Apple may have rolled out a security patch for the iPhone SMS vulnerability demonstrated at last week’s Black Hat security conference, but it wasn’t the only Apple device under attack.
One hacker demonstrated a way that a keylogging application - a piece of malware that keeps track of what you type - could be installed in the firmware of Apple’s keyboards.
As it turns out, Apple’s keyboards (both the laptop and external USB versions) include both a small amount of RAM and flash memory - plenty of room to run a simple keylogging program.
And because Apple’s keyboard firmware updater is apparently unencrypted and doesn’t need to be validated, it’s not very difficult for such an exploit to be injected into a seemingly innocuous program.
Once the keylogger’s in the keyboard firmware, it’s virtually undetectable by the usual malware-scanning tools - after all, it’s not on your hard drive. The exploit's creator demonstrated how it could be used to easily retrieve passwords entered by a user.
This is no less serious a vulnerability than the iPhone SMS exploit, even if it isn’t quite as prominent as a flaw involving Apple’s hottest new device. You can read the full paper or view the presentation slides at the Black Hat site.