Firmware from keyboards usable for keyloggers and rootkits

By Tim Quax on 04 August 2009

Black Hat USA 2009 has come and gone, and it left some things to think about. At the security conference in Las Vegas, a hacker named K. Chen showed that even simple equipment like keyboards can be a serious security issue.

Chen showed that the firmware of certain keyboards cannot be adequately secured, because the keyboards lack the computing power to support cryptographic signatures or a similar safeguard. As a result, it is not hard to modify the firmware and, for example, put a keylogger on the keyboard, or a rootkit-install script. These programs do their job unnoticed, and in the case of rootkit installers even formatting your drive won't help as long as you keep using the same keyboard.


Chen demonstrated the vulnerability using the Apple Alu Keyboard as an example. This keyboard was shipped with iMacs and Mac Pro desktops until March 2009, but could also be bought separately. Of course, this doesn't limit the damage: Apple's new keyboard was built in the exact same way, and it doesn't look like any other keyboard with its own firmware can be secured properly. According to Chen and his white paper, 'Reversing and exploiting an Apple firmware update', the keyboard contains a Cypress CY7C63923 microcontroller with 256b RAM and 8k flash memory for the firmware.

With Chen's proof of concept it's possible to store up to 1k of keystrokes. The same concept can also be used to house a program that installs a rootkit on the PC, rendering useless the only true way to get rid of a rootkit: formatting your drive!

