Apple may have rolled out a security patch for the iPhone SMS vulnerability demonstrated at last week’s Black Hat security conference, but it wasn’t the only Apple device under attack. One hacker demonstrated a way that a keylogging application—a piece of malware that keeps track of what you type—could be installed in the firmware of Apple’s keyboards.
As it turns out, Apple’s keyboards (both the laptop and external USB versions) include both a small amount of RAM and flash memory—plenty of room to run a simple keylogging program. And because Apple’s keyboard firmware updater is apparently unencrypted and doesn’t need to be validated, it’s not very difficult for such an exploit to be injected into a seemingly innocuous program. Once the keylogger’s in the keyboard firmware, it’s virtually undetectable by the usual malware-scanning tools—after all, it’s not on your hard drive. The exploit’s creator demonstrated how it could be used to easily retrieve passwords entered by a user.
This is no less serious a vulnerability than the iPhone SMS exploit, even if it isn’t quite as prominent as a flaw invovling Apple’s hottest new device. You can read the full paper or view the presentation slides at the Black Hat site.