Posted on 08/03/2009 9:16:26 PM PDT by Swordmaker
Apple's sleek $49 Mac keyboards can be hacked and infected with keystroke loggers and rootkits that evade conventional host-based detection, according to a security researcher presenting at this year's Black Hat/DEFCON conferences.
The researcher, known only as K. Chen, found a way to reverse engineer and tamper with the keyboard's firmware update. With control of the firmware, an attacker can embed malicious code in the keyboard itself, allowing a rootkit to survive a clean reinstallation of the host operating system.
Chen, from the Georgia Institute of Technology, said malicious code embedded in the firmware would be immune to the typical rootkit detection methods, which examine the integrity of the filesystem, check for hooks or direct kernel object manipulation, or detect hardware and/or timing discrepancies due to virtualization in the case of a virtual-machine-based rootkit.
Such code could also completely bypass the remote attestation of a Trusted Platform Module (TPM), if one were present in the computer, because the TPM measures the host's boot chain and not the firmware of an attached keyboard. "As far as everybody is concerned, our [malicious keyboard] code is simply the user typing commands at the keyboard," he explained.
Chen said a malicious keyboard can be used to snoop on keystrokes from any machine it is plugged into.
Here's a technical paper discussing the keyboard firmware attack. In the video below, Chen demonstrates the attack for George Ou.
Ryan Naraine is a journalist and security evangelist at Kaspersky Lab. He manages Threatpost.com, a security news portal. Here is Ryan's full profile and disclosure of his industry affiliations.
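The security-relevant point in Chen's claim is that keystrokes produced by compromised firmware reach the host as ordinary HID reports. The following is an added example, not code from Chen's paper or from the article: it decodes USB HID boot-protocol keyboard reports (the 8-byte modifier/reserved/six-keycode layout from the HID specification), shows that human-typed and firmware-emitted text are byte-for-byte identical on the wire, and applies an inter-keystroke timing heuristic, a detection approach the article does not mention. The sample report stream, the 15 ms gap and the eight-key burst length are constructed assumptions.

```python
"""Decode USB HID boot-protocol keyboard reports and flag machine-speed bursts.

Added example for the keyboard-firmware discussion above; the report stream at
the bottom is constructed, not captured from real hardware.
"""
from dataclasses import dataclass

# USB HID usage IDs (Keyboard/Keypad page 0x07), unshifted US layout subset.
_USAGE_TO_CHAR = {u: chr(ord("a") + u - 0x04) for u in range(0x04, 0x1E)}        # a..z
_USAGE_TO_CHAR.update({u: str((u - 0x1E + 1) % 10) for u in range(0x1E, 0x28)})  # 1..9,0
_USAGE_TO_CHAR.update({0x28: "\n", 0x2C: " ", 0x2D: "-", 0x2E: "=",
                       0x33: ";", 0x36: ",", 0x37: ".", 0x38: "/"})
_SHIFT_MASK = 0x22  # left shift (bit 1) or right shift (bit 5) of the modifier byte


@dataclass(frozen=True)
class KeyEvent:
    t_ms: float
    char: str


def decode_reports(reports):
    """Turn (t_ms, 8-byte report) pairs into key-down events.

    A boot-protocol report is [modifiers, reserved, k1..k6]; a usage ID that
    appears in the array and was absent from the previous report is one
    key-down. Whether a human pressed the key or code in the keyboard's own
    firmware emitted the report, the bytes are identical, which is why the
    host cannot tell the two apart by inspection.
    """
    events, previous = [], set()
    for t_ms, report in reports:
        if len(report) != 8:
            raise ValueError("boot keyboard report must be 8 bytes")
        shifted = bool(report[0] & _SHIFT_MASK)
        current = {u for u in report[2:] if u >= 0x04}  # 0x01-0x03 are error codes
        for usage in sorted(current - previous):
            char = _USAGE_TO_CHAR.get(usage)
            if char is not None:
                events.append(KeyEvent(t_ms, char.upper() if shifted else char))
        previous = current
    return events


def find_bursts(events, max_gap_ms=15.0, min_len=8):
    """Return the text of runs of >= min_len key-downs spaced <= max_gap_ms apart.

    Assumed thresholds: sustained sub-15 ms intervals over eight keys are well
    beyond human typing. This is a heuristic only: firmware that paces its
    output at human speed, or that merely records keystrokes, will not trip it.
    """
    bursts, run = [], events[:1]
    for prev, cur in zip(events, events[1:]):
        if cur.t_ms - prev.t_ms <= max_gap_ms:
            run.append(cur)
            continue
        if len(run) >= min_len:
            bursts.append("".join(e.char for e in run))
        run = [cur]
    if len(run) >= min_len:
        bursts.append("".join(e.char for e in run))
    return bursts


def type_text(text, start_ms, gap_ms):
    """Constructed input: encode text as press/release report pairs at a fixed pace."""
    char_to_usage = {c: u for u, c in _USAGE_TO_CHAR.items()}
    reports, t = [], start_ms
    for ch in text:
        reports.append((t, bytes([0, 0, char_to_usage[ch], 0, 0, 0, 0, 0])))
        reports.append((t + gap_ms / 2, bytes(8)))  # all keys released
        t += gap_ms
    return reports


# Constructed stream: a person types "ls -la" at ~180 ms per key; later the
# same keyboard emits "id;whoami" at 2 ms per key, as injected firmware might.
SAMPLE_REPORTS = type_text("ls -la\n", 0, 180) + type_text("id;whoami\n", 5000, 2)


if __name__ == "__main__":
    typed = decode_reports(SAMPLE_REPORTS)
    print("host sees typed text:", repr("".join(e.char for e in typed)))
    print("machine-speed bursts:", find_bursts(typed))
```

The decoded stream contains both the human and the injected commands with nothing in the report bytes to separate them; only the timing heuristic singles out the second run. A keyboard that logs keystrokes silently, or injects at human pace, produces no burst at all, which is Chen's point about this class of implant. The durable controls are therefore upstream of the host: authenticated (signed) firmware updates on the device and physical custody of the keyboard, not host-side inspection.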
Glad I don’t take the keyboard out of my Macbook and leave it around on a park bench where hackers gather to play chess and share hacks and trojans.
I was wondering about the possibility of this when I got a keyboard firmware update not long after I got my Mac. It’s the first time I’ve ever had a keyboard that needed updating.
I noticed the iPhone thing at the time. There would be a whole article about this “iPhone” vulnerability, and all the way at the bottom it would say in passing that other smart phones are affected too.
I believe they call that social engineering, although in your example that's a euphemism. Most of us don't have a duress password though.
Physical access to either the computer or prior possession of the keyboard is required for this exploit to be installed on the keyboard. The paper notes that this exploit is not limited to Mac keyboards but applies to any "smart" PC keyboard that uses firmware, which means most keyboards with more than the basic keys. K Chen used an Apple keyboard because that is what he uses... it could just as easily have been on any PC keyboard with extra functional keys such as Logitech and Microsoft keyboards. I'll keep hammering away on this good old dumb keyboard. :') Thanks Swordmaker.
Or is it a euphuism?
What the hell is that? Some kind of Hamburgler Ferengi?
Well, make sure you don’t leave it in the lawn chair where one of those dog-evading hacker squirrels can get it.
So basically, one would need to voluntarily download a hacked version of the keyboard's firmware updater and manually install it, giving full permission to do it (why would someone do that in the first place?).
The only real prospect for danger would be buying a “used” keyboard from a 3rd party (think eBay). But even then, it would sure be a crap-shoot for the nefarious seller. And even then, they would have to get the keyboard back, or find other access to the buyer’s computer.
How many computer devices from any maker have firmware that, with a hacked updater, couldn’t be jacked for any purpose?
Indeed. Headlines with Apple or iSomething in the name get clicks, which means they generate advertising revenue.
No one would care if it was reported as a GSM vulnerability. Ask the average person what a GSM is and they'll look at you like you just landed from Mars. Part of that is due to poor tech education in this country, but part of it is because people don't care about how things work, just whether or not they do.
Assuming such an exploit could be mounted on a keyboard, then what? To my eye, the researcher has merely posited that rogue code could maybe somehow be put into a keyboard. And... then? To be an effective keylogger, the keystrokes would have to be recorded and/or transmitted to some remote location. How would that work? Wouldn’t such activity be readily perceived by the OS or firewall? Isn’t keyboard RAM rather limited, reducing the ability of keylogger-infected firmware to store much keyboard activity?
I hope this researcher wasn’t tax-funded.