Apple Keyboard Firmware Hack Demonstrated

User: Admin
Date: 8/2/2009 8:32 am

Apple keyboard firmware hack demonstrated

Apple needs to patch it ASAP

by Charlie Demerjian at Defcon 17

July 31, 2009

APPLE KEYBOARDS ARE vulnerable to a hack that puts keyloggers and malware directly into the keyboard. This could be a serious problem, and now that the presentation and code are out there, the bad guys will surely be exploiting it.

The vulnerability was discovered by K. Chen, and he gave a talk on it at Blackhat this year. The concept is simple: a modern Apple keyboard has about 8K of flash memory and 256 bytes of working RAM. For the intelligent, this is more than enough space to have a field day.

Demo rig

The machine and keyboard in the demo

K. Chen demonstrated the hack to S|A at Defcon today, and it worked quite well. You start out by running GDB and setting a breakpoint in Apple's HIDFirmwareUpdaterTool. This tool is meant to update the firmware in human interface devices, hence the name. The tool is run, a breakpoint is set, and then you simply cut and paste the new code into the firmware image in memory. That's it.

Breakpoint

The breakpoint, code and presentation

Nothing is encrypted or decrypted, and the process is simple. You then resume HIDFirmwareUpdaterTool, and in a few seconds your keyboard is compromised. Reformatting the OS won't do you any good; the code is in the keyboard's flash. There are no batteries to pull, nothing at all; the keyboard is simply compromised.

While you can re-flash a keyboard, that is fairly hard to do if you don't have a keyboard. Apple internal keyboards are USB devices, as are the external ones, so the same hack works for them too. Think about that when you count the dwindling number of external USB ports on modern Macs.

The new firmware can do anything you want it to. K. Chen demonstrated code where you type in a password, and when you hit return, it starts playing back the last five characters typed in, FIFO. It is a rudimentary keylogger, a proof of concept more than anything else. Since there is about 1K of flash free in the keyboard itself, you can log quite a few keystrokes totally transparently. If you want the code, it is on page 170 of the PDF presentation linked above.

This exploit is simple and does things by the rules. K. Chen is very careful not to do anything in an illegal way, and you have to do all the steps manually. It can't easily be done remotely. That said, bad guys intent on stealing your data probably won't have the same high moral standards, and it probably wouldn't take much to exploit the same vulnerability remotely and silently, with code from a compromised web page.

Apple needs to patch this problem ASAP. It is completely remotely exploitable, and almost impossible to remove, especially if you don't know it is there. This huge hole that Apple has in its hardware turns any remote exploit, and Apple is full of them, into a huge security problem.

We would have called Apple to let them know about this, but the last few times we did, they would not so much as return our phone calls. Until Apple releases a way to verify the validity of keyboard firmware and patches this huge hole in their system, anyone using Apple hardware, regardless of the OS running, is vulnerable. Don't believe them when they try to spin this as minor; owning a keyboard gives you ownership of a system.

© 2005-2013 ABS Computer Technology, Inc. - All Rights Reserved