Marc Newlin's Keyboard Spoofing Attack Sends Arbitrary Commands to Android, iOS, macOS, and Linux

Security researcher Marc Newlin has detailed a flaw in Bluetooth implementations on Google's Android, Apple's iOS and macOS, and Linux which, at its worst, can allow anyone within radio range to silently send unauthenticated commands to your device — by pretending to be a keyboard.

"I started with an investigation of wireless gaming keyboards, but they proved to be the wrong kind of dumpster fire, so I looked to Apple's Magic Keyboard for a challenge. It had two things notably absent from my earlier peripheral research: Bluetooth and Apple," Newlin, of drone security firm SkySafe, explains of his discovery of the vulnerability.

"I had a lot to learn, but one question led to another," Newlin continues, "and I was soon reporting unauthenticated Bluetooth keystroke-injection vulnerabilities in macOS and iOS, both exploitable in Lockdown Mode. When I found similar keystroke-injection vulnerabilities in Linux and Android, it started to look less like an implementation bug, and more like a protocol flaw. After reading some of the Bluetooth HID specification, I discovered that it was a bit of both."

Newlin's discovery, which builds on his 2016 work on MouseJack attacks against non-Bluetooth wireless peripherals, targets the host-peripheral pairing system within the Bluetooth protocol. A Linux box with a low-cost off-the-shelf Bluetooth dongle pretends to be a keyboard, and sends a pairing request — but one which is accepted by the target system silently, without notification. Once paired, the attacker can send arbitrary keystrokes to the target device — including, where accessible by keyboard, opening applications and sending commands.

It's a serious flaw, and one which appears to be widespread. Google's Android platform was found to be the most vulnerable, and could be attacked at any time so long as Bluetooth was enabled. Apple's desktop macOS and mobile iOS were the second most vulnerable, requiring both that Bluetooth be enabled and that a legitimate Magic Keyboard had previously been paired with the device. The BlueZ stack on Linux was the least vulnerable, falling to the attack only when configured to be discoverable.

"Full vulnerability details and proof-of-concept scripts will be released at an upcoming conference," Newlin promises. "I'm really not sure what sort of wireless keyboard to recommend at this point. If you are reading this and you make a secure wireless keyboard, please send me one so I can hack it for you. (I'm serious. I want a challenge.)"

A patch for the flaw is already available for BlueZ on Linux, while Google has supplied fixes for Androids 11 through 14 to original equipment manufacturers (OEMs) and will patch its Pixel hardware through the December security update — but will leave end-of-life Android 10 devices vulnerable. Apple has not commented on the vulnerability nor its plans to patch same.

Newlin's write-up of the attack is available on the SykSafe GitHub repository; the vulnerability has been assigned CVE-2023-45866 in the Common Vulnerabilities and Exposures project.