
Are Apple Keyboards at Risk from a New Hack?


SemiAccurate is reporting a keyboard firmware hack that could allow hackers to insert custom software on Apple keyboards, which could then record keystrokes, including passwords. K. Chen, who gave a talk about this at Black Hat, demonstrated how it works using HIDFirmwareUpdaterTool, an Apple tool for updating the firmware in different devices.

While this sounds scary, it’s more a proof of concept than anything serious. First, the hacker needs physical access to a keyboard. Assuming that one has physical access, they can do pretty much anything. The article on SemiAccurate is, well, semi-accurate; they claim that the exploit can be done remotely, but what was demoed was done locally, with the compromised keyboard connected to another Mac to load the poisoned firmware.

Also, it’s worth reading some of the comments on a Slashdot story about this exploit. Commenters point out that this is not an Apple-specific hack, that all keyboards these days contain flash memory for firmware, and that Apple was chosen because it would probably garner more media attention.

While we “normal users” certainly don’t need to worry about this, you can be sure that the spooks have made a note of this and are examining it in their labs. Security professionals worry about computers and storage devices, not keyboards, and this could be a vector for infiltrating criminal organizations and foreign embassies.
