Slashdot Mirror

← Back to Stories (view on slashdot.org)

Apple Keyboard Firmware Hack Demonstrated

Posted by Soulskill on from the qwerty's-revenge dept.

Anonymouse writes with this excerpt from SemiAccurate: "Apple keyboards are vulnerable to a hack that puts keyloggers and malware directly into the device's firmware. This could be a serious problem, and now that the presentation and code (PDF) is out there, the bad guys will surely be exploiting it. The vulnerability was discovered by K. Chen, and he gave a talk on it at Black Hat this year (PDF). The concept is simple: a modern Apple keyboard has about 8K of flash memory, and 256 bytes of working RAM. For the intelligent, this is more than enough space to have a field day. ... The new firmware can do anything you want it to. Chen demonstrated code which, when you put in a password and hit return, starts playing back the last five characters typed in, LIFO. It is a rudimentary keylogger; a proof of concept more than anything else. Since there is about 1K of flash free in the keyboard itself, you can log quite a few keystrokes totally transparently."

31 of 275 comments (clear)

  1. Huh?? by nurb432 · · Score: 4, Insightful

    Why does a keyboard even need flash in the first place? Being a keyboard isn't a complex job.

    --
    ---- Booth was a patriot ----
    1. Re:Huh?? by Anonymous Coward · · Score: 5, Informative

      Modern peripherals have microcontrollers that are basically tiny computers all on one chip. The have program flash, data registers, and sometimes data flash or eeprom memory. They are basically small computers about a $1.00 a pop, and are generally more affordable than custom silicon for most low-speed applications (i.e. less than 20 MIPS).

    2. Re:Huh?? by ettlz · · Score: 4, Funny

      Probably unimplemented DRM. By forming a secure input path, it furnishes printed material content protection --- by stopping you from typing it in.

    3. Re:Huh?? by nedlohs · · Score: 4, Insightful

      I'm pretty sure it's easier for me to get some code to run on your machine than it is for me to break into your house and install a logger inside your keyboard.

    4. Re:Huh?? by mattventura · · Score: 4, Insightful

      The only possible reason I could think for someone doing this is because it would work cross-OS, and even on boot sequences before a normal keylogger would be activated, so you could do this to steal a disk encryption password.
      You could use it constructively, though. You could block the key sequences used to boot off a CD or external drive, which could actually be a useful feature for corporations or schools wanting to prevent booting from external media, since the other methods to prevent that don't work that well.

    5. Re:Huh?? by RalphSleigh · · Score: 4, Informative

      No, it's your OS's job to decide what pressing keypad-minus does, the keyboard should simply tell the OS that keypad-minus key was pressed

      --
      Come as you are, do what you must, be who you will.
    6. Re:Huh?? by petermgreen · · Score: 3, Insightful

      Dealing with USB however is something that requires a reasonablly powerfull microcontroller with quite complex firmware. Most current microcontrollers are flash based and in many cases are likely to have more flash than the application needs.

      --
      note: i'm known as plugwash most places but i screwd up registering that here somehow in the past and now can't register
  2. What's next? by psYchotic87 · · Score: 3, Funny

    Laptop charger hack demonstrated?
    This is getting quite silly... Perhaps manufacturers should try to keep simple devices actually simple.

    1. Re:What's next? by unfunk · · Score: 3, Informative

      I feel somewhat obliged to point out that the Sony PSP is vulnerable to a battery hack. If you put in a certain battery, you can then downgrade the system's firmware and play pirated games etc

  3. Yes, but does it run... by TheRaven64 · · Score: 3, Funny

    ...Contiki?

    --
    I am TheRaven on Soylent News
  4. Coming soon to an enterprise near you by SuperKendall · · Score: 4, Funny

    Mandatory 2k long passwords to defeat possible hardware loggers.

    Changed monthly, of course.

    --
    "There is more worth loving than we have strength to love." - Brian Jay Stanley
  5. Re:Flash memory in a keyboard? by TheRaven64 · · Score: 5, Informative

    It's a USB keyboard. That means that it communicates with the host via quite a complex protocol. A keyboard is not just a 'send a specific 8-bit signal when each button is pressed or released' device anymore. The amount of logic needed is not very large, but it's a lot more than a PS/2-style keyboard needed. The firmware could have been in ROM, but these days Flash is about as cheap as ROM and gives you the option of distributing fixes if you find bugs after the device ships.

    --
    I am TheRaven on Soylent News
  6. Physical access required by pushing-robot · · Score: 3, Insightful

    Unless you also have some hidden program on the computer to flash the keyboard and later download the data (in which case you could just log the keys by software), you'd need to physically remove the keyboard, flash it with a keylogging BIOS, return the keyboard, then later retrieve the keyboard to get the logged keys.

    And, as they say, physical access is root access. There are an unlimited number of ways someone could compromise your computer if they are given access to the hardware and firmware. This hack is just further proof of that.

    Oh, and don't let anyone lend you their keyboard.

    --
    How can I believe you when you tell me what I don't want to hear?
    1. Re:Physical access required by Iphtashu+Fitz · · Score: 5, Insightful

      And, as they say, physical access is root access. There are an unlimited number of ways someone could compromise your computer if they are given access to the hardware and firmware

      Only as long as they have a fair amount of time. The beauty of this hack is that you could set up a laptop so that any keyboards that get plugged into it are immediately infected. Then you only need a few seconds alone with the targets computer to unplug the keyboard, plug it into your laptop to infect it, then plug it back into the targets computer and leave. It minimizes the risk of being caught trying to do something more extensive to the system. You just walk into an unoccupied office and walk back out 30 seconds later knowing that the keylogger is installed, as opposed to spending 30 minutes in the office trying to reboot, get into the firmware, etc.

    2. Re:Physical access required by Anonymous Coward · · Score: 5, Insightful

      Why are people always so quick to dismiss the seriousness of low level exploits?

      Consider a Mac pool at a university. You unplug the keyboard, plug it into a small box with a USB host controller that you programmed to rewrite the keyboard firmware. Plug the keyboard back in, wait until someone else logs in. Then come back, open a text editor, type your secret trigger word, watch as the keyboard spits out the logged passwords.

      Consider a remote root exploit. That enables the hacker to reflash the firmware of an attached keyboard. Then the attacker can remove all traces of the hack from the target computer. The keyboard logs passwords and waits for a trigger word. How do you make someone type a strange word? Captcha. The attacker now has your password/passphrase (SSH login to your company's web server? Your online banking PIN? And the only trace is a modified firmware which nobody checks.

  7. Re:Flash memory in a keyboard? by mlts · · Score: 3, Interesting

    If it has to have a flash BIOS for some reason, why does the flashing utility allow any image to go in without notice? Something like this should either require a signed or encrypted image that the flash utility decodes and decides is correct before putting it in. Maybe something simple as holding a distinct key sequence down on the keyboard while the utility pops up might be an alternative. This way at least the user has to be duped into knowingly flashing the keyboard, as opposed to a completely stealth compromise.

    If I were making a keyboard with a flashable BIOS, rather than going the easy route and hiding a symmetric key on the chip would be eventually discovered, I'd use a SHA256 hash combined with an elliptic signing key to validate that a BIOS image was not tampered with before allowing it to be copied to the device. Yes, (barring someone breaking the public key crypto or obtaining the private key) someone could hack a particular keyboard to accept any flash image, but it would require physical access to the JTAG contacts on the device, and its well known that the game is over when an attacker obtains physical access to a machine anyway.

  8. Re:Flash memory in a keyboard? by confidential · · Score: 5, Informative

    The firmware could have been in ROM, but these days Flash is about as cheap as ROM and gives you the option of distributing fixes if you find bugs after the device ships.

    Two such examples of exactly that:

    1. Aluminum Keyboard Firmware Update (desktops)
    2. MacBook, MacBook Pro Keyboard Firmware Update (portables)

    The only news here is that the same mechanism of installing these updates is able to have other third party software installed in their place as well.

  9. What about other keyboard manufacturers? by ThrowAwaySociety · · Score: 3, Insightful

    Is the Apple implementation any different from what other USB HID makers use? I'd be kind of surprised if Apple did anything original with its keyboard design other than making them shiny and thin (and giving them no tactile feedback whatsoever.)

    And if so, are other USB keyboards vulnerable to similar hacks?

    1. Re:What about other keyboard manufacturers? by Anonymous Coward · · Score: 5, Informative

      All USB keyboards are vulnerable. The blame here rests on the USB Device Firmware Update Specification, which specifies how firmware updates are supposed to work. Hint: there's no security. The only reason this makes news at all is because it has the word "Apple" in the title.

      Spec compliant, secure: choose one. USB was designed for single user computers without security in mind. The only way to solve this (partially) with existing hardware would be to block access to hardware devices from applications running as non-root users, which is fundamentally contrary to the desire to get device drivers out of the kernel for stability. Short of that, this can only be solved by putting a more powerful CPU in the keyboard controller so that it can do a signature check on its own firmware.

    2. Re:What about other keyboard manufacturers? by Grishnakh · · Score: 3, Insightful

      Wouldn't this depend on the keyboard being reflashable from the USB interface? There's a lot of USB microcontrollers out there which can only be re-flashed with physical access to the hardware, not through the USB interface. Maybe this violates USB HID spec, but why does anyone need their keyboard firmware to be upgradeable anyway? This isn't exactly something that changes often. Your typical $5 USB-to-serial adaptor isn't upgradeable either to my knowledge, why should this be?

  10. Re:Makes me glad... by Super_Z · · Score: 3, Insightful

    Why do you assume only Apple keyboards are hackable?

  11. How is news worthy... by mario_grgic · · Score: 3, Insightful

    I'm sure every microwave out there is "hackable" in the sense you can replace its firmware and make it burn users popcorn each time. So what?

    Unless you discovered a way to hack someone's keyboard remotely without user intervention, this is not even worth mentioning on a geek site.

    --
    As the island of our knowledge grows, so does the shore of our ignorance.
  12. Re:Flash memory in a keyboard? by ColdWetDog · · Score: 4, Funny

    Yeah, he should wait 24 hours and repost the whole article. That works way better around here.

    --
    Faster! Faster! Faster would be better!
  13. Re:Flash memory in a keyboard? by TheRaven64 · · Score: 3, Funny

    That only works if you call yourself an 'editor'.

    --
    I am TheRaven on Soylent News
  14. Why was this implemented? Stupid or evil? by Animats · · Score: 3, Insightful

    As the article points out, "For a device as simple as a keyboard, it is hard to imagine why a firmware update mechanism is even required." There's no justification for including an update feature other than as a designed-in security hole. The keyboard CPU should be running off a ROM, or at least an MPU where the security bit has been set to prevent future changes.

    This looks like a "feature" put in for development that should have been pulled before release.

  15. People seem to be missing the bigger issue by 93+Escort+Wagon · · Score: 3, Interesting

    The problem here isn't really with the end user's keyboard - flashing that is a lot of work for little return, in most cases.

    The bigger issue is if/when an enterprising criminal gets access at the plant that makes the keyboards. We've seen CDs/DVDs with malware installed (I'm not even thinking about Sony here); we've seen CompactFlash cards preloaded with viruses... if a batch of keyboards shipped out from manufacturing already installed with a key logger, we're really screwed - who's going to notice?

    --
    #DeleteChrome
  16. Re:Too much work by Weedhopper · · Score: 3, Interesting

    Not entirely dumb. I have a US keyboard/top case for a late 2006 MB that began registering as a UK keyboard after a Coke spill.

  17. Re:Um... I must be missing something by vertigoCiel · · Score: 3, Insightful

    That's now how you would pull off this attack. It would go something like this

    "Hey, I think my keyboard's acting up. Could I borrow yours for a sec?"

    "Sure."

  18. Much easier way... by Longjmp · · Score: 3, Informative

    I only need two keystrokes to hack a Mac when I have access to its keyboard:
    Cmd - "s"
    Voila, root access. documented here :p Start into single user mode

    --
    There are fewer illiterates than people who can't read.
  19. Comment removed by account_deleted · · Score: 5, Informative

    Comment removed based on user account deletion

  20. That's not a bug. by Anonymous Coward · · Score: 3, Informative

    That *is* a feature. It isn't a hacked battery, it is a battery which is hacked to appear as an authentic internal tool, designed to read a certain area on a memory stick, so sony can quickly restore a problematic psp.

    It was designed that way, and obscured. the 'hack' merely makes that information public and usable.