After making headway on fuzzing Dell’s AW920K keyboard but meeting obstacles, Newlin moved on. Apple keyboards didn’t appear the most likely candidates for his next area of research. “I fell victim to Apple’s marketing and all this common knowledge that says these ubiquitous protocols like Bluetooth that everybody uses are inherently secure because if they weren’t, somebody would’ve found the bugs,” he said.
“I just assumed that Apple was going to be beyond my ability, but now eight years have passed since MouseTrack. What I’ve loved about my skillset [is that I’ve] gotten a lot more comfortable with failure. And so, I decided it was finally time to take a look at Apple and Bluetooth and see what I could find.”
Newlin bought the least expensive Apple Magic Keyboard model that can function as a USB or Bluetooth keyboard and found that vulnerabilities in the Magic Keyboard could be exploited to extract the Bluetooth link key via the Lightning port or unauthenticated Bluetooth. He also found that if Lockdown Mode isn’t enabled, the link key can be read from the paired Mac over a Lightning cable or USB.
How this happens is complex, but essentially, the vulnerabilities can be exploited to extract the Bluetooth link key from a Magic Keyboard or its paired Mac by means of out-of-band pairing, unauthenticated Bluetooth human interface devices (HIDs), extracting the key from the Lightning port or USB port on the Mac, or pairing the Magic Keyboard to a different host.
Bluetooth vulnerability extends to other platforms
After discovering the Apple vulnerabilities, Newlin expanded his scope to other platforms, starting with Android. “Sure enough, it worked. I was able to pair and inject keystrokes into the Android device,” he said. “The user doesn’t have to have a keyboard paired with their phone already. And as long as Bluetooth is enabled on the Android device, at any time the phone is on them, and Bluetooth is on, the attacker can then force-pair an emulated keyboard with the Android device and inject keystrokes, including on the lock screen.”
Newlin then turned to Linux. “It turns out that the Linux attack is very, very similar,” he said. “On Linux, as long as the host is discoverable and connectable over Bluetooth, the attacker can force-pair a keyboard and inject keystrokes without the user’s confirmation. And so, this is distinct from Android in that the device has to be not only connectable but also discoverable and connectable on Linux for the attack.” Linux fixed this bug in 2020 but left the fix disabled by default.
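The article notes that the Linux fix exists but shipped disabled by default. The switch it refers to is the BlueZ input plugin's `ClassicBondedOnly` option in `/etc/bluetooth/input.conf`, which, when set to `true`, restricts Bluetooth Classic HID connections to devices that have already bonded. The following added script, written for this article and not taken from Newlin's work or from BlueZ, audits an `input.conf` for that option; the option name is taken from BlueZ's configuration file, and the two sample configs are constructed here to show a weak and a hardened setting.

```shell
#!/bin/sh
# Added example: report whether a BlueZ input.conf enables ClassicBondedOnly,
# the mitigation that limits Classic HID connections to bonded devices.
# The option name comes from BlueZ's input.conf; the sample files below are
# constructed for this example and are not real system files.

# Prints "enabled", "disabled" or "missing" for the given input.conf path.
# Returns 0 only when the mitigation is explicitly on.
check_classic_bonded_only() {
    conf="$1"
    if [ ! -r "$conf" ]; then
        echo "missing"
        return 1
    fi
    # Use the last uncommented ClassicBondedOnly line; normalize spaces/case.
    value=$(grep -E '^[[:space:]]*ClassicBondedOnly[[:space:]]*=' "$conf" \
        | tail -n 1 | cut -d= -f2 | tr -d '[:space:]' | tr 'A-Z' 'a-z')
    if [ "$value" = "true" ]; then
        echo "enabled"
        return 0
    fi
    # Commented-out or absent lines fall through to the insecure default.
    echo "disabled"
    return 1
}

# Constructed sample: the option is present only as a comment, so the
# daemon falls back to the old default of accepting unbonded HID connections.
weak_conf=$(mktemp)
cat > "$weak_conf" <<'EOF'
[General]
# Limit HID connections to bonded devices
#ClassicBondedOnly=false
UserspaceHID=true
EOF

# Constructed sample: mitigation explicitly enabled.
hardened_conf=$(mktemp)
cat > "$hardened_conf" <<'EOF'
[General]
ClassicBondedOnly = true
EOF

echo "weak config:     $(check_classic_bonded_only "$weak_conf")"
echo "hardened config: $(check_classic_bonded_only "$hardened_conf")"
```

To audit a real host, call `check_classic_bonded_only /etc/bluetooth/input.conf`; a result of "disabled" or "missing" means the daemon is running with the behaviour the article describes, and setting `ClassicBondedOnly=true` followed by a restart of the Bluetooth service turns the fix on.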