
Apple Keyboard Firmware Hack Demonstrated

Anonymouse writes with this excerpt from SemiAccurate: "Apple keyboards are vulnerable to a hack that puts keyloggers and malware directly into the device's firmware. This could be a serious problem, and now that the presentation and code (PDF) are out there, the bad guys will surely be exploiting it. The vulnerability was discovered by K. Chen, and he gave a talk on it at Black Hat this year (PDF). The concept is simple: a modern Apple keyboard has about 8K of flash memory, and 256 bytes of working RAM. For the intelligent, this is more than enough space to have a field day. ... The new firmware can do anything you want it to. Chen demonstrated code which, when you put in a password and hit return, starts playing back the last five characters typed in, LIFO. It is a rudimentary keylogger; a proof of concept more than anything else. Since there is about 1K of flash free in the keyboard itself, you can log quite a few keystrokes totally transparently."
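The buffer logic the summary describes, as an added simulation in Go (this is not Chen's firmware, which runs on the keyboard's own microcontroller, and not code from the original page): a five-byte ring in the 256-byte working RAM holds the most recent keys, Enter triggers the LIFO playback, and every keystroke is also appended to a hidden log sized to the roughly 1K of free flash. The sizes come from the summary; the Firmware type, the function names and the sample password are constructed for the example.

```go
package main

import "fmt"

// Sizes quoted in the summary: about 8K of flash, 256 bytes of working RAM,
// and roughly 1K of flash left free. The names below are constructed for the demo.
const (
	ramSize     = 256  // working RAM on the controller
	logSize     = 1024 // free flash a logger could repurpose
	playbackLen = 5    // the PoC plays back the last five characters typed
	enter       = '\n'
)

// Firmware models the controller state of a trojaned keyboard.
type Firmware struct {
	ram    [ramSize]byte // working RAM; the key ring occupies ram[0:playbackLen]
	head   int           // next ring slot to overwrite
	filled int           // ring slots that hold a real key (max playbackLen)
	flash  [logSize]byte // hidden keystroke log in otherwise-unused flash
	logLen int           // bytes of flash used so far
}

// Press handles one keystroke and returns the bytes the host actually sees.
// The key is always passed through unchanged, which is what keeps the logger
// transparent; only Enter adds the PoC's visible LIFO playback.
func (f *Firmware) Press(c byte) []byte {
	out := []byte{c}
	if f.logLen < logSize { // record until the free flash is exhausted
		f.flash[f.logLen] = c
		f.logLen++
	}
	if c == enter {
		return append(out, f.playback()...)
	}
	f.ram[f.head] = c
	f.head = (f.head + 1) % playbackLen
	if f.filled < playbackLen {
		f.filled++
	}
	return out
}

// playback returns the ring contents most-recent first (LIFO).
func (f *Firmware) playback() []byte {
	res := make([]byte, 0, f.filled)
	for i := 1; i <= f.filled; i++ {
		res = append(res, f.ram[(f.head-i+playbackLen)%playbackLen])
	}
	return res
}

// Log returns what an attacker would later read back out of the flash.
func (f *Firmware) Log() []byte {
	return append([]byte{}, f.flash[:f.logLen]...)
}

// Type feeds a whole string through Press and concatenates the host's view.
func Type(f *Firmware, s string) []byte {
	var host []byte
	for i := 0; i < len(s); i++ {
		host = append(host, f.Press(s[i])...)
	}
	return host
}

func main() {
	f := &Firmware{}
	// constructed sample input: a password followed by Enter
	fmt.Printf("host receives: %q\n", Type(f, "hunter2\n"))
	fmt.Printf("hidden flash log: %q\n", f.Log())
}
```

The playback is only the proof of concept's visible tell. The hidden log is what makes a logger transparent: the host receives every key exactly as typed, so nothing on the OS side looks different. This version simply stops recording once the free flash is full.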

  • by mlts ( 1038732 ) * on Saturday August 01, 2009 @01:45PM (#28910263)

    If it has to have a flash BIOS for some reason, why does the flashing utility allow any image to go in without notice? Something like this should either require a signed or encrypted image that the flash utility decodes and decides is correct before putting it in. Maybe something simple as holding a distinct key sequence down on the keyboard while the utility pops up might be an alternative. This way at least the user has to be duped into knowingly flashing the keyboard, as opposed to a completely stealth compromise.

    If I were making a keyboard with a flashable BIOS, rather than going the easy route and hiding a symmetric key on the chip, which would eventually be discovered, I'd use a SHA256 hash combined with an elliptic signing key to validate that a BIOS image was not tampered with before allowing it to be copied to the device. Yes, (barring someone breaking the public key crypto or obtaining the private key) someone could hack a particular keyboard to accept any flash image, but it would require physical access to the JTAG contacts on the device, and it's well known that the game is over when an attacker obtains physical access to a machine anyway.
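The gate mlts proposes, as an added example in Go using only the standard library (this is not Apple's flash utility, not any real vendor's design, and not code from the original page): the vendor signs the SHA-256 digest of the image with an ECDSA P-256 key, the device holds only the public key, and the flash routine refuses any image whose signature does not verify. The Keyboard type, the Program/SignImage/VerifyImage names, the 8K flash size taken from the summary, and the in-memory key generation are all assumptions for the demo; in a real product the public key would be fixed in the controller at manufacture and the private key kept offline.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// flashSize is the roughly 8K of flash the summary attributes to the keyboard.
const flashSize = 8 * 1024

// Keyboard models the device side of a hypothetical signed-update design:
// the flash contents plus the vendor's public key fixed at manufacture time.
type Keyboard struct {
	Flash     [flashSize]byte
	VendorPub *ecdsa.PublicKey
}

// SignImage is the vendor-side step: hash the image with SHA-256 and sign the
// digest with the vendor's ECDSA P-256 private key (ASN.1 DER signature).
func SignImage(priv *ecdsa.PrivateKey, image []byte) ([]byte, error) {
	digest := sha256.Sum256(image)
	return ecdsa.SignASN1(rand.Reader, priv, digest[:])
}

// VerifyImage is the check the flash utility or the device runs before writing:
// recompute the digest and verify the signature against the vendor public key.
func VerifyImage(pub *ecdsa.PublicKey, image, sig []byte) bool {
	digest := sha256.Sum256(image)
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}

// Program writes an image to flash only after both checks pass; a rejected
// image leaves the existing firmware untouched.
func (k *Keyboard) Program(image, sig []byte) error {
	if len(image) > flashSize {
		return errors.New("image larger than device flash")
	}
	if !VerifyImage(k.VendorPub, image, sig) {
		return errors.New("signature check failed: refusing to flash")
	}
	for i := range k.Flash {
		k.Flash[i] = 0 // erase
	}
	copy(k.Flash[:], image)
	return nil
}

func main() {
	// Demo only: a real vendor keeps the private key offline and only the
	// public key ends up in the controller.
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	kb := &Keyboard{VendorPub: &priv.PublicKey}

	image := []byte("constructed firmware image: not real keyboard code")
	sig, err := SignImage(priv, image)
	if err != nil {
		panic(err)
	}
	fmt.Println("genuine image:", kb.Program(image, sig))

	tampered := append([]byte{}, image...)
	tampered[0] ^= 0x01 // flip one bit, keep the old signature
	fmt.Println("tampered image:", kb.Program(tampered, sig))
}
```

Note the ordering: the size check and the signature check both run before a single byte is written, so a failed check leaves the current firmware in place. That is precisely the gate whose absence the comment above complains about; with it, a stealth reflash needs the vendor's private key rather than just access to the flashing utility.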

  • Makes me glad... (Score:2, Interesting)

    by Iphtashu Fitz ( 263795 ) on Saturday August 01, 2009 @01:47PM (#28910287)

    ...that I don't like the Mac keyboards. I use a Mac Pro at work but the first thing I did was go out and buy a Microsoft ergonomic keyboard. Yeah, I know it's probably blasphemy to many to mix MS & Apple hardware, but I've used MS ergonomic keyboards since they practically first came out, both at home and at work, and would never go back to a regular keyboard, especially one from Apple. I've yet to see one from Apple that doesn't make my hands ache after a few hours of use.

  • The Upside? (Score:1, Interesting)

    by Anonymous Coward on Saturday August 01, 2009 @01:49PM (#28910313)

    Anyone have any ideas for firmware modifications to add additional functionality?

  • by ironicsky ( 569792 ) on Saturday August 01, 2009 @02:32PM (#28910729) Homepage Journal

    Most likely because they never anticipated anyone being bored enough to reverse engineer something as simple as a keyboard to hack it. It's like reverse engineering your old school ball mouse.

    Some people just have a lot of time on their hands.

  • by 93 Escort Wagon ( 326346 ) on Saturday August 01, 2009 @02:58PM (#28910885)

    The problem here isn't really with the end user's keyboard - flashing that is a lot of work for little return, in most cases.

    The bigger issue is if/when an enterprising criminal gets access at the plant that makes the keyboards. We've seen CDs/DVDs with malware installed (I'm not even thinking about Sony here); we've seen CompactFlash cards preloaded with viruses... if a batch of keyboards shipped out from manufacturing already installed with a key logger, we're really screwed - who's going to notice?

  • Re:Too much work (Score:4, Interesting)

    by Weedhopper ( 168515 ) on Saturday August 01, 2009 @03:07PM (#28910963)

    Not entirely dumb. I have a US keyboard/top case for a late 2006 MB that began registering as a UK keyboard after a Coke spill.
