Apple keyboard firmware vulnerability demonstrated

Apple may have rolled out a security patch for the iPhone SMS vulnerability demonstrated at last week’s Black Hat security conference, but it wasn’t the only Apple device under attack. One hacker demonstrated a way that a keylogging application—a piece of malware that keeps track of what you type—could be installed in the firmware of Apple’s keyboards.

As it turns out, Apple’s keyboards (both the laptop and external USB versions) include both a small amount of RAM and flash memory—plenty of room to run a simple keylogging program. And because Apple’s keyboard firmware updater is apparently unencrypted and doesn’t need to be validated, it’s not very difficult for such an exploit to be injected into a seemingly innocuous program. Once the keylogger’s in the keyboard firmware, it’s virtually undetectable by the usual malware-scanning tools—after all, it’s not on your hard drive. The exploit's creator demonstrated how it could be used to easily retrieve passwords entered by a user.

This is no less serious a vulnerability than the iPhone SMS exploit, even if it isn’t quite as prominent as a flaw involving Apple’s hottest new device. You can read the full paper or view the presentation slides at the Black Hat site.
