Rootkits in a keyboard? Really?

A recent ZDNet blog entry mentions probably the most bizarre type of exploit I have ever run across in about a quarter-century of computer use. Apparently, a firmware update for an Apple keyboard can be infected with such things as keystroke loggers and nearly undetectable rootkits.

From the post:

Chen, from the Georgia Institute of Technology, said malicious code embedded into the firmware would be immune to the typical rootkit detection methods which examine the integrity of the filesystem, check for hooks or direct kernel object manipulation, or detect hardware and/or timing discrepancies due to virtualization in the case of a virtual-machine based rootkit.

Now, this may sound pretty damned scary to those of you who usually glaze over the technology-related articles I write and happened to land on this, and yes, it’s pretty scary stuff. What I really find scary about this whole thing is the question that goes completely unanswered in this article and the other articles I have read about this.

That question is: Why the hell does a keyboard need to have a software-updatable firmware capability to begin with?

The function of a keyboard is so simple that it barely needs to have a microcontroller. There has traditionally been no way for PC keyboards with PS/2 connectors to have their firmware updated. I don’t get why Apple would open up their customers to such a gaping security hole, either knowingly or recklessly.

This security exploit highlights the very real risk of having updatable firmware where it is not needed. If Apple’s engineers get firmware programming wrong to the point where keyboards have to be software-updatable, I think a manager at Apple needs to start firing engineers and replacing them with people more capable of doing their jobs in a competent fashion. Unfortunately, I don’t see any revolving door installations happening in Cupertino any time soon, as badly as they may be needed.

FCC takes aim at Apple and AT&T re: Google Voice app rejection

Fred von Lohmann, writing for the EFF Deeplinks blog, reports on the FCC’s investigation regarding the highly dubious and potentially anti-competitive rejection of a Google Voice app for the iPhone.

And my not-so-humble opinion, of course, can be summed up thusly: About damn time. Hopefully, a decision on this will be at least useful as some kind of precedent so that Apple’s out-of-control rejections of iPhone apps are at least reined in a bit.

One of the more interesting quotes from the blog entry:

When a dominant hardware platform vendor teams up with a dominant network services provider, and then selectively blocks or hobbles software applications on the platform, consumers should smell an anticompetitive rat. After all, if Microsoft had a veto right over every app that ran under Windows, and used that power to selectively ban competitors who “duplicate” functionality offered by Microsoft’s own apps, we’d expect competition regulators to be up in arms.

Indeed, even Microsoft knows they would never be able to get away with locking down Windows to the extent Apple has locked down the iPhone platform. Of course, it’s much easier and nowhere near as risky (legally and otherwise) to install an alternative operating system on a PC compared to jailbreaking an iPhone.

Hopefully, the FCC will see Apple’s shenanigans for what they are: anticompetitive, unfair, and unacceptable.