Apple Magic Keyboard receives security update, wise to update
Take action: For all Apple Magic Keyboard users: this is a trivial patch to apply; just keep your keyboard connected to your Mac and use it. The exploit may require physical access, but even that is achievable, especially in today's open-plan offices.
Learn More
Apple has released a firmware security update, version 2.0.6, for its Magic Keyboard models to address a Bluetooth-related security vulnerability. This update is applicable to several models including the standard Magic Keyboard, those with Numeric Keypad, Touch ID, and combinations of Touch ID and Numeric Keypad.
The vulnerability, tracked as CVE-2024-0230, allows attackers with physical access to extract the Bluetooth pairing key and monitor Bluetooth traffic. The flaw could be exploited via the Lightning port or unauthenticated Bluetooth, enabling access to the Bluetooth link key from the Magic Keyboard in various ways:
- through the Lightning port if the keyboard hadn’t been powered off since last connected to the Mac,
- via unauthenticated Bluetooth when the keyboard is unplugged from its Mac,
- through the USB port on the paired Mac if Lockdown Mode isn’t enabled.
A proof-of-concept (PoC) exploit is announced to be published on GitHub on 13 January.
Apple has started rolling out this firmware update automatically in the background to devices actively paired to a macOS, iOS, iPadOS, or tvOS device. Users can manually check and update their Magic Keyboard firmware by connecting it to a Mac and waiting for 30 minutes, then verifying the firmware version in the Bluetooth settings.
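For administrators who want to verify more than one Mac, here is a scripted form of that last step, added here as an example that is not from the original post. It assumes the text output of `system_profiler SPBluetoothDataType` on macOS lists each keyboard as an indented "Magic Keyboard...:" block containing a "Firmware Version: X.Y.Z" line; that field label is an assumption, so adjust it if your macOS release prints it differently.

```shell
#!/bin/sh
# Added example: audit paired Magic Keyboards for firmware 2.0.6 or newer.
# Parses `system_profiler SPBluetoothDataType` text (macOS). The "Firmware Version:"
# label and block layout are assumptions about that output, not verified against Apple docs.

REQUIRED_FW="2.0.6"

# Turn "X.Y.Z" into an integer so versions compare numerically (2.0.10 > 2.0.6).
version_key() {
    printf '%s' "$1" | awk -F. '{ printf "%d", ($1+0)*1000000 + ($2+0)*1000 + ($3+0) }'
}

# Read profiler text on stdin; print "<name> <version> OK|OUTDATED" per keyboard.
# Exit 0 if every keyboard is current, 1 if any is outdated, 2 if none were found.
check_keyboards() {
    awk -v req="$(version_key "$REQUIRED_FW")" '
        /^ *Magic Keyboard.*:$/ {
            name = $0; sub(/^ */, "", name); sub(/:$/, "", name); in_kb = 1; next
        }
        in_kb && /Firmware Version:/ {
            ver = $NF; split(ver, p, "[.]")
            key = (p[1] + 0) * 1000000 + (p[2] + 0) * 1000 + (p[3] + 0)
            status = (key >= req) ? "OK" : "OUTDATED"
            print name, ver, status
            found++; if (status == "OUTDATED") bad++
            in_kb = 0
        }
        END { if (found == 0) exit 2; if (bad > 0) exit 1; exit 0 }
    '
}

# Constructed sample of profiler output: one keyboard patched, one still outdated.
SAMPLE_PROFILE='Bluetooth:
      Connected:
        Magic Keyboard with Touch ID:
          Address: 00-00-00-00-00-01
          Firmware Version: 2.0.6
          Minor Type: Keyboard
        Magic Keyboard:
          Address: 00-00-00-00-00-02
          Firmware Version: 2.0.5
          Minor Type: Keyboard'

# On a real Mac: system_profiler SPBluetoothDataType | check_keyboards
printf '%s\n' "$SAMPLE_PROFILE" | check_keyboards || echo "update needed (exit $?)"
```

The non-zero exit status makes the check usable as an MDM or cron compliance probe: 1 means at least one keyboard still needs the update, 2 means no Magic Keyboard was seen at all.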