Interesting People mailing list archives

Re: Keyboard hack could leave your Mac completely vulnerable - MacFixIt


From: David Farber <dave () farber net>
Date: Wed, 5 Aug 2009 00:22:22 -0400



Begin forwarded message:

From: Jim Gettys <jg () freedesktop org>
Date: August 4, 2009 8:02:23 PM EDT
To: dave () farber net
Cc: ip <ip () v2 listbox com>
Subject: Re: [IP] Keyboard hack could leave your Mac completely vulnerable - MacFixIt

From: Jeff Porten <civitan () jeffporten com>
Date: August 3, 2009 6:46:53 PM EDT
To: dave () farber net
Subject: Re: [IP] Keyboard hack could leave your Mac completely vulnerable - MacFixIt

George Ou does not exactly have the sort of standing credibility on Mac issues which would allow him to get away with an anonymously-sourced attack. I can't say that this attack is impossible, but here's my initial take on the article referenced:

1) "The researcher explained that he goes by the name "K. Chen" because he feared harassment from staunch Apple fans who actually believe those Mac versus PC security commercials."

Ou's implied ridicule of such people does not exactly support the contention that his views are unbiased -- and I'd wager that 90% of said group gathered that impression long before the commercials were aired, mostly from first- and second-hand experience.

2) "I had Mr. Chen demonstrate his possessed keyboard on my computer."

This and other references in the article imply a firmware hack, which says nothing about the vector for getting the hacked firmware onto the keyboard. Yes, I'm willing to gather that there are many security flaws which can be exposed by someone who can arbitrarily connect hardware to your computer -- but this would be considered a low-probability threat.

3) "To infect your keyboard, the attacker only needs to exploit one of the many weaknesses in Mac OS X and Apple applications."

I'm aware of no security flaws which would allow installing new keyboard firmware (that is, without already having root-level access to the Mac), and further, I'd love to see a list of the "many weaknesses" in OS X and Apple applications. (Does Apple publish many applications for OS 9? System 7?) There aren't any issues I'm actively tracking for my clients that aren't related to Flash and Java -- and those have been patched.

4) "This type of attack which is resilient against a full hard drive wipe is considered the holy grail of computer hacking because the hardware has been infected."

The holy grail of computer hacking is a rootkit which the user is not aware of -- infinite use of the targeted computer is better than one on which the user is actively trying countermeasures.

5) "The cleaner solution Mr. Chen is proposing is that Apple should simply lock the Keyboard firmware from any future modifications since the keyboard doesn't implement any digital signature protection."

Which would likely kill the aftermarket for 3rd-party keyboards (and perhaps other USB devices), and would expose Apple to a great deal of user blowback that they were implementing an iPhone closed ecosystem on the Mac. If Mr. Chen's analysis is as good as his hacking, I'm even less worried about this threat. If I had any idea who Mr. Chen was, I'd be able to confirm this myself.

In short -- Ou is a known yahoo, and this strikes me as more FUD. I'll believe this when I see confirmation from a respectable source.

Unfortunately, the attack is entirely plausible, and has nothing to do with the Mac, per se, though I haven't looked at that presentation.

Here's a synopsis (from a different, non-Mac point of view):

Many laptops are designed with what is called an "embedded controller", which is typically a variant of an 8051.

Among other things, these chips now typically provide the emulation for old-fashioned peripheral devices, like keyboards, to the CPU, emulating the old 8042 keyboard controller chip. They also worry about charging the battery, and other such stuff.

But ECs also load the initial firmware (BIOS code) from a serial ROM device. When you are updating the BIOS on such machines, it is this serial ROM you are typically reprogramming.

On the OLPC (where we run OpenFirmware) however, we are careful, and once the firmware has initialized, the firmware sets a gate that inhibits the write enable to the serial ROM. So you can only update the firmware via the firmware (which checks a signature on the firmware before reprogramming), and it can't be reprogrammed at all from a running operating system; the write inhibit gate is set before transferring control to the OS bootloader, but cannot be cleared from software (it is cleared at CPU reset time).

Many vendors are lax about whether/how you can reprogram this serial ROM, and may have no good way to inhibit reprogramming of the firmware. This has little or nothing to do with a Mac; there are many regular PCs likely just as vulnerable.
- Jim
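As an added illustration, not code from this thread or from OLPC/OpenFirmware, here is a C model of the write-inhibit gate Jim describes: a sticky latch that the firmware's own verified update path runs ahead of, that is closed before the OS bootloader gets control, and that only a CPU reset reopens. The signature check is a keyed FNV-1a tag, an assumed placeholder for the real public-key verification.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Constructed model of an EC-attached serial ROM with a sticky write-inhibit gate. */
#define ROM_SIZE 64
enum { ROM_OK = 0, ROM_EINHIBIT = -1, ROM_EBADSIG = -2, ROM_ESIZE = -3 };

struct ec {
    uint8_t serial_rom[ROM_SIZE]; /* firmware image store */
    int write_inhibit;            /* gate: set by firmware, cleared only by CPU reset */
};

/* Placeholder for the real signature check: keyed FNV-1a over the image.
 * A production design verifies a public-key signature here; this is only a stand-in. */
static uint32_t tag_image(const uint8_t *img, size_t len, uint32_t key) {
    uint32_t h = 0x811c9dc5u ^ key;
    for (size_t i = 0; i < len; i++) { h ^= img[i]; h *= 0x01000193u; }
    return h;
}

/* Raw write path, what an OS-level flash tool would reach: refused once the gate is set. */
int rom_write(struct ec *ec, const uint8_t *img, size_t len) {
    if (ec->write_inhibit) return ROM_EINHIBIT;
    if (len > ROM_SIZE) return ROM_ESIZE;
    memcpy(ec->serial_rom, img, len);
    return ROM_OK;
}

/* Firmware's own update path: verify first, then write, while the gate is still open. */
int firmware_update(struct ec *ec, const uint8_t *img, size_t len,
                    uint32_t sig, uint32_t key) {
    if (tag_image(img, len, key) != sig) return ROM_EBADSIG;
    return rom_write(ec, img, len);
}

/* Firmware closes the gate before transferring control to the OS bootloader. */
void firmware_handoff(struct ec *ec) { ec->write_inhibit = 1; }

/* Only a CPU reset clears the gate; firmware then runs again before any OS code. */
void cpu_reset(struct ec *ec) { ec->write_inhibit = 0; }
```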