Posted on 08/03/2009 9:16:26 PM PDT by Swordmaker
Glad I don’t take the keyboard out of my Macbook and leave it around on a park bench where hackers gather to play chess and share hacks and trojans.
I was wondering about the possibility of this when I got a keyboard firmware update not long after I got my Mac. It’s the first time I’ve ever had a keyboard that needed updating.
I noticed the iPhone thing at the time. There would be a whole article about this “iPhone” vulnerability, and all the way at the bottom it would say in passing that other smart phones are affected too.
I believe they call that social engineering, although in your example that's a euphemism. Most of us don't have a duress password though.
Physical access to either the computer or prior possession of the keyboard is required for this exploit to be installed on the keyboard. The paper notes that this exploit is not limited to Mac keyboards but applies to any "smart" PC keyboard that uses firmware, which means most keyboards with more than the basic keys. K Chen used an Apple keyboard because that is what he uses... it could just as easily have been on any PC keyboard with extra functional keys such as Logitech and Microsoft keyboards.
I'll keep hammering away on this good old dumb keyboard. :') Thanks Swordmaker.
I believe they call that social engineering, although in your example that's a euphemism. Most of us don't have a duress password though.
Or is it a euphuism?
What the hell is that? Some kind of Hamburglar Ferengi?
Well, make sure you don’t leave it in the lawn chair where one of those dog-evading hacker squirrels can get it.
So basically, one would need to voluntarily download a hacked version of the keyboard’s firmware updater and manually install it, giving full permission to do it (why would someone do that in the first place?).
The only real prospect for danger would be buying a “used” keyboard from a 3rd party (think eBay). But even then, it would sure be a crap-shoot for the nefarious seller. And even then, they would have to get the keyboard back, or find other access to the buyer’s computer.
How many computer devices from any maker have firmware that, with a hacked updater, couldn’t be jacked for any purpose?
Indeed. Headlines with Apple or iSomething in the name get clicks, which means they generate advertising revenue.
No one would care if it was reported as a GSM vulnerability. Ask the average person what a GSM is and they’ll look at you like you just landed from Mars. Part of that is due to poor tech education in this country, but part of it is because people don’t care about how things work, just whether or not they do.
Assuming such an exploit could be mounted on a keyboard, then what? To my eye, the researcher has merely posited that rogue code could maybe somehow be put into a keyboard. And... then? To be an effective keylogger, the keystrokes would have to be recorded and/or transmitted to some remote location. How would that work? Wouldn’t such activity be readily perceived by the OS or firewall? Isn’t keyboard RAM rather limited, reducing the ability of keylogger-infected firmware to store much keyboard activity?
I hope this researcher wasn’t tax-funded.