
By Luke Whiting — 18 July 2025
A security flaw disclosed last month in Air Keyboard, an iOS app that turns iPhones into wireless keyboards & mice for computers, remains unresolved on Apple’s App Store. The vulnerability allows anyone connected to the same Wi-Fi network to inject keystrokes onto a victim’s device without a password prompt, according to a technical advisory published on 13 June by the vulnerability archive CXSecurity. The persistence of the vulnerability was confirmed this week by the mobile security researcher behind the “Mobile-Hacker” blog.
How the attack works
The iOS version of Air Keyboard quietly listens for commands on TCP port 8888. Because the service lacks both encryption and authentication, a nearby attacker can craft packets that the app will treat as legitimate user input. The advisory includes a short Python proof‑of‑concept script that sends arbitrary keystrokes; a demonstration video shows an attacker taking control of a phone in seconds.
Despite public disclosure, the developer has not issued a patch or warning. The app is still one of the top search results for “wireless keyboard” in Apple’s marketplace at press time.
Android Risks Fare Slightly Better
On Android, Air Keyboard performs a rudimentary handshake in which the desktop companion must provide a four‑character password. That step blocks input injection but not rough handling: the same proof-of-concept crashes the Android build by sending malformed data to its listening port (55535), producing a denial-of-service until the user restarts the app.
Why Users Don’t See It Coming
Mobile operating systems provide limited visibility into open network ports, so average users have no indication that an app is accepting unsolicited traffic. While technically inclined Android owners can dig through netstat or Termux to spot rogue listeners, iOS hides such diagnostics behind jailbreaking. A similar opacity has allowed recent research to uncover undocumented local ports in Meta’s Instagram and Facebook apps, another reminder that convenience features can also serve as attack surfaces.
Higher Risk In Shared Networks
Because both iOS and Android versions run on fixed, predictable ports, an attacker can scan a public hotspot with tools like Nmap, identify active devices, and decide whether to hijack inputs or merely crash the service. Offices, classrooms, and cafés where dozens of phones share a single subnet are especially vulnerable to abuse.
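For defenders on a shared network, the fixed ports make this activity easy to spot in flow logs. The following is an added example, not code from the advisory or the app's developer: it flags a source that touches the two ports on several phones in quick succession, and any payload sent to them from a host that is not the owner's paired computer. The flow record format, the `paired` allowlist, and the thresholds are assumptions made for illustration.

```python
from collections import defaultdict

# Listener ports named in the article: 8888 (iOS build), 55535 (Android build).
PORTS = {8888: "iOS", 55535: "Android"}

# Constructed flow records: epoch_seconds src dst dst_port payload_bytes
SAMPLE_FLOWS = """\
1752836400 10.0.5.23 10.0.5.40 8888 0
1752836401 10.0.5.23 10.0.5.41 8888 0
1752836402 10.0.5.23 10.0.5.42 55535 0
1752836410 10.0.5.23 10.0.5.40 8888 212
1752836500 10.0.5.7 10.0.5.41 8888 96
1752836600 10.0.5.9 10.0.5.50 443 1500
malformed line
"""

def parse(text):
    """Yield (ts, src, dst, port, nbytes) for well-formed lines only."""
    for line in text.splitlines():
        f = line.split()
        if len(f) == 5 and f[0].isdigit() and f[3].isdigit() and f[4].isdigit():
            yield int(f[0]), f[1], f[2], int(f[3]), int(f[4])

def detect(text, paired=frozenset(), sweep_hosts=3, window=60):
    """Return sorted alerts: ('sweep', src, n_hosts) or
    ('unpaired-data', src, dst, build)."""
    touches = defaultdict(list)  # src -> [(ts, dst)] on the watched ports
    alerts = set()
    for ts, src, dst, port, nbytes in parse(text):
        if port not in PORTS:
            continue
        touches[src].append((ts, dst))
        # Payload reached the listener from a host that is not the
        # owner's paired computer (hypothetical allowlist of (src, dst)).
        if nbytes > 0 and (src, dst) not in paired:
            alerts.add(("unpaired-data", src, dst, PORTS[port]))
    for src, seen in touches.items():
        seen.sort()
        for i, (t0, _) in enumerate(seen):
            # Distinct phones contacted within `window` seconds of this flow.
            hosts = {d for t, d in seen[i:] if t - t0 <= window}
            if len(hosts) >= sweep_hosts:
                alerts.add(("sweep", src, len(hosts)))
                break
    return sorted(alerts, key=str)
```

With the paired computer allowlisted, the sample yields one sweep alert and one unpaired-data alert, both for 10.0.5.23.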
Déjà Vu: “Hi My Name Is Keyboard” and CVE‑2023‑45866
Wireless keystroke injection vulnerabilities can pose significant risks to governments and enterprises. In 2023, Marc Newlin’s “Hi, My Name is Keyboard” demo showed how a rogue Bluetooth peripheral could force‑pair itself as a keyboard and inject keystrokes on Windows, macOS, iOS, and Android without user interaction. The underlying bug was assigned CVE‑2023‑45866.
Nine months later, the FBI, NSA, UK NCSC, and allies warned governments and enterprises that Russia’s SVR (aka APT‑29/Midnight Blizzard) was actively exploiting the same CVE in the wild. The convenience of wireless connectivity has a way of smuggling trust into places it doesn’t belong, and cybercriminals and state actors have begun actively exploiting these overlooked off-channel attack vectors.
How Bastille Closes the Blind Spot
Bastille’s 100% passive Software‑Defined‑Radio sensor arrays continuously scan all signals from 100 MHz to 7.125 GHz, including Wi‑Fi, Bluetooth/BLE, and cellular. Bastille’s AI-powered event detection alerts to anomalous wireless activity, devices, and connections, and provides real-time location of the offending device with 2-3 meter accuracy. Bastille can:
- Detect rogue HID traffic such as rapid‑fire Bluetooth HID reports or unauthenticated AirPlay control frames.
- Locate the offending transmitter in real time, down to the conference room, so that physical security can take action.
- Alert on anomalous open‑port beacons (e.g., a phone suddenly advertising port 8888) and correlate them with the device’s MAC, vendor, and prior behavior.
- Feed SIEM/XDR pipelines with wireless telemetry for unified Zero‑Trust enforcement.
Government, data centers, and Fortune 100 campuses have already deployed Bastille’s patented sensing platform precisely because RF is now part of the kill chain.