Apple keyboard firmware hack demonstrated

Status
Not open for further replies.
T

ToyotaNSaturn

Joined
Apr 11, 2003
Messages
11,283
Location
Spring HIll
Apple keyboard firmware hack demonstrated
Apple needs to patch it ASAP
http://www.semiaccurate.com/2009/07/31/apple-keyboard-firmware-hack-demonstrated/

Apple needs to patch this problem ASAP. It is completely remotely exploitable, and almost impossible to remove, especially if you don't know it is there. This huge hole that Apple has in it's hardware turns any remote exploit, Apple is full of them, into a huge security problem.
 
Another source says this is exploit is an issue with all modern USB keyboards. Supposedly it is also necessary to gain physical access to the keyboard to retrieve the logged data, unless there is another program that can flash the keyboard installed on the computer itself.

In any case, I know someone will have a field day with this thread. I think I can hear his bedroom slippers approaching, or maybe that's just heavy breathing...
wink.gif
 
A hardware keylogger can be put on ANY computer, regardless of the operating system used. It is hard to detect unless a person knows what they are looking at and no software can detect it. And if somebody was really determined to spy on you, they could swtich your keyboard with an identical keyboard that had a keylogger built in. You would never be able to detect it, and it would work with any operating system-Windows XP, Unix, Linux, Mac, Vista, Windows 7 or whatever. Perhaps it could be teamed up with some sort of software to send the encrypted keystrokes somewhere on the internet.
 
Originally Posted By: Mystic
A hardware keylogger can be put on ANY computer, regardless of the operating system used. It is hard to detect unless a person knows what they are looking at and no software can detect it. And if somebody was really determined to spy on you, they could swtich your keyboard with an identical keyboard that had a keylogger built in. You would never be able to detect it, and it would work with any operating system-Windows XP, Unix, Linux, Mac, Vista, Windows 7 or whatever. Perhaps it could be teamed up with some sort of software to send the encrypted keystrokes somewhere on the internet.


The way hardware based keyloggers generally work is, you open a notepad and hit a certain key sequence on the board and they 'type' out a copy of all the keystrokes exactly as recorded. I don't think this can be initiated from software at all, or, rather, I'm sure it could but I've never seen that kind of thing for sale.
 
The last time I was in an Apple Inc. store there was at least one type of software keylogger for sale that would work on Apple Computers. I can't remember what it was called. There is supposed to be something like 3-4 commercial software keyloggers available for Apple Computers. That does not include any illegal software keyloggers. People use the commercial keyloggers to watch what family members or employees do on the computers.

There are also commercial software keyloggers available for Windows. I think one is called Spectral or something like that. I don't know. I have never used one.

Some of the stuff that can be contained in rootkits and Trojan Horse programs are keyloggers.

The hardware keyloggers will work on ANY computer, regardless of operating system. They are hard to detect unless a person knows what they are looking at. Good reason not to let anybody you don't know into your server room. It is possible to put a hardware keylogger into a keyboard, of course. The person who installed the hardware keylogger would have to retrieve it at a certain time unless they had somehow combined it with some sort of software to send the keystrokes (encrypted, of course) out to the internet.
 
I have seen hardware keyloggers. Trust me, you will never forget the first time you see one hooked up to the back of a computer.
 
Originally Posted By: moribundman
In any case, I know someone will have a field day with this thread. I think I can hear his bedroom slippers approaching, or maybe that's just heavy breathing...
wink.gif



I was right.
 
If that is supposed to be a reference to me Mori, you need to read my replies more carefully. I said that a hardware keylogger can be used on ANY computer, regardless of operating system. In the original post, the way it was worded, it seemed like just an Apple problem. So tell me how I attacked Apple Computers?

There is no attack on Apple in any of my replies above-none whatsoever. If anything I am careful to point out that on any computer, regardless of operating system, a hardware keylogger can be used.

If I am wrong in anything I said above-prove it.
 
Originally Posted By: Mystic
So tell me how I attacked Apple Computers?


Read and comprehend. Show me where I said you would attack Apple. I said someone would have a field day with this thread. I was right. You appeared on cue. I also predict you aren't done just yet.
grin2.gif
 
The exploit that is talked about is directed at Apple Computers. Maybe the same exploit would work against Windows computers as well, at least if they used USB keyboards. It does not say. I don't know if USB keyboards are very common with Windows computers. Most Windows computers I am aware of do not use USB keyboards.

So if I really wanted to I could have made a big deal about this-about how it affects Apple Computers. I did not.

I do know that hardware keyloggers can be used against any computer, and it is possible to conceal one in a keyboard. If somebody was really clever and really wanted your data, the concealment in a lookalike keyboard would be the thing to do. But even for a regular run-of-the-mill keylogger hooked up to the back of a computer, how many people check the backs of their computers?
 
Originally Posted By: moribundman
Originally Posted By: Mystic
[snip]


[snip] I also predict you aren't done just yet.
grin2.gif



Right again!
 
And I don't care if you have a problem or not with me responding to a post. I have the same rights you have to reply to a post, and I will do so whenever I feel like it. If you have a problem with that, take it to a moderator.
 
Originally Posted By: moribundman
Originally Posted By: moribundman
Originally Posted By: Mystic
[snip]


[snip] I also predict you aren't done just yet.
grin2.gif



Right again!


Gentlemen, I think I have finally uncovered a picture of the elusive Moribundman:

Carnac.jpg
 
Originally Posted By: moribundman
Another source says this is exploit is an issue with all modern USB keyboards. Supposedly it is also necessary to gain physical access to the keyboard to retrieve the logged data, unless there is another program that can flash the keyboard installed on the computer itself ...


Great, now they will know I use Amsoil.
27.gif
 
Originally Posted By: greenaccord02
This is why I build all my own machines and use only very old PS/2 keyboards that I have personally disassembled and rebuilt.

Durn kids. That's why I use punch cards instead of a keyboard.
 
There is not enough information given at semiaccurate.com to be able to determine if this exploit is limited just to Apple Computers or Windows computers also. Apparently the keyboard does have to be a USB keyboard. I am no expert on keyboards and I don't know if all or some or most keyboards could be subject to this exploit. Basically a software keylogger is being created inside the keyboard and potentially information gathered could be sent somewhere else on the internet, perhaps by other software loaded to the computer by a website that had been compromised. Perhaps because of the design of Apple Computer keyboards only Apple Computers could be affected. I don't know.

They are making use of Apple's HIDFirmwareUpdateTool which of course is Apple technology developed by Apple. But keyboards used by other computers with different operating systems perhaps could also be affected, assuming the keyboard is even capable of a firmware update.

Anyway, I think Apple needs to pay attention to something like this. And then develop a solution that will prevent anybody doing what was done.

If I was going to try to spy on some certain individual in particular I think I would use a hardware keylogger, which is easily available (just do a little searching on the internet). As long as it is possible to get to that person's computer and install and remove the keylogger it would probably never be discovered, especially if it was concealed in a lookalike keyboard. A hardware keylogger can be used on any computer.

If there was no access to the computer something like this could be done. A software keylogger can consist of just a few lines of code and the keystrokes would not have to be stored in the keylogger-they could be transmitted in encrypted form to the hard drive of the computer and at some later time transmitted to another personal computer or server out on the internet somewhere.

That is all I am going to say. I don't think I attacked Apple or anybody else.
 
Status
Not open for further replies.

Similar threads

OVERKILL
Ivanti VPN appliance breach hits critical mass
Replies
5
Views
588
PandaBear
B
Bought a "Trash Can"
Replies
8
Views
1K
bunnspecial
redhat
New home build network/Wi-Fi infrastructure
2
Replies
22
Views
2K
meep
1 SX
Apple MacBook Pro M1 vs i7/i9 15" or 16"
Replies
5
Views
813
NO2
O
Looking for a monitor 'cart' for a large monitor...help?
Replies
4
Views
1K
OilMagnate
Back
Top