After making headway on fuzzing Dell’s AW920K keyboard but meeting obstacles, Newlin moved on. Apple keyboards didn’t seem the most likely candidates for his next area of research. “I fell victim to Apple’s marketing and all this common wisdom that says these ubiquitous protocols like Bluetooth that everyone uses are inherently secure because if they weren’t, somebody would’ve found the bugs,” he said.
“I just assumed that Apple was going to be beyond my ability, but now eight years have passed since MouseTrack. What I’ve loved about my skillset [is that I’ve] gotten a lot more comfortable with failure. And so, I decided it was finally time to look at Apple and Bluetooth and see what I could find.”
Newlin bought the least expensive Apple Magic Keyboard model that can function as a USB or Bluetooth keyboard and discovered that vulnerabilities in the Magic Keyboard could be exploited to extract the Bluetooth link key via the Lightning port or unauthenticated Bluetooth. He also found that if Lockdown Mode is not enabled, the link key can be read from the paired Mac over a Lightning cable or USB.
How this happens is complex, but essentially, the vulnerabilities can be exploited to extract the Bluetooth link key from a Magic Keyboard or its paired Mac through out-of-band pairing, unauthenticated Bluetooth human interface devices (HIDs), extracting the key from the Lightning port or USB port on the Mac, or pairing the Magic Keyboard to a different host.
Bluetooth vulnerability extends to other platforms
After discovering the Apple vulnerabilities, Newlin expanded his scope to other platforms, starting with Android. “Sure enough, it worked. I was able to pair anti-keystrokes into the Android device,” he said. “The user does not have to have a keyboard paired with their phone already. And as long as Bluetooth is enabled on the Android device, at any time the phone is on them, and Bluetooth is on, the attacker can then force pair an emulated keyboard with the Android device and inject keystrokes, including at the lock screen.”
Newlin then turned to Linux. “It turns out that the Linux attack is very, very similar,” he said. “On Linux, as long as the host is discoverable and connectable over Bluetooth, the attacker can force-pair a keyboard and inject keystrokes without the user’s confirmation. And so, this is distinct from Android in that the device has to be not only connectable but also discoverable and connectable on Linux for the attack.” Linux fixed this bug in 2020 but left the fix disabled by default.
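The two Linux preconditions above (the host is discoverable, and the HID profile accepts connections from devices that are not already bonded) are both things an administrator can audit. The script below is an added example, not code from the article or from Newlin's research. It assumes that the 2020 BlueZ fix is the `ClassicBondedOnly` option in `/etc/bluetooth/input.conf` (my understanding of that change; the article does not name the setting) and that `bluetoothctl show` prints a `Discoverable: yes/no` line. The sample config and sample `bluetoothctl` output are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the article): audit a Linux host for the two
# conditions the article names for the BlueZ keystroke-injection attack.
#   1. Is the HID profile restricted to bonded devices? This assumes the fix is
#      the "ClassicBondedOnly" key in the [General] section of input.conf.
#   2. Is the adapter currently discoverable?
# Both checks parse text on stdin so they can be tested on constructed input.

# Returns 0 if ClassicBondedOnly=true is set (uncommented) in [General],
# 1 if the key is absent, commented out, or set to anything else.
hid_bonded_only_enabled() {
    awk '
        /^[[:space:]]*[#;]/ { next }                      # skip comments
        /^[[:space:]]*\[/ {                               # section header
            in_general = ($0 ~ /^[[:space:]]*\[General\]/)
            next
        }
        in_general && /^[[:space:]]*ClassicBondedOnly[[:space:]]*=/ {
            split($0, kv, "=")
            v = tolower(kv[2]); gsub(/[[:space:]]/, "", v)
            found = (v == "true") ? 1 : 0                 # last setting wins
        }
        END { exit(found ? 0 : 1) }
    '
}

# Returns 0 if "bluetoothctl show"-style output reports Discoverable: yes.
adapter_discoverable() {
    grep -qi '^[[:space:]]*Discoverable:[[:space:]]*yes'
}

# Constructed sample: the fix is present in the file but commented out,
# which is the "fix exists but disabled by default" state the article describes.
SAMPLE_CONF_DISABLED='[General]
# Limit HID connections to bonded devices
#ClassicBondedOnly=false
UserspaceHID=true
'

# Constructed sample: the hardened setting.
SAMPLE_CONF_ENABLED='[General]
ClassicBondedOnly=true
'

# Constructed sample of "bluetoothctl show" output (address is a placeholder).
SAMPLE_SHOW_DISCOVERABLE='Controller AA:BB:CC:DD:EE:FF (public)
	Name: example-host
	Powered: yes
	Discoverable: yes
	Pairable: yes
'

# Live check against the running system; quietly skips anything unavailable.
check_live_system() {
    conf=/etc/bluetooth/input.conf
    if [ -r "$conf" ]; then
        if hid_bonded_only_enabled < "$conf"; then
            echo "OK:   ClassicBondedOnly=true in $conf"
        else
            echo "WARN: ClassicBondedOnly is not enabled in $conf"
        fi
    else
        echo "INFO: $conf not readable; skipping config check"
    fi

    if command -v bluetoothctl >/dev/null 2>&1; then
        if bluetoothctl show 2>/dev/null | adapter_discoverable; then
            echo "WARN: adapter is discoverable"
        else
            echo "OK:   adapter is not discoverable (or no adapter present)"
        fi
    else
        echo "INFO: bluetoothctl not found; skipping adapter check"
    fi
}

check_live_system
```

Run it as root (or any user that can read `input.conf`) to get a two-line verdict; a `WARN` on both lines is the configuration the article describes as exposed, and the remediation is to set the key to `true` and restart the Bluetooth service, then confirm the adapter is only made discoverable while you are deliberately pairing.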