New Bluetooth vulnerability allows takeover of iOS, Android, Linux, and MacOS devices

News Analysis

Jan 17, 2024, 6 mins

Mobile Security, Vulnerabilities

Security researcher Marc Newlin shared how he discovered the Bluetooth bug that lets an attacker pair a fake keyboard with a victim's device without confirmation and inject keystrokes, taking over the device.

Over the past six weeks, Google, Microsoft, Linux (BlueZ), and Apple have rolled out fixes for a Bluetooth security flaw that, among other things, tricks the Bluetooth host machine into pairing with a fake keyboard without user confirmation, allowing threat actors to take control of Android, Linux, macOS, and iOS devices.

The flaw, tracked as CVE-2023-45866 (CVE-2024-0230 for Apple and CVE-2024-21306 for Microsoft), leaves Android devices vulnerable whenever Bluetooth is enabled, while Linux devices are exposed only while Bluetooth is both discoverable and connectable. iOS and macOS devices become vulnerable when Bluetooth is enabled and a Magic Keyboard has been paired with the phone or computer.

At this year's Shmoocon in Washington, DC, the penultimate edition of the annual conference, Marc Newlin, principal reverse engineer at SkySafe, presented the research that led to his discovery of the flaw. He had held the details back until Apple, the last of the affected vendors to ship fixes, released its patches on January 11. In his talk, entitled My Name Is Keyboard, Newlin explained how he arrived at the finding.

Extracting Bluetooth link keys and pairing with different hosts

“If a device has a radio, I have to hack it,” Newlin said during his talk. “I can’t own something with a radio and not know how it works and how it’s broken.”

Newlin has disclosed wirelessly exploitable vulnerabilities to several vendors, most notably in 2016, when he helped discover MouseJack, a class of vulnerabilities that allowed keystroke injection through the USB receivers of non-Bluetooth wireless mice and keyboards. “I figured that in eight years, maybe the public shaming that I gave those vendors would’ve caused them to prove their security standards or their security posture,” Newlin said.

In search of a “stunt hacking project,” Newlin “noticed that this current generation of gaming keyboards has addressable LEDs, and I like projects with blinky lights. So, I figured I would buy some of these flagship gaming keyboards for the peripheral vendors and see if they were any better than the MouseJack era. Unfortunately, they weren’t.”

After making headway on fuzzing Dell’s AW920K keyboard but meeting obstacles, Newlin moved on. Apple keyboards didn’t seem the most likely candidates for his next area of research. “I fell victim to Apple’s marketing and all this common wisdom that says these ubiquitous protocols like Bluetooth that everyone uses are inherently secure because if they weren’t, somebody would’ve found the bugs,” he said.

“I just assumed that Apple was going to be beyond my ability, but now eight years have passed since MouseJack. What I’ve loved about my skillset [is that I’ve] gotten a lot more comfortable with failure. And so, I decided it was finally time to look at Apple and Bluetooth and see what I could find.”

Newlin bought the least expensive Apple Magic Keyboard model, one that works as either a USB or a Bluetooth keyboard, and discovered that vulnerabilities in it could be exploited to extract the Bluetooth link key, either through the keyboard's Lightning port or over unauthenticated Bluetooth. He also found that unless Lockdown Mode is enabled, the link key can be read from the paired Mac over a Lightning or USB cable.

The details are involved, but the upshot is that the link key, the shared secret that lets the keyboard and its host recognise each other, can be recovered in four ways: through out-of-band pairing, through unauthenticated Bluetooth human interface device (HID) connections, by reading it over the Lightning port or the Mac's USB port, or by pairing the Magic Keyboard to a different host. With the link key in hand, an attacker can impersonate the keyboard to the paired Mac or iPhone and type as the user would.

Bluetooth vulnerability extends to other platforms

After discovering the Apple vulnerabilities, Newlin expanded his scope to other platforms, starting with Android. “Sure enough, it worked. I was able to inject keystrokes into the Android device,” he said. “The user does not have to have a keyboard paired with their phone already. And as long as Bluetooth is enabled on the Android device, at any time the phone is on them, and Bluetooth is on, the attacker can then force pair an emulated keyboard with the Android device and inject keystrokes, including at the lock screen.”

Newlin then turned to Linux. “It turns out that the Linux attack is very, very similar,” he said. “On Linux, as long as the host is discoverable and connectable over Bluetooth, the attacker can force-pair a keyboard and inject keystrokes without the user’s confirmation. And so, this is distinct from Android in that the device has to be not only connectable but also discoverable and connectable on Linux for the attack.” BlueZ, the Linux Bluetooth stack, had added a fix for this in 2020, the ClassicBondedOnly option in its HID input plugin, but shipped it disabled by default; only after Newlin's disclosure, in BlueZ 5.71, was the option turned on by default.
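For Linux administrators the practical question is whether a given host still has the BlueZ gap open. The script below is an audit helper added for this article; it is not Newlin's code or part of BlueZ. It assumes that the relevant setting is the ClassicBondedOnly key in the [General] section of /etc/bluetooth/input.conf, that BlueZ 5.71 changed the built-in default of that key to true (so an unset key is only safe from that version on), and that the adapter's "Discoverable" flag in `bluetoothctl show` output is the exposure precondition Newlin describes. The input.conf contents and the `bluetoothctl show` text embedded in it are constructed samples, not captured from a real host.

```shell
#!/bin/sh
# Audit helper for the BlueZ side of CVE-2023-45866 (added example, not Newlin's
# code). Assumptions: the 2020 fix is ClassicBondedOnly in the [General] section
# of /etc/bluetooth/input.conf; BlueZ 5.71 made its built-in default "true", so
# "unset" is only safe from 5.71 on; the Linux attack needs a discoverable adapter.

# classic_bonded_only FILE -> prints the effective setting: true, false or unset.
# Only the [General] section counts; comment lines and spaces around '=' are ignored.
classic_bonded_only() {
    [ -r "$1" ] || { echo unset; return 0; }
    awk -F= '
        /^[[:space:]]*[#;]/ { next }                        # comment line
        /^[[:space:]]*\[/  { sec = tolower($0); gsub(/[^a-z]/, "", sec); next }
        sec == "general" && $1 ~ /^[[:space:]]*ClassicBondedOnly[[:space:]]*$/ {
            val = tolower($2); gsub(/[[:space:]]/, "", val)  # last assignment wins
        }
        END { print (val == "" ? "unset" : val) }
    ' "$1"
}

# version_ge A B -> succeeds when dotted version A >= B, compared numerically
# per component (so 5.9 < 5.71, unlike a plain string comparison).
version_ge() {
    [ "$(printf '%s\n%s\n' "$1" "$2" |
        sort -t. -k1,1n -k2,2n -k3,3n | head -n 1)" = "$2" ]
}

# adapter_discoverable SHOW_OUTPUT -> yes|no, parsed from `bluetoothctl show` text.
# The "DiscoverableTimeout: ..." line must not be mistaken for the flag itself.
adapter_discoverable() {
    printf '%s\n' "$1" | awk -F': ' '
        $1 ~ /^[[:space:]]*Discoverable$/ { print $2; found = 1 }
        END { if (!found) print "no" }'
}

# bluez_hid_status CONF_FILE BLUEZ_VERSION -> mitigated|vulnerable
# An explicit value decides; an unset key falls back to the version's default.
bluez_hid_status() {
    case "$(classic_bonded_only "$1")" in
        true)  echo mitigated ;;
        false) echo vulnerable ;;
        *)     if version_ge "$2" 5.71; then echo mitigated; else echo vulnerable; fi ;;
    esac
}

# Constructed sample input (not from a real host): a pre-5.71 system whose
# input.conf still carries the option commented out, plus a discoverable adapter.
# Real bluetoothctl output is tab-indented; [[:space:]] handles either.
# On a live host run: classic_bonded_only /etc/bluetooth/input.conf,
# bluetoothd --version, and adapter_discoverable "$(bluetoothctl show)".
SAMPLE_CONF=$(mktemp)
cat >"$SAMPLE_CONF" <<'EOF'
[General]
# ClassicBondedOnly=false
UserspaceHID=true
EOF
SAMPLE_SHOW='Controller AA:BB:CC:DD:EE:FF example-host [default]
    Powered: yes
    Discoverable: yes
    DiscoverableTimeout: 0x000000b4
    Pairable: yes'

echo "ClassicBondedOnly:  $(classic_bonded_only "$SAMPLE_CONF")"    # unset
echo "BlueZ 5.66 status:  $(bluez_hid_status "$SAMPLE_CONF" 5.66)"  # vulnerable
echo "BlueZ 5.71 status:  $(bluez_hid_status "$SAMPLE_CONF" 5.71)"  # mitigated
echo "Discoverable:       $(adapter_discoverable "$SAMPLE_SHOW")"    # yes
rm -f "$SAMPLE_CONF"
```

A host that reports "vulnerable" and "Discoverable: yes" matches the precondition Newlin gives for Linux; setting ClassicBondedOnly=true under [General] and restarting bluetoothd closes it regardless of BlueZ version, and turning discoverability off when not pairing removes the exposure window even on unpatched stacks.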

The hacker community should continue probing Bluetooth flaws

“I think it’s easy to blame the vendors or blame the Bluetooth team, but I think there’s shared responsibility here. I think the vendors definitely dropped the ball by missing these bugs. Some of them have been around for more than a decade. I think we, as the hacker community, dropped the ball by not finding these.”

Newlin received $1,000 from Microsoft and $15,000 from Google in bug bounties for his efforts. Apple, however, is still reviewing whether or how much it will pay Newlin. “I’m not sure where that’ll land,” Newlin said. “And I’m also not sure if my bugs will be eligible for the Apple Bounty program because they don’t fit neatly into any of their bug bounty categories.”

Newlin encourages security researchers to continue probing Bluetooth flaws. “I think it’ll probably be a while [before the full extent of Bluetooth flaws is known] because it will take the community actually fleshing these out and identifying all these additional effective systems beyond what I’ve seen myself,” he said.

“I think there are other types of Bluetooth vulnerabilities that might be possible with these same attack vectors, but I don’t have enough knowledge about Bluetooth at this point to really understand where that will go,” Newlin tells CSO. “I have seen a lot of excitement from some friends with whom I’ve shared the proof-of-concept code, and so I’m encouraged that people are excited to dig into this.”

by Cynthia Brumfield

Contributing Writer

Cynthia Brumfield is a veteran communications and technology analyst who is currently focused on cybersecurity. She runs a cybersecurity news destination site, consults with companies through her firm DCT-Associates, and is the author of the book published by Wiley, Cybersecurity Risk Management: Mastering the Fundamentals Using the NIST Cybersecurity Framework.
