[Infowarrior] - Apple keyboard firmware hack
Richard Forno
rforno at infowarrior.org
Sun Aug 2 02:06:38 UTC 2009
Apple keyboard firmware hack demonstrated: Apple needs to patch it ASAP
by Charlie Demerjian at Defcon 17
July 31, 2009
http://www.semiaccurate.com/2009/07/31/apple-keyboard-firmware-hack-demonstrated/
APPLE KEYBOARDS ARE vulnerable to a hack that puts keyloggers and
malware directly into the keyboard. This could be a serious problem,
and now that the presentation and code are out there, the bad guys will
surely be exploiting it.
The vulnerability was discovered by K. Chen, who gave a talk on it
at Black Hat this year. The concept is simple: a modern Apple keyboard
has about 8K of flash memory and 256 bytes of working RAM. For the
intelligent, this is more than enough space to have a field day.
[Photo: the machine and keyboard in the demo]
K. Chen demonstrated the hack to S|A at Defcon today and it worked
quite well. You start by running Apple's HIDFirmwareUpdaterTool under
GDB and setting a breakpoint in it. This tool is meant to update the
firmware in human interface devices, hence the name. The tool runs up
to the breakpoint, and then you simply cut and paste the new code into
the firmware image in memory. That's it.
[Photo: the breakpoint, code and presentation]
Nothing is encrypted, nothing needs decrypting, and the process is simple.
You then resume HIDFirmwareUpdaterTool, and in a few seconds your keyboard
is compromised. Reformatting the disk and reinstalling the OS won't do you
any good, because the code lives in the keyboard's flash. There are no
batteries to pull, nothing to reset; the keyboard is simply compromised.
While you can re-flash a keyboard, that is fairly hard to do when the
compromised keyboard is the only one you have. Apple internal keyboards
are USB devices, as are the external ones, so the same hack works on
them too. Think about that when you count the dwindling number of
external USB ports on modern Macs.
The new firmware can do anything you want it to. K. Chen demoed code
that waits for you to type a password and, when you hit return, plays
back the last five characters typed, oldest first (FIFO). It is a
rudimentary keylogger, a proof of concept more than anything else. Since
there is about 1K of flash free in the keyboard itself, you could log
quite a few keystrokes totally transparently. If you want the code, it
is on page 170 of the PDF presentation linked above.
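As an added illustration, and not K. Chen's code or anything from the presentation, here is a host-side C model of the keylogger behaviour the article describes: key-down events are held in a fixed ring buffer sized for the last five keystrokes, and when Enter arrives the buffered keys are replayed oldest first and the buffer is cleared. The buffer size, function names and the small ASCII-to-HID-usage mapping are assumptions made for the model (the usage ids themselves follow the USB HID usage table: 'a' is 0x04, '1' is 0x1E, '0' is 0x27, Enter is 0x28). Real keyboard firmware would hook the keyboard's own HID report path and emit the replay as extra reports; this simulation only shows the buffering logic.

```c
/* Host-side model of a "replay the last N keystrokes on Enter" keylogger.
 * Added example for this article; not code from the original presentation.
 * Build: cc -std=c99 -Wall keylog_model.c -o keylog_model */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define LOG_CAPACITY 5        /* assumption: the "last five" from the demo */
#define HID_KEY_ENTER 0x28    /* USB HID usage id for Return/Enter */

/* Ring buffer of HID usage ids: small enough to fit comfortably in the
 * ~1K of spare flash and 256 bytes of RAM the article mentions. */
typedef struct {
    uint8_t log[LOG_CAPACITY];
    uint8_t head;   /* index of the oldest buffered key */
    uint8_t count;  /* number of valid entries */
} keylog_t;

void keylog_init(keylog_t *k) { memset(k, 0, sizeof *k); }

/* Append a key, overwriting the oldest one once the buffer is full. */
static void keylog_push(keylog_t *k, uint8_t usage) {
    uint8_t tail = (uint8_t)((k->head + k->count) % LOG_CAPACITY);
    k->log[tail] = usage;
    if (k->count < LOG_CAPACITY)
        k->count++;
    else
        k->head = (uint8_t)((k->head + 1) % LOG_CAPACITY);
}

/* Called once per key-down. Ordinary keys are recorded and 0 is returned.
 * On Enter, the buffered keys are copied to out oldest-first (FIFO), the
 * buffer is cleared, and the number of replayed keys is returned. */
size_t keylog_on_key(keylog_t *k, uint8_t usage, uint8_t *out, size_t out_len) {
    if (usage != HID_KEY_ENTER) {
        keylog_push(k, usage);
        return 0;
    }
    size_t n = 0;
    for (uint8_t i = 0; i < k->count && n < out_len; i++)
        out[n++] = k->log[(k->head + i) % LOG_CAPACITY];
    k->count = 0;
    k->head = 0;
    return n;
}

/* Minimal ASCII <-> HID usage mapping for lower-case letters and digits. */
static uint8_t ascii_to_usage(char c) {
    if (c >= 'a' && c <= 'z') return (uint8_t)(0x04 + (c - 'a'));
    if (c >= '1' && c <= '9') return (uint8_t)(0x1E + (c - '1'));
    if (c == '0') return 0x27;
    if (c == '\n') return HID_KEY_ENTER;
    return 0;  /* not modelled */
}

static char usage_to_ascii(uint8_t u) {
    if (u >= 0x04 && u <= 0x1D) return (char)('a' + (u - 0x04));
    if (u >= 0x1E && u <= 0x26) return (char)('1' + (u - 0x1E));
    if (u == 0x27) return '0';
    return '?';
}

/* Feed a typed string through the model and collect everything the
 * keyboard would "type back" after each Enter, as a C string in out. */
size_t keylog_simulate(const char *typed, char *out, size_t out_len) {
    keylog_t k;
    uint8_t replay[LOG_CAPACITY];
    size_t total = 0;
    keylog_init(&k);
    for (const char *p = typed; *p; p++) {
        uint8_t u = ascii_to_usage(*p);
        if (!u) continue;
        size_t n = keylog_on_key(&k, u, replay, sizeof replay);
        for (size_t i = 0; i < n && total + 1 < out_len; i++)
            out[total++] = usage_to_ascii(replay[i]);
    }
    out[total] = '\0';
    return total;
}

/* Convenience check: does typing `typed` produce exactly `expected`? */
int keylog_check(const char *typed, const char *expected) {
    char out[64];
    keylog_simulate(typed, out, sizeof out);
    return strcmp(out, expected) == 0;
}

int main(void) {
    char out[64];
    /* constructed sample input: a seven-character password, then Return */
    keylog_simulate("hunter2\n", out, sizeof out);
    printf("typed \"hunter2<Enter>\", keyboard replays \"%s\"\n", out);
    return 0;
}
```

The point of the model is the size of the footprint: a few dozen bytes of state and a handful of instructions on the Enter path are all the attacker needs, which is why 8K of flash and 256 bytes of RAM are described in the article as more than enough.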
This exploit is simple and does things by the rules. K. Chen was very
careful not to do anything illegal, and you have to perform every step
manually, so it can't easily be done remotely as demonstrated. That said,
bad guys intent on stealing your data probably won't hold the same high
moral standards, and it probably wouldn't take much to exploit the
same vulnerability remotely and silently, with code delivered from a
compromised web page.
Apple needs to patch this problem ASAP. It is remotely exploitable by
anything that can already run code on the host, and the result is almost
impossible to remove, especially if you don't know it is there. This huge
hole in Apple's hardware turns any remote code-execution exploit, and
Apple has plenty of them, into a persistent compromise.
We would have called Apple to let them know about this, but the last
few times we did, they would not so much as return our phone calls.
Until Apple releases a way to verify keyboard firmware and patches this
huge hole in its system, anyone using Apple hardware, regardless of the
OS running, is vulnerable. Don't believe them when they try to spin this
as minor: owning a keyboard gives you ownership of the system.