Re: Apple keyboard firmware hack demonstrated [RISKS] Risks Digest 25.76

[Dave Farber <dave () farber net>]

Begin forwarded message:

> From: Scott Alexander <salex () dsalex org>
> Date: August 17, 2009 13:30:42 EDT
> To: dave () farber net
> Subject: Re: [IP] Re:  Apple keyboard firmware hack demonstrated  
> [RISKS] Risks Digest 25.76

> I think the ability to patch the vulnerability depends on  
> information we don't have: Is the firmware update capability  
> controlled by firmware or hardware.  And this leads rather  
> immediately to usability vs. security trade offs.
>
> I've used hardware where firmware updates were controlled by  
> firmware.  I know this because I uploaded the wrong firmware after  
> which the device had to be shipped back to the manufacturer to be  
> repaired.  I've also worked with hardware where reprogramming the  
> firmware was a hardware task (and how the firmware was originally  
> programmed).
>
> If Apple has chosen to do uploads via firmware control, then fairly  
> arbitrary checks could be added.  That said, a successful attacker  
> can also upload firmware that accepts, but does not burn future  
> firmware updates.
>
> Coming back to usability, what is the right interface?  If you  
> require a password on the computer, I merely need to attach the  
> keyboard to the device that I control when updating the firmware.   
> If the keyboard stores a password, how do I go about updating the  
> password and how do I let the user know the difference between the  
> system password and the keyboard password?  (After all, if my system  
> dies and I move my keyboard to the new system, when the firmware  
> asks me for the password to update the keyboard, I need to know the  
> correct password to type.)
>
> I believe that securing updates to peripherals is a fairly hard  
> problem that may ultimately require users to understand that those  
> peripherals are separate computing devices.  I despair of that given  
> that I still have trouble explaining the difference between RAM and  
> disk space in a way that causes unsophisticated users to make  
> correct decisions when I'm not present.
>
> Best,
> Scott Alexander
>
> On Aug 17, 2009, at 9:33 AM, David Farber wrote:
>
> > Begin forwarded message:
> >
> > From: "David P. Reed" <dpreed () reed com>
> > Date: August 16, 2009 8:43:41 PM EDT
> > To: dave () farber net
> > Cc: ip <ip () v2 listbox com>
> > Subject: Re: [IP] Apple keyboard firmware hack demonstrated [RISKS]  
> > Risks Digest 25.76
> >
> > Based on the reported facts below, Apple's ability to "patch" this  
> > vulnerability in keyboards in the field is near zero.  You can yell  
> > and scream at Apple all you want, but if this works, they shipped a  
> > vulnerable product, and it cannot be field-repaired.  (I can think  
> > of some ways to ameliorate the impact, but nothing that can make  
> > the keyboards that allow such field upgrades "safe").
> >
> > So, what should we think about this?  Actually, we know very little  
> > about the vulnerabilities in *any* USB and Bluetooth keyboards that  
> > are in the field.  Most of them probably have a way to update their  
> > firmware that can be exploited to insert a keylogger capability.    
> > Since PCs have a much more diverse set of keyboards, perhaps that  
> > diversity helps.  Do keyboards with the Microsoft label have  
> > firmware update capability?  It's hard to prove a negative...  I  
> > suspect they do, and I suspect Microsoft has no way to find out,  
> > since most of them are ODM (outsourced design and manufacturing)  
> > designs, as are those of most vendors.
> >
> > Fundamentally, you want to keep "firmware upgrade" operations away  
> > from your firmware-using system components, except when you really  
> > know that they are being done right.  How to do this with a  
> > vulnerable operating system that lets users run arbitrary code that  
> > runs as part of the kernel or install updates to the kernel?  Well,  
> > the answer is, you can't.  You just can't.  It's not a matter of  
> > Windows vs. OS X vs. Unix.  All of them have such paths, because  
> > all of them have "field updateable" operating systems and BIOSes.
> >
> > So, let's calm down about Apple.
> >
> >
> > On 08/16/2009 08:07 PM, David Farber wrote:
> > > Begin forwarded message:
> > >
> > >
> > > Date: Mon, 3 Aug 2009 08:17:54 -0400
> > > From: Monty Solomon <monty () roscom com>
> > > Subject: Apple keyboard firmware hack demonstrated
> > >
> > > Charlie Demerjian at Defcon 17, 31 Jul 2009: Apple needs to patch  
> > > it ASAP
> > >
> > > Apple keyboards are vulnerable to a hack that puts keyloggers and  
> > > malware
> > > directly into the keyboard. This could be a serious problem, and  
> > > now that
> > > the presentation and code is out there, the bad guys will surely be
> > > exploiting it.
> > >
> > > The vulnerability was discovered by K. Chen, and he gave a talk on  
> > > it at
> > > Blackhat this year. The concept is simple, a modern Apple keyboard  
> > > has about
> > > 8K of flash memory, and 256 bytes of working ram. For the  
> > > intelligent, this
> > > is more than enough space to have a field day.
> > >
> > > K. Chen demonstrated the hack to S|A at Defcon today and it worked  
> > > quite
> > > well. You start out by running GDB, and set a breakpoint in Apple's
> > > HIDFirmwareUpdaterTool. This tool is meant to update the firmware  
> > > in human
> > > interface devices, hence the name. The tool is run, a breakpoint  
> > > set, and
> > > then you simply cut and paste the new code into the firmware image  
> > > in
> > > memory. That's it.
> > >
> > > Nothing is encrypted, decrypted, and the process is simple. You  
> > > then resume
> > > HIDFirmwareUpdaterTool, and in a few seconds, your keyboard is
> > > compromised. Formatting the OS won't do you any good, the code is in
> > > keyboard flash. There are no batteries to pull, no nothing, the  
> > > keyboard is
> > > simply compromised. ...
> > >
> > > http://www.semiaccurate.com/2009/07/31/apple-keyboard-firmware-hack-demonstrated/
> > >
> > > Reversing and Exploiting an Apple Firmware Update
> > > http://www.blackhat.com/html/bh-usa-09/bh-usa-09-archives.html#Chen
> > >
> > >
> > >
> > > -------------------------------------------
> > > Archives: https://www.listbox.com/member/archive/247/=now
> > > RSS Feed: https://www.listbox.com/member/archive/rss/247/
> > > Powered by Listbox: http://www.listbox.com
> >
> > Archives        



-------------------------------------------
Archives: https://www.listbox.com/member/archive/247/=now
RSS Feed: https://www.listbox.com/member/archive/rss/247/
Powered by Listbox: http://www.listbox.com