS 13.3.1 on May 1, 2023, to fix CVE-2023-28204 and CVE-2023-32373.
