Over the past six weeks, Google, Microsoft, Linux (BlueZ), and Apple have rolled out fixes for a Bluetooth security flaw that, among other things, tricks the Bluetooth host machine into pairing with a fake keyboard without user confirmation, allowing threat actors to take control of Android, Linux, macOS, and iOS devices.
The flaw tracked as CVE-2023-45866 (CVE-2024-0230 for Apple and CVE-2024-21306 for Microsoft) leaves Android devices vulnerable whenever Bluetooth is enabled, while Linux devices require Bluetooth to be discoverable or connectable. iOS and macOS devices become vulnerable to the flaw when Bluetooth is enabled and a Magic Keyboard has been paired with the phone or computer.
At this year’s penultimate annual Shmoocon conference in Washington, DC, Marc Newlin, principal reverse engineer at SkySafe, was able to take the wraps off his research that led to his discovery of the flaw given that Apple was the last company to release its fixes on January 11. In his presentation entitled My Name Is Keyboard, Newlin explained how he arrived at his discovery.
Extracting Bluetooth link keys and pairing with different hosts
“If a device has a radio, I have to hack it,” Newlin said during his talk. “I can’t own something with a radio and not know how it works and how it’s broken.”
Newlin has disclosed wirelessly exploitable vulnerabilities for several vendors, most notably in 2016 when he helped discover a class of security vulnerabilities called MouseJack that allowed keystroke injection into wireless mice. “I figured that in eight years, maybe the public shaming that I gave those vendors would’ve caused them to prove their security standards or their security posture,” Newlin said.
In search of a “stunt hacking project,” Newlin “noticed that this current generation of gaming keyboards has addressable LEDs, and I like projects with blinky lights. So, I figured I would buy some of these flagship gaming keyboards for the peripheral vendors and see if they were any better than the MouseJack era. Unfortunately, they weren’t.”
After making headway on fuzzing Dell’s AW920K keyboard but meeting obstacles, Newlin moved on. Apple keyboards didn’t seem the most likely candidates for his next area of research. “I fell victim to Apple’s marketing and all this common wisdom that says these ubiquitous protocols like Bluetooth that everyone uses are inherently secure because if they weren’t, somebody would’ve found the bugs,” he said.
“I just assumed that Apple was going to be beyond my ability, but now eight years have passed since MouseTrack. What I’ve loved about my skillset [is that I’ve] gotten a lot more comfortable with failure. And so, I decided it was finally time to look at Apple and Bluetooth and see what I could find.”
Newlin bought the least expensive Apple Magic Keyboard model that can function as a USB or Bluetooth keyboard and discovered that vulnerabilities in the Magic Keyboard could be exploited to extract the Bluetooth link key via the Lightning port or unauthenticated Bluetooth. He also found that if Lockdown Mode is not enabled, the link key can be read from the paired Mac over a lightning cable or USB.
How this happens is complex, but essentially, the vulnerabilities can be exploited to extract the Bluetooth link key from a Magic Keyboard or its paired Mac through out-of-band pairing, unauthenticated Bluetooth human interface devices (HIDs), extracting the key from the lightning port or USB port on the Mac, or pairing the Magic Keyboard to a different host.
Bluetooth vulnerability extends to other platforms
After discovering the Apple vulnerabilities, Newlin expanded his scope to other platforms, starting with Android. “Sure enough, it worked. I was able to pair anti-keystrokes into the Android device,” he said. “The user does not have to have a keyboard paired with their phone already. And as long as Bluetooth is enabled on the Android device, at any time the phone is on them, and Bluetooth is on, the attacker can then force pair an emulated keyboard with the Android device and inject keystrokes, including at the lock screen.”
Newlin then turned to Linux. “It turns out that the Linux attack is very, very similar,” he said. “On Linux, as long as the host is discoverable and connectable over Bluetooth, the attacker can force-pair a keyboard and inject keystrokes without the user’s confirmation. And so, this is distinct from Android in that the device has to be not only connectable but also discoverable and connectable on Linux for the attack.” Linux fixed this bug in 2020 but left the fix disabled by default.
The hacker community should continue probing Bluetooth flaws
“I think it’s easy to blame the vendors or blame the Bluetooth team, but I think there’s shared responsibility here. I think the vendors definitely dropped the ball by missing these bugs. Some of them have been around for more than a decade. I think we, as the hacker community, dropped the ball by not finding these.”
Newlin received $1,000 from Microsoft and $15,000 from Google in bug bounties for his efforts. Apple, however, is still reviewing whether or how much it will pay Newlin. “I’m not sure where that’ll land,” Newlin said. “And I’m also not sure if my bugs will be eligible for the Apple Bounty program because they don’t fit neatly into any of their bug bounty categories.”
Newlin encourages security researchers to continue probing Bluetooth flaws. “I think it’ll probably be a while [before the full extent of Bluetooth flaws is known] because it will take the community actually fleshing these out and identifying all these additional effective systems beyond what I’ve seen myself,” he said.
“I think there are other types of Bluetooth vulnerabilities that might be possible with these same attack vectors, but I don’t have enough knowledge about Bluetooth at this point to really understand where that will go,” Newlin tells CSO. “I have seen a lot of excitement from some friends with whom I’ve shared the proof-of-concept code, and so I’m encouraged that people are excited to dig into this.”