Apple’s Latest Firmware Update: A Shield Against CVE-2024-0230 Vulnerability

Apple has released a firmware update for the Magic Keyboard to address a security vulnerability identified as CVE-2024-0230 (initially disclosed as CVE-2023-45866). This vulnerability allowed malicious actors to forge Bluetooth connections with the keyboard. This vulnerability was publicly disclosed in December, although it first came to light in August 2023.

Security researcher Marc Newlin of SkySafe, who reported the vulnerability, stated that he spent months investigating and reporting issues related to unauthenticated Bluetooth connections in macOS and iOS systems.

The update, designated as version 2.0.6, is available for both the standard and extended versions of the Magic Keyboard, with or without Touch ID. No user action is required to install the update: it automatically installs when the Magic Keyboard is connected to an Apple device.

It’s important to note that CVE-2024-0230 allowed those with one-time physical access to a Bluetooth keyboard, such as the Magic Keyboard, to determine the Bluetooth pairing key. Once obtained, the attacker could deceive the Bluetooth host and connect a counterfeit keyboard without user confirmation.

Once the counterfeit keyboard was connected to a Mac, the attacker could press any keys at will. While actions requiring a password or Touch ID confirmation were not at risk, the attacker could still launch applications, read messages, and download files from the victim’s device.

The keystrokes and actions performed, such as launching applications or entering command combinations, were, of course, visible to the user. Therefore, it appears that Apple did not rush to release an official update, perhaps not considering it a significant threat.