Rootkits in a keyboard? Really?

A recent ZDNet blog entry mentions probably the most bizarre type of exploit I have ever run across in about a quarter-century of computer use. Apparently, a firmware update for an Apple keyboard can be infected with such things as keystroke loggers and nearly undetectable rootkits.

From the post:

Chen, from the Georgia Institute of Technology, said malicious code embedded into the firmware would be immune to the typical rootkit detection methods which examine the integrity of the filesystem, check for hooks or direct kernel object manipulation, or detect hardware and/or timing discrepancies due to virtualization in the case of a virtual-machine based rootkit.

Now, this may sound pretty damned scary to those of you who usually glaze over the technology-related articles I write and happened to land on this, and yes, it’s pretty scary stuff. What I really find scary about this whole thing, is the question that goes completely unanswered in this article and the other articles I have read about this.

That question is: Why the hell does a keyboard need to have a software-updatable firmware capability to begin with?

The function of a keyboard is so simple that it barely needs to have a microcontroller. There has traditionally been no way for PC keyboards with PS/2 connectors to have their firmware updated. I don’t get why Apple would open up their customers to such a gaping security hole, either knowingly or recklessly.

This security exploit highlights the very real risk of having updatable firmware where it is not needed. If Apple’s engineers get firmware programming wrong to the point where keyboards have to be software updatable, I think a manager at Apple needs to start firing engineers and replacing them with people more capable of doing their jobs in a competent fashion. Unfortunately, I don’t see any revolving door installations happening in Cupertino any time soon, as badly as they may be needed.