Slashdot Mirror


Apple Keyboard Firmware Hack Demonstrated

Anonymouse writes with this excerpt from SemiAccurate: "Apple keyboards are vulnerable to a hack that puts keyloggers and malware directly into the device's firmware. This could be a serious problem, and now that the presentation and code (PDF) is out there, the bad guys will surely be exploiting it. The vulnerability was discovered by K. Chen, and he gave a talk on it at Black Hat this year (PDF). The concept is simple: a modern Apple keyboard has about 8K of flash memory, and 256 bytes of working RAM. For the intelligent, this is more than enough space to have a field day. ... The new firmware can do anything you want it to. Chen demonstrated code which, when you put in a password and hit return, starts playing back the last five characters typed in, LIFO. It is a rudimentary keylogger; a proof of concept more than anything else. Since there is about 1K of flash free in the keyboard itself, you can log quite a few keystrokes totally transparently."

24 of 275 comments

  1. Huh?? by nurb432 · · Score: 4, Insightful

    Why does a keyboard even need flash in the first place? Being a keyboard isn't a complex job.

    --
    ---- Booth was a patriot ----
    1. Re:Huh?? by anss123 · · Score: 1, Insightful

      Why does a keyboard even need flash in the first place? Being a keyboard isn't a complex job.

      Flash chips are cheap these days.

      And what's to stop people from simply installing a tiny key-logging chip inside your keyboard? Seems less trouble than writing a crummy firmware hack, and it's not like I'd notice an extra chip inside my keyboard.

    2. Re:Huh?? by MaskedSlacker · · Score: 1, Insightful

      The need for physical access? Sure, someone intentionally spying on YOU might do it, but for someone looking to keylog as many credit card numbers as possible it'd be kinda difficult/pointless.

    3. Re:Huh?? by anss123 · · Score: 1, Insightful

      The need for physical access?

      You need physical access for flashing the keyboard, unless you have taken over the Mac's OS. In the latter case you can install a key logger in the OS, so why bother with the keyboard? Also, you need to get the key data out of the keyboard somehow, so without OS control you have to straddle over and collect it yourself.

      Hey, why are you connecting your laptop to my keyboard....

      Point is, this security vulnerability is no big deal.

    4. Re:Huh?? by nedlohs · · Score: 4, Insightful

      I'm pretty sure it's easier for me to get some code to run on your machine than it is for me to break into your house and install a logger inside your keyboard.

    5. Re:Huh?? by Anonymous Coward · · Score: 1, Insightful

      Unless the firmware was hacked before you received your new keyboard...

    6. Re:Huh?? by nedlohs · · Score: 2, Insightful

      But if you removed the logger, say by reinstalling the OS or whatever, I would lose that. With it in the keyboard you need to also replace that (or reflash it, of course).

    7. Re:Huh?? by mattventura · · Score: 4, Insightful

      The only possible reason I could think for someone doing this is because it would work cross-OS, and even on boot sequences before a normal keylogger would be activated, so you could do this to steal a disk encryption password.
      You could use it constructively, though. You could block the key sequences used to boot off a CD or external drive, which could actually be a useful feature for corporations or schools wanting to prevent booting from external media, since the other methods to prevent that don't work that well.

    8. Re:Huh?? by Anonymous Coward · · Score: 1, Insightful

      Just add a piece of paper to the box:

      "Congratulations on your purchase of a new mac! You're probably a former windows user looking to escape from daily crashes and insecure applications, so please take a moment to read these instructions and familiarize yourself with your new mac's security features!

      One new feature we have added is extra encryption for your bank and credit card webpages. To activate this encryption, please visit each of your banks and credit card's websites (be sure to type the URL, do not click on any links in your emails as hackers can send you fake links that look real) and log in.

      After logging in to each of these websites, visit our enhanced encryption website at http://bankencrypter.com/ You will be asked to type an easy-to-read captcha (an image designed to prove that you're human, rather than a hacker). Once you have done so, the encryption process for that site will be complete and you will be extra secure!

      Note: While our encryption is designed for bank accounts and credit card websites, you can use it for your e-mail as well. Just follow the steps above to enable extra security to your webmail account!"

    9. Re:Huh?? by adolf · · Score: 1, Insightful

      Mac user: "What's a shell account?"

      Linux user explains the whole thing.

      Mac user: *head explodes*

    10. Re:Huh?? by petermgreen · · Score: 3, Insightful

      Dealing with USB, however, is something that requires a reasonably powerful microcontroller with quite complex firmware. Most current microcontrollers are flash based and in many cases are likely to have more flash than the application needs.

      --
      note: I'm known as plugwash most places but I screwed up registering that here somehow in the past and now can't register
  2. Flash memory in a keyboard? by lorenlal · · Score: 2, Insightful

    Pardon my ignorance. I have a lot of it. What is the advantage of having flash memory in a keyboard? I remember that the keyboard (at least at one time, I don't know if that's still the case) used an interrupt call to process input... But the load the keyboard placed on system resources should be so low that there wouldn't be a need to offload that, right? I have to be missing something here. It seems to me that by having something like this, you're just begging for trouble since it opens another attack surface. Anywhere you have processing and memory is a place for malware to reside. This doesn't impress me much, Apple.

  3. Physical access required by pushing-robot · · Score: 3, Insightful

    Unless you also have some hidden program on the computer to flash the keyboard and later download the data (in which case you could just log the keys by software), you'd need to physically remove the keyboard, flash it with a keylogging BIOS, return the keyboard, then later retrieve the keyboard to get the logged keys.

    And, as they say, physical access is root access. There are an unlimited number of ways someone could compromise your computer if they are given access to the hardware and firmware. This hack is just further proof of that.

    Oh, and don't let anyone lend you their keyboard.

    --
    How can I believe you when you tell me what I don't want to hear?
    1. Re:Physical access required by Iphtashu+Fitz · · Score: 5, Insightful

      And, as they say, physical access is root access. There are an unlimited number of ways someone could compromise your computer if they are given access to the hardware and firmware

      Only as long as they have a fair amount of time. The beauty of this hack is that you could set up a laptop so that any keyboards that get plugged into it are immediately infected. Then you only need a few seconds alone with the target's computer to unplug the keyboard, plug it into your laptop to infect it, then plug it back into the target's computer and leave. It minimizes the risk of being caught trying to do something more extensive to the system. You just walk into an unoccupied office and walk back out 30 seconds later knowing that the keylogger is installed, as opposed to spending 30 minutes in the office trying to reboot, get into the firmware, etc.

    2. Re:Physical access required by Anonymous Coward · · Score: 5, Insightful

      Why are people always so quick to dismiss the seriousness of low level exploits?

      Consider a Mac pool at a university. You unplug the keyboard, plug it into a small box with a USB host controller that you programmed to rewrite the keyboard firmware. Plug the keyboard back in, wait until someone else logs in. Then come back, open a text editor, type your secret trigger word, watch as the keyboard spits out the logged passwords.

      Consider a remote root exploit. That enables the hacker to reflash the firmware of an attached keyboard. Then the attacker can remove all traces of the hack from the target computer. The keyboard logs passwords and waits for a trigger word. How do you make someone type a strange word? Captcha. The attacker now has your password/passphrase (SSH login to your company's web server? Your online banking PIN?) And the only trace is a modified firmware which nobody checks.

    3. Re:Physical access required by Anonymous Coward · · Score: 1, Insightful

      And only buy keyboards that are certified never to have been touched by human hands? I could probably infect half the Apple keyboards in the local Fry's without drawing suspicion.

  4. Flash needs write protect switches by Anonymous Coward · · Score: 1, Insightful

    Microcontrollers in keyboards, BIOS flash, USB sticks, SD cards: please give us hardware write protection. Whether we want our keyboards to be just keyboards, our BIOS unmodified by rootkits, USB sticks which we can insert into someone else's system without worrying that our stick gets infected, or to boot off an SD card, a simple write-protect switch is the easiest and most reliable way.

  5. What about other keyboard manufacturers? by ThrowAwaySociety · · Score: 3, Insightful

    Is the Apple implementation any different from what other USB HID makers use? I'd be kind of surprised if Apple did anything original with its keyboard design other than making them shiny and thin (and giving them no tactile feedback whatsoever.)

    And if so, are other USB keyboards vulnerable to similar hacks?

    1. Re:What about other keyboard manufacturers? by Grishnakh · · Score: 3, Insightful

      Wouldn't this depend on the keyboard being reflashable from the USB interface? There's a lot of USB microcontrollers out there which can only be re-flashed with physical access to the hardware, not through the USB interface. Maybe this violates USB HID spec, but why does anyone need their keyboard firmware to be upgradeable anyway? This isn't exactly something that changes often. Your typical $5 USB-to-serial adaptor isn't upgradeable either to my knowledge, why should this be?

  6. Re:Makes me glad... by Super_Z · · Score: 3, Insightful

    Why do you assume only Apple keyboards are hackable?

  7. How is news worthy... by mario_grgic · · Score: 3, Insightful

    I'm sure every microwave out there is "hackable" in the sense that you can replace its firmware and make it burn users' popcorn each time. So what?

    Unless you discovered a way to hack someone's keyboard remotely without user intervention, this is not even worth mentioning on a geek site.

    --
    As the island of our knowledge grows, so does the shore of our ignorance.
  8. Um... I must be missing something by Hortensia+Patel · · Score: 2, Insightful

    If someone has sufficient permissions on your machine to update your firmware, aren't you kind of screwed already? I suppose they could swap your (external) keyboard for a compromised one, but that still implies physical access.

    That said, given that the ability to update is useful, and that the flash memory size we're talking about is so small, is there a significant downside to having the OS check hashes of the firmware code on initialization?
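One way to implement the firmware hash check this comment proposes, as an added example that is not from the article, from K. Chen's talk or from any commenter: an OS-side tool keeps a manifest of known-good SHA-256 digests keyed by USB vendor and product id, compares a read-back image against it, and, on a mismatch, reports which 256-byte blocks differ. The golden images, the product id and the existence of a read-back path are assumptions; 0x05AC is Apple's USB vendor id, and the 8 KiB flash size is the figure the article gives.

```python
"""Verify a dumped keyboard firmware image against a manifest of known-good digests.

Added example, not code from the article or the talk. It assumes the caller can
already obtain the image bytes from the device (a vendor read-back tool, a
debugger, or a desoldered chip); that step is outside this example.
"""
import hashlib
import hmac
from typing import Dict, List, Tuple

DeviceId = Tuple[int, int]  # (USB vendor id, USB product id)

FLASH_SIZE = 8192  # about 8K of flash, per the article
BLOCK = 256        # granularity used when reporting altered regions


def _constructed_image(seed: bytes, size: int = FLASH_SIZE) -> bytes:
    """Build a deterministic stand-in for a real firmware dump (constructed data)."""
    return (seed * (size // len(seed) + 1))[:size]


# Golden images: constructed here for the example. In a real deployment these
# digests would come from the vendor or from a dump taken from a trusted unit.
# 0x05AC is Apple's USB vendor id; the product id 0x0000 is a placeholder.
GOLDEN: Dict[DeviceId, bytes] = {
    (0x05AC, 0x0000): _constructed_image(b"KBD-FW-1.0\x00"),
}

# The manifest stores only digests, so it can be shipped without the images.
MANIFEST: Dict[DeviceId, str] = {
    dev: hashlib.sha256(img).hexdigest() for dev, img in GOLDEN.items()
}


def verify_firmware(device: DeviceId, image: bytes,
                    manifest: Dict[DeviceId, str] = MANIFEST) -> str:
    """Return "ok", "mismatch" or "unknown-device" for a read-back image."""
    expected = manifest.get(device)
    if expected is None:
        return "unknown-device"  # no baseline: treat as needing manual review
    actual = hashlib.sha256(image).hexdigest()
    # compare_digest avoids leaking how many leading digits matched
    return "ok" if hmac.compare_digest(actual, expected) else "mismatch"


def diff_regions(golden: bytes, image: bytes, block: int = BLOCK) -> List[int]:
    """List the indices of fixed-size blocks that differ between two images.

    A length difference counts as a difference in every block past the shorter
    image, so a truncated or padded dump is never reported as clean.
    """
    longest = max(len(golden), len(image))
    nblocks = (longest + block - 1) // block
    return [
        i for i in range(nblocks)
        if golden[i * block:(i + 1) * block] != image[i * block:(i + 1) * block]
    ]


def inspect(device: DeviceId, image: bytes) -> Tuple[str, List[int]]:
    """Verify an image and, on mismatch, locate the altered blocks."""
    verdict = verify_firmware(device, image)
    if verdict != "mismatch":
        return verdict, []
    return verdict, diff_regions(GOLDEN[device], image)


if __name__ == "__main__":
    dev = (0x05AC, 0x0000)
    clean = GOLDEN[dev]
    tampered = bytearray(clean)
    tampered[7000] ^= 0xFF  # constructed one-byte modification in the free tail of flash
    print(inspect(dev, clean))            # ('ok', [])
    print(inspect(dev, bytes(tampered)))  # ('mismatch', [27])
    print(inspect((0x1234, 0x5678), b"\x00" * FLASH_SIZE))  # ('unknown-device', [])
```

The check is only as good as the read-back path: the device itself answers the dump request, so firmware that has already been replaced could return a clean-looking copy. A baseline taken before deployment, or a dump obtained through a path the firmware cannot influence, is what makes the comparison meaningful.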

    1. Re:Um... I must be missing something by vertigoCiel · · Score: 3, Insightful

      That's not how you would pull off this attack. It would go something like this:

      "Hey, I think my keyboard's acting up. Could I borrow yours for a sec?"

      "Sure."

  9. Why was this implemented? Stupid or evil? by Animats · · Score: 3, Insightful

    As the article points out, "For a device as simple as a keyboard, it is hard to imagine why a firmware update mechanism is even required." There's no justification for including an update feature other than as a designed-in security hole. The keyboard CPU should be running off a ROM, or at least an MPU where the security bit has been set to prevent future changes.

    This looks like a "feature" put in for development that should have been pulled before release.