
Apple Keyboard Hack Proved Possible

August 4, 2009 by Jason  
Filed under Apple, Computer

Slashdot reports that Apple keyboards are vulnerable to hackers’ attacks due to the complexity of their inner workings, which include RAM and flash memory. According to the report, the hack can potentially place keyloggers and malware directly into the device’s firmware.

To make matters even worse, the author of this “proof of concept” has also published the presentation and code in a PDF that’s free to download for anyone on the planet. The vuln is undoubtedly enticing to hackers, some of whom are likely to create one or more exploits for the flaw in question. To better understand how this discovery has turned into a potential security issue, we offer you a few excerpts from the published document.

For ethical reasons, the firmware modification we describe is benign. The firmware is modified so that the LED under the CAPS LOCK key of the keyboard will flash momentarily when the keyboard is first plugged into a system. However, malicious payloads can be developed by individuals with mal-intent.

Since the LED is active-low on pin P2.7 which corresponds to register 0x02 on the microcontroller, we searched the unobfuscated firmware image for instructions of the form MOV reg[0x02], expr which start with the opcodes 0x62 0x02. We found the sequence 0x62 0x02 0x80 in block 0x0c which did in fact turn out to be the instruction MOV reg[0x02],0x80. The final checksum for the entire firmware image was 0x4e41b. By replacing 0x80 by 0x00, the new checksum is 0x4e39b and so 0xe41b in the last block has to be replaced by 0xe39b.

As a proof-of-concept, the following edited gdb session performs the changes mentioned above and demonstrates code execution on an Apple Aluminum keyboard.

The rest of the description can be found here.
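
The checksum figures in the excerpt (0x4e41b minus 0x80 gives 0x4e39b) are consistent with a plain sum of the image bytes. The following is an added example, not code from the paper or from this post: it assumes that scheme and runs it on a constructed stand-in blob to show why an unkeyed sum catches accidental corruption but not a deliberate edit, while a keyed tag does. HMAC-SHA256 stands in for a vendor signature check, and `KEY`, `sample_image` and the other names are hypothetical.

```python
import hashlib
import hmac

OPCODE = bytes([0x62, 0x02, 0x80])   # MOV reg[0x02],0x80 as quoted in the excerpt
KEY = b"constructed-demo-key"        # hypothetical key, for this example only


def sample_image() -> bytes:
    """Constructed stand-in blob (not real firmware) whose byte sum is 0x4e41b."""
    return b"\xff" * 64 + OPCODE + b"\xff" * 1192 + b"\x1f"


def additive_checksum(image: bytes) -> int:
    """Assumed scheme: plain sum of every byte in the image."""
    return sum(image)


def checksum_ok(image: bytes, stored_low16: int) -> bool:
    """Compare the low 16 bits, the part the excerpt says sits in the last block."""
    return additive_checksum(image) & 0xFFFF == stored_low16


def mac_tag(image: bytes, key: bytes = KEY) -> bytes:
    """Keyed tag over the whole image; cannot be recomputed without the key."""
    return hmac.new(key, image, hashlib.sha256).digest()


def mac_ok(image: bytes, tag: bytes, key: bytes = KEY) -> bool:
    return hmac.compare_digest(mac_tag(image, key), tag)


def compare() -> dict:
    original = sample_image()
    edited = original.replace(OPCODE, bytes([0x62, 0x02, 0x00]))
    tag = mac_tag(original)          # issued once, for the genuine image only
    return {
        "original_sum": additive_checksum(original),
        "edited_sum": additive_checksum(edited),
        "edit_caught_by_old_checksum": not checksum_ok(edited, 0xE41B),
        # An unkeyed sum can be recomputed by anyone, so this check still passes.
        "edited_passes_recomputed_checksum": checksum_ok(edited, 0xE39B),
        "original_passes_mac": mac_ok(original, tag),
        "edited_passes_mac": mac_ok(edited, tag),
    }


if __name__ == "__main__":
    for name, value in compare().items():
        print(name, hex(value) if type(value) is int else value)
```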
