If you're using a Magic Keyboard, you've opened up an attack vector

AppleInsider

A researcher has found ways to enter type on your Mac, iPad, or iPhone without your permission, if you're connected to a Bluetooth Magic Keyboard.

An Apple Magic Keyboard

Being able to connect keyboards wirelessly is the enormous boon of Bluetooth -- but Bluetooth has never been the most secure of technologies. Now researcher Marc Newlin has revealed a new vulnerability that easily affects macOS, iOS and iPadOS users.

Newlin says he had been investigating and then reporting unauthenticated Bluetooth keystroke-injection vulnerabilities in macOS and iOS for some time. "At this point," he writes in a blog post, "I still thought Bluetooth was probably okay-ish, but the mirage of Apple security was starting to fade."

"When I found similar keystroke-injection vulnerabilities in Linux and Android, it started to look less like an implementation bug, and more like a protocol flaw," he continues. "After reading some of the Bluetooth HID specification, I discovered that it was a bit of both."

Newlin reported the vulnerability to both Apple and Google in August. Apple has yet to respond.

According to Newlin, the "vulnerabilities work by tricking the Bluetooth host state-machine into pairing with a fake keyboard without user-confirmation."

"The underlying unauthenticated pairing mechanism is defined in the Bluetooth specification," he continues, "and implementation-specific bugs expose it to the attacker."

It doesn't take much to execute the attack. Newlin says that all it takes is a Linux device, and any Bluetooth adapter for hardware.

What this all means is that once a hacker is faking the Bluetooth connection between your Magic Keyboard and your Mac, they can enter keystrokes at will. They obviously can't do anything that requires user authentication with a password or a Touch ID verification, but otherwise they can launch apps, read messages, and download files.

How to protect yourself from unauthenticated Bluetooth keystroke injection

So far, there is no fix in macOS or iOS, despite the researcher reporting the vulnerability to Apple in August. The easiest way to protect yourself if you're concerned about a Linux-based man-in-the-middle attack like this is to turn off Bluetooth.

Alternatively, a wired keyboard can be used while Bluetooth is on, assuming that there aren't any Magic Keyboards paired.

Additionally, attentiveness will alert the user that there's potentially a problem. If a user authentication dialog pops up as a result of the injection, be certain what it's for.

Keystrokes are not invisible, and the keystroke injection actions should be visible to the user.

Read on AppleInsider

davebarnes

How about expanding the article to explain how this affects:
1. me and my iMac in my home office
2. me and my iPad (with Smart Keyboard Folio for iPad Air (5th generation))
?

maltz

I've never really understood the popularity of wireless mice and keyboards, but especially keyboards.  Mice, ok, the cord can be annoying if it tends to get hung up on something, but rearranging the cord or desk layout has always fixed that for me.  But keyboards are stationary.  What's the point of it being wireless?  And having to mess with charging and/or changing batteries is a hassle.

That's not to say there aren't ANY use cases - I have a wireless keyboard/trackpad combo for my HTPC for when the IR remote doesn't suffice, for example.  And our conference room at work has wireless so the computer driving the large display there can be used by anyone at the table.  But the typical "sitting at your desk using your computer" case I don't really get.

AppleZulu

It's hard to imagine real-world scenarios where this vulnerability is useful enough for a hacker to actually bother with it. The scheme requires the hacker to be very proximate to the victim and very, very patient and/or very, very skilled at directly manipulating the victim. For a hacker to execute some exploit of value, the victim has to already be logged into their device, logged into a target app or website, and then distracted enough to not look at their device for long enough while also not noticing a person looking over their shoulder at their screen while typing furiously. Though not quite to the same extreme, this is almost akin to the warnings that Touch ID was going to result in a rash of victims with stolen devices and severed fingers. 

No security is 100%, but vulnerabilities that require elaborate schemes to exploit them are low-probability problems.

InspiredCode

davebarnes said:

How about expanding the article to explain how this affects:
1. me and my iMac in my home office
2. me and my iPad (with Smart Keyboard Folio for iPad Air (5th generation))
?

Probably doesn’t unless attacker put hardware in your house. It also isn’t clear if that hardware needs to be in place before you pair the keyboard. 

If they went this far, they could just fit you with a modified Magic Keyboard with built-in logger or simply point a camera at you.

In person targeted attacks are extremely rare and there are a million ways to carry out if going to this extent. Since it requires the attacker to be with you it would get outsized police action if they are caught as opposed to an anonymous hacker online.

chasm

Yes, Bluetooth is flawed and should be fixed.

BUT

It’s worth pointing out that this alleged “attack” can only work if the attacker is within 30 feet of you — so at home this is probably a complete non-issue, and even in public you’d probably only be a real risk if you were attended a black-hat hacker convention, or a Starbucks in Silicon Valley.

I concur with AppleZulu about the risk factor on this. Good to be aware of the vulnerability, very VERY low odds of it being a practical thread in the real world.

lighteningkid

maltz said:

I've never really understood the popularity of wireless mice and keyboards, but especially keyboards.  Mice, ok, the cord can be annoying if it tends to get hung up on something, but rearranging the cord or desk layout has always fixed that for me.  But keyboards are stationary.  What's the point of it being wireless?  And having to mess with charging and/or changing batteries is a hassle.

That's not to say there aren't ANY use cases - I have a wireless keyboard/trackpad combo for my HTPC for when the IR remote doesn't suffice, for example.  And our conference room at work has wireless so the computer driving the large display there can be used by anyone at the table.  But the typical "sitting at your desk using your computer" case I don't really get.

I agree on all points! Which makes it especially annoying that Apple doesn't even offer a wired keyboard anymore. It would probably be cheaper and then we could even get the number pad back as a default, which is useful for some professions.

Mike Wuerthele

davebarnes said:

How about expanding the article to explain how this affects:
1. me and my iMac in my home office
2. me and my iPad (with Smart Keyboard Folio for iPad Air (5th generation))
?

I'm not sure what you want that's not in the text already.

"Newlin says that all it takes is a Linux device, and any Bluetooth adapter for hardware" covers the attack vector and how it's executed. The text says what the attack can do, and can't.

mikethemartian

maltz said:

I've never really understood the popularity of wireless mice and keyboards, but especially keyboards.  Mice, ok, the cord can be annoying if it tends to get hung up on something, but rearranging the cord or desk layout has always fixed that for me.  But keyboards are stationary.  What's the point of it being wireless?  And having to mess with charging and/or changing batteries is a hassle.

That's not to say there aren't ANY use cases - I have a wireless keyboard/trackpad combo for my HTPC for when the IR remote doesn't suffice, for example.  And our conference room at work has wireless so the computer driving the large display there can be used by anyone at the table.  But the typical "sitting at your desk using your computer" case I don't really get.

Personally I prefer wired keyboards and mice.

darkvader

chasm said:

Yes, Bluetooth is flawed and should be fixed.

BUT

It’s worth pointing out that this alleged “attack” can only work if the attacker is within 30 feet of you — so at home this is probably a complete non-issue, and even in public you’d probably only be a real risk if you were attended a black-hat hacker convention, or a Starbucks in Silicon Valley.

I concur with AppleZulu about the risk factor on this. Good to be aware of the vulnerability, very VERY low odds of it being a practical thread in the real world.

30 feet IF you're using a legal BT amplifier and antenna.

It's very possible to increase the distance quite a bit if you don't care about that.

StrangeDays

maltz said:

I've never really understood the popularity of wireless mice and keyboards, but especially keyboards.  Mice, ok, the cord can be annoying if it tends to get hung up on something, but rearranging the cord or desk layout has always fixed that for me.  But keyboards are stationary.  What's the point of it being wireless?  And having to mess with charging and/or changing batteries is a hassle.

That's not to say there aren't ANY use cases - I have a wireless keyboard/trackpad combo for my HTPC for when the IR remote doesn't suffice, for example.  And our conference room at work has wireless so the computer driving the large display there can be used by anyone at the table.  But the typical "sitting at your desk using your computer" case I don't really get.

Who wants a computer on their desk? 

Who wants cords laying around their nice desk?

Cords knock things over.

Cords limit your ability to effortlessly move the keyboard to your lap and recline. 

9secondkox2

It’s been a question mark for some time. I can see a proprietary, Apple-secured wireless connection chip being developed and added to Applle’s SOCs. And why not? They’re in a unique position to do so. 

Bluetooth can still be available for third party fare, but it’s another reason to buy Apple accessories if they add their own Bluetoothesque feature. 

AppleZulu

darkvader said:

chasm said:

Yes, Bluetooth is flawed and should be fixed.

BUT

It’s worth pointing out that this alleged “attack” can only work if the attacker is within 30 feet of you — so at home this is probably a complete non-issue, and even in public you’d probably only be a real risk if you were attended a black-hat hacker convention, or a Starbucks in Silicon Valley.

I concur with AppleZulu about the risk factor on this. Good to be aware of the vulnerability, very VERY low odds of it being a practical thread in the real world.

30 feet IF you're using a legal BT amplifier and antenna.

It's very possible to increase the distance quite a bit if you don't care about that.

As this exploit involves injecting type into the victim's computer, the legal 30 foot range is even a moot question. The attacker has to be able to see your screen to do anything with this. While you could conjure up all sorts of scenarios with zoom lenses, cameras and amplified bluetooth transmitters, these ideas become more like suspense caper movies and less like anything anyone in the real world is going to do. Most crimes are opportunistic rather than targeted. That's why we lock our homes with deadbolt locks that aren't actually that hard to open for a skilled lock picker. Most thieves just look for an open window or just jiggle the knob and move on if it's locked, or don't even bother if there's a security camera visible.  Even for crimes that are targeted, the more shenanigans that are required to use a particular vulnerability, the longer the list becomes of other easier, more effective ways to get at that intended target. 

jdiamond

maltz said:

I've never really understood the popularity of wireless mice and keyboards, but especially keyboards.  Mice, ok, the cord can be annoying if it tends to get hung up on something, but rearranging the cord or desk layout has always fixed that for me.  But keyboards are stationary.  What's the point of it being wireless?  And having to mess with charging and/or changing batteries is a hassle.

That's not to say there aren't ANY use cases - I have a wireless keyboard/trackpad combo for my HTPC for when the IR remote doesn't suffice, for example.  And our conference room at work has wireless so the computer driving the large display there can be used by anyone at the table.  But the typical "sitting at your desk using your computer" case I don't really get.

I'm guessing most of the time this isn't by choice.  For example, there was a long era where Apple devices didn't have enough ports, and splitters can only do so much.  And then there's iPads - AFAIK, most third party keyboards must be wireless, although now that iPads have USB-c ports, maybe a wireless keyboard would work.

Honestly, for me, the worst thing about wireless stuff is you have to always wonder if it's charged enough.  

neilm

9secondkox2 said:

It’s been a question mark for some time. I can see a proprietary, Apple-secured wireless connection chip being developed and added to Applle’s SOCs. And why not? They’re in a unique position to do so. 

Apple has already done that with the TouchID version of their Magic Keyboard. The TouchID wireless communication with the host Mac is encrypted. Don’t know whether the normal key entry function is or not.

baconstang

If I lose the wired KB then I lose the 2 USB-A ports on the side, then I have to go futzing around on the back of my 5K to plug something in.
Trackpad, not a problem.

brianjo

AppleZulu said:

It's hard to imagine real-world scenarios where this vulnerability is useful enough for a hacker to actually bother with it. The scheme requires the hacker to be very proximate to the victim and very, very patient and/or very, very skilled at directly manipulating the victim. For a hacker to execute some exploit of value, the victim has to already be logged into their device, logged into a target app or website, and then distracted enough to not look at their device for long enough while also not noticing a person looking over their shoulder at their screen while typing furiously. Though not quite to the same extreme, this is almost akin to the warnings that Touch ID was going to result in a rash of victims with stolen devices and severed fingers. 

No security is 100%, but vulnerabilities that require elaborate schemes to exploit them are low-probability problems.

Believe it or not, key commands can be used to open terminal, execute a command, then close terminal.  Yes, the user would need to be distracted enough not to see that happen on screen, but the hacker doesn't need to see the screen to do that.

An easy to think of scenario is if someone had a computer locked in their office. Hacker next door is able to hack the keyboard to wake the machine, run a command to copy a directory on the machine to a network server, then quits terminal.  No need to see the machine to pull this task off. This can be done when they know the computer isn't being looked at. The user would likely not have any clue that this happened.

That's certainly a vulnerability to be concerned with.

macgui

So this is really a proof of concept situation where the ration of probability to possibility is extremely very low. Interesting, and maybe good to be aware of for some people in specific situations.

I like a wireless keyboard because I'm not always sitting at the desk and like to watch video from a relaxed posture. Wires just impeded that. A wired keyboard is handy for troubleshooting ie booting into Safe Mode and needing the onboard USB ports in some instances. Also handy if the wireless keyboard needs charging. That would be a first time for me if that ever happens. 

Apple doesn't offer wired anymore? That's a little disappointing but I prefer an illuminated keyboard anyway as I'm only a 90% touch typist. 95% if the keyboard has a 10-key.

AppleZulu

brianjo said:

AppleZulu said:

It's hard to imagine real-world scenarios where this vulnerability is useful enough for a hacker to actually bother with it. The scheme requires the hacker to be very proximate to the victim and very, very patient and/or very, very skilled at directly manipulating the victim. For a hacker to execute some exploit of value, the victim has to already be logged into their device, logged into a target app or website, and then distracted enough to not look at their device for long enough while also not noticing a person looking over their shoulder at their screen while typing furiously. Though not quite to the same extreme, this is almost akin to the warnings that Touch ID was going to result in a rash of victims with stolen devices and severed fingers. 

No security is 100%, but vulnerabilities that require elaborate schemes to exploit them are low-probability problems.

Believe it or not, key commands can be used to open terminal, execute a command, then close terminal.  Yes, the user would need to be distracted enough not to see that happen on screen, but the hacker doesn't need to see the screen to do that.

An easy to think of scenario is if someone had a computer locked in their office. Hacker next door is able to hack the keyboard to wake the machine, run a command to copy a directory on the machine to a network server, then quits terminal.  No need to see the machine to pull this task off. This can be done when they know the computer isn't being looked at. The user would likely not have any clue that this happened.

That's certainly a vulnerability to be concerned with.

Your scheme still only works if the target machine doesn’t have a screen lock, which is a rarity. Were that the case, it’d be easier to distract the target, walk into their office and do whatever directly on the machine. 

dewme

AppleZulu said:

It's hard to imagine real-world scenarios where this vulnerability is useful enough for a hacker to actually bother with it. The scheme requires the hacker to be very proximate to the victim and very, very patient and/or very, very skilled at directly manipulating the victim. For a hacker to execute some exploit of value, the victim has to already be logged into their device, logged into a target app or website, and then distracted enough to not look at their device for long enough while also not noticing a person looking over their shoulder at their screen while typing furiously. Though not quite to the same extreme, this is almost akin to the warnings that Touch ID was going to result in a rash of victims with stolen devices and severed fingers. 

No security is 100%, but vulnerabilities that require elaborate schemes to exploit them are low-probability problems.

This is one of those times when you need to understand the difference between possible and probable. I’m confident that the probability of being a victim of this attack is way down on the list of other possible vulnerabilities. 

I’m definitely not going to turn off Bluetooth on my Mac. If you’re in the tinfoil hat club you can reduce your exposure and hat size requirements by setting a shorter screen lock time (with password required) and always make sure your screen is locked before stepping away from your device. 

I’m always surprised by folks who leave their screens in easy view when in close proximity to other people. Recently, I’m standing in line at a restaurant and my wife asks me “Who texts about green beans?” Apparently someone in line ahead of us does text about green beans and isn’t shy about letting the rest of the world know because they’re holding their phone in clear view of everyone  behind them. This does fall into my theory that the majority of time people who view their entire life via their smartphone screens are texting about very mundane stuff that would not have justified them taking their eyes off the road while driving or walking down the street. 

mpschaefer

Does anybody know what the Magic Keyboard uses to communicate when you have it plugged into the computer?

I notice on my Mac that it greys out the Bluetooth Connection for the keyboard though it still has the icon coloured blue.

Is it still using Bluetooth for communication or is it using the USB cable?