I love how the infosec community is already paranoid and now with this report (the veracity is somewhat disputed by Apple, etc.) people are going to be extra careful about their hardware.
I’m waiting for this sort of thing to show up in more IoT devices.
From the story, it does seem Bloomberg has something wrong, there are better ways to do similar things that don’t involve this high of a level of hardware expertise and logistics. We’ll see if Apple or any of the other companies involved put out any more explanation - it could be that National Security folks got involved too, so we’re dealing with finding the truth amid corporate trying to portray the security of customer data, NatSec trying to keep what they discovered quiet (I don’t know if you could sandbox or honeytrap such hardware?), and reporters trying to not only find the truth, but understand and explain the more obscure hardware explanations for what exactly was found.
Now if you’ll excuse me, I’m going to tear apart my microwave and check for hidden spy chips…
I wonder why no one has created an easily accessible solution to this? I get that it would be kinda hard to do with how much information is transferred between devices but I think it is fully do-able. Granted I’m pretty sure that this would have to cause some sort of latency if you have it running all the time.
There’s an additional Bloomberg piece today about another hardware implant, but this time it is an Ethernet port that’s been modified.
“One of the keys to any successful hardware attack is altering components that have an ample power supply to them, a daunting challenge the deeper into a motherboard you go. That’s why peripherals such as keyboards and mice are also perennial favorites for intelligence agencies to target, Appleboum said.”
But it’s not.
You can practically record macros, which can be played again later. So you could set it up to record a password someone else enters with the keyboard.
Or you could just flash a fork or another program to the microcontroller.
How should one check that it’s just plain QMK?
Also, most employers won’t go to the hassle of researching that there is a piece of software running on the board just because someone wants to ‘use their own keyboard’, that’s a joke to ’em.