
August 3rd, 2009

Hacker demos persistent Mac keyboard attack

Posted by Ryan Naraine @ 8:55 am


Apple’s sleek $49 Mac keyboards can be hacked and infected with keystroke loggers and impossible-to-detect rootkits, according to a security researcher presenting at this year’s Black Hat/DEFCON conferences.

The researcher, known only as “K. Chen,” found a way to reverse engineer and tamper with the keyboard’s firmware upgrade. With the firmware under control, an attacker can subvert the keyboard by embedding malicious code that allows a rootkit to survive a clean re-installation of the host operating system.

Chen, from the Georgia Institute of Technology, said malicious code embedded into the firmware would be immune to the typical rootkit detection methods which examine the integrity of the filesystem, check for hooks or direct kernel object manipulation, or detect hardware and/or timing discrepancies due to virtualization in the case of a virtual-machine based rootkit.

“Such code could also completely bypass the remote attestation of a Trusted Platform Module, if one were present in the computer. As far as everybody is concerned, our [malicious keyboard] code is simply the user typing commands at the keyboard,” he explained.

Chen said a malicious keyboard can be used to snoop on keystrokes from any machine it is plugged into.

Here’s a technical paper discussing the keyboard firmware attack. In the video below, Chen demonstrates the attack for George Ou.

Ryan Naraine is a journalist and security evangelist at Kaspersky Lab. He manages Threatpost.com, a security news portal.



  • Talkback
  • Most Recent of 97 Talkback(s)
...still 10 times more secure than MS...
You don't have even a clue as to what you are talking about, do you?

How many people hand over their keyboards and under ideal
conditions say "here-hack this"

Go rent one (a clue) at...
Posted by: MarkCD3 Posted on: 08/31/09  (Edited: 08/31/09 @ 01:18)
Ha ha, hah ah ahahahhah... Mac Security.  trance2tec | 08/03/09
Any computer is vulnerable to this, not just macs  ChiperSoft | 08/03/09
Dependent upon the keyboard having the vector  Patanjali | 08/03/09
Correct.  phatkat | 08/04/09
The question is getting the keyboard hacked in the first place.  vulpine@... | 08/04/09
What about coming from the factory that way?..  JCitizen | 08/04/09
Good point...  vulpine@... | 08/04/09
Thank you vulpine...  JCitizen | 08/05/09
NOT just proof of concept, it HAPPENED!!..  JCitizen | 08/04/09
It IS a proof of concept, and it did NOT happen  DeusExMachina | 08/04/09
Agree, although...  Wintel BSOD | 08/04/09
(edited)  JCitizen | 08/05/09
So?  DeusExMachina | 08/06/09
Yes it does...  JCitizen | 08/07/09
NO IT DOESN'T  DeusExMachina | 08/08/09
I don't care about Apple's door..  JCitizen | 08/10/09
You don't know that.  vulpine@... | 08/04/09
Remember chip and pin....  GetReal-mac.com | 08/04/09
rofl  Jimster480 | 08/04/09
What security  honeymonster | 08/03/09
Your usual uninformed reply  DeusExMachina | 08/04/09
...still 10 times more secure than MS...  MarkCD3 | 08/31/09
Doesn't this require physical access to the keyboard?  ChiperSoft | 08/03/09
No it does not require physical access  georgeou | 08/03/09
No, it requires physical or root access  Resuna | 08/03/09
The point is that it survives cleanup of the host computer  Patanjali | 08/03/09
Yes, exactly!...  JCitizen | 08/04/09
You over-estimate the use of digital signatures.  Bruizer | 08/04/09
Here is a link to a better read on it...  i8thecat | 08/04/09
Maybe he did already....  JCitizen | 08/04/09
Wrong  DeusExMachina | 08/04/09
Duplicate Post  ChiperSoft | 08/03/09
That is pretty much what I said  georgeou | 08/03/09
Thanks George...  JCitizen | 08/04/09
RE: Hacker demos persistent Mac keyboard attack  Solid Jedi Knight | 08/03/09
Who's drinking the Kool-Aid now?  KaplanMike | 08/04/09
Not according to the victims...  JCitizen | 08/04/09
you're dumb  Jimster480 | 08/04/09
Blue pill? Red pill? How about no pill?  vulpine@... | 08/04/09
It's only a matter of time...  Narg | 08/04/09
Which you have been posting here for eons  DeusExMachina | 08/04/09
Me Either  Jimster480 | 08/04/09
The difference is that  DeusExMachina | 08/04/09
TIME-OUT !!  Jkirk3279 | 08/06/09
Funny...  DeusExMachina | 08/06/09
RE: Hacker demos persistent Mac keyboard attack  tmconte | 08/04/09
That is what our members thought...  JCitizen | 08/04/09
Physical switch  vulpine@... | 08/04/09
Was this under CISC chip architecture?  JCitizen | 08/05/09
Was on the 'gumdrop' iMacs.  vulpine@... | 08/06/09
Excellent design!...  JCitizen | 08/07/09
It's easy to find hardware keyboard logging devices.  richard233 | 08/04/09
The key question -- why bother?  Technogeez | 08/04/09
More than it was yesterday...  KaplanMike | 08/04/09
LOL... Ouch!!!  i8thecat | 08/04/09
Ah!!!  dwcfastrice | 08/04/09
Turn off wireless in public places...  JCitizen | 08/04/09
Turn off wireless? HUH?!?  DeusExMachina | 08/04/09
ClamAV has nothing to do with anything....  Wintel BSOD | 08/05/09
If it had stopped the fake update..  JCitizen | 08/05/09
What does that have to do with anything?  Wintel BSOD | 08/06/09
Perhaps, but I still can see the scenario..  JCitizen | 08/07/09
Well you keep going off on tangents...  Wintel BSOD | 08/07/09
It has everything to do with PC security...  JCitizen | 08/10/09
Others were speculating ...  JCitizen | 08/05/09
So?  DeusExMachina | 08/06/09
This keyboard chip is in more than one..  JCitizen | 08/07/09
And again, it is irrelevant  DeusExMachina | 08/08/09
I don't need proof..  JCitizen | 08/10/09
RE: Hacker demos persistent Mac keyboard attack  alexeig | 08/04/09
Yes.. But... It's limited to line of sight  i8thecat | 08/04/09
RE: Hacker demos persistent Mac keyboard attack  dinosoft@... | 08/04/09
Thank you Mr. Orwell  howardgr | 08/04/09
RE: It's only a matter of time...  vbnomad@... | 08/04/09
RE: Hacker demos persistent Mac keyboard attack  creep144 | 08/04/09
It is NOT just a matter of time - it's TOO LATE...  JCitizen | 08/04/09
Quit posting that stupid link  DeusExMachina | 08/04/09
I know pgit, I don't know you...  JCitizen | 08/05/09
Believe me about what?  DeusExMachina | 08/06/09
Let us just make that a general statement...  JCitizen | 08/07/09
Even then  DeusExMachina | 08/08/09
You'll never convince me otherwise...  JCitizen | 08/10/09
You keep saying the same thing...  vulpine@... | 08/04/09
Turn on the lights  DeusExMachina | 08/05/09
Thank you DEM..  JCitizen | 08/05/09
A Light Dawns...  Jkirk3279 | 08/06/09
I just think it is unusual...  JCitizen | 08/07/09
Tom Jones  DeusExMachina | 08/08/09
Apple is primarily a hardware vendor...  JCitizen | 08/10/09
Okay..  JCitizen | 08/05/09
Persistent = Sticky  3dguru | 08/04/09
RE: Hacker demos persistent Mac keyboard attack  bb_apptix | 08/05/09
Yeah, good think...  DeusExMachina | 08/05/09
Mac SUCK ! P-E-R-I-O-D !  Gradius2 | 08/06/09
RE: Hacker demos persistent Mac keyboard attack  Mashman | 08/07/09
Thanks for adding substantively to the discussion  DeusExMachina | 08/08/09
You d*lts are so transparent  MarkCD3 | 08/31/09
