Slashdot Mirror
Apple Keyboard Firmware Hack Demonstrated
Anonymouse writes with this excerpt from SemiAccurate:
"Apple keyboards are vulnerable to a hack that puts keyloggers and malware directly into the device's firmware. This could be a serious problem, and now that the presentation and code (PDF) is out there, the bad guys will surely be exploiting it. The vulnerability was discovered by K. Chen, and he gave a talk on it at Black Hat this year (PDF). The concept is simple: a modern Apple keyboard has about 8K of flash memory, and 256 bytes of working RAM. For the intelligent, this is more than enough space to have a field day. ... The new firmware can do anything you want it to. Chen demonstrated code which, when you put in a password and hit return, starts playing back the last five characters typed in, LIFO. It is a rudimentary keylogger; a proof of concept more than anything else. Since there is about 1K of flash free in the keyboard itself, you can log quite a few keystrokes totally transparently."
It's a USB keyboard. That means that it communicates with the host via quite a complex protocol. A keyboard is not just a 'send a specific 8-bit signal when each button is pressed or released' device anymore. The amount of logic needed is not very large, but it's a lot more than a PS/2-style keyboard needed. The firmware could have been in ROM, but these days Flash is about as cheap as ROM and gives you the option of distributing fixes if you find bugs after the device ships.
I am TheRaven on Soylent News
Modern peripherals have microcontrollers that are basically tiny computers all on one chip. The have program flash, data registers, and sometimes data flash or eeprom memory. They are basically small computers about a $1.00 a pop, and are generally more affordable than custom silicon for most low-speed applications (i.e. less than 20 MIPS).
I feel somewhat obliged to point out that the Sony PSP is vulnerable to a battery hack. If you put in a certain battery, you can then downgrade the system's firmware and play pirated games etc
I wouldn't be surprised. Modern gaming devices with programmable buttons often store those macros on the device itself, (e.g. the N52te) in order to allow it to work on any computer it's plugged into without needing the extra software - all you need the software for is to program it.
The firmware could have been in ROM, but these days Flash is about as cheap as ROM and gives you the option of distributing fixes if you find bugs after the device ships.
Two such examples of exactly that:
The only news here is that the same mechanism of installing these updates is able to have other third party software installed in their place as well.
No, USB DMAs can only be initiated from the host (it's a client-server protocol, remember). A USB device has to trick the driver into starting a DMA, which is probably difficult for a keyboard to do without pretending to be some other kind of device. FireWire, on the other hand, allows one device to initiate a DMA request on another and it is up to the driver to block this.
I am TheRaven on Soylent News
probably a lot of keyboards, but Apple keyboards are probably the largest block of a single identifiable brand out there. everyone probably uses OEM'd logitechs but those are probably customized to each OEM
All USB keyboards are vulnerable. The blame here rests on the USB Device Firmware Update Specification, which specifies how firmware updates are supposed to work. Hint: there's no security. The only reason this makes news at all is because it has the word "Apple" in the title.
Spec compliant, secure: choose one. USB was designed for single user computers without security in mind. The only way to solve this (partially) with existing hardware would be to block access to hardware devices from applications running as non-root users, which is fundamentally contrary to the desire to get device drivers out of the kernel for stability. Short of that, this can only be solved by putting a more powerful CPU in the keyboard controller so that it can do a signature check on its own firmware.
I only need two keystrokes to hack a Mac when I have access to its keyboard: :p Start into single user mode
Cmd - "s"
Voila, root access. documented here
There are fewer illiterates than people who can't read.
Comment removed based on user account deletion
That *is* a feature. It isn't a hacked battery, it is a battery which is hacked to appear as an authentic internal tool, designed to read a certain area on a memory stick, so sony can quickly restore a problematic psp.
It was designed that way, and obscured. the 'hack' merely makes that information public and usable.
No, it's your OS's job to decide what pressing keypad-minus does, the keyboard should simply tell the OS that keypad-minus key was pressed
Come as you are, do what you must, be who you will.
Because Apple and a couple of Logitech keyboards are the only ones to use flash.