Forgot your password?
typodupeerror
Security Businesses Input Devices Apple

Apple Keyboard Firmware Hack Demonstrated 275

Posted by Soulskill
from the qwerty's-revenge dept.
Anonymouse writes with this excerpt from SemiAccurate: "Apple keyboards are vulnerable to a hack that puts keyloggers and malware directly into the device's firmware. This could be a serious problem, and now that the presentation and code (PDF) is out there, the bad guys will surely be exploiting it. The vulnerability was discovered by K. Chen, and he gave a talk on it at Black Hat this year (PDF). The concept is simple: a modern Apple keyboard has about 8K of flash memory, and 256 bytes of working RAM. For the intelligent, this is more than enough space to have a field day. ... The new firmware can do anything you want it to. Chen demonstrated code which, when you put in a password and hit return, starts playing back the last five characters typed in, LIFO. It is a rudimentary keylogger; a proof of concept more than anything else. Since there is about 1K of flash free in the keyboard itself, you can log quite a few keystrokes totally transparently."
This discussion has been archived. No new comments can be posted.

Apple Keyboard Firmware Hack Demonstrated

Comments Filter:
  • Huh?? (Score:5, Insightful)

    by nurb432 (527695) on Saturday August 01, 2009 @12:26PM (#28910081) Homepage Journal

    Why does a keyboard even need flash in the first place? Being a keyboard isn't a complex job.

    • Re:Huh?? (Score:5, Informative)

      by Anonymous Coward on Saturday August 01, 2009 @12:37PM (#28910187)

      Modern peripherals have microcontrollers that are basically tiny computers all on one chip. The have program flash, data registers, and sometimes data flash or eeprom memory. They are basically small computers about a $1.00 a pop, and are generally more affordable than custom silicon for most low-speed applications (i.e. less than 20 MIPS).

    • I'm assuming so it can be reprogrammed to change between the multiple keyboard layouts without much of a hardware change other than changing the keycaps.
      • by beelsebob (529313)

        Why on earth would you do that in the hardware level? The keyboard just sends key codes, not characters to the OS, it's the OS's job to map them onto characters.

        • by prockcore (543967)

          Ah but the keyboard needs to understand how keycodes change for Shift/Ctrl/AltGR/etc.

          • The potential being that a user can change the keyboard to, say, "US English" or "International" without requiring the OS to explicitly support it?

            Then one could plug a keyboard into OS X, XP, Gnome, Haiku etc and not have to mess around configuring the settings each time. Which in shared households would mean 'Gary' just plugs in his $5 US English keyboard set to international with all the weird symbols to do his Spanish/German homework and the rest of the family use their own and don't have to reset the k

    • Re:Huh?? (Score:5, Funny)

      by ettlz (639203) on Saturday August 01, 2009 @01:02PM (#28910447) Journal
      Probably unimplemented DRM. By forming a secure input path, it furnishes printed material content protection --- by stopping you from typing it in.
      • More likely so that the same hardware can be used for multiple languages & key templates. Not to mention such a thing could be useful for gaming keyboards.

    • If these are recent (last 2-3 year) keyboards, the ones I have double as non-powered USB hubs.

      The idea is that you plug in your mouse and Watcom tablet or other input device directly into the keyboard instead of snaking a couple extra wires to the computer.

      Pretty nifty (until now, that is).

      • by Tacvek (948259)

        Keyboards with built-in hubs have been around nearly as long as as USB keyboards. The idea would be that you plug your mouse, and perhaps your joystick into the keyboard, using only one USB port on the computer for all your major input devices. These days, a hub built into the keyboard is often the most convenient USB port for flash drives.

        Similarly, it was thought that your monitor might be a USB device (Not fully USB, still using a VGA or DVI cable for the video image, but perhaps passing monitor configur

    • Re:Huh?? (Score:4, Insightful)

      by petermgreen (876956) <plugwash.p10link@net> on Saturday August 01, 2009 @08:50PM (#28913479) Homepage

      Dealing with USB however is something that requires a reasonablly powerfull microcontroller with quite complex firmware. Most current microcontrollers are flash based and in many cases are likely to have more flash than the application needs.

  • by lorenlal (164133) on Saturday August 01, 2009 @12:29PM (#28910109)
    Pardon my ignorance. I have a lot of it. What is the advantage of having flash memory in a keyboard? I remember that the keyboard (at least at one time, I don't know if that's still the case) used an interrupt call to process input... But the load the keyboard placed on system resources should be so low, that there wouldn't be a need to offload that right? I have to be missing something here. It seems to me that by having something like this, you're just begging for trouble since it opens another attack surface. Anywhere you have processing and memory is a place for malware to reside. This doesn't impress me much Apple.
    • by TheRaven64 (641858) on Saturday August 01, 2009 @12:36PM (#28910179) Journal
      It's a USB keyboard. That means that it communicates with the host via quite a complex protocol. A keyboard is not just a 'send a specific 8-bit signal when each button is pressed or released' device anymore. The amount of logic needed is not very large, but it's a lot more than a PS/2-style keyboard needed. The firmware could have been in ROM, but these days Flash is about as cheap as ROM and gives you the option of distributing fixes if you find bugs after the device ships.
      • by TJamieson (218336)

        +5 Informative. In fact, the laptop keyboards also have a bit of flash, and Apple has updated a whole host of keyboard firmware over time.

      • by confidential (23321) on Saturday August 01, 2009 @12:49PM (#28910311)

        The firmware could have been in ROM, but these days Flash is about as cheap as ROM and gives you the option of distributing fixes if you find bugs after the device ships.

        Two such examples of exactly that:

        1. Aluminum Keyboard Firmware Update (desktops) [apple.com]
        2. MacBook, MacBook Pro Keyboard Firmware Update (portables) [apple.com]

        The only news here is that the same mechanism of installing these updates is able to have other third party software installed in their place as well.

      • by ThrowAwaySociety (1351793) on Saturday August 01, 2009 @12:51PM (#28910325)

        Is the Apple implementation any different from what other USB HID makers use? I'd be kind of surprised if Apple did anything original with its keyboard design other than making them shiny and thin (and giving them no tactile feedback whatsoever.)

        And if so, are other USB keyboards vulnerable to similar hacks?

        • I was thinking the same thing (typing on my Logitech Wave)... I would think that before this presentation, most people figured the attack vector YOUR KEYBOARD would be low if not miniscule. This is most likely a disturbing trend we're going to see more of before it's all said and done (and you know what they say, after all is said and done, a lot more is said than done.) I remember they used to attempt keyboard hacks by listening via the internal microphone, as well as using other nefarious spy-like tech
          • by xenocide2 (231786)

            have littlesnitch on my Macs, so in the unlikely event my keyboard is compromised (God forbid), at least I'll have a clue it's trying to squawk out of turn. :)

            I think you missed the slide where they discussed how to disable it via keyboard commands.

        • by Anonymous Coward on Saturday August 01, 2009 @01:36PM (#28910755)

          All USB keyboards are vulnerable. The blame here rests on the USB Device Firmware Update Specification [usb.org], which specifies how firmware updates are supposed to work. Hint: there's no security. The only reason this makes news at all is because it has the word "Apple" in the title.

          Spec compliant, secure: choose one. USB was designed for single user computers without security in mind. The only way to solve this (partially) with existing hardware would be to block access to hardware devices from applications running as non-root users, which is fundamentally contrary to the desire to get device drivers out of the kernel for stability. Short of that, this can only be solved by putting a more powerful CPU in the keyboard controller so that it can do a signature check on its own firmware.

          • by Grishnakh (216268) on Saturday August 01, 2009 @03:18PM (#28911463)

            Wouldn't this depend on the keyboard being reflashable from the USB interface? There's a lot of USB microcontrollers out there which can only be re-flashed with physical access to the hardware, not through the USB interface. Maybe this violates USB HID spec, but why does anyone need their keyboard firmware to be upgradeable anyway? This isn't exactly something that changes often. Your typical $5 USB-to-serial adaptor isn't upgradeable either to my knowledge, why should this be?

        • I'd be kind of surprised if Apple did anything original with its keyboard design other than making them shiny and thin (and giving them no tactile feedback whatsoever.)

          Mine is a USB hub, you can plug in your mouse (right or left hand side, as you wish) and a USB key, or pretty much anything else.

          I like having two mice coming out of it, personally (my preference varies).

          I've never seen that on a windows machine.

      • by Plunky (929104)

        It's a USB keyboard. That means that it communicates with the host via quite a complex protocol.

        I wonder how different the Bluetooth keyboards are? I have an older one and I've never heard about this HIDFirmwareUpdaterTool, be interesting to see if I could hack my Bluetooth keyboard..

        (I'm not likely to be vulnerable to a remote attack with this as I use a different OS and to my certain knowledge there is no way to initiate a firmware update from the host)

        • Bluetooth is even more complicated, so I wouldn't be surprised if there's more RAM and flash in your keyboard. Not sure how the updates are handled, but they may be something simple like using the Bluetooth serial profile, in which case you'd be vulnerable to attach via any OS (although the attacker would have to already have root access). This attack is only really useful if you want to preserve a compromise past a reinstall. You'd probably get the keyboard to recognise the sequence "root\n" and "su\n"
      • by daryl_and_daryl (1005065) on Saturday August 01, 2009 @03:38PM (#28911609)

        for anything more complex that a light switch, the flash will be the least expensive way to go - as mentioned above, what we are talking about is a micro-controller, not a dedicated flash memory chip like that used to store the music (or whatever) in a mp3 player. The smallest of these are US $1 Retail in single quantity. order a million and they are likely 20 cents tops. A slightly larger one will have enough pins for the keys on the keyboard and spit USB out the other end, along with enough extra pins to act as a USB Hub, light the LEDs for caps lock, and still have pins left over for factory testing. 1 chip is all you need ( yes it might be cheaper to use dumb logic to multiplex the pins from the keyboard buttons - in fact it is - the difference is a few cents but over a few million it adds up - i am attempting to make the simple argument )

        And this chip is still well under $1.

        With one of these i can use the same chip in every keyboard i design. The logic design for all my keyboards never needs to change - so i need to only stock 1 pc board for all keyboards - just flash the correct firmware before it goes into the keyboard. If someone lays out the pc board wrong - i may well be able to fix this problem in the firmware. I want to make a trackball, a joystick, a WOW keyboard - same chip, same logic pc board, just slightly different firmware - some guy in marketing wants to add an LED, same chip - same pc board

        This same thing is what makes it possible to 'flash' BIOS. In "The Old Days" Bios was an expensive, custom memory chip . You had to change out the chip itself to upgrade the BIOS. So you had to disassemble the computer, so you needed someone who could do this, ... it was expensive to make a change, it was not easy to add a feature, like support for a new drive. and so on..

        Today all BIOS is FLASH - and the flash is either inside a micro-controller, or (and more often the case) the memory has its own micro-controller and this is what handles all of the heavy lifting for a BIOS upgrade - it programs the BIOS memory. And everyone of these BIOS micro-controllers has extra RAM and FLASH hanging around, it makes upgrades easy and cheap. Problems that used to cost millions to fix are now only a download away.

        These micro-controllers are everywhere today - they run the fancy display of car stereos - the graphics - the security code for detachable faceplates - all in one of these little things. The same is true for home stereos - it is cheaper to install one of these on the pc board with the display than to pay for the bigger connectors that would be needed otherwise. It really can be, and often is, cheaper than wire. And again use the same pc board, just flash new software into it, and the marketing guys have new features - or at least flashing lights - for the cost of changing some code. The left over memory in this chip is what allows for fancy 'demo' displays on electronics - the memory is there - let the marketing guys fill it with whatever they want. The other guys add a 'cool' feature - add your own without even slowing down the assembly line ( yes testing .... i know )

        Anywhere you see cool flashing lights, or a small add on feature, on a piece of electronics, it is likely that one of these micro controllers is what is making that happen. You want serial and not USB - easy - , you want to make you product compatible with another guys new product - easy, you want to change the length of time on the wash cycle of your dishwasher so that it can get a better rating in Consumer Reports - easy -

        Every keyboard has a similar problem - just happened to be exploited on a Mac first.

        And if you are looking for a career in electronics/computer science/engineering - embedded design can be fun

    • by unfunk (804468)
      I'm curious too. I'd be surprised if my Logitech G15 keyboard had read/write memory (all the programs for it run on the OS), so just why the hell does Apple feel the need to make a keyboard with that?
    • by mlts (1038732) * on Saturday August 01, 2009 @12:45PM (#28910263)

      If it has to have a flash BIOS for some reason, why does the flashing utility allow any image to go in without notice? Something like this should either require a signed or encrypted image that the flash utility decodes and decides is correct before putting it in. Maybe something simple as holding a distinct key sequence down on the keyboard while the utility pops up might be an alternative. This way at least the user has to be duped into knowingly flashing the keyboard, as opposed to a completely stealth compromise.

      If I were making a keyboard with a flashable BIOS, rather than going the easy route and hiding a symmetric key on the chip would be eventually discovered, I'd use a SHA256 hash combined with an elliptic signing key to validate that a BIOS image was not tampered with before allowing it to be copied to the device. Yes, (barring someone breaking the public key crypto or obtaining the private key) someone could hack a particular keyboard to accept any flash image, but it would require physical access to the JTAG contacts on the device, and its well known that the game is over when an attacker obtains physical access to a machine anyway.

      • Re: (Score:3, Interesting)

        by ironicsky (569792)

        Most likely because they never anticipating anyone being bored enough to reverse engineer something as simple as a keyboard to hack it. Its like reverse engineering your old school ball mouse.

        Some people just have alot of time on their hands

      • by jpmorgan (517966)
        And your keyboard would cost $200...
      • by headbulb (534102)

        This hack could be done to any usb keyboard.

        A firmware flashing utility that refused to flash if the firmware image isn't from the manufactor would be annoying. There are usefull firmwares that are hacked. Dvd firmware that removes regions comes to mind.

        While a bios is a firmware. A firmware is not a bios.

        This hack also requires physical access, which means there are other ways to compromise the system.

  • by psYchotic87 (1455927) <stefanhetzwaantje.gmail@com> on Saturday August 01, 2009 @12:30PM (#28910111)
    Laptop charger hack demonstrated?
    This is getting quite silly... Perhaps manufacturers should try to keep simple devices actually simple.
    • Re:What's next? (Score:4, Informative)

      by unfunk (804468) on Saturday August 01, 2009 @12:39PM (#28910201) Journal
      I feel somewhat obliged to point out that the Sony PSP is vulnerable to a battery hack. If you put in a certain battery, you can then downgrade the system's firmware and play pirated games etc
      • That's a feature, not a bug.

      • That's not a bug. (Score:3, Informative)

        by Anonymous Coward

        That *is* a feature. It isn't a hacked battery, it is a battery which is hacked to appear as an authentic internal tool, designed to read a certain area on a memory stick, so sony can quickly restore a problematic psp.

        It was designed that way, and obscured. the 'hack' merely makes that information public and usable.

    • Perhaps manufacturers should try to keep simple devices actually simple.

      When most major appliances, all automobiles, motorcycles, HDTVs, etc., etc., have a least one (if not dozens) of microprocessors and storage chips onboard, the time for that sentiment was long past in the last century.

      We've sold our souls for convenience and "ease of use" features, and are now beginning to reap the dark side of those value adds.

  • by TheRaven64 (641858) on Saturday August 01, 2009 @12:33PM (#28910149) Journal
    ...Contiki?
  • by SuperKendall (25149) on Saturday August 01, 2009 @12:34PM (#28910165)

    Mandatory 2k long passwords to defeat possible hardware loggers.

    Changed monthly, of course.

    • by Kozz (7764)

      No problem. My company supplies me with all the post-it notes I need!

  • by pushing-robot (1037830) on Saturday August 01, 2009 @12:43PM (#28910241)

    Unless you also have some hidden program on the computer to flash the keyboard and later download the data (in which case you could just log the keys by software), you'd need to physically remove the keyboard, flash it with a keylogging BIOS, return the keyboard, then later retrieve the keyboard to get the logged keys.

    And, as they say, physical access is root access. There are an unlimited number of ways someone could compromise your computer if they are given access to the hardware and firmware. This hack is just further proof of that.

    Oh, and don't let anyone lend you their keyboard.

    • by Iphtashu Fitz (263795) on Saturday August 01, 2009 @12:55PM (#28910377)

      And, as they say, physical access is root access. There are an unlimited number of ways someone could compromise your computer if they are given access to the hardware and firmware

      Only as long as they have a fair amount of time. The beauty of this hack is that you could set up a laptop so that any keyboards that get plugged into it are immediately infected. Then you only need a few seconds alone with the targets computer to unplug the keyboard, plug it into your laptop to infect it, then plug it back into the targets computer and leave. It minimizes the risk of being caught trying to do something more extensive to the system. You just walk into an unoccupied office and walk back out 30 seconds later knowing that the keylogger is installed, as opposed to spending 30 minutes in the office trying to reboot, get into the firmware, etc.

      • Apple keyboards are pretty standard. You just buy your own and install a keylogger at your leisure. Then you just have to swap your doctored keyboard for theirs. If you have any skill at slight of hand, you could probably do this while someone is watching you.

    • by Anonymous Coward on Saturday August 01, 2009 @12:59PM (#28910425)

      Why are people always so quick to dismiss the seriousness of low level exploits?

      Consider a Mac pool at a university. You unplug the keyboard, plug it into a small box with a USB host controller that you programmed to rewrite the keyboard firmware. Plug the keyboard back in, wait until someone else logs in. Then come back, open a text editor, type your secret trigger word, watch as the keyboard spits out the logged passwords.

      Consider a remote root exploit. That enables the hacker to reflash the firmware of an attached keyboard. Then the attacker can remove all traces of the hack from the target computer. The keyboard logs passwords and waits for a trigger word. How do you make someone type a strange word? Captcha. The attacker now has your password/passphrase (SSH login to your company's web server? Your online banking PIN? And the only trace is a modified firmware which nobody checks.

      • I'm not dismissing the seriousness of the exploit, just pointing out that there are tons of ways to exploit a computer you have physical access to. You could swap keyboards when someone isn't looking. You could hook up one of the tinier keyloggers. Or you could attack the computer itself in any number of ways.

        The moral is: If you want to protect against knowledgeable, determined attackers, don't let them touch your PC.

  • If I'm not mistaken, doesn't USB have a way for devices to access the host's memory via DMA? If so, does that mean it's possible for a 'hacked' keyboard to use DMA to write an exploit into the host machine's memory?

    • Re: (Score:3, Informative)

      by TheRaven64 (641858)
      No, USB DMAs can only be initiated from the host (it's a client-server protocol, remember). A USB device has to trick the driver into starting a DMA, which is probably difficult for a keyboard to do without pretending to be some other kind of device. FireWire, on the other hand, allows one device to initiate a DMA request on another and it is up to the driver to block this.
      • by iluvcapra (782887)

        No, USB DMAs can only be initiated from the host (it's a client-server protocol, remember).

        Note well, though, while we're talking about Macs, that FireWire/IEEE 1394 is non-hosted and does have DMA, so in theory someone could hand you a hacked Sony camcorder or hard drive with malicious firmware, that would then have DMA to your computer. But that's a "hardhack."

  • Makes me glad... (Score:2, Interesting)

    by Iphtashu Fitz (263795)

    ...that I don't like the Mac keyboards. I use a Mac Pro at work but the first thing I did was go out and buy a Microsoft ergonomic keyboard. Yeah, I know it's probably blasphemy to many to mix MS & Apple hardware, but I've used MS ergonomic keyboards since they practically first came out, both at home and at work, and would never go back to a regular keyboard, especially one from Apple. I've yet to see one from Apple that doesn't make my hands ache after a few hours of use.

  • by mario_grgic (515333) on Saturday August 01, 2009 @01:01PM (#28910443)

    I'm sure every microwave out there is "hackable" in the sense you can replace its firmware and make it burn users popcorn each time. So what?

    Unless you discovered a way to hack someone's keyboard remotely without user intervention, this is not even worth mentioning on a geek site.

    • How many people do you know that uses their microwave to do online banking? THINK
  • This is a hack on all the new shiny aluminum white keyed keyboards.

    I predict a run no eBay sales of old keyboards [ebay.com] and USB PC alternatives for the paranoid.

    For the rest, well...you get what you pay for eh?

    • Re: (Score:3, Funny)

      by slyborg (524607)

      Love the dumb comments on this thread. The army of ninja hackers will not be sneaking into houses tonight to backdoor all of the Apple keyboards in the world. The fact that it requires physical access to the keyboard makes it pretty close to useless except for public access sites and people who are cheating on their S.O. who happens to be a Black Hat hacker. I would suggest in the latter case you are hella screwed anyway.

  • ... is for a enterprising hacker to do:

    1) A bit of code hacking to put the Keylogger + a simple method to send keystrokes to a 3rd party into a firmware update for the keyboard.

    2) Start a "Man in the middle" attack between a Mac user and Mac update servers.

    3) User installs update..

    4) ???

    5) Profit off of all those banking details....

  • by Hortensia Patel (101296) on Saturday August 01, 2009 @01:48PM (#28910821)

    If someone has sufficient permissions on your machine to update your firmware, aren't you kind of screwed already? I suppose they could swap your (external) keyboard for a compromised one, but that still implies physical access.

    That said, given that the ability to update is useful, and that the flash memory size we're talking about is so small, is there a significant downside to having the OS check hashes of the firmware code on initialization?

    • by vertigoCiel (1070374) on Saturday August 01, 2009 @02:57PM (#28911307)
      That's now how you would pull off this attack. It would go something like this

      "Hey, I think my keyboard's acting up. Could I borrow yours for a sec?"

      "Sure."
      • Meh. I'm not sure which one is the attacker in your scenario, but IMHO that's still requiring physical access. You need to:

        1) Be right next to the target, and probably known to them, since people don't generally borrow hardware from total strangers
        2) Have a plausible reason for having a spare keyboard handy
        3) Be able to sabotage the victim's keyboard so that it "acts up" when you need it to

        All in all, I don't find this remotely scary. This is not going to be the dreaded Mac Virus Of The Apocalypse (you know

  • by Animats (122034) on Saturday August 01, 2009 @01:48PM (#28910827) Homepage

    As the article points out, "For a device as simple as a keyboard, it is hard to imagine why a firmware update mechanism is even required." There's no justification for including an update feature other than as a designed-in security hole. The keyboard CPU should be running off a ROM, or at least an MPU where the security bit has been set to prevent future changes.

    This looks like a "feature" put in for development that should have been pulled before release.

  • by 93 Escort Wagon (326346) on Saturday August 01, 2009 @01:58PM (#28910885)

    The problem here isn't really with the end user's keyboard - flashing that is a lot of work for little return, in most cases.

    The bigger issue is if/when an enterprising criminal gets access at the plant that makes the keyboards. We've seen CDs/DVDs with malware installed (I'm not even thinking about Sony here); we've seen CompactFlash cards preloaded with viruses... if a batch of keyboards shipped out from manufacturing already installed with a key logger, we're really screwed - who's going to notice?

    • by fluffy99 (870997)

      How do you know China isn't already doing this? I certainly don't doubt that NSA does this type of stuff.

  • Hopefully some of the keyboard hackers read slashdot. I would like to request a function added to the keyboard that senses certain "L33T" speak words and automatically backspaces and substitutes REAL words in its place. Some parents might even like to see such a function that senses curse words and substitutes +%$#"!! for matching words... could even be marketable...hrm?

    • by grcumb (781340)

      Hopefully some of the keyboard hackers read slashdot. I would like to request a function added to the keyboard that senses certain "L33T" speak words and automatically backspaces and substitutes REAL words in its place. Some parents might even like to see such a function that senses curse words and substitutes +%$#"!! for matching words... could even be marketable...hrm?

      So, like, a Perl interpreter, then?

  • Much easier way... (Score:3, Informative)

    by Longjmp (632577) on Saturday August 01, 2009 @03:37PM (#28911603)
    I only need two keystrokes to hack a Mac when I have access to its keyboard:
    Cmd - "s"
    Voila, root access. documented here :p Start into single user mode [apple.com]
  • Bet you could infect a keyboard and have it reinfect the computer ever time you try and format / reinstall your OS...

  • I just bought all cheap PC keyboards to replace the aging mac keyboards. mainly because the mac ones are way too expensive... ~$40. Also because all the Mac keyboards have been a point of irritation- from being bright white with clear housing (sure shows crumbs well) to having non-traditional keys (new ones ala mac book keyboard) they just aren't good for the real work environment.

"Everything should be made as simple as possible, but not simpler." -- Albert Einstein

Working...