Apple Keyboard Firmware Hack Demonstrated 275
Anonymouse writes with this excerpt from SemiAccurate:
"Apple keyboards are vulnerable to a hack that puts keyloggers and malware directly into the device's firmware. This could be a serious problem, and now that the presentation and code (PDF) is out there, the bad guys will surely be exploiting it. The vulnerability was discovered by K. Chen, and he gave a talk on it at Black Hat this year (PDF). The concept is simple: a modern Apple keyboard has about 8K of flash memory, and 256 bytes of working RAM. For the intelligent, this is more than enough space to have a field day. ... The new firmware can do anything you want it to. Chen demonstrated code which, when you put in a password and hit return, starts playing back the last five characters typed in, LIFO. It is a rudimentary keylogger; a proof of concept more than anything else. Since there is about 1K of flash free in the keyboard itself, you can log quite a few keystrokes totally transparently."
Re:Flash memory in a keyboard? (Score:5, Informative)
Re:Huh?? (Score:5, Informative)
Modern peripherals have microcontrollers that are basically tiny computers all on one chip. The have program flash, data registers, and sometimes data flash or eeprom memory. They are basically small computers about a $1.00 a pop, and are generally more affordable than custom silicon for most low-speed applications (i.e. less than 20 MIPS).
Re:What's next? (Score:4, Informative)
Re:Flash memory in a keyboard? (Score:1, Informative)
I wouldn't be surprised. Modern gaming devices with programmable buttons often store those macros on the device itself, (e.g. the N52te) in order to allow it to work on any computer it's plugged into without needing the extra software - all you need the software for is to program it.
Re:Flash memory in a keyboard? (Score:5, Informative)
The firmware could have been in ROM, but these days Flash is about as cheap as ROM and gives you the option of distributing fixes if you find bugs after the device ships.
Two such examples of exactly that:
The only news here is that the same mechanism of installing these updates is able to have other third party software installed in their place as well.
Re:Doesn't USB have DMA capability? (Score:3, Informative)
Re:Makes me glad... (Score:3, Informative)
probably a lot of keyboards, but Apple keyboards are probably the largest block of a single identifiable brand out there. everyone probably uses OEM'd logitechs but those are probably customized to each OEM
Re:What about other keyboard manufacturers? (Score:5, Informative)
All USB keyboards are vulnerable. The blame here rests on the USB Device Firmware Update Specification [usb.org], which specifies how firmware updates are supposed to work. Hint: there's no security. The only reason this makes news at all is because it has the word "Apple" in the title.
Spec compliant, secure: choose one. USB was designed for single user computers without security in mind. The only way to solve this (partially) with existing hardware would be to block access to hardware devices from applications running as non-root users, which is fundamentally contrary to the desire to get device drivers out of the kernel for stability. Short of that, this can only be solved by putting a more powerful CPU in the keyboard controller so that it can do a signature check on its own firmware.
Much easier way... (Score:3, Informative)
Cmd - "s"
Voila, root access. documented here
Comment removed (Score:5, Informative)
That's not a bug. (Score:3, Informative)
That *is* a feature. It isn't a hacked battery, it is a battery which is hacked to appear as an authentic internal tool, designed to read a certain area on a memory stick, so sony can quickly restore a problematic psp.
It was designed that way, and obscured. the 'hack' merely makes that information public and usable.
Re:Huh?? (Score:5, Informative)
No, it's your OS's job to decide what pressing keypad-minus does, the keyboard should simply tell the OS that keypad-minus key was pressed
Re:Makes me glad... (Score:1, Informative)
Because Apple and a couple of Logitech keyboards are the only ones to use flash.