While 8Kb of flash memory and 256 bytes of RAM might not sound like a whole lot of space, it's enough for an intelligent coder to make use of, and for someone with malicious intent to abuse. K. Chen presented his findings at this year's Black Hat conference.
It's actually quite easy to abuse the flash memory and RAM in Apple keyboards, thanks to Apple's HIDFirmwareUpdaterTool, which is used to update the firmware in HID devices, among which is the Apple keyboard. "The tool is run, a breakpoint set, and then you simply cut and paste the new code into the firmware image in memory. That's it," SemiAccurate explains. Nothing is encrypted or decrypted, and it's all very simple to do. Resume the HIDFirmwareUpdaterTool, and a few seconds later your keyboard is compromised. Rebooting won't help, there are no batteries to pull, and it's impossible to detect.
K. Chen demonstrated a rudimentary keylogger which would print the last five typed characters. There was 1Kb of free space left inside the keyboard, so you can store quite a few keystrokes. It wouldn't take much to do this remotely, using a compromised website, for instance.
"Apple needs to patch this problem ASAP. It is completely remotely exploitable, and almost impossible to remove, especially if you don't know it is there," SemiAccurate writes. "This huge hole that Apple has in its hardware turns any remote exploit, Apple is full of them, into a huge security problem."
They would have told Apple about this, but the last few times they contacted Apple in similar cases, the company didn't even return their calls. "Don't believe them when they try to spin this as minor, owning a keyboard gives you ownership of a system."
Chen says he can write a tool to lock down the firmware, but he's waiting for a possible official solution from Apple before he attempts to do so. However, he is afraid that Apple will fix this only in current and future versions of Mac OS X, leaving the keyboards open to attack from other sources. The fix needs to be implemented at the hardware/firmware level, he says.