Interesting People mailing list archives
Re: Apple keyboard firmware hack demonstrated [RISKS] Risks Digest 25.76
From: Dave Farber <dave () farber net>
Date: Mon, 17 Aug 2009 13:45:20 -0400
Begin forwarded message:
From: Scott Alexander <salex () dsalex org> Date: August 17, 2009 13:30:42 EDT To: dave () farber netSubject: Re: [IP] Re: Apple keyboard firmware hack demonstrated [RISKS] Risks Digest 25.76
I think the ability to patch the vulnerability depends on information we don't have: Is the firmware update capability controlled by firmware or hardware. And this leads rather immediately to usability vs. security trade offs.I've used hardware where firmware updates were controlled by firmware. I know this because I uploaded the wrong firmware after which the device had to be shipped back to the manufacturer to be repaired. I've also worked with hardware where reprogramming the firmware was a hardware task (and how the firmware was originally programmed).If Apple has chosen to do uploads via firmware control, then fairly arbitrary checks could be added. That said, a successful attacker can also upload firmware that accepts, but does not burn future firmware updates.Coming back to usability, what is the right interface? If you require a password on the computer, I merely need to attach the keyboard to the device that I control when updating the firmware. If the keyboard stores a password, how do I go about updating the password and how do I let the user know the difference between the system password and the keyboard password? (After all, if my system dies and I move my keyboard to the new system, when the firmware asks me for the password to update the keyboard, I need to know the correct password to type.)I believe that securing updates to peripherals is a fairly hard problem that may ultimately require users to understand that those peripherals are separate computing devices. I despair of that given that I still have trouble explaining the difference between RAM and disk space in a way that causes unsophisticated users to make correct decisions when I'm not present.Best, Scott Alexander On Aug 17, 2009, at 9:33 AM, David Farber wrote:Begin forwarded message: From: "David P. Reed" <dpreed () reed com> Date: August 16, 2009 8:43:41 PM EDT To: dave () farber net Cc: ip <ip () v2 listbox com>Subject: Re: [IP] Apple keyboard firmware hack demonstrated [RISKS] Risks Digest 25.76Based on the reported facts below, Apple's ability to "patch" this vulnerability in keyboards in the field is near zero. You can yell and scream at Apple all you want, but if this works, they shipped a vulnerable product, and it cannot be field-repaired. (I can think of some ways to ameliorate the impact, but nothing that can make the keyboards that allow such field upgrades "safe").So, what should we think about this? Actually, we know very little about the vulnerabilities in *any* USB and Bluetooth keyboards that are in the field. Most of them probably have a way to update their firmware that can be exploited to insert a keylogger capability. Since PCs have a much more diverse set of keyboards, perhaps that diversity helps. Do keyboards with the Microsoft label have firmware update capability? It's hard to prove a negative... I suspect they do, and I suspect Microsoft has no way to find out, since most of them are ODM (outsourced design and manufacturing) designs, as are those of most vendors.Fundamentally, you want to keep "firmware upgrade" operations away from your firmware-using system components, except when you really know that they are being done right. How to do this with a vulnerable operating system that lets users run arbitrary code that runs as part of the kernel or install updates to the kernel? Well, the answer is, you can't. You just can't. It's not a matter of Windows vs. OS X vs. Unix. All of them have such paths, because all of them have "field updateable" operating systems and BIOSes.So, let's calm down about Apple. On 08/16/2009 08:07 PM, David Farber wrote:Begin forwarded message: Date: Mon, 3 Aug 2009 08:17:54 -0400 From: Monty Solomon <monty () roscom com> Subject: Apple keyboard firmware hack demonstratedCharlie Demerjian at Defcon 17, 31 Jul 2009: Apple needs to patch it ASAPApple keyboards are vulnerable to a hack that puts keyloggers and malware directly into the keyboard. This could be a serious problem, and now thatthe presentation and code is out there, the bad guys will surely be exploiting it.The vulnerability was discovered by K. Chen, and he gave a talk on it at Blackhat this year. The concept is simple, a modern Apple keyboard has about 8K of flash memory, and 256 bytes of working ram. For the intelligent, thisis more than enough space to have a field day.K. Chen demonstrated the hack to S|A at Defcon today and it worked quitewell. You start out by running GDB, and set a breakpoint in Apple'sHIDFirmwareUpdaterTool. This tool is meant to update the firmware in human interface devices, hence the name. The tool is run, a breakpoint set, and then you simply cut and paste the new code into the firmware image inmemory. That's it.Nothing is encrypted, decrypted, and the process is simple. You then resumeHIDFirmwareUpdaterTool, and in a few seconds, your keyboard is compromised. Formatting the OS won't do you any good, the code is inkeyboard flash. There are no batteries to pull, no nothing, the keyboard issimply compromised. ... http://www.semiaccurate.com/2009/07/31/apple-keyboard-firmware-hack-demonstrated/ Reversing and Exploiting an Apple Firmware Update http://www.blackhat.com/html/bh-usa-09/bh-usa-09-archives.html#Chen ------------------------------------------- Archives: https://www.listbox.com/member/archive/247/=now RSS Feed: https://www.listbox.com/member/archive/rss/247/ Powered by Listbox: http://www.listbox.comArchives
------------------------------------------- Archives: https://www.listbox.com/member/archive/247/=now RSS Feed: https://www.listbox.com/member/archive/rss/247/ Powered by Listbox: http://www.listbox.com
Current thread:
- Apple keyboard firmware hack demonstrated [RISKS] Risks Digest 25.76 David Farber (Aug 16)
- <Possible follow-ups>
- Re: Apple keyboard firmware hack demonstrated [RISKS] Risks Digest 25.76 David Farber (Aug 17)
- Re: Apple keyboard firmware hack demonstrated [RISKS] Risks Digest 25.76 David Farber (Aug 17)
- Re: Apple keyboard firmware hack demonstrated [RISKS] Risks Digest 25.76 Dave Farber (Aug 17)
- Re: Apple keyboard firmware hack demonstrated [RISKS] Risks Digest 25.76 David Farber (Aug 17)