After making headway on fuzzing Dell’s AW920K keyboard but meeting obstacles, Newlin moved on. Apple keyboards didn’t seem the most likely candidates for his next area of research. “I fell victim to Apple’s marketing and all this common knowledge that says these ubiquitous protocols like Bluetooth that everyone uses are inherently secure because if they weren’t, somebody would’ve found the bugs,” he said.
“I just assumed that Apple was going to be beyond my ability, but now eight years have passed since MouseJack. What I’ve loved about my skillset [is that I’ve] gotten much more comfortable with failure. And so, I decided it was finally time to take a look at Apple and Bluetooth and see what I could find.”
Newlin bought the cheapest Apple Magic Keyboard model that can function as a USB or Bluetooth keyboard and found that vulnerabilities in the Magic Keyboard could be exploited to extract the Bluetooth link key via the Lightning port or unauthenticated Bluetooth. He also found that if Lockdown Mode isn’t enabled, the link key can be read from the paired Mac over a Lightning cable or USB.
How this happens is complex, but essentially, the vulnerabilities can be exploited to extract the Bluetooth link key from a Magic Keyboard or its paired Mac via out-of-band pairing, unauthenticated Bluetooth human interface devices (HIDs), extracting the key from the Lightning port or USB port on the Mac, or pairing the Magic Keyboard to a different host.
Bluetooth vulnerability extends to other platforms
After discovering the Apple vulnerabilities, Newlin expanded his scope to other platforms, starting with Android. “Sure enough, it worked. I was able to pair and inject keystrokes into the Android device,” he said. “The user doesn’t have to have a keyboard paired with their phone already. And as long as Bluetooth is enabled on the Android device, at any time the phone is on them, and Bluetooth is on, the attacker can then force pair an emulated keyboard with the Android device and inject keystrokes, including on the lock screen.”
Newlin then turned to Linux. “It turns out that the Linux attack is very, very similar,” he said. “On Linux, as long as the host is discoverable and connectable over Bluetooth, the attacker can force-pair a keyboard and inject keystrokes without the user’s confirmation. And so, this is distinct from Android in that the device has to be not only connectable but also discoverable and connectable on Linux for the attack.” Linux fixed this bug in 2020 but left the fix disabled by default.
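As an added example (not code from the article, and not BlueZ’s own tooling), a defender-side check for the two Linux conditions described above: whether the adapter is discoverable, read from `bluetoothctl show` output, and whether the 2020 fix is enabled. It assumes that fix is the ClassicBondedOnly option in the [General] section of BlueZ’s /etc/bluetooth/input.conf, which the article does not name; the config and bluetoothctl samples in the comments are constructed.

```shell
#!/bin/sh
# Added example: audit a Linux host for the force-pairing preconditions.
# ASSUMPTION: the 2020 fix is BlueZ's ClassicBondedOnly option (input.conf,
# [General] section), which shipped disabled (false) by default.

INPUT_CONF="${INPUT_CONF:-/etc/bluetooth/input.conf}"

# classic_bonded_only FILE: prints "true" and returns 0 when the [General]
# section sets ClassicBondedOnly=true; otherwise prints "false" and returns 1
# (a missing file or key means BlueZ's historical default, i.e. disabled).
classic_bonded_only() {
    [ -r "$1" ] || { echo false; return 1; }
    awk '
        /^[[:space:]]*[#;]/ { next }                          # comment line
        /^[[:space:]]*\[/   { general = ($0 ~ /\[General\]/); next }
        general && /^[[:space:]]*ClassicBondedOnly[[:space:]]*=/ {
            v = $0; sub(/^[^=]*=/, "", v); gsub(/[[:space:]]/, "", v)
            found = (tolower(v) == "true")              # last assignment wins
        }
        END { print (found ? "true" : "false"); exit !found }
    ' "$1"
}

# adapter_discoverable: reads `bluetoothctl show` output on stdin, prints
# "yes"/"no" from its "Discoverable:" line (ignores DiscoverableTimeout),
# returning 0 when the adapter is discoverable. Constructed sample input:
#   Controller AA:BB:CC:DD:EE:FF (public)
#   	Discoverable: yes
#   	DiscoverableTimeout: 0x000000b4
adapter_discoverable() {
    awk -F': *' '$1 ~ /Discoverable$/ { v = $2 }
                 END { print (v == "yes") ? "yes" : "no"; exit (v != "yes") }'
}

# Report for the running host; bluetoothctl is skipped where it is absent.
if command -v bluetoothctl >/dev/null 2>&1; then
    echo "adapter discoverable: $(bluetoothctl show 2>/dev/null | adapter_discoverable)"
fi
echo "ClassicBondedOnly enabled in $INPUT_CONF: $(classic_bonded_only "$INPUT_CONF")"
```

A host that reports discoverable "yes" together with ClassicBondedOnly "false" is in the state the quote above describes; setting the option to true and leaving the adapter non-discoverable removes both preconditions.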