I see that Apple patched OS X to mitigate against K. Chen's famous Apple keyboard firmware hack.

However:

  • Apple keyboards can be used with computers running other operating systems; and
  • in any case, other manufacturers' keyboards may be similarly vulnerable.

What protection does Linux have against:

  • A remote attacker attempting to deploy malware onto a computer's keyboard (e.g. would the attacker be unable to do this without root)?
  • A compromised keyboard being plugged in to a clean computer?
sampablokuper
  • The Apple corrective code requires privileged access to upgrade the firmware. But what is protecting **your** keyboard from a bad guy running a firmware upgrade on **his** system where he is `root`? – dan Dec 14 '13 at 18:03
  • I think the same question about all OSes (not only MacOS X or Linux) is highly relevant. – dan Dec 14 '13 at 18:06
  • @danielAzuelos, you ask, "what is protecting **your** keyboard from a bad guy running a firmware upgrade on **his** system where he is root?" Do you mean a scenario in which the bad guy has physical access to the keyboard, or not? – sampablokuper Dec 14 '13 at 18:51
  • → sampablokuper: I imagined 2 scenarios. The one where the bad guy will borrow my keyboard for half an hour. The other one where he will switch my keyboard with a clean and **upgraded** one. This one is the easiest one unless I have a really dirty keyboard ☺. – dan Dec 15 '13 at 15:40
  • My primary concern when I wrote the question was whether Linux could prevent an attached keyboard from being compromised in the first place (e.g. by a remote attacker). Your primary concern seems to be that your computer might be exposed to a compromised keyboard. And I'm grateful to you for clarifying that, because these are both valid concerns :) I'll update my question accordingly. – sampablokuper Dec 17 '13 at 04:41

1 Answer

Nothing.

If you cannot trust your hardware, you cannot trust it.

There does not exist a universal way of updating keyboard controllers, and certainly there is no universal introspection for them. While you could reflash those keyboards that are reflashable every time the system boots or a keyboard is plugged in, you'd have to come up with a way to do this for every flashable keyboard, not to mention trust the "clean" firmware, and then you'd have built into your system a way for an attacker to flash the keyboard. This is likely not a productive use of time.

The hack described merely causes the keyboard to act as a hardware keylogger, if I read correctly. Apple's patch requires that users have elevated privileges to update the keyboard's firmware, as it should be. Linux, to my knowledge, doesn't have widely-used drivers for doing such an update, and if you don't want one to ever be done, don't compile such things into your kernel (or load modules for it). You already need root to load modules or update the kernel (typically).

The best way to guard against such things as these is to protect access to your hardware (to prevent retrieval of logged keystrokes). If there were a way to inspect the data in the keyboard remotely without the user noticing, that would be its own bug to be patched.

This problem is somewhat unique to Apple, who have created a high level of homogeneity for attackers, given attackers access to exploit it with only normal user rights (since patched, as cited), and created keyboards complex enough to facilitate such an attack. You could guard against it by using a simpler keyboard without flashable firmware, if you're worried about such things as this.

Falcon Momot
  • You have, as part of your answer, articulated a strategy that probably occurred to most people who read my question, but which is easier said than done: "guard against it by using a simpler keyboard without flashable firmware." How would you recommend establishing, for a given keyboard, whether it can have firmware flashed to it? You say there is no universal introspection. The only other universally viable technique I can think of would be to open the case and examine the controller circuitry for writable components capable of storing more than a byte or two. Thanks :) – sampablokuper Dec 26 '13 at 02:33
  • Well, if you are worried about this that much, auditing the hardware at least by physically inspecting it for flashable ICs isn't all that unreasonable. PoS keyboards would be the worst choice as almost all of them are programmable; anything with macro keys is probably out. Other stuff, you'd most definitely have to look inside to be sure. But, keep in mind that in most cases an attack would have to be developed for your specific model of keyboard. – Falcon Momot Dec 26 '13 at 07:29