Seriously, how safe is our keybaords?


DoFoT9

macrumors P6
Jun 11, 2007
17,497
27
Singapore
doesnt it have to be done locally? i.e. hacker dude comes to your house and then installs vulnerable firmware on keyboard.
yup but what is to stop them from buying the keyboard, then selling a bunch on ebay? bada-bing bada-boom hello credit card details! (etc) ;)
 

ranguvar

macrumors 6502
Sep 18, 2009
318
1
doesnt it have to be done locally? i.e. hacker dude comes to your house and then installs vulnerable firmware on keyboard.
Remember that one Java security hole that gave Java applets unrestricted access to your computer? It's as simple as running all the necessary code (patched firmware & gdb-stuff) through the JNI, and *PA-BOOM* your keyboard's compromised, completely remotely ;)

And that's just an example, this probably applies to millions of security holes out there....
 

gnasher729

macrumors P6
Nov 25, 2005
16,509
3,101
Consider this: For a remote exploit, the attacker must be able to download and run code on your Macintosh that will upgrade the keyboard firmware. If the attacker can download and run code to upgrade the keyboard firmware, they can download and run code to do anything.

So we have two facts: 1. A person with physical access to your computer can install a keylogger by changing the firmware on your keyboard. That person can much easier install a key logger that will work with any keyboard, not just an Apple one, by installing a tiny bit of hardware between the USB cable of the keyboard and the USB port on your computer.

2. A hacker who can convince your computer to download and run software on your computer can do anything. But they can't convince your computer to download and run software on your computer, and if they can, then the keyboard is the last of your worries.

3. A danger is that a hacker with access to your computer could install this on his own keyboard at home, then go to your machine and swap keyboards. They would still need a way to extract the information, so they would have to come back to your machine. And again, there are physical key loggers.

Summary: If Macs are vulnerable to viruses, then we have problems. And there are much worse things that a virus can do than installing a key logger. And if some malicious person has physical access to your Mac, then you have a problem, but this key logger in the Mac firmware is the smallest of your worries.
 

TuffLuffJimmy

macrumors G3
Apr 6, 2007
8,989
25
Portland, OR
Consider this: For a remote exploit, the attacker must be able to download and run code on your Macintosh that will upgrade the keyboard firmware. If the attacker can download and run code to upgrade the keyboard firmware, they can download and run code to do anything.

So we have two facts: 1. A person with physical access to your computer can install a keylogger by changing the firmware on your keyboard. That person can much easier install a key logger that will work with any keyboard, not just an Apple one, by installing a tiny bit of hardware between the USB cable of the keyboard and the USB port on your computer.

2. A hacker who can convince your computer to download and run software on your computer can do anything. But they can't convince your computer to download and run software on your computer, and if they can, then the keyboard is the last of your worries.

Summary: If Macs are vulnerable to viruses, then we have problems. And there are much worse things that a virus can do than installing a key logger. And if some malicious person has physical access to your Mac, then you have a problem, but this key logger in the Mac firmware is the smallest of your worries.
Or the virus from visiting a malicious site could also install a keylogger to the keyboard. So if you discover your virus and you format the drive the malware will still be in your keyboard and immediately compromise your machine and any computer you ever connect that keyboard to.
 

designgeek

macrumors 65816
Jan 30, 2009
1,061
0
"Town"
Or the virus from visiting a malicious site could also install a keylogger to the keyboard. So if you discover your virus and you format the drive the malware will still be in your keyboard and immediately compromise your machine and any computer you ever connect that keyboard to.
Only if you're dumb enough to download the firmware hack.
 

designgeek

macrumors 65816
Jan 30, 2009
1,061
0
"Town"
or be unlucky enough to purchase a bad keyboard.
Yeah, I guess worst case scenario is that the hack would be put on used boards and then sold on ebay. Then some unsuspecting person would buy it and long story short the zombies attack and the world ends.;)
 

DoFoT9

macrumors P6
Jun 11, 2007
17,497
27
Singapore
Yeah, I guess worst case scenario is that the hack would be put on used boards and then sold on ebay. Then some unsuspecting person would buy it and long story short the zombies attack and the world ends.;)
just saw zombieland, so nice one! (dreams)

but seriously this could end up being a pretty massive scam. especially if the buyers were popular and waited until they sold thousands of keyboards.
 

300D

macrumors 65816
May 2, 2009
1,284
0
Tulsa
None of you have anything worth keylogging.

If you do, a smart user wouldn't be using anything wireless to transmit sensitive information.
 

Spacedust

macrumors 6502a
May 24, 2009
933
91
I'm using Logitech Illuminated Keyboard so I'm safe ;) Nothing to flash here.

It's the best keyboard for Mac Pro !
 

goMac

macrumors 604
Apr 15, 2004
6,767
783
yup but what is to stop them from buying the keyboard, then selling a bunch on ebay? bada-bing bada-boom hello credit card details! (etc) ;)
Except you have to have physical access to get the data back out. It's not like the keyboard has an internet connection.
 

DoFoT9

macrumors P6
Jun 11, 2007
17,497
27
Singapore
None of you have anything worth keylogging.

If you do, a smart user wouldn't be using anything wireless to transmit sensitive information.
wireless? this can happen with wired keyboards too.

and sensitive information is different for each person. bank logon details are pretty important to me!

Except you have to have physical access to get the data back out. It's not like the keyboard has an internet connection.
nope but the computer its connected to would!
 

lbodnar

macrumors regular
Jan 5, 2004
236
0
UK
Except you have to have physical access to get the data back out. It's not like the keyboard has an internet connection.
Keyboard accumulates critical information and deliberately stops working. It would then be naturally returned to the seller for a [non-hacked] replacement.
 

UltraNEO*

macrumors 601
Original poster
Jun 16, 2007
4,048
12
近畿日本
Consider this: For a remote exploit, the attacker must be able to download and run code on your Macintosh that will upgrade the keyboard firmware. If the attacker can download and run code to upgrade the keyboard firmware, they can download and run code to do anything.

So we have two facts: 1. A person with physical access to your computer can install a keylogger by changing the firmware on your keyboard. That person can much easier install a key logger that will work with any keyboard, not just an Apple one, by installing a tiny bit of hardware between the USB cable of the keyboard and the USB port on your computer.

2. A hacker who can convince your computer to download and run software on your computer can do anything. But they can't convince your computer to download and run software on your computer, and if they can, then the keyboard is the last of your worries.

3. A danger is that a hacker with access to your computer could install this on his own keyboard at home, then go to your machine and swap keyboards. They would still need a way to extract the information, so they would have to come back to your machine. And again, there are physical key loggers.

Summary: If Macs are vulnerable to viruses, then we have problems. And there are much worse things that a virus can do than installing a key logger. And if some malicious person has physical access to your Mac, then you have a problem, but this key logger in the Mac firmware is the smallest of your worries.
Those are very interesting points but what is there stopping someone at, say a university technician, hacking it's keyboard and in an attempt of collecting private information? Then later, some student coming along and using that key-logged enabled keyboard for access his/her bank account? Surely that's a security risk right there!!

and... what if that key-logged keyboard finding it's way to ebay?

Apple.. please fix this flaw.



BTW... Why does our keyboard need firmware?
It's a keyboard, just give it a cheap microprocessor and leave it at that!
 

CaptainChunk

macrumors 68020
Apr 16, 2008
2,142
6
Phoenix, AZ
BTW... Why does our keyboard need firmware?
It's a keyboard, just give it a cheap microprocessor and leave it at that!
I always thought it was pretty silly, too. The first thin aluminum Apple keyboard I bought (replacement for a broken Pro keyboard that came with my white C2D iMac) wanted to do a firmware update almost immediately after I plugged it for the first time. Firmware for a keyboard? What for?

My only real guess would be that it's needed for the 2nd functions to work on the Fx keys, which were rearranged a bit from the previous generation keyboard. But I could be totally wrong. I'm only speculating. Even so, it still seems that this could be handled with a simple microprocessor.
 

lbodnar

macrumors regular
Jan 5, 2004
236
0
UK
BTW... Why does our keyboard need firmware?
It's a keyboard, just give it a cheap microprocessor and leave it at that!
Any keyboard had a microprocessor running its own firmware since first IBM PC days almost 30 years ago. The only difference today is that flash based microprocessors first became available and then cheap enough so that few OEMs bother to order mask-ROM parts anymore because 1) you need to order a lot of them at once and 2) they will be obsolete within a year. For an engineer not to leave himself a second chance of saving his design from a bug discovered after it hit production is too precious to pass by.

It's a rubbish news. With same effect one can implant bad code into a hard drive, wireless card, DVD drive, network router, USB stick and even SMC controller - they all run their own firmware.