
Apple Keyboard Firmware Hack Demonstrated

Soulskill posted more than 4 years ago | from the qwerty's-revenge dept.

Security 275

Anonymouse writes with this excerpt from SemiAccurate: "Apple keyboards are vulnerable to a hack that puts keyloggers and malware directly into the device's firmware. This could be a serious problem, and now that the presentation and code (PDF) are out there, the bad guys will surely be exploiting it. The vulnerability was discovered by K. Chen, and he gave a talk on it at Black Hat this year (PDF). The concept is simple: a modern Apple keyboard has about 8K of flash memory, and 256 bytes of working RAM. For the intelligent, this is more than enough space to have a field day. ... The new firmware can do anything you want it to. Chen demonstrated code which, when you put in a password and hit return, starts playing back the last five characters typed in, LIFO. It is a rudimentary keylogger; a proof of concept more than anything else. Since there is about 1K of flash free in the keyboard itself, you can log quite a few keystrokes totally transparently."


275 comments

Huh?? (4, Insightful)

nurb432 (527695) | more than 4 years ago | (#28910081)

Why does a keyboard even need flash in the first place? Being a keyboard isn't a complex job.

fp (-1, Troll)

Anonymous Coward | more than 4 years ago | (#28910143)

ladies, get your pussies ready!

Re:Huh?? (1, Insightful)

anss123 (985305) | more than 4 years ago | (#28910147)

Why does a keyboard even need flash in the first place? Being a keyboard isn't a complex job.

Flash chips are cheap these days.

And what's to stop people from simply installing a tiny key logging chip inside your keyboard? Seems less trouble than writing a crummy firmware hack, and it's not like I'd notice an extra chip inside my keyboard.

Re:Huh?? (1, Insightful)

MaskedSlacker (911878) | more than 4 years ago | (#28910219)

The need for physical access? Sure, someone intentionally spying on YOU might do it, but for someone looking to keylog as many credit card numbers as possible it'd be kinda difficult/pointless.

Re:Huh?? (1, Insightful)

anss123 (985305) | more than 4 years ago | (#28910595)

The need for physical access?

You need physical access for flashing the keyboard, unless you have taken over the mac's os. In the latter case you can install a key logger in the OS, so why bother with the keyboard. Also you need to get the key data somehow out of the keyboard, so without OS control you have to straddle over and collect it yourself.

Hey, why are you connecting your laptop to my keyboard....

Point is, this security vulnerability is no big deal.

Re:Huh?? (1, Insightful)

Anonymous Coward | more than 4 years ago | (#28910877)

Unless the firmware was hacked before you received your new keyboard...

Re:Huh?? (1)

anss123 (985305) | more than 4 years ago | (#28911051)

Unless the firmware was hacked before you received your new keyboard...

Which still leaves you the problem of retrieving the data.

YOU BEST BE TROLLIN' (0)

Anonymous Coward | more than 4 years ago | (#28910939)

'physical access unless you have taken over the mac's os'

lol. That's not 'physical access'. That's "You can use physical access, or use remote access".

In the latter case you can install a key logger in the OS, so why bother with the keyboard.

..er, because the user can reformat his machine from read-only media, and think he's safe? That's the whole idea.

Re:YOU BEST BE TROLLIN' (1)

anss123 (985305) | more than 4 years ago | (#28911131)

..er, because the user can reformat his machine from read-only media, and think he's safe? That's the whole idea.

If the user reformats his mac how will you retrieve the keylog? Either you need physical access or you have to break into the OS again. If you can break into the OS it's unlikely that the 1000 character keylog waiting for you is worth the effort.

If you got physical access you can install a physical key logger. A firmware key logger may be easier to hide and install but that's it. You still have to retrieve the data, so excepting the greater ease it's not superior to a simple key logger hidden inside your keyboard. Also, a key logger on the port of your PC is likely easier to install and remove (when the evil guy wants it back to see what's on it) as opposed to hooking your keyboard to a laptop or whatever.

Re:Huh?? (4, Insightful)

mattventura (1408229) | more than 4 years ago | (#28911057)

The only possible reason I could think for someone doing this is because it would work cross-OS, and even on boot sequences before a normal keylogger would be activated, so you could do this to steal a disk encryption password.
You could use it constructively, though. You could block the key sequences used to boot off a CD or external drive, which could actually be a useful feature for corporations or schools wanting to prevent booting from external media, since the other methods to prevent that don't work that well.

Re:Huh?? (1)

anss123 (985305) | more than 4 years ago | (#28911207)

The only possible reason I could think for someone doing this is because it would work cross-OS, and even on boot sequences before a normal keylogger would be activated, so you could do this to steal a disk encryption password.

That is a good point, but only for attacking those dual booters and disk encrypters (the latter perhaps being the most useful as you could then steal the disk and get the data - assuming you can't copy it to a USB stick or download it over the net for some reason.)

You could use it constructively

You could be onto something there, but there's probably programmable keyboards better suited for this already :-)

Re:Huh?? (1)

RoFLKOPTr (1294290) | more than 4 years ago | (#28911163)

Any security vulnerability like this is a big deal... ESPECIALLY when security is one of the primary things that Apple advertises about its OS and hardware. What's to stop the compromised keyboard from sending the keylogged data to an FTP server like just about every other trojan on the planet? Also, a virus scanner could easily remove a trojan from the OS, while finding it in the keyboard's firmware would be a somewhat more difficult task.

Re:Huh?? (4, Insightful)

nedlohs (1335013) | more than 4 years ago | (#28910739)

I'm pretty sure it's easier for me to get some code to run on your machine than it is for me to break into your house and install a logger inside your keyboard.

Re:Huh?? (1)

anss123 (985305) | more than 4 years ago | (#28910859)

I'm pretty sure it's easier for me to get some code to run on your machine than it is for me to break into your house and install a logger inside your keyboard.

If you can break into my machine, install a flash based key logger and have that transmit data over the internet back to you, then you could have saved yourself the problem of using a flash based key logger - as you obviously have control of the OS and can keylog far more than one thousand keystrokes.

Re:Huh?? (2, Insightful)

nedlohs (1335013) | more than 4 years ago | (#28910953)

But if you removed the logger, say by reinstalling the OS or whatever, I would lose that. With it in the keyboard you need to also replace that (or reflash it of course).

Re:Huh?? (0)

Anonymous Coward | more than 4 years ago | (#28911065)

Because this tool just sends messages to a HID device, AFAIK, it can be run as any user, admin or otherwise. Want the root password on somebody's Mac OS X box? All you need is a shell account.

Re:Huh?? (1)

anss123 (985305) | more than 4 years ago | (#28911289)

Because this tool just sends messages to a HID device, AFAIK, it can be run as any user, admin or otherwise. Want the root password on somebody's Mac OS X box? All you need is a shell account.

Hmm, didn't realize you could do this from user mode. That's more serious, yes. You still need a "shell account" though. Most people don't hand those out.

Re:Huh?? (5, Informative)

Anonymous Coward | more than 4 years ago | (#28910187)

Modern peripherals have microcontrollers that are basically tiny computers all on one chip. The have program flash, data registers, and sometimes data flash or eeprom memory. They are basically small computers about a $1.00 a pop, and are generally more affordable than custom silicon for most low-speed applications (i.e. less than 20 MIPS).

Re:Huh?? (0)

Anonymous Coward | more than 4 years ago | (#28910345)

...microcontrollers that are basically tiny computers all on one chip.

You felt the need to explain what a microcontroller is on Slashdot? What next, you're going to explain how the computer does math in "binary" which are ones and zeros?

Re:Huh?? (1)

UltimApe (991552) | more than 4 years ago | (#28910399)

yes, because the original question he was answering seemed equally ill-informed. If the original question needed to be asked, it'd be likely that they didn't know what a microcontroller was.

Re:Huh?? (0)

Anonymous Coward | more than 4 years ago | (#28910465)

What next, you're going to explain how the computer does math in "binary" which are ones and zeros ?

Damn it, all this time I was thinking it used 0-9 like everyone else does.

Re:Huh?? (0)

Anonymous Coward | more than 4 years ago | (#28910255)

A keyboard these days is a big switch matrix made of conductive ink on mylar and a microcontroller to decode the keys and whatever protocol your host wants.

Like it or not, FLASH is what you get on microcontrollers these days. Few if any of the devices are EPROM based anymore. By making the same part generic and programmable, you get huge volume and lower price.

Re:Huh?? (1)

Darkness404 (1287218) | more than 4 years ago | (#28910435)

I'm assuming so it can be reprogrammed to change between the multiple keyboard layouts without much of a hardware change other than changing the keycaps.

Re:Huh?? (1)

beelsebob (529313) | more than 4 years ago | (#28910705)

Why on earth would you do that in the hardware level? The keyboard just sends key codes, not characters to the OS, it's the OS's job to map them onto characters.

Re:Huh?? (4, Funny)

ettlz (639203) | more than 4 years ago | (#28910447)

Probably unimplemented DRM. By forming a secure input path, it furnishes printed material content protection --- by stopping you from typing it in.

Re:Huh?? (1)

MMC Monster (602931) | more than 4 years ago | (#28910731)

If these are recent (last 2-3 years) keyboards, the ones I have double as non-powered USB hubs.

The idea is that you plug your mouse and Wacom tablet or other input device directly into the keyboard instead of snaking a couple extra wires to the computer.

Pretty nifty (until now, that is).

totally sweet (-1, Offtopic)

Anonymous Coward | more than 4 years ago | (#28910087)

first post

Flash memory in a keyboard? (2, Insightful)

lorenlal (164133) | more than 4 years ago | (#28910109)

Pardon my ignorance. I have a lot of it. What is the advantage of having flash memory in a keyboard? I remember that the keyboard (at least at one time, I don't know if that's still the case) used an interrupt call to process input... But the load the keyboard placed on system resources should be so low that there wouldn't be a need to offload that, right? I have to be missing something here. It seems to me that by having something like this, you're just begging for trouble since it opens another attack surface. Anywhere you have processing and memory is a place for malware to reside. This doesn't impress me much, Apple.

Re:Flash memory in a keyboard? (5, Informative)

TheRaven64 (641858) | more than 4 years ago | (#28910179)

It's a USB keyboard. That means that it communicates with the host via quite a complex protocol. A keyboard is not just a 'send a specific 8-bit signal when each button is pressed or released' device anymore. The amount of logic needed is not very large, but it's a lot more than a PS/2-style keyboard needed. The firmware could have been in ROM, but these days Flash is about as cheap as ROM and gives you the option of distributing fixes if you find bugs after the device ships.

Re:Flash memory in a keyboard? (1)

TJamieson (218336) | more than 4 years ago | (#28910239)

+5 Informative. In fact, the laptop keyboards also have a bit of flash, and Apple has updated a whole host of keyboard firmware over time.

Re:Flash memory in a keyboard? (5, Informative)

confidential (23321) | more than 4 years ago | (#28910311)

The firmware could have been in ROM, but these days Flash is about as cheap as ROM and gives you the option of distributing fixes if you find bugs after the device ships.

Two such examples of exactly that:

  1. Aluminum Keyboard Firmware Update (desktops) [apple.com]
  2. MacBook, MacBook Pro Keyboard Firmware Update (portables) [apple.com]

The only news here is that the same mechanism of installing these updates is able to have other third party software installed in their place as well.

What about other keyboard manufacturers? (3, Insightful)

ThrowAwaySociety (1351793) | more than 4 years ago | (#28910325)

Is the Apple implementation any different from what other USB HID makers use? I'd be kind of surprised if Apple did anything original with its keyboard design other than making them shiny and thin (and giving them no tactile feedback whatsoever.)

And if so, are other USB keyboards vulnerable to similar hacks?

Re:What about other keyboard manufacturers? (1)

Doctor_Jest (688315) | more than 4 years ago | (#28910505)

I was thinking the same thing (typing on my Logitech Wave)... I would think that before this presentation, most people figured the attack vector YOUR KEYBOARD would be low if not minuscule. This is most likely a disturbing trend we're going to see more of before it's all said and done (and you know what they say, after all is said and done, a lot more is said than done.) I remember they used to attempt keyboard hacks by listening via the internal microphone, as well as using other nefarious spy-like techniques to gather your passwords. No more. No need to flutter in like Tom Cruise and attach a keylogger to the back of a connector... now you just cause a firmware update. *facepalm* This is going to make all these thrillers seem so pedestrian. :)

I have littlesnitch on my Macs, so in the unlikely event my keyboard is compromised (God forbid), at least I'll have a clue it's trying to squawk out of turn. :) Yes, I realize it's not perfect... but at least I'm performing my due diligence in the face of an unpatched vulnerability. :) *sigh* This is getting silly, to be honest. The KEYBOARD? Really? adjusts tinfoil hat....

Re:What about other keyboard manufacturers? (5, Informative)

Anonymous Coward | more than 4 years ago | (#28910755)

All USB keyboards are vulnerable. The blame here rests on the USB Device Firmware Update Specification [usb.org], which specifies how firmware updates are supposed to work. Hint: there's no security. The only reason this makes news at all is because it has the word "Apple" in the title.

Spec compliant, secure: choose one. USB was designed for single user computers without security in mind. The only way to solve this (partially) with existing hardware would be to block access to hardware devices from applications running as non-root users, which is fundamentally contrary to the desire to get device drivers out of the kernel for stability. Short of that, this can only be solved by putting a more powerful CPU in the keyboard controller so that it can do a signature check on its own firmware.

Re:What about other keyboard manufacturers? (1)

Scrameustache (459504) | more than 4 years ago | (#28910773)

I'd be kind of surprised if Apple did anything original with its keyboard design other than making them shiny and thin (and giving them no tactile feedback whatsoever.)

Mine is a USB hub, you can plug in your mouse (right or left hand side, as you wish) and a USB key, or pretty much anything else.

I like having two mice coming out of it, personally (my preference varies).

I've never seen that on a windows machine.

Re:What about other keyboard manufacturers? (0)

Anonymous Coward | more than 4 years ago | (#28911063)

Have you looked?
I have a USB hub in my "Microsoft Natural Keyboard Pro" which I bought in 2001. It was released in 1999.
I'm sure other makers have had it for at least as long.

Re:Flash memory in a keyboard? (-1, Redundant)

nurb432 (527695) | more than 4 years ago | (#28910343)

Has there *ever* been a shipped fix for a keyboard?

The code is pretty simple, adequate testing should eliminate the need for in the field updates. Or at the least put a stupid switch on it so you know you are updating.

Re:Flash memory in a keyboard? (1)

TheRaven64 (641858) | more than 4 years ago | (#28910383)

Asking a question that another poster answered two posts up and five minutes earlier is a good way to get a -1 redundant moderation.

Re:Flash memory in a keyboard? (1)

mysidia (191772) | more than 4 years ago | (#28910485)

Such a switch would cost money. But it's a fricken keyboard, it's got lots of buttons.

Seems like there could be a special sequence of keys you have to press and hold for 30 seconds before the existing firmware would accept the request to initiate an update.

Re:Flash memory in a keyboard? (1)

Plunky (929104) | more than 4 years ago | (#28910597)

It's a USB keyboard. That means that it communicates with the host via quite a complex protocol.

I wonder how different the Bluetooth keyboards are? I have an older one and I've never heard about this HIDFirmwareUpdaterTool, be interesting to see if I could hack my Bluetooth keyboard..

(I'm not likely to be vulnerable to a remote attack with this as I use a different OS and to my certain knowledge there is no way to initiate a firmware update from the host)

Re:Flash memory in a keyboard? (1)

TheRaven64 (641858) | more than 4 years ago | (#28910665)

Bluetooth is even more complicated, so I wouldn't be surprised if there's more RAM and flash in your keyboard. Not sure how the updates are handled, but they may be something simple like using the Bluetooth serial profile, in which case you'd be vulnerable to attack via any OS (although the attacker would have to already have root access). This attack is only really useful if you want to preserve a compromise past a reinstall. You'd probably get the keyboard to recognise the sequence "root\n" and "su\n" and then log the next dozen or so keystrokes, so you'd have the root password. Alternatively do the same thing with sudo, then you may get the password of a user in the sudoers file - if ssh is enabled you can then use this to get remote access. Convenient if you have physical access a few times for short periods (just long enough to install the firmware and then retrieve the password).

Re:Flash memory in a keyboard? (1)

ps60k (1356273) | more than 4 years ago | (#28910771)

In addition to being a USB keyboard, it also acts as a USB hub. All Apple USB keyboards have at least two built-in USB ports for mice, etc. I would imagine it requires a little more "logic" than a typical USB keyboard.

Re:Flash memory in a keyboard? (1)

Wingman 5 (551897) | more than 4 years ago | (#28910185)

The main disadvantage to current keyboards that I see is that they only allow 3-6 concurrent key presses. That may not be an issue when typing normally, but if you modify the keyboard to be the capture source for a MAME cabinet that can be an issue. Perhaps the RAM and firmware is to get around this issue.

Re:Flash memory in a keyboard? (1)

dgatwood (11270) | more than 4 years ago | (#28911189)

It depends on how the keyboard is matrixed, I suppose, but you have to have more than three-key handling or you wouldn't be able to detect people holding down the four or five modifier keys and pressing a key... not to mention that you'd have certain combinations of single modifiers with single keys that couldn't be detected at all.... :-)

With any keyboard encoder, you should be able to get at least 8 buttons or so even without any sharing or reprogramming. If you matrix the joystick in an interesting way to rule out absurd combinations (you can't push the stick up and down at the same time, for example), you can probably go even higher. How many controls do you need?
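The rollover limit discussed above comes from the USB HID boot-protocol keyboard report: eight bytes, of which six are key slots and one is a modifier bitmap. Here is a decoder for that report, added as an example (not code from the article, the talk or Apple) so the format is concrete; the usage-ID subset and the sample reports are constructed for illustration.

```python
"""Decoder for the USB HID boot-protocol keyboard report (added example)."""

# Bit positions of byte 0 of the report, in HID boot-protocol order.
MODIFIER_BITS = ["LeftCtrl", "LeftShift", "LeftAlt", "LeftGUI",
                 "RightCtrl", "RightShift", "RightAlt", "RightGUI"]

# A handful of usage IDs from the HID "Keyboard/Keypad" usage page (0x07);
# constructed subset for this example, a real host carries the full table.
USAGE_NAMES = {0x04: "a", 0x05: "b", 0x06: "c", 0x28: "Enter", 0x2C: "Space"}

ROLLOVER_ERROR = 0x01   # all six slots = 0x01 signals "too many keys held"


def decode_boot_report(report: bytes) -> dict:
    """Parse one 8-byte report: byte 0 = modifier bitmap, byte 1 = reserved,
    bytes 2-7 = up to six key usage IDs (0 = empty slot)."""
    if len(report) != 8:
        raise ValueError("boot-protocol keyboard report must be 8 bytes")
    mods = [name for bit, name in enumerate(MODIFIER_BITS)
            if report[0] & (1 << bit)]
    slots = report[2:8]
    if all(b == ROLLOVER_ERROR for b in slots):
        # The keyboard could not fit the held keys into six slots; the host
        # must keep its previous key state rather than trust this report.
        return {"modifiers": mods, "keys": [], "rollover_error": True}
    keys = [USAGE_NAMES.get(b, f"usage_{b:#04x}") for b in slots if b != 0]
    return {"modifiers": mods, "keys": keys, "rollover_error": False}


def key_events(prev: bytes, curr: bytes) -> dict:
    """The host only learns press/release events by diffing consecutive
    reports; a rollover report is skipped so no phantom 'release all' appears."""
    if decode_boot_report(curr)["rollover_error"]:
        return {"pressed": [], "released": []}
    before = {b for b in prev[2:8] if b not in (0, ROLLOVER_ERROR)}
    after = {b for b in curr[2:8] if b not in (0, ROLLOVER_ERROR)}
    return {"pressed": sorted(after - before), "released": sorted(before - after)}


if __name__ == "__main__":
    # Constructed sample: Shift held with 'a', then 'b' added, then rollover.
    r1 = bytes([0x02, 0, 0x04, 0, 0, 0, 0, 0])
    r2 = bytes([0x02, 0, 0x04, 0x05, 0, 0, 0, 0])
    r3 = bytes([0x02, 0, 1, 1, 1, 1, 1, 1])
    for r in (r1, r2, r3):
        print(decode_boot_report(r))
    print(key_events(r1, r2))
```

Keyboards that advertise N-key rollover do it by leaving the boot protocol behind and describing a larger bitmap-style report in their HID report descriptor, which is exactly the kind of logic that lives in the controller's firmware rather than in the switch matrix.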

Re:Flash memory in a keyboard? (1)

unfunk (804468) | more than 4 years ago | (#28910195)

I'm curious too. I'd be surprised if my Logitech G15 keyboard had read/write memory (all the programs for it run on the OS), so just why the hell does Apple feel the need to make a keyboard with that?

Re:Flash memory in a keyboard? (1, Informative)

Anonymous Coward | more than 4 years ago | (#28910227)

I wouldn't be surprised. Modern gaming devices with programmable buttons often store those macros on the device itself (e.g. the N52te), in order to allow it to work on any computer it's plugged into without needing the extra software - all you need the software for is to program it.

Re:Flash memory in a keyboard? (1)

mysidia (191772) | more than 4 years ago | (#28910509)

Maybe in future versions of MacOS there will be new keyboard features, or a simpler/different keyboard communications protocol, and a firmware update will allow you to keep using your existing KB, instead of throwing it away and buying a brand new next-edition KB?

Re:Flash memory in a keyboard? (0)

Anonymous Coward | more than 4 years ago | (#28910923)

Your Logitech G15 is a USB keyboard that also acts as a hub, has programmable macro keys that don't go through the OS and evidently has upgradeable firmware and you'd be surprised if it had flash/EPROM? Most gaming mice have upgradeable firmware!

Christ, learn WTF you're talking about before you flap your jaw.

Re:Flash memory in a keyboard? (3, Interesting)

mlts (1038732) | more than 4 years ago | (#28910263)

If it has to have a flash BIOS for some reason, why does the flashing utility allow any image to go in without notice? Something like this should either require a signed or encrypted image that the flash utility decodes and decides is correct before putting it in. Maybe something as simple as holding a distinct key sequence down on the keyboard while the utility pops up might be an alternative. This way at least the user has to be duped into knowingly flashing the keyboard, as opposed to a completely stealth compromise.

If I were making a keyboard with a flashable BIOS, rather than going the easy route and hiding a symmetric key on the chip, which would eventually be discovered, I'd use a SHA256 hash combined with an elliptic signing key to validate that a BIOS image was not tampered with before allowing it to be copied to the device. Yes, (barring someone breaking the public key crypto or obtaining the private key) someone could hack a particular keyboard to accept any flash image, but it would require physical access to the JTAG contacts on the device, and it's well known that the game is over when an attacker obtains physical access to a machine anyway.

Re:Flash memory in a keyboard? (2, Interesting)

ironicsky (569792) | more than 4 years ago | (#28910729)

Most likely because they never anticipated anyone being bored enough to reverse engineer something as simple as a keyboard to hack it. It's like reverse engineering your old school ball mouse.

Some people just have a lot of time on their hands

What's next? (3, Funny)

psYchotic87 (1455927) | more than 4 years ago | (#28910111)

Laptop charger hack demonstrated?
This is getting quite silly... Perhaps manufacturers should try to keep simple devices actually simple.

Re:What's next? (3, Informative)

unfunk (804468) | more than 4 years ago | (#28910201)

I feel somewhat obliged to point out that the Sony PSP is vulnerable to a battery hack. If you put in a certain battery, you can then downgrade the system's firmware and play pirated games etc

Re:What's next? (1)

oDDmON oUT (231200) | more than 4 years ago | (#28910551)

Perhaps manufacturers should try to keep simple devices actually simple.

When most major appliances, all automobiles, motorcycles, HDTVs, etc., etc., have at least one (if not dozens) of microprocessors and storage chips onboard, the time for that sentiment was long past in the last century.

We've sold our souls for convenience and "ease of use" features, and are now beginning to reap the dark side of those value adds.

FINALLY! (0)

Anonymous Coward | more than 4 years ago | (#28910163)

A first port for the Mac!

Coming soon to an enterprise near you (4, Funny)

SuperKendall (25149) | more than 4 years ago | (#28910165)

Mandatory 2k long passwords to defeat possible hardware loggers.

Changed monthly, of course.

Re:Coming soon to an enterprise near you (1)

Kozz (7764) | more than 4 years ago | (#28910721)

No problem. My company supplies me with all the post-it notes I need!

Too much work (-1, Offtopic)

rolfwind (528248) | more than 4 years ago | (#28910191)

I don't know if it's still applicable to the new MacBooks, but on my 3-4 year old G4s, reinstalling the keyboard is a ton of work (I assume the keyboard cable has to be taken out to reprogram it???):
http://www.ifixit.com/Guide/Repair/Installing-PowerBook-G4-Aluminum-15-Inch-1-1-5-GHz-Keyboard/223/1 [ifixit.com]

Takes about an hour, less if you're skilled at it. With that much access to the actual machine... this is nothing but a proof of concept, as there are easier ways to do it, imo.

Re:Too much work (0)

Anonymous Coward | more than 4 years ago | (#28910281)

RTFA.

Update is completely through software. You'd know this if you even glanced at the article.

Re:Too much work (1)

dgatwood (11270) | more than 4 years ago | (#28910667)

That's a red herring. Unless they have changed recently, the internal keyboards on Mac laptops are dumb devices---just a bunch of wires and switches. The controller is on the logic board.

Re:Too much work (3, Interesting)

Weedhopper (168515) | more than 4 years ago | (#28910963)

Not entirely dumb. I have a US keyboard/top case for a late 2006 MB that began registering as a UK keyboard after a Coke spill.

Physical access required (3, Insightful)

pushing-robot (1037830) | more than 4 years ago | (#28910241)

Unless you also have some hidden program on the computer to flash the keyboard and later download the data (in which case you could just log the keys by software), you'd need to physically remove the keyboard, flash it with a keylogging BIOS, return the keyboard, then later retrieve the keyboard to get the logged keys.

And, as they say, physical access is root access. There are an unlimited number of ways someone could compromise your computer if they are given access to the hardware and firmware. This hack is just further proof of that.

Oh, and don't let anyone lend you their keyboard.

Re:Physical access required (5, Insightful)

Iphtashu Fitz (263795) | more than 4 years ago | (#28910377)

And, as they say, physical access is root access. There are an unlimited number of ways someone could compromise your computer if they are given access to the hardware and firmware

Only as long as they have a fair amount of time. The beauty of this hack is that you could set up a laptop so that any keyboards that get plugged into it are immediately infected. Then you only need a few seconds alone with the target's computer to unplug the keyboard, plug it into your laptop to infect it, then plug it back into the target's computer and leave. It minimizes the risk of being caught trying to do something more extensive to the system. You just walk into an unoccupied office and walk back out 30 seconds later knowing that the keylogger is installed, as opposed to spending 30 minutes in the office trying to reboot, get into the firmware, etc.

Re:Physical access required (1)

FlyingBishop (1293238) | more than 4 years ago | (#28910693)

I also don't see too many good ways to stop this.

With BIOS passwords and an alarmed lock on the case, even though someone has physical access, they're missing most of the benefits. This, you need some sort of lock that prevents the user from unplugging the USB cable, and then you need to somehow ensure that they can't load any software to take the keyboard.

Seems like a really stupid problem when I'm using a 10-year-old OEM keyboard that probably cost all of $10 that has no such issues.

No, It would take me about two seconds (1)

Hal The Computer (674045) | more than 4 years ago | (#28911149)

Apple keyboards are pretty standard. You just buy your own and install a keylogger at your leisure. Then you just have to swap your doctored keyboard for theirs. If you have any skill at sleight of hand, you could probably do this while someone is watching you.

Re:Physical access required (5, Insightful)

Anonymous Coward | more than 4 years ago | (#28910425)

Why are people always so quick to dismiss the seriousness of low level exploits?

Consider a Mac pool at a university. You unplug the keyboard, plug it into a small box with a USB host controller that you programmed to rewrite the keyboard firmware. Plug the keyboard back in, wait until someone else logs in. Then come back, open a text editor, type your secret trigger word, watch as the keyboard spits out the logged passwords.

Consider a remote root exploit. That enables the hacker to reflash the firmware of an attached keyboard. Then the attacker can remove all traces of the hack from the target computer. The keyboard logs passwords and waits for a trigger word. How do you make someone type a strange word? Captcha. The attacker now has your password/passphrase (SSH login to your company's web server? Your online banking PIN?) And the only trace is a modified firmware which nobody checks.

Re:Physical access required (1)

pushing-robot (1037830) | more than 4 years ago | (#28910603)

I'm not dismissing the seriousness of the exploit, just pointing out that there are tons of ways to exploit a computer you have physical access to. You could swap keyboards when someone isn't looking. You could hook up one of the tinier keyloggers. Or you could attack the computer itself in any number of ways.

The moral is: If you want to protect against knowledgeable, determined attackers, don't let them touch your PC.

Flash needs write protect switches (1, Insightful)

Anonymous Coward | more than 4 years ago | (#28910243)

Microcontrollers in keyboards, BIOS flash, USB sticks, SD cards: Please give us hardware write protection. Whether we want our keyboards to be just keyboards, our BIOS unmodified by root kits, USB sticks which we can insert into someone else's system without worrying that our stick gets infected, or to boot off an SD card, a simple write protect switch is the easiest and most reliable way.

Re:Flash needs write protect switches (0)

Anonymous Coward | more than 4 years ago | (#28910385)

I'd like to see this myself, where to start a BIOS flash process some type of button needs to be held down or a DIP switch flipped.

I sort of miss the days of SCSI drives. With just one flick of a DIP switch, the entire drive was made read-only. Nothing would be able to write to it, no matter how trashed the host machine ended up, no way, no how.

I'd use this functionality on removable drives, copying files then moving them to an FTP server and serving them from the read-only drive to ensure that the files would remain unmodified, even if the FTP server got compromised. However, those were the days before people thought of adding code to the ftp daemon to tamper with the executable as it was in flight before it got to the client.

Doesn't USB have DMA capability? (1)

JanusFury (452699) | more than 4 years ago | (#28910251)

If I'm not mistaken, doesn't USB have a way for devices to access the host's memory via DMA? If so, does that mean it's possible for a 'hacked' keyboard to use DMA to write an exploit into the host machine's memory?

Re:Doesn't USB have DMA capability? (2, Informative)

TheRaven64 (641858) | more than 4 years ago | (#28910333)

No, USB DMAs can only be initiated from the host (it's a client-server protocol, remember). A USB device has to trick the driver into starting a DMA, which is probably difficult for a keyboard to do without pretending to be some other kind of device. FireWire, on the other hand, allows one device to initiate a DMA request on another and it is up to the driver to block this.

Makes me glad... (1, Interesting)

Iphtashu Fitz (263795) | more than 4 years ago | (#28910287)

...that I don't like the Mac keyboards. I use a Mac Pro at work but the first thing I did was go out and buy a Microsoft ergonomic keyboard. Yeah, I know it's probably blasphemy to many to mix MS & Apple hardware, but I've used MS ergonomic keyboards since they practically first came out, both at home and at work, and would never go back to a regular keyboard, especially one from Apple. I've yet to see one from Apple that doesn't make my hands ache after a few hours of use.

Re:Makes me glad... (3, Insightful)

Super_Z (756391) | more than 4 years ago | (#28910349)

Why do you assume only Apple keyboards are hackable?

Re:Makes me glad... (2, Informative)

alen (225700) | more than 4 years ago | (#28910397)

probably a lot of keyboards, but Apple keyboards are probably the largest block of a single identifiable brand out there. everyone probably uses OEM'd logitechs but those are probably customized to each OEM

Re:Makes me glad... (1)

mysidia (191772) | more than 4 years ago | (#28910561)

So, er, what if there is a similar firmware hack discovered for Logitech KBs? The problem with everyone using OEM'd logitechs, or everyone using any particular KB type, is that hackability is more likely to be exploited than otherwise.

Customized to each OEM doesn't necessarily mean incompatible firmware, or a different process for upgrading/applying firmware.

Re:Makes me glad... (0)

Anonymous Coward | more than 4 years ago | (#28910439)

It's blasphemy indeed. I won't contaminate my MS hardware with "shiny" Abble shit.

The Upside? (1, Interesting)

Anonymous Coward | more than 4 years ago | (#28910313)

Anyone have any ideas for firmware modifications to add additional functionality?

Re:The Upside? (1, Funny)

Anonymous Coward | more than 4 years ago | (#28910335)

A key sequence that can be hit so it would hit the space bar every couple seconds.

This is so I can AFK in WoW BGs without getting booted, but still get honor and marks.

Re:The Upside? (1)

mysidia (191772) | more than 4 years ago | (#28910587)

The 'fn' button is a PITA. I would like to turn it into an 'insert' button, and use the caps lock key as a fn button instead, since I never use caps lock anyways.

One often needs Shift+Insert when RDP'ing or connecting to a remote windows machine with remote console, and an Apple keyboard has no means of sending that keystroke.

How is news worthy... (3, Insightful)

mario_grgic (515333) | more than 4 years ago | (#28910443)

I'm sure every microwave out there is "hackable" in the sense you can replace its firmware and make it burn users' popcorn each time. So what?

Unless you discovered a way to hack someone's keyboard remotely without user intervention, this is not even worth mentioning on a geek site.

Re:How is news worthy... (1)

FlyingBishop (1293238) | more than 4 years ago | (#28910621)

Are you a computer professional? Because this is huge. My university decided to stop buying PC hardware, and just re-use their existing Windows XP licenses for boot camp on all new machines. Incidentally, every new machine on campus has one of these keyboards. A reasonably curious student could easily pwn a few keyboards in one of the labs, and then have a handy supply of logins to screw around with as he pleases. This is bad bad bad for anyone deploying Mac keyboards in an enterprise environment.

Re:How is news worthy... (1)

mario_grgic (515333) | more than 4 years ago | (#28910835)

Yes, I'm a computer professional :D. Why go to all the trouble of flashing ROM and keyboards, when a simple small, unobtrusive USB keyboard logger is so much easier, more convenient, has larger memory, and some of them are no thicker than the keyboard cable? Also, if you have access to the machine, there are other better ways to do what you want.

Old tech is the best tech. (1)

oDDmON oUT (231200) | more than 4 years ago | (#28910449)

This is a hack on all the new shiny aluminum white keyed keyboards.

I predict a run on eBay sales of old keyboards [ebay.com] and USB PC alternatives for the paranoid.

For the rest, well...you get what you pay for eh?

Re:Old tech is the best tech. (2, Funny)

slyborg (524607) | more than 4 years ago | (#28910553)

Love the dumb comments on this thread. The army of ninja hackers will not be sneaking into houses tonight to backdoor all of the Apple keyboards in the world. The fact that it requires physical access to the keyboard makes it pretty close to useless except for public access sites and people who are cheating on their S.O. who happens to be a Black Hat hacker. I would suggest in the latter case you are hella screwed anyway.

So all it needs... (1)

s0litaire (1205168) | more than 4 years ago | (#28910703)

... is for an enterprising hacker to do:

1) A bit of code hacking to put the Keylogger + a simple method to send keystrokes to a 3rd party into a firmware update for the keyboard.

2) Start a "Man in the middle" attack between a Mac user and Mac update servers.

3) User installs update..

4) ???

5) Profit off of all those banking details....

Um... I must be missing something (2, Insightful)

Hortensia Patel (101296) | more than 4 years ago | (#28910821)

If someone has sufficient permissions on your machine to update your firmware, aren't you kind of screwed already? I suppose they could swap your (external) keyboard for a compromised one, but that still implies physical access.

That said, given that the ability to update is useful, and that the flash memory size we're talking about is so small, is there a significant downside to having the OS check hashes of the firmware code on initialization?
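The check suggested above (the OS comparing the keyboard's firmware against known-good hashes at initialization), sketched as an added example that is not part of the original thread or of Chen's code. It assumes the host can obtain the full ~8K flash image and a manifest of trusted SHA-256 digests; the images below are constructed sample data, not real Apple firmware.

```python
import hashlib
from dataclasses import dataclass
from typing import Optional, Set

FLASH_SIZE = 8 * 1024  # the ~8K of keyboard flash mentioned in the article


@dataclass
class FirmwareCheck:
    ok: bool                    # True only if the digest is in the trusted manifest
    digest: str                 # SHA-256 of the image that was examined
    first_diff: Optional[int]   # offset of the first byte differing from the reference, if known


def sha256_hex(image: bytes) -> str:
    return hashlib.sha256(image).hexdigest()


def check_firmware(image: bytes, known_good: Set[str],
                   reference: Optional[bytes] = None) -> FirmwareCheck:
    """Compare a dumped firmware image against pinned known-good digests.

    A size mismatch is treated as a failure outright; when a reference image
    is supplied, the offset of the first differing byte is reported to help
    locate where a modification landed (e.g. in the otherwise unused region).
    """
    digest = sha256_hex(image)
    if len(image) != FLASH_SIZE:
        return FirmwareCheck(False, digest, None)
    ok = digest in known_good
    first_diff = None
    if not ok and reference is not None and len(reference) == FLASH_SIZE:
        first_diff = next((i for i, (a, b) in enumerate(zip(image, reference)) if a != b), None)
    return FirmwareCheck(ok, digest, first_diff)


# Constructed sample data (hypothetical, not a real firmware): 7K of "code"
# followed by 1K of erased (0xFF) flash, mirroring the ~1K free the article cites.
GENUINE_IMAGE = bytes(range(256)) * 28 + b"\xff" * 1024
KNOWN_GOOD = {sha256_hex(GENUINE_IMAGE)}

# A constructed modified image: 16 bytes written into the free region at 7K.
TAMPERED_IMAGE = GENUINE_IMAGE[:7 * 1024] + b"\x90" * 16 + GENUINE_IMAGE[7 * 1024 + 16:]

if __name__ == "__main__":
    print(check_firmware(GENUINE_IMAGE, KNOWN_GOOD))
    print(check_firmware(TAMPERED_IMAGE, KNOWN_GOOD, reference=GENUINE_IMAGE))
```

One caveat for any such check: if the image is read back through the keyboard's own firmware, a modified firmware can return the original bytes instead of its real contents, so the dump has to come from a path the device cannot influence.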

Why was this implemented? Stupid or evil? (3, Insightful)

Animats (122034) | more than 4 years ago | (#28910827)

As the article points out, "For a device as simple as a keyboard, it is hard to imagine why a firmware update mechanism is even required." There's no justification for including an update feature other than as a designed-in security hole. The keyboard CPU should be running off a ROM, or at least an MPU where the security bit has been set to prevent future changes.

This looks like a "feature" put in for development that should have been pulled before release.

People seem to be missing the bigger issue (3, Interesting)

93 Escort Wagon (326346) | more than 4 years ago | (#28910885)

The problem here isn't really with the end user's keyboard - flashing that is a lot of work for little return, in most cases.

The bigger issue is if/when an enterprising criminal gets access at the plant that makes the keyboards. We've seen CDs/DVDs with malware installed (I'm not even thinking about Sony here); we've seen CompactFlash cards preloaded with viruses... if a batch of keyboards shipped out from manufacturing already installed with a key logger, we're really screwed - who's going to notice?

Re:People seem to be missing the bigger issue (1)

yupa (751893) | more than 4 years ago | (#28911017)

And how will you recover the data? The keyboard can't call home on its own.

Hack request!! (1)

erroneus (253617) | more than 4 years ago | (#28911217)

Hopefully some of the keyboard hackers read slashdot. I would like to request a function added to the keyboard that senses certain "L33T" speak words and automatically backspaces and substitutes REAL words in its place. Some parents might even like to see such a function that senses curse words and substitutes +%$#"!! for matching words... could even be marketable...hrm?
