Code can be executed using the "resources" of an aluminum Apple keyboard

Aug 3, 2009 12:49 GMT  ·  By

Slashdot reports that Apple keyboards are vulnerable to hackers' attacks due to the complexity of their inner workings, which include RAM and flash memory. According to the report, the hack can potentially place keyloggers and malware directly into the device's firmware.

To make matters worse, the author of this “proof of concept” has also published the presentation and code in a PDF that anyone can download. The vulnerability is undoubtedly enticing to hackers, some of whom are likely to build one or more exploits for it. To better understand how this discovery has turned into a potential security issue, we offer a few excerpts from the published document.

For ethical reasons, the firmware modification we describe is benign. The firmware is modified so that the LED under the CAPS LOCK key of the keyboard will flash momentarily when the keyboard is first plugged into a system. However, malicious payloads can be developed by individuals with mal-intent.

Since the LED is active-low on pin P2.7 which corresponds to register 0x02 on the microcontroller, we searched the unobfuscated firmware image for instructions of the form MOV reg[0x02], expr which start with the opcodes 0x62 0x02. We found the sequence 0x62 0x02 0x80 in block 0x0c which did in fact turn out to be the instruction MOV reg[0x02],0x80. The final checksum for the entire firmware image was 0x4e41b. By replacing 0x80 by 0x00, the new checksum is 0x4e39b and so 0xe41b in the last block has to be replaced by 0xe39b.

As a proof-of-concept, the following edited gdb session performs the changes mentioned above and demonstrates code execution on an Apple Aluminum keyboard.

The rest of the description can be found here.

Discovered by K. Chen, the concept is simple: a modern Apple keyboard has about 8K of flash memory and 256 bytes of working RAM – more than enough for a primitive keylogger to run.
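As an added illustration of the checksum arithmetic in the excerpt above (this is not code from the article or from K. Chen's paper), the script below builds a constructed image, locates the 0x62 0x02 pattern, changes the 0x80 operand to 0x00 as the excerpt does, and shows that a verifier checking only a stored 16-bit byte sum rejects the stale trailer but accepts the image once the trailer is updated, which is why such a checksum gives no tamper evidence. The block size, trailer position and image contents are assumptions made for the demonstration.

```python
from typing import List

# Added illustration, not code from the article or from K. Chen's paper.
# Assumptions (constructed): the checksum is the plain byte sum of everything before
# a 2-byte little-endian trailer holding its low 16 bits; layout and bytes are made up.

BLOCK_SIZE = 64  # constructed; the page gives no block size

def byte_sum(data: bytes) -> int:
    """Untruncated additive checksum (the excerpt quotes 0x4e41b for the real image)."""
    return sum(data)

def stored_checksum(image: bytes) -> int:
    """Checksum field assumed to be the last two bytes of the last block."""
    return int.from_bytes(image[-2:], "little")

def verify(image: bytes) -> bool:
    """Accepts the image iff the field equals the low 16 bits of the byte sum."""
    return (byte_sum(image[:-2]) & 0xFFFF) == stored_checksum(image)

def find_opcode(image: bytes, prefix: bytes) -> List[int]:
    """Offsets of every occurrence of an opcode prefix (0x62 0x02 in the excerpt)."""
    return [i for i in range(len(image) - len(prefix) + 1)
            if image[i:i + len(prefix)] == prefix]

def checksum_after_byte_change(old_sum: int, old: int, new: int) -> int:
    """Excerpt arithmetic: one replaced byte moves the plain sum by exactly new - old."""
    return old_sum + (new - old)

def build_image() -> bytearray:
    """Constructed 16-block image with a single 0x62 0x02 0x80 sequence in block 0x0c."""
    img = bytearray((i * 7 + 3) & 0xFF for i in range(BLOCK_SIZE * 16))
    off = 0x0C * BLOCK_SIZE + 5
    img[off:off + 3] = b"\x62\x02\x80"
    img[-2:] = (byte_sum(img[:-2]) & 0xFFFF).to_bytes(2, "little")
    return img

def demonstrate() -> dict:
    """Replays the excerpt's edit on the constructed image and reports what a verifier sees."""
    img = build_image()
    off = find_opcode(img, b"\x62\x02")[0]
    old_sum = byte_sum(img[:-2])
    patched = bytearray(img)
    patched[off + 2] = 0x00                       # the 0x80 -> 0x00 operand change
    stale_rejected = not verify(patched)          # trailer still holds the old sum
    new_sum = checksum_after_byte_change(old_sum, 0x80, 0x00)
    assert new_sum == byte_sum(patched[:-2])      # same delta the excerpt applies
    patched[-2:] = (new_sum & 0xFFFF).to_bytes(2, "little")
    return {"offset": off,
            "stale_trailer_rejected": stale_rejected,
            "updated_trailer_accepted": verify(patched)}
```

A keyed MAC or a signature over the image, checked by the host before accepting a firmware update, is what would actually catch this kind of edit; a byte sum only detects accidental corruption.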