
Apple Keyboard Firmware Hack Demonstrated

Anonymouse writes with this excerpt from SemiAccurate: "Apple keyboards are vulnerable to a hack that puts keyloggers and malware directly into the device's firmware. This could be a serious problem, and now that the presentation and code (PDF) are out there, the bad guys will surely be exploiting it. The vulnerability was discovered by K. Chen, and he gave a talk on it at Black Hat this year (PDF). The concept is simple: a modern Apple keyboard has about 8K of flash memory, and 256 bytes of working RAM. For the intelligent, this is more than enough space to have a field day. ... The new firmware can do anything you want it to. Chen demonstrated code which, when you put in a password and hit return, starts playing back the last five characters typed in, LIFO. It is a rudimentary keylogger; a proof of concept more than anything else. Since there is about 1K of flash free in the keyboard itself, you can log quite a few keystrokes totally transparently."

14 of 275 comments

  1. Huh?? by nurb432 · · Score: 4, Insightful

    Why does a keyboard even need flash in the first place? Being a keyboard isn't a complex job.

    --
    ---- Booth was a patriot ----
    1. Re:Huh?? by Anonymous Coward · · Score: 5, Informative

      Modern peripherals have microcontrollers that are basically tiny computers all on one chip. They have program flash, data registers, and sometimes data flash or EEPROM memory. They are basically small computers at about $1.00 a pop, and are generally more affordable than custom silicon for most low-speed applications (i.e. less than 20 MIPS).

    2. Re:Huh?? by ettlz · · Score: 4, Funny

      Probably unimplemented DRM. By forming a secure input path, it furnishes printed material content protection --- by stopping you from typing it in.

    3. Re:Huh?? by nedlohs · · Score: 4, Insightful

      I'm pretty sure it's easier for me to get some code to run on your machine than it is for me to break into your house and install a logger inside your keyboard.

    4. Re:Huh?? by mattventura · · Score: 4, Insightful

      The only possible reason I could think of for someone doing this is because it would work cross-OS, and even on boot sequences before a normal keylogger would be activated, so you could do this to steal a disk encryption password.
      You could use it constructively, though. You could block the key sequences used to boot off a CD or external drive, which could actually be a useful feature for corporations or schools wanting to prevent booting from external media, since the other methods to prevent that don't work that well.

    5. Re:Huh?? by RalphSleigh · · Score: 4, Informative

      No, it's your OS's job to decide what pressing keypad-minus does; the keyboard should simply tell the OS that the keypad-minus key was pressed.

      --
      Come as you are, do what you must, be who you will.
  2. Coming soon to an enterprise near you by SuperKendall · · Score: 4, Funny

    Mandatory 2k long passwords to defeat possible hardware loggers.

    Changed monthly, of course.

    --
    "There is more worth loving than we have strength to love." - Brian Jay Stanley
  3. Re:Flash memory in a keyboard? by TheRaven64 · · Score: 5, Informative

    It's a USB keyboard. That means that it communicates with the host via quite a complex protocol. A keyboard is not just a 'send a specific 8-bit signal when each button is pressed or released' device anymore. The amount of logic needed is not very large, but it's a lot more than a PS/2-style keyboard needed. The firmware could have been in ROM, but these days Flash is about as cheap as ROM and gives you the option of distributing fixes if you find bugs after the device ships.

    --
    I am TheRaven on Soylent News
  4. Re:Flash memory in a keyboard? by confidential · · Score: 5, Informative

    The firmware could have been in ROM, but these days Flash is about as cheap as ROM and gives you the option of distributing fixes if you find bugs after the device ships.

    Two such examples of exactly that:

    1. Aluminum Keyboard Firmware Update (desktops)
    2. MacBook, MacBook Pro Keyboard Firmware Update (portables)

    The only news here is that the same mechanism of installing these updates is able to have other third party software installed in their place as well.

  5. Re:Physical access required by Iphtashu+Fitz · · Score: 5, Insightful

    And, as they say, physical access is root access. There are an unlimited number of ways someone could compromise your computer if they are given access to the hardware and firmware.

    Only as long as they have a fair amount of time. The beauty of this hack is that you could set up a laptop so that any keyboards that get plugged into it are immediately infected. Then you only need a few seconds alone with the target's computer to unplug the keyboard, plug it into your laptop to infect it, then plug it back into the target's computer and leave. It minimizes the risk of being caught trying to do something more extensive to the system. You just walk into an unoccupied office and walk back out 30 seconds later knowing that the keylogger is installed, as opposed to spending 30 minutes in the office trying to reboot, get into the firmware, etc.

  6. Re:Physical access required by Anonymous Coward · · Score: 5, Insightful

    Why are people always so quick to dismiss the seriousness of low level exploits?

    Consider a Mac pool at a university. You unplug the keyboard, plug it into a small box with a USB host controller that you programmed to rewrite the keyboard firmware. Plug the keyboard back in, wait until someone else logs in. Then come back, open a text editor, type your secret trigger word, watch as the keyboard spits out the logged passwords.

    Consider a remote root exploit. That enables the hacker to reflash the firmware of an attached keyboard. Then the attacker can remove all traces of the hack from the target computer. The keyboard logs passwords and waits for a trigger word. How do you make someone type a strange word? Captcha. The attacker now has your password/passphrase (SSH login to your company's web server? Your online banking PIN?) And the only trace is a modified firmware which nobody checks.

  7. Re:Flash memory in a keyboard? by ColdWetDog · · Score: 4, Funny

    Yeah, he should wait 24 hours and repost the whole article. That works way better around here.

    --
    Faster! Faster! Faster would be better!
  8. Re:What about other keyboard manufacturers? by Anonymous Coward · · Score: 5, Informative

    All USB keyboards are vulnerable. The blame here rests on the USB Device Firmware Update Specification, which specifies how firmware updates are supposed to work. Hint: there's no security. The only reason this makes news at all is because it has the word "Apple" in the title.

    Spec compliant, secure: choose one. USB was designed for single user computers without security in mind. The only way to solve this (partially) with existing hardware would be to block access to hardware devices from applications running as non-root users, which is fundamentally contrary to the desire to get device drivers out of the kernel for stability. Short of that, this can only be solved by putting a more powerful CPU in the keyboard controller so that it can do a signature check on its own firmware.
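The signature check this comment calls for, as an added illustration written for this page (not code from Apple, from the Black Hat talk, or from the DFU specification): a vendor signs the firmware image, and the keyboard's loader only accepts an image whose signature verifies under the vendor's public key, while the plain DFU path accepts anything. The RSA key is a constructed toy built from two Mersenne primes, with textbook RSA and no padding, and the firmware bytes are constructed sample data.

```python
import hashlib

# Toy RSA key, constructed for this example from two well-known Mersenne
# primes. Far too small for real use and textbook RSA with no padding; it
# only serves to show the accept/reject logic of a signature-checking loader.
P = (1 << 127) - 1
Q = (1 << 89) - 1
N = P * Q                                 # public modulus (~216 bits)
E = 65537                                 # public exponent
_D = pow(E, -1, (P - 1) * (Q - 1))        # vendor's private exponent
_SIG_LEN = (N.bit_length() + 7) // 8      # bytes needed to carry a signature


def _digest_int(image: bytes) -> int:
    """SHA-256 of the image, truncated to 24 bytes so the integer is < N."""
    return int.from_bytes(hashlib.sha256(image).digest()[:24], "big")


def vendor_sign(image: bytes) -> bytes:
    """Vendor build step: sign the firmware image with the private exponent."""
    return pow(_digest_int(image), _D, N).to_bytes(_SIG_LEN, "big")


def loader_accepts(image: bytes, signature: bytes,
                   public_n: int = N, public_e: int = E) -> bool:
    """What a signature-checking bootloader in the keyboard would do before
    writing a DFU image to flash: verify, or refuse the update."""
    if len(signature) != _SIG_LEN:
        return False
    sig = int.from_bytes(signature, "big")
    if not 0 < sig < public_n:
        return False
    return pow(sig, public_e, public_n) == _digest_int(image)


def dfu_spec_accepts(image: bytes, signature: bytes) -> bool:
    """The update path the comment describes: spec-compliant, no check at all."""
    return True


# Constructed sample image and a one-byte modification of it.
FIRMWARE = b"constructed sample keyboard firmware image v1.0"
MODIFIED = FIRMWARE[:-1] + b"X"

if __name__ == "__main__":
    sig = vendor_sign(FIRMWARE)
    print("genuine image, checking loader :", loader_accepts(FIRMWARE, sig))
    print("modified image, checking loader:", loader_accepts(MODIFIED, sig))
    print("modified image, plain DFU      :", dfu_spec_accepts(MODIFIED, sig))
```

The modified image is rejected because its digest no longer matches what the signature decrypts to, which is exactly the check a more capable keyboard controller would have to perform on itself.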
