Apple released the firmware update for the magic keyboard to eliminate the vulnerability of security under the identifier CVE-2024-0230 (originally disclosed as CVE-2023-45866), which allowed attackers to fake the keyboard Bluetooth connection.
This vulnerability was published in December, although it became the first time it became known to Security Researcher Mark Newlin.
Security researcher Mark Newlin, who announced the vulnerability, said that he studied and reported problems with unconfirmed Bluetooth connections in MacOS and iOS systems.
The update, which received version 2.0.6, is available for a regular and expanded version of the Magic Keyboard, both with and without Touch ID. User actions to install the update are not required; it is automatically installed when the Magic Keyboard is connected to the Apple device.
Recall, the vulnerability allowed those who had one-time physical access to the Bluetooth keyboard, for example, to the Magic Keyboard, to determine the key of the Bluetooth pair. Having received it, the attacker could deceive the Bluetooth host and connect a fake keyboard without confirming the user.
After connecting a fake keyboard to the Mac, an attacker could, at their discretion, press any keys. Although for actions requiring a password or confirmation of Touch ID, such access was not a threat, the attacker could still launch applications, read messages, and download files from the victim’s device.
Entered keys and actions performed, such as launching applications or entering command combinations, of course, were visible to the user. Therefore, apparently, Apple was in no hurry with the release of an official update, without giving it special importance.