Posted on 08/03/2009 9:16:26 PM PDT by Swordmaker
Apple's sleek $49 Mac keyboards can be hacked and infected with keystroke loggers and impossible-to-detect rootkits, according to a security researcher presenting at this year's Black Hat/DEFCON conferences.
The researcher, known only as K. Chen, found a way to reverse engineer and tamper with the keyboard's firmware upgrade. With the firmware under control, an attacker can subvert the keyboard by embedding malicious code that allows a rootkit to survive a clean re-installation of the host operating system.
Chen, from the Georgia Institute of Technology, said malicious code embedded into the firmware would be immune to the typical rootkit detection methods which examine the integrity of the filesystem, check for hooks or direct kernel object manipulation, or detect hardware and/or timing discrepancies due to virtualization in the case of a virtual-machine based rootkit.
Such code could also completely bypass the remote attestation of a Trusted Platform Module, if one were present in the computer. "As far as everybody is concerned, our [malicious keyboard] code is simply the user typing commands at the keyboard," he explained.
Chen said a malicious keyboard can be used to snoop on keystrokes from any machine it is plugged into.
Here's a technical paper discussing the keyboard firmware attack. In the video below, Chen demonstrates the attack for George Ou.
Ryan Naraine is a journalist and security evangelist at Kaspersky Lab. He manages Threatpost.com, a security news portal. Here is Ryan's full profile and disclosure of his industry affiliations.
It looks to me as if the hacker has found a way to capture the keyboard buffer and dump it. Not good for any computer user. Getting the data from the computer connected to the hexed keyboard to the hacker who wants the data is another matter entirely. That would require something (like spyware) on the target computer to send it on. Keyboard firmware is not checked by any anti-malware apps that I know of.
Thanks to Leonard210 for the heads up!
If you want on or off the Mac Ping List, Freepmail me.
Guess, macs, not unlike obama, aren't nirvana after all.
neener
So, it sounds as if you somehow get a keyboard that has been tampered with, a firmware update that is bogus, or someone has physical access to your keyboard and hacks it, you are in deep doo-doo.
So, someone could go into a workplace with a laptop, unplug a keyboard, plug it into their laptop and modify it, then plug it back in with nobody the wiser.
Crap.
You do realize this is a hazard to any keyboard that has firmware in it, right? Not just Mac keyboards?
Read the article. The exploit is for all firmware-loading keyboards, including those manufactured by Microsoft and Logitech.
The headline highlights Apple’s wireless keyboard because headlines involving Apple get clicked more: reference the GSM SMS exploit which was demonstrated on a Sony Ericsson phone, yet was reported in the tech media as an iPhone exploit.
Wouldn’t it be just as easy for the user to flash his firmware with the correct version and thus, make sure everything is “okay”?
First you gotta get the malicious firmware revision onto the Mac's keyboard. That means getting the malware on the Mac that will install it on the keyboard and manage the data coming back from the keyboard AND keep it from being seen on the screen... on a Mac, about the only way to do that is with a Trojan. I am not going to be too worried about it.
Note also that this works on ANY computer and any keyboard with firmware... if it's got firmware, it can be compromised. That would be any keyboard that requires a driver on PCs. Comparing the ease of compromising Macs with malware and compromising Windows XP with malware, I think that would more likely occur on Windows than on Macs.
It also seems like it would not be a problem for software to be made which would read the firmware, compare it to the current version of the firmware and note if there was any differences.
I don’t know, but I seem to recall there is often a problem going backwards with firmware in certain cases, and there has to be a special executable that can specifically undo it, not just running the previous firmware upgrade.
Anyone have knowledge of this?
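The check proposed above (read the firmware back, compare it with the known-good version, flag any difference) looks like this in practice. This is an added example, not code from the article, the researcher, or anyone in this thread; the firmware image layout, the version digests and the vendor key are all constructed for the demonstration, and the HMAC tag stands in for whatever signature scheme a real vendor updater would use.

```python
"""Firmware image integrity check (constructed example).

Two defensive checks the thread discusses:
  1. Before flashing: verify that an update image carries a valid vendor tag,
     so a bogus firmware update is rejected instead of installed.
  2. After the fact: hash a dump of the keyboard's firmware and compare it
     with the known-good digest for the version the device reports.
"""
import hashlib
import hmac

# Constructed "known-good" firmware images. In a real deployment the digests
# come from the vendor's release manifest, never from the device under test.
KNOWN_GOOD_IMAGES = {
    "1.0.1": b"\x00" * 16 + b"EXAMPLE KEYBOARD FIRMWARE v1.0.1" + bytes(range(256)),
    "1.0.2": b"\x00" * 16 + b"EXAMPLE KEYBOARD FIRMWARE v1.0.2" + bytes(range(255, -1, -1)),
}
KNOWN_GOOD_DIGESTS = {
    version: hashlib.sha256(image).hexdigest()
    for version, image in KNOWN_GOOD_IMAGES.items()
}

# Constructed vendor signing key; a stand-in for the vendor's real update signature.
VENDOR_KEY = b"constructed-vendor-key-not-a-real-secret"


def sign_update(image: bytes, key: bytes = VENDOR_KEY) -> bytes:
    """Produce the tag a legitimate updater would ship alongside an image."""
    return hmac.new(key, image, hashlib.sha256).digest()


def verify_update(image: bytes, tag: bytes, key: bytes = VENDOR_KEY) -> bool:
    """Accept an update only if its tag matches; constant-time comparison."""
    return hmac.compare_digest(sign_update(image, key), tag)


def check_dumped_firmware(dumped: bytes, reported_version: str) -> str:
    """Compare a firmware dump with the known-good digest for the claimed version."""
    expected = KNOWN_GOOD_DIGESTS.get(reported_version)
    if expected is None:
        return "unknown-version"
    actual = hashlib.sha256(dumped).hexdigest()
    return "ok" if hmac.compare_digest(actual, expected) else "MODIFIED"


def tamper(image: bytes, offset: int, patch: bytes) -> bytes:
    """Constructed helper: overwrite a few bytes to simulate an altered image."""
    return image[:offset] + patch + image[offset + len(patch):]


def demo() -> dict:
    """Run both checks against a genuine image and a two-byte-altered copy."""
    good = KNOWN_GOOD_IMAGES["1.0.2"]
    altered = tamper(good, 40, b"\xde\xad")
    tag = sign_update(good)
    return {
        "genuine_dump": check_dumped_firmware(good, "1.0.2"),
        "altered_dump": check_dumped_firmware(altered, "1.0.2"),
        "wrong_version_claimed": check_dumped_firmware(good, "1.0.1"),
        "unknown_version": check_dumped_firmware(good, "9.9.9"),
        "genuine_update_accepted": verify_update(good, tag),
        "altered_update_rejected": not verify_update(altered, tag),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The caveat a practitioner would raise is the one the article itself implies: the dump in check 2 is obtained by asking the keyboard for its own firmware, so firmware that has already been altered can simply return a clean copy. Only the pre-flash check on the update image, or reading the flash with external hardware rather than through the device's own interface, gives a result the device cannot lie about.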
1. Did you hook up your own keyboard?
2. Has your keyboard ever been out of your possession since you hooked it up?
I thought they only needed to fool the user into installing a hacked keyboard firmware update, so no physical access is required.
It's good that the DEFCON BlackHat guys point up vulnerabilities, and I'm very glad they do. And this one is definitely interesting.
But the tech press and their breathless eagerness to pair up the word "Mac" with anything negative in a headline are really quite tiresome.
---------------------------------------------------------
Sent from my Macbook Pro.
Yes. No.
The data the keyboard sends is sent only to the computer it's connected to. To get it any farther, it must be managed by something on the computer that connects to the internet to send the data on to the hacker. The keyboard cannot do that. I know what is running on my computer.
Psychological attack is a method of making the user the agent of the hacker... the agent has to have physical access to install the installer.
There are currently no drive-by installations of software on a Mac without the involvement of someone with administrator access. If that administrator is foolish enough to trust un-trustworthy sites or install files received in email, then no one can protect him from himself.
Congratulations - you are cleared to fly.
; )
I try to be alert, but most of these hacks they've been touting require physical possession of the hardware. If they get the hardware, you're pretty much pwned, no matter what else happens.
Yeah, that's pretty much a "given" in the world of computer security -- no OS is going to stop an attacker who has physical access and enough time.
In this case, of course, the computer itself isn't even compromised -- the keyboard is. And without a subsequent compromise of the computer, the attacker would need physical access a second time to the keyboard to extract the captured data, if I'm reading this correctly.