It looks to me as if the hacker has found a way to capture the keyboard buffer and dump it. Not good for any computer user. Getting the data from the computer connected to the hexed keyboard to the hacker who wants the data is another matter entirely. That would require something (like spyware) on the target computer to send it on. Keyboard firmware is not checked by any anti-malware apps that I know of.
Thanks to Leonard210 for the heads up!
If you want on or off the Mac Ping List, Freepmail me.
Guess Macs, not unlike Obama, aren't nirvana after all.
neener
So, it sounds as if you somehow get a keyboard that has been tampered with, a firmware update that is bogus, or someone has physical access to your keyboard and hacks it, you are in deep doo-doo.
So, someone could go into a workplace with a laptop, unplug a keyboard, plug it into their laptop and modify it, then plug it back in with nobody the wiser.
Crap.
1. Did you hook up your own keyboard?
2. Has your keyboard ever been out of your possession since you hooked it up?
I thought they only needed to fool the user into installing a hacked keyboard firmware update, so no physical access is required.
It's good that the DEFCON BlackHat guys point up vulnerabilities, and I'm very glad they do. And this one is definitely interesting.
But the tech press and their breathless eagerness to pair up the word "Mac" with anything negative in a headline are really quite tiresome.
Glad I don’t take the keyboard out of my Macbook and leave it around on a park bench where hackers gather to play chess and share hacks and trojans.
I was wondering about the possibility of this when I got a keyboard firmware update not long after I got my Mac. It’s the first time I’ve ever had a keyboard that needed updating.
Physical access to either the computer or prior possession of the keyboard is required for this exploit to be installed on the keyboard. The paper notes that this exploit is not limited to Mac keyboards but applies to any "smart" PC keyboard that uses firmware, which means most keyboards with more than the basic keys. K Chen used an Apple keyboard because that is what he uses... it could just as easily have been on any PC keyboard with extra functional keys such as Logitech and Microsoft keyboards.
I'll keep hammering away on this good old dumb keyboard. :') Thanks Swordmaker.
So basically, one would need to voluntarily download a hacked version of the keyboard’s firmware updater and manually install it, giving full permission to do it (why would someone do that in the first place?).
The only real prospect for danger would be buying a “used” keyboard from a 3rd party (think eBay). But even then, it would sure be a crap-shoot for the nefarious seller. And even then, they would have to get the keyboard back, or find other access to the buyer’s computer.
How many computer devices from any maker have firmware that, with a hacked updater, couldn’t be jacked for any purpose?
Assuming such an exploit could be mounted on a keyboard, then what? To my eye, the researcher has merely posited that rogue code could maybe somehow be put into a keyboard. And... then? To be an effective keylogger, the keystrokes would have to be recorded and/or transmitted to some remote location. How would that work? Wouldn’t such activity be readily perceived by the OS or firewall? Isn’t keyboard RAM rather limited, reducing the ability of keylogger-infected firmware to store much keyboard activity?
I hope this researcher wasn’t tax-funded.