macworld news antenna

Apple keyboard firmware vulnerability demonstrated

Apple keyboards (both portable and external USB versions) have a small amount of RAM and flash memory, enough to run a simple keylogging program.

Since Apple’s keyboard firmware updater is apparently not encrypted and does not require validation, it is possible to inject an exploit into an apparently innocuous program.

Once the keylogger is in the keyboard firmware, it is virtually undetectable by common malware detection tools. The creator of such an exploit has shown how it can be used to easily recover passwords entered by a user.

This is no less serious a vulnerability than the iPhone SMS-related exploit. You can read the full document or view the presentation slides on the Black Hat website.