CVE-2024-0230 Overview
CVE-2024-0230 is a session management vulnerability affecting Apple Magic Keyboard firmware that allows an attacker with physical access to the device to extract Bluetooth pairing keys and subsequently monitor Bluetooth traffic. This firmware vulnerability stems from improper session handling checks in the Magic Keyboard's Bluetooth pairing mechanism.
Critical Impact
An attacker with physical access to the Magic Keyboard can extract Bluetooth pairing keys, enabling passive eavesdropping on all keyboard input transmitted via Bluetooth, potentially capturing sensitive data including passwords and confidential communications.
Affected Products
- Apple Magic Keyboard Firmware (versions prior to 2.0.6)
- Apple Magic Keyboard (hardware)
Discovery Timeline
- 2024-01-12 - CVE-2024-0230 published to NVD
- 2025-11-04 - Last updated in NVD database
Technical Details for CVE-2024-0230
Vulnerability Analysis
This vulnerability exists within the session management implementation of Apple Magic Keyboard firmware. The flaw enables unauthorized extraction of Bluetooth pairing credentials when an attacker gains physical access to the vulnerable keyboard device. Once the pairing key is obtained, an attacker can decrypt and monitor Bluetooth communications between the keyboard and its paired host device.
The attack requires physical proximity and direct access to the keyboard hardware. While this limits the attack surface compared to remote vulnerabilities, the potential for capturing keystrokes including passwords, credentials, and sensitive communications makes this a significant privacy and security concern for enterprise and high-security environments.
Root Cause
The root cause of CVE-2024-0230 lies in insufficient validation checks within the Magic Keyboard's session management functionality. The firmware failed to adequately protect the Bluetooth pairing key material, allowing extraction through physical access mechanisms. Apple addressed this by implementing improved session management checks in Magic Keyboard Firmware Update 2.0.6.
Attack Vector
The attack requires physical access to the target Magic Keyboard device. The attacker must:
- Obtain physical access to an affected Apple Magic Keyboard
- Exploit the session management weakness to extract the Bluetooth pairing key
- Use the extracted key to passively monitor Bluetooth traffic between the keyboard and its paired device
- Capture and decrypt keystroke data transmitted over the Bluetooth connection
This physical access requirement means the vulnerability is most relevant in scenarios where devices may be left unattended, such as office environments, shared workspaces, or situations involving device theft or loss.
Detection Methods for CVE-2024-0230
Indicators of Compromise
- Unexpected firmware access attempts or unusual device behavior on Magic Keyboard peripherals
- Detection of unknown Bluetooth devices attempting to connect or monitor paired keyboard traffic
- Reports of unauthorized physical access to workstations or peripheral devices
- Unusual Bluetooth scanning activity in proximity to affected devices
Detection Strategies
- Implement physical security monitoring in areas where Apple Magic Keyboards are deployed
- Enable Bluetooth connection logging on host systems to identify unexpected pairing attempts
- Use endpoint detection solutions to monitor for unusual peripheral behavior
- Conduct regular firmware version audits to identify unpatched Magic Keyboard devices
Monitoring Recommendations
- Maintain an inventory of all Apple Magic Keyboard devices and their firmware versions
- Monitor for Bluetooth traffic anomalies in sensitive environments
- Implement alerts for any unauthorized physical access to workspaces containing affected devices
- Review Bluetooth device pairing logs regularly for unexpected entries
How to Mitigate CVE-2024-0230
Immediate Actions Required
- Update all affected Apple Magic Keyboards to Firmware version 2.0.6 or later immediately
- Audit all deployed Magic Keyboard devices to identify vulnerable firmware versions
- Implement physical security controls to restrict unauthorized access to keyboard devices
- Consider temporary use of wired keyboards in high-security environments until patches are applied
Patch Information
Apple has released Magic Keyboard Firmware Update 2.0.6 to address this vulnerability. The update implements improved session management checks to prevent unauthorized extraction of Bluetooth pairing keys. Users can obtain the firmware update through their paired Mac by following the instructions in the Apple Support Article.
For detailed patch information, refer to the Apple Knowledge Base.
Workarounds
- Restrict physical access to Magic Keyboard devices in sensitive environments
- Use wired USB connections instead of Bluetooth where possible until firmware is updated
- Implement secure storage procedures for keyboard devices when not in use
- Consider deploying device encryption and endpoint protection solutions to detect unauthorized access attempts
- Enable tamper-evident seals or physical security measures for high-value targets
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
