One of the Apple-related talks given at this year's Black Hat security conference dealt with keyboard firmware. Given by "KChen," the talk discussed "Reversing and Exploiting an Apple Firmware Update." While it may not seem like much on the surface, the truth quickly becomes apparent: if someone gains access to your keyboard's firmware, there are a multitude of ways in which they can further compromise your machine.

There are two ways in which this exploit can be perpetrated. The first is if someone has physical access to your computer and your administrative password, and the second is if someone has already gained access to a machine remotely through a rootkit hack. Why would an attacker want anything to do with a keyboard when he already has free reign on a system? The answer, as KChen pointed out, is that an affected user can patch the rootkit exploit and even reformat the drive, but the attacker could still have access to the keyboard.

Chen showed during his session (downloadable in .pdf format) how he reverse engineered Apple's firmware packages and created his own. He even demonstrated how to alter a system so that it thinks its keyboard firmware isn't up to date. His presentation slides are quite technical, but the majority of the information is phrased in a way that most people can understand, minus the code examples.

The reason a firmware takeover on a keyboard can potentially be so dangerous is that the keyboards have 256 bytes of RAM and 8KB of "flash." Not all of that is used, meaning arbitrary code can be stored. The example that Chen gives is a simple keystroke logger that he claims can hold over a 1,000 keystrokes (his example stored about a dozen). This allows an exploiter to intercept anything the user types, including administrative passwords.

Further, if the attacker wishes, he can do things like disable certain keys and even destroy a keyboard with no possibility of reflashing. This applies to Apple's desktop keyboards as well as its laptop keyboards. Chen also pointed out that, in combination with an unpatched machine, an attacker could use a Safari zero-day exploit to destroy Apple keyboards.

As is the case with most Black Hat speakers, Chen's intentions aren't malicious. Many speakers at the conference do IT security research or work in the field and are genuinely concerned about the security of the things we all use and love. The hope is that Apple patches the exploit, and soon.

Listing image by resignent