Linked by Thom Holwerda on Sat 1st Aug 2009 18:22 UTC
Apple Almost everything has a processor and/or memory chips these days, including keyboards. Apple's keyboards are no exception; they have 8Kb of flash memory, and 256 bytes of RAM. K. Chen has found a way to very easily install keyloggers and other possibly malicious code right inside these Apple keyboards (more here). Proof of concept code is here as well.
Thread beginning with comment 376539
Before everyone flies off the handle...
by darknexus on Sat 1st Aug 2009 20:37 UTC
darknexus
Member since:
2008-07-15

This certainly doesn't seem as bad as the sensationalists would like you to believe. The Apple firmware updater has to be run, a break point is set, and from there your keyboard can be compromised. First off, how is a remote web site going to run this Apple firmware updater? What modern browser can arbitrarily run executables on the host machine (well, perhaps, aside from IE6, but that's hardly modern)? Second, I've used the Apple firmware updater. Before it does anything, it prompts you to update the keyboard firmware. This is not something that will happen out of the blue: you must explicitly run the firmware updater first and accept the upgrade and, on OS X anyway, you then need to enter your administrator's password to confirm the action.
So what we basically have here is a vulnerability that requires physical access to the machine in order to be enabled, and further relies on the keyboard not being at the latest firmware version, as the firmware updater won't download or run an image unless it's newer than the current one installed. The only way I can see this being a serious problem is if a hacked firmware image were somehow placed on Apple's servers (rather unlikely), or DNS poisoning to redirect the firmware updater to a different server (possible, but for a rather small payoff by modern standards of cracking). It's a threat, certainly, but not a huge one.

Reply Score: 6
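The post above leans on the updater's "only newer than installed" rule and then names DNS poisoning as the residual risk. The example below, added here and not code from the thread or from Apple's updater, shows in Go why a version check alone does not close that gap and what does: the image must carry a signature that verifies against a vendor key pinned in the updater, checked before the version comparison. The image layout (16-bit version, payload, detached ed25519 signature), the key pairs and the payload strings are all constructed for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Image is a parsed firmware blob. The layout (16-bit version, payload,
// detached ed25519 signature) is constructed for this example and is not
// Apple's format.
type Image struct {
	Version uint16
	Payload []byte
	Sig     []byte
}

var (
	ErrBadSignature = errors.New("signature does not verify against the pinned vendor key")
	ErrNotNewer     = errors.New("image version is not newer than the installed firmware")
)

// signedBytes is the exact message the vendor signs: version || payload.
// Binding the version into the signed data means a genuinely signed old
// image cannot simply be relabelled with a higher version number.
func signedBytes(version uint16, payload []byte) []byte {
	msg := make([]byte, 2+len(payload))
	binary.BigEndian.PutUint16(msg, version)
	copy(msg[2:], payload)
	return msg
}

// SignImage is the vendor-side step: sign an image with the vendor's private key.
func SignImage(priv ed25519.PrivateKey, version uint16, payload []byte) Image {
	return Image{Version: version, Payload: payload,
		Sig: ed25519.Sign(priv, signedBytes(version, payload))}
}

// VerifyUpdate is the updater-side policy. The signature is checked first, so
// nothing in an image from an untrusted source is acted on until it is shown
// to come from the vendor; the version check then enforces the "newer than
// installed" rule, which on its own would not stop a hostile server from
// serving a higher-numbered image.
func VerifyUpdate(vendorPub ed25519.PublicKey, installed uint16, img Image) error {
	if !ed25519.Verify(vendorPub, signedBytes(img.Version, img.Payload), img.Sig) {
		return ErrBadSignature
	}
	if img.Version <= installed {
		return ErrNotNewer
	}
	return nil
}

// RunScenario models three images reaching an updater whose keyboard runs
// firmware version 2: a genuine v3 release, a v9 image from a server reached
// through poisoned DNS (signed with the attacker's own key, because the vendor
// key is not available to them), and a genuine but stale v2 image replayed to
// the updater. All keys and payloads are generated here as constructed data.
func RunScenario() (legit, forged, stale error) {
	const installed = uint16(2)
	vendorPub, vendorPriv, _ := ed25519.GenerateKey(rand.Reader)
	_, attackerPriv, _ := ed25519.GenerateKey(rand.Reader)

	genuine := SignImage(vendorPriv, 3, []byte("vendor keyboard firmware v3"))
	poisoned := SignImage(attackerPriv, 9, []byte("unauthorised firmware v9"))
	replayed := SignImage(vendorPriv, 2, []byte("vendor keyboard firmware v2"))

	return VerifyUpdate(vendorPub, installed, genuine),
		VerifyUpdate(vendorPub, installed, poisoned),
		VerifyUpdate(vendorPub, installed, replayed)
}

func main() {
	legit, forged, stale := RunScenario()
	fmt.Println("genuine v3 image:      ", legit)
	fmt.Println("DNS-poisoned v9 image: ", forged)
	fmt.Println("replayed v2 image:     ", stale)
}
```

Run as-is, the genuine image is accepted (`<nil>`), the DNS-poisoned image fails on the signature even though its version number is the highest, and the replayed image fails only on the version check. The order of the two checks is the design point: a redirected download server can choose any version number it likes, but it cannot produce a signature the pinned vendor key accepts, so pinning the key in the updater is what makes the server's identity irrelevant.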

jabbotts Member since:
2007-09-06

Interviews after this year's Pwn2Own described OS X security around the browser as pretty open. A reason it was targeted was that the Safari browser does not provide the same protective layers that other browsers offer (though the next major version addresses this in some ways, I hear). Outcome: the browser can run executable code.

Now it's on the system with no sandboxing to break out of. It needs only escalate its privilege to root. Not easy on a well-configured POSIX base, but not impossible.

Now it's root, it redirects input/output and sends the [OK] button press when the firmware flasher requires it. Maybe it presents a spoofed layer on top of the actual firmware message box and gets it done à la social engineering.

Injecting break points is a standard part of running software and easily done with root privilege. Maybe it simply patches in memory as needed for that step.

It's not like your average skript kiddie is going to get this one, but gov and criminal enterprise are already working on it. Attacks never get worse, they only ever get better. If left unpatched, this will become a problem.

Reply Parent Score: 3