doesn't it have to be done locally? i.e. hacker dude comes to your house and then installs vulnerable firmware on keyboard.

Remember that one Java security hole that gave Java applets unrestricted access to your computer? It's as simple as running all the necessary code (patched firmware & gdb-stuff) through the JNI, and *PA-BOOM* your keyboard's compromised, completely remotely ;)

And that's just an example, this probably applies to millions of security holes out there....
 

Consider this: For a remote exploit, the attacker must be able to download and run code on your Macintosh that will upgrade the keyboard firmware. If the attacker can download and run code to upgrade the keyboard firmware, they can download and run code to do anything.

So we have two facts: 1. A person with physical access to your computer can install a keylogger by changing the firmware on your keyboard. That person can much more easily install a key logger that will work with any keyboard, not just an Apple one, by installing a tiny bit of hardware between the USB cable of the keyboard and the USB port on your computer.

2. A hacker who can convince your computer to download and run software on your computer can do anything. But they can't convince your computer to download and run software on your computer, and if they can, then the keyboard is the last of your worries.

3. A danger is that a hacker with access to your computer could install this on his own keyboard at home, then go to your machine and swap keyboards. They would still need a way to extract the information, so they would have to come back to your machine. And again, there are physical key loggers.

Summary: If Macs are vulnerable to viruses, then we have problems. And there are much worse things that a virus can do than installing a key logger. And if some malicious person has physical access to your Mac, then you have a problem, but this key logger in the Mac firmware is the smallest of your worries.
 
Consider this: For a remote exploit, the attacker must be able to download and run code on your Macintosh that will upgrade the keyboard firmware. If the attacker can download and run code to upgrade the keyboard firmware, they can download and run code to do anything.

So we have two facts: 1. A person with physical access to your computer can install a keylogger by changing the firmware on your keyboard. That person can much more easily install a key logger that will work with any keyboard, not just an Apple one, by installing a tiny bit of hardware between the USB cable of the keyboard and the USB port on your computer.

2. A hacker who can convince your computer to download and run software on your computer can do anything. But they can't convince your computer to download and run software on your computer, and if they can, then the keyboard is the last of your worries.

Summary: If Macs are vulnerable to viruses, then we have problems. And there are much worse things that a virus can do than installing a key logger. And if some malicious person has physical access to your Mac, then you have a problem, but this key logger in the Mac firmware is the smallest of your worries.

Or the virus from visiting a malicious site could also install a keylogger to the keyboard. So if you discover your virus and you format the drive the malware will still be in your keyboard and immediately compromise your machine and any computer you ever connect that keyboard to.
 
Or the virus from visiting a malicious site could also install a keylogger to the keyboard. So if you discover your virus and you format the drive the malware will still be in your keyboard and immediately compromise your machine and any computer you ever connect that keyboard to.

Only if you're dumb enough to download the firmware hack.
 
or be unlucky enough to purchase a bad keyboard.

Yeah, I guess worst case scenario is that the hack would be put on used boards and then sold on ebay. Then some unsuspecting person would buy it and long story short the zombies attack and the world ends.;)
 
Yeah, I guess worst case scenario is that the hack would be put on used boards and then sold on ebay. Then some unsuspecting person would buy it and long story short the zombies attack and the world ends.;)

just saw zombieland, so nice one! (dreams)

but seriously this could end up being a pretty massive scam. especially if the buyers were popular and waited until they sold thousands of keyboards.
 
None of you have anything worth keylogging.

If you do, a smart user wouldn't be using anything wireless to transmit sensitive information.
 
I'm using Logitech Illuminated Keyboard so I'm safe ;) Nothing to flash here.

It's the best keyboard for Mac Pro !
 
yup but what is to stop them from buying the keyboard, then selling a bunch on ebay? bada-bing bada-boom hello credit card details! (etc) ;)

Except you have to have physical access to get the data back out. It's not like the keyboard has an internet connection.
 
None of you have anything worth keylogging.

If you do, a smart user wouldn't be using anything wireless to transmit sensitive information.
wireless? this can happen with wired keyboards too.

and sensitive information is different for each person. bank logon details are pretty important to me!

Except you have to have physical access to get the data back out. It's not like the keyboard has an internet connection.
nope but the computer it's connected to would!
 
Except you have to have physical access to get the data back out. It's not like the keyboard has an internet connection.
Keyboard accumulates critical information and deliberately stops working. It would then be naturally returned to the seller for a [non-hacked] replacement.
 
Consider this: For a remote exploit, the attacker must be able to download and run code on your Macintosh that will upgrade the keyboard firmware. If the attacker can download and run code to upgrade the keyboard firmware, they can download and run code to do anything.

So we have two facts: 1. A person with physical access to your computer can install a keylogger by changing the firmware on your keyboard. That person can much more easily install a key logger that will work with any keyboard, not just an Apple one, by installing a tiny bit of hardware between the USB cable of the keyboard and the USB port on your computer.

2. A hacker who can convince your computer to download and run software on your computer can do anything. But they can't convince your computer to download and run software on your computer, and if they can, then the keyboard is the last of your worries.

3. A danger is that a hacker with access to your computer could install this on his own keyboard at home, then go to your machine and swap keyboards. They would still need a way to extract the information, so they would have to come back to your machine. And again, there are physical key loggers.

Summary: If Macs are vulnerable to viruses, then we have problems. And there are much worse things that a virus can do than installing a key logger. And if some malicious person has physical access to your Mac, then you have a problem, but this key logger in the Mac firmware is the smallest of your worries.

Those are very interesting points, but what is there stopping someone, say a university technician, from hacking its keyboard in an attempt to collect private information? Then later, some student comes along and uses that keylogger-enabled keyboard to access his/her bank account? Surely that's a security risk right there!!

and... what if that key-logged keyboard finds its way to ebay?

Apple.. please fix this flaw.



BTW... Why does our keyboard need firmware?
It's a keyboard, just give it a cheap microprocessor and leave it at that!
 
BTW... Why does our keyboard need firmware?
It's a keyboard, just give it a cheap microprocessor and leave it at that!

I always thought it was pretty silly, too. The first thin aluminum Apple keyboard I bought (replacement for a broken Pro keyboard that came with my white C2D iMac) wanted to do a firmware update almost immediately after I plugged it for the first time. Firmware for a keyboard? What for?

My only real guess would be that it's needed for the 2nd functions to work on the Fx keys, which were rearranged a bit from the previous generation keyboard. But I could be totally wrong. I'm only speculating. Even so, it still seems that this could be handled with a simple microprocessor.
 
BTW... Why does our keyboard need firmware?
It's a keyboard, just give it a cheap microprocessor and leave it at that!
Every keyboard has had a microprocessor running its own firmware since the first IBM PC days almost 30 years ago. The only difference today is that flash-based microprocessors first became available and then cheap enough that few OEMs bother to order mask-ROM parts anymore because 1) you need to order a lot of them at once and 2) they will be obsolete within a year. For an engineer, a second chance of saving his design from a bug discovered after it hit production is too precious to pass by.

It's rubbish news. With the same effect one can implant bad code into a hard drive, wireless card, DVD drive, network router, USB stick and even SMC controller - they all run their own firmware.
 