After the vulnerability was publicly disclosed in December, Apple released a firmware update for the Magic Keyboard that closes the flaw, which let an attacker clone the keyboard. Security researcher Marc Newlin reported the vulnerability to Apple and Google in August 2023 and disclosed it publicly in December.

At the time, Newlin said he had been investigating and reporting unauthenticated Bluetooth keystroke injection vulnerabilities in macOS and iOS for months.

The patch applies to both the standard and the extended (numeric keypad) Magic Keyboard models, with and without Touch ID. Apple says firmware 2.0.6 is installed automatically when the Magic Keyboard is paired with an Apple device, so a keyboard that is only ever used with another vendor's host will not pick it up on its own; you can confirm the installed version from the keyboard's entry in the paired device's Bluetooth settings.

The vulnerability allows an attacker with one-time physical access to a Bluetooth keyboard (such as the Magic Keyboard) to extract its Bluetooth pairing key. With that key in hand, an attacker within Bluetooth range can trick the host into accepting a fake keyboard in place of the real one, without any confirmation from the user.

Once the attacker's device has been accepted by the Mac as the Magic Keyboard, it can inject keystrokes at will. The attacker cannot complete anything that requires the user's password or Touch ID, which also means a locked Mac cannot be unlocked this way, but everything else reachable from the keyboard is fair game: launching apps, reading messages, downloading files. The injected keystrokes and their effects (an application opening, a keyboard shortcut firing) are visible on screen exactly as if the user had typed them, so the attack is noisy rather than stealthy and is most dangerous against an unlocked, unattended machine.

Learn more:

https://support.apple.com/en-us/HT214050