So be wary fastfood workers

This week a friend brought me the new ipod nano which her son locked and she couldnt figure out the password. It’s a real simple fix. Connect the ipod to your computer. makes sure hidden files and folders option is set and browse to “\iPod_Control\Device\_locked” Change the file name from _locked to _unlocked. Save. disconnect. Reset your ipod by holding down the menu and center button. At this point your ipod will be unlocked but you won’t be able to set a new password without first entering the old one(which you don’t know). To set a new password, go back into _unlocked and erase all of the characters in the file and save again. Reset once more. You can now set a new password if you choose.

The vulnerability was discovered by K. Chen, and he gave a talk on it at Blackhat this year. The concept is simple, a modern Apple keyboard has about 8K of flash memory, and 256 bytes of working ram. For the intelligent, this is more than enough space to have a field day.

The machine and keyboard in the demo

K. Chen demonstrated the hack to S|A at Defcon today and it worked quite well. You start out by running GDB, and set a breakpoint in Apple’s HIDFirmwareUpdaterTool. This tool is meant to update the firmware in human interface devices, hence the name. The tool is run, a breakpoint set, and then you simply cut and paste the new code into the firmware image in memory. That’s it.

The breakpoint, code and presentation

Nothing is encrypted, decrypted, and the process is simple. You then resume HIDFirmwareUpdaterTool, and in a few seconds, your keyboard is compromised. Formatting the OS won’t do you any good, the code is in keyboard flash. There are no batteries to pull, no nothing, the keyboard is simply compromised.

While you can re-flash a keyboard, that is fairly hard to do if you don’t have a keyboard. Apple internal keyboards are USB devices, as are the external ones, so the same hack works for them too. Think about that when you count the dwindling number of external USB ports on modern Macs.

The new firmware can do anything you want it to. K. Chen demo’d code that you put in a password, and when you hit return, it starts playing back the last five characters typed in, FIFO. It is a rudimentary keylogger, a proof of concept more than anything else. Since there is about 1K of flash free in the keyboard itself, you can log quite a few keystrokes totally transparently. If you want the code, it is on page 170 of the PDF presentation linked above.

This exploit is simple and does things by the rules. K. Chen is very careful not to do anything in an illegal way, and you have to do all the steps manually. It can’t easily be done remotely. That said, bad guys intent on stealing your data probably won’t have the same high moral standards, and it probably wouldn’t take much to exploit the same vulnerability remotely, silently, with code from a compromised web page.

Apple needs to patch this problem ASAP. It is completely remotely exploitable, and almost impossible to remove, especially if you don’t know it is there. This huge hole that Apple has in it’s hardware turns any remote exploit, Apple is full of them, into a huge security problem.

We would have called Apple to let them know about this, but the last few times we did, they would not so much as return our phone calls. Until Apple releases a way to detect the validity of keyboard firmware and patches this huge hole in their system, anyone using Apple hardware, regardless of the OS running, is vulnerable. Don’t believe them when they try to spin this as minor, owning a keyboard gives you ownership of a system.

VIA:semiaccurate.com

These start-up modes include booting from an install DVD and resetting the password, using Target Disk Mode to use your Mac as an external hard disk, or booting into Unix-style Single User Mode.

There is a way to protect your computer by setting a firmware password. The password is written into the computer’s firmware chips on the motherboard and if anyone tries to use a special start-up mode, they will be prompted for that password.

Apple provides a utility for setting a firmware password called Firmware Password Utility.

For Mac OS X 10.5.x, start from the Leopard Install DVD and choose Firmware Password Utility from the Utilities menu.

1. Click to select the checkbox for “Require password to change Open Firmware settings”, as shown below.

2. Type your password in the Password and Verify fields.

3. Click OK

4. Click lock icon to prevent further changes

5. Choose Quit from the application menu

Now, if anyone attempts to use any of the special start-up modes, they will be prompted for the firmware password you set.

via: mac101.net

/Applications/1Password.app/Contents/Resources/SupportedBrowsers.plist

Find the Key named Safari and look for MaxBundleVersion underneath. You will see 5528.1 as the maximum version. Change that to 5528.16, save and quit. Now you can reenable Safari from the 1Password preferences and then start Safari 4 and add the button to the toolbar. Voila!

Open up System Preferences –> Network –> Airport –> Configure…:

Pick the network you need and click on the little “EDIT” button and a new window pops up with specific information on this network:

Click on the “Show Password” checkbox, and ….

The password is shown in hex but dont worry it’ll still work when you paste it into your new WIFI profile if you choose to create one.

First off, open Keychain Access.app (located in /Applications/Utilities/).

Once there, scroll through the list of keys until you find the one that you’re looking for. Double click on it and check the box that says, “Show Password.” Once you authenticate with your user credentials, your forgotten password will be displayed in the text box.

• Business owners needing to monitor employees
• Parents needing to monitor children
• People who might need backups of things they type (writers etc)
• Private investigators, law enforcement, hackers, James Bond

Why would someone want a hardware keylogger as opposed to a software based one? Well this question has it’s pros and cons:

The pros are:

• It’s dead simple to install , just unplug the keyboard,plug this device in , and plug the keyboard into the device ,that’s it!
• No need for root/admin level permissions to install
• It can be installed on any system that has a USB port (Windows,Mac,Linux etc)
• Since it’s hardware-based it wont be detected by antivirus/malware programs ever
• It picks up EVERYTHING typed, even bios password passwords and log-ons

The cons are:

• Since it doesn’t interact with the operating system it can’t get the name of windows where the text was typed so it makes it a chore to scan the logs for the juicy information
• Easy to prevent logging by just removing the logger form the computer (which most people won’t be aware of anyhow, who actually crawls behind their computer everyday?)
• Recovery of logs might be more difficult because they are stored physically on the device and not sent to a remote location. But if you were able to install it in the first place , then recovering it shouldn’t that much harder.
• If the person has a PS/2 keyboard you can’t use an adapter because the device needs power from the USB port to work

Recovering the logs from the device can be done on any computer even though they offer the software to recover the logs faster, it’s not needed which makes this device a good tool to have in your arsenal. To recover the logs alls you you need to do is open any text editor (notepad etc…) and type in the password (default password is phxlog) and the device goes into menu mode, where you have a few options to choose
you have open so it’s best to open notepad or wordpad or any *nix/MAC equivalent before typing this. This menu will give you various options for the device ,which are:

1. Partial/Full Log download
2. Erase logs (quick or thorough)
3. Setting the default password (alphanumeric only,under 17 chars)
4. Firmware upgrade
5. Diagnostics
6. Speed (that the logs are typed)

Once you choose read the logs it starts auto typing the logs onto whatever window is open has the main focus (which is why you need to open a text editor).  If you don’t like to wait for it to auto-type (you might have days of saved logs) you can get the software to download it in one swoop. The only problem with the software that as of now it’s only compatible with windows.

Detection of the Device:

Because the device doesnt install into the operating system its pretty much insvisible to the normal user. Only a trained computer expert would notice the device it because the only sign it’s there is that it is seen as a USB hub by the OS. It shows up as a “generic 4 port hub Vid_0451&Pid_2046″ Vendor id of 0451 and a product id of 2046, which comes up as a generic Texas instruments device which wont raise many eyebrows. Because it’s a USB 1.1 hub it is possible that it may be discovered if someone plugs a USB 2.0 keyboard inline with it. (They might get a warning message telling them that their device can perform at a higher speed if they use a different port.) But the chances are slim of someone needing to replace their keyboard.

All in all this device is a stable tool to use, it logged with no problems at all with every keyboard/OS i used with it.  Although the price is a little high for most people, it’s well priceless for businesses who need to keep an eye on employees, or a parent who needs to monitor their children’s internet activity. I want to thank Keycarbon for giving me the opportunity to review and test this device. Check out their site for other devices they offer that I didn’t get to review , but are another great alternative to stealth hardware logging.

Need to secure your usb drive? Click Here!

Here is how to protect yourself from this vulnerability:

1. Call your AT&T/Cingular voicemail (dial your own number from the iPhone).
2. Press 4 to go to “Personal Options”.
3. Press 2 to go to “Administrative Options”.
4. Press 1 to go to “Password”.
5. Press 2 to turn your password “ON”.
6. Hang-up and call your voicemail again from your iPhone. If your voicemail system asks you for your voicemail password you are all set.