[HN Gopher] Writing a Firmware-Only Keylogger
___________________________________________________________________
Writing a Firmware-Only Keylogger
Author : jsnell
Score  : 165 points
Date   : 2021-07-05 17:54 UTC (5 hours ago)
(HTM) web link (8051enthusiast.github.io)
(TXT) w3m dump (8051enthusiast.github.io)
| nikital wrote:
| > 8051s love talking to each other after all, otherwise USB would not exist.
|
| Can anyone explain what the author meant by that? I thought 8051 is just an ISA, is there something special there for cross IC communication compared to other ISAs? And what's the connection to USB?
| repiret wrote:
| In my experience, most USB controllers use an 8051 to implement the USB protocol at the level in between the link and URBs.
| caust1c wrote:
| I think the author's simply referencing the fact that it's a common chip used in many usb controllers and makes it easy to build peripherals that work with USB standards.
| segfaultbuserr wrote:
| Due to its historical influences, 8051-based microcontrollers and cores are still widely used in a huge number of embedded devices and ASICs everywhere - motherboard EC, Ethernet, Wi-Fi controllers, this also includes the peripheral devices that plug into USB ports, like a mouse, a keyboard, a sensor, or industrial controllers, or whatever, so the first part of the joke is most communications via USB are just 8051s talking to each other. The second part of the joke is that even USB ASICs themselves, like USB hubs or host controllers, are often powered by 8051 cores.
| 0x0 wrote:
| The RealWOW server appears to run an ancient windows php distribution that is probably rooted to high heavens: https://twitter.com/angelxwind/status/1410742393914023937?s=...
| edgeform wrote:
| When Jason Snell posts on HN, I sit up in my chair.
|
| Great read. That "technology" included in Realtek is absolutely bonkers -- who asked for that functionality at a consumer level? No one.
| _Nat_ wrote:
| This comment doesn't seem too related to the article except for the words "_Jason Snell_" and "_Realtek_", and both of those appear misused.
|
| So I don't mean to be rude, but I'm guessing this is a chatbot? Skimmed for proper-nouns, then generic shrills about how the author and article are great and how technology's too complicated?
| gzer0 wrote:
| Good catch. I must say I concur with your assessment.
| edgeform wrote:
| > So I don't mean to be rude
|
| He said, before being rude & condescending. Here, would a chat bot pick apart your miserable comment like this?
|
| https://twitter.com/jsnell
|
| _Oh no I mixed up social media handles I must be a chat bot_
|
| > Skimmed for proper-nouns
|
| _Oh no I mixed up social media handles I must be a chat bot_
|
| > then generic shrills
|
| Huh? I'm complaining about the very real technology present in the Realtek chips that enables any moron with access to a web browser to send firmware-level commands anywhere in the world.
|
| Did _you_ even read the article?
|
| > about how the author and article are great
|
| Are _you_ a chatbot? I didn't even sing about the article being great, I asked if anyone had a real consumer application for the tech presented as an attack vector in the article.
|
| Go outside. Talk to a human being. I'm betting it's been a couple years for you if you're _this_ bad at not only misjudging intention but going straight to "this must not be a human being, only a bot would respond with something I do not wholly understand".
|
| Again, what a _miserable_ comment.
| _Nat_ wrote:
| Hah, okay, that sounds human enough. Sorry for the misunderstanding; I truly meant no offense.
|
| Thanks for clarifying! =)
| bobthebuilders wrote:
| Chatbot detection protection? Throws some whataboutism and a human written paragraph attacking the comment to disguise things.
| yjftsjthsd-h wrote:
| > That "technology" included in Realtek is absolutely bonkers -- who asked for that functionality at a consumer level? No one.
|
| What tech are we talking about? WoL is definitely appreciated in all devices, although the "RealWoW" thing is very much diminishing returns. Otherwise, everything is just normal programmable chips and DMA-type data movement, both of which are generally desirable.
| edgeform wrote:
| RealWoW.
| a-dub wrote:
| nah. i'll take wifi hardware that doesn't have buggy layer 4+ features in firmware that hackers can exploit to turn my keystrokes into udp packets, thank you very much.
|
| in fact, i think i'd prefer a computer that leaves all the layer 4+ up to the operating system as at least it has a chance of being audited.
|
| that said, this raises an interesting point. the only way to really be sure is to sniff your own packets... but if everything moves to being encrypted that's going to get a lot harder...
| miles wrote:
| > When Jason Snell posts on HN, I sit up in my chair
|
| I believe the post is from Juho Snell:
|
| http://www.snellman.net/blog/archive/about/
|
| https://twitter.com/juhosnellman
| baybal2 wrote:
| I like RealTek hardware for it being really barebones, without overload from extraneous marketing department inspired features.
|
| They've been on the retreat from the WiFi space for years, both WiSoC, and STA space.
|
| They even sell their latest router chips with third party WiFi 6 chips these days.
| captainmuon wrote:
| Really interesting, this is the first time I hear anything about what is in those Realtek firmwares. Keylogger aside, is there anything fun or nefarious one could do with the radio?
|
| Also, we use them at work in our products, and usually just get the firmware and driver binaries thrown over the wall by the board vendor, without any description or changelog.
| I'm tempted to throw a few different bins through Ghidra and see if I can tell what changed.
| gricardo99 wrote:
| The funny thing is that this is effectively a keylogger that does not run any code on the CPU while it is running.
|
| I already knew it, but this just reinforced how terribly vulnerable pretty much every computer system is. Makes me think ransomware/hacks are going to get a lot worse, and I can't see how the situation can be improved, at least for quite some time.
| matheusmoreira wrote:
| Just make companies liable for any damage caused by their crappy products. Make them pay billions in damages every time somebody gets hacked because of their negligence. Then they'll start caring about the quality of their software instead of treating it as a cost center.
| joe_the_user wrote:
| The implication that software providers should be liable seems to reappear eternally here and remains misguided. Even when we're essentially discussing hardware here.
|
| Software is perhaps the area where "good" or "crappy" is most undetermined. A given piece of software can be bullet-proof today and a catastrophic hole can appear tomorrow. And even if the producer releases an update, there's no guarantee it will be picked-up.
|
| The overall situation is that what's needed is standards of software use for those companies which actually do damage. Without standards, your use of "crappy" is meaningless.
| matheusmoreira wrote:
| > A given piece of software can be bullet-proof today and a catastrophic hole can appear tomorrow.
|
| Sometimes you do everything you can and things still go wrong. That's okay.
|
| What happens in practice is totally different though. Gross negligence is endemic in the technology industry. Most companies out there simply don't give a shit. Their negligence is deliberate, calculated and pre-meditated. They know exactly how much damage they're causing and they don't care because caring costs money.
|
| > Without standards, your use of "crappy" is meaningless.
|
| It's not meaningless at all. For example, nearly every laptop manufacturer I've ever seen has delivered to me software that is unambiguously bad. This opinion is not controversial at all. You just need to fire up some manufacturer app to see just how incredibly bad they are.
|
| I've posted about that here many times and people explained to me that the software is garbage because hardware companies literally don't care about it. They see it as just additional costs to be eliminated and as a result we get products which are total crap. My laptop came with a driver that intercepts my keystrokes and sends signals to the keyboard so that it can light up the LEDs under the keys I pressed. What caused an insane design like this to even come into existence is beyond me, no doubt it came down to saving a few cents in manufacturing. I replaced this functionality with free software and I'm not sure if I even want to know whether there are any vulnerabilities in that driver.
| gnopgnip wrote:
| This is how malpractice works in every other injury. It isn't just about damage being caused by the software, but if there was a violation of the reasonable standard of care.
| Quekid5 wrote:
| Exactly. Us engineering types tend to underestimate how much intent and judgment matters when it comes to matters of malpractice (and similar) laws.
| smcameron wrote:
| Open source stuff would disappear.
| sonograph wrote:
| I disagree. FOSS and commercially licensed (and sold) software with EULAs are two very different things, and can be distinguished in whatever legal language implements these theoretical liabilities.
| swiley wrote:
| Open source is the only stuff that doesn't reliably leave gaping holes laying around for years because anyone can pay to have them fixed.
| mschuster91 wrote:
| > Make them pay billions in damages every time somebody gets hacked because of their negligence.
|
| The downside is companies will lock down their hardware _even more_ out of fear of getting sued. It's utterly amazing this person managed to get custom firmware executing on the WiFi chip... stuff like Intel's or AMD's microcode is digitally signed (and iirc, also encrypted) instead of using a plain old XOR checksum, and I'd argue the world is a lot less safe as a result.
| Teever wrote:
| This natural desire to cut corners by locking down devices will be mitigated by right to repair laws.
|
| With that said, it always irks me when someone suggests regulation as a solution to misconduct by large corporations and someone chimes in "But they'll just misbehave in some other way."
|
| If the entity that is misbehaving has changed the way that they're misbehaving in response to your regulation that means that your regulations worked and that you merely need to continue regulating the offender.
| johncolanduoni wrote:
| This isn't a "crappy product", unless you consider every product that allows users to provide their own firmware crappy.
| zionic wrote:
| Imagine having your cryptocurrency wallet's private key exfiltrated in this way.
|
| Hell, it wouldn't surprise me if a few less than ethical NSA hackers are doing exactly that in their spare time.
| Osiris wrote:
| You should never type your seed phrase on any computer. Hardware wallets will give you a randomized keymap for you to recover a seed phrase without using any of the real letters.
| 1vuio0pswjnm7 wrote:
| "... and I can't see how the situation can be improved, at least for quite some time."
|
| I can. But no one is going to listen to either of us, so what does it matter.
|
| Here is how I would start to improve the situation.
|
| Disconnect untrusted computers from the internet.
|
| In other words the only computer that is allowed to access the internet directly is a computer that has all the properties desired for adequate security. Those properties could be things like the hardware being repairable, having an open BIOS and the bootloader and OS being open source and able to be compiled from source by the user easily. Call this computer a "gateway" if you like, or call it a "firewall", or call it whatever you want to call it. The essential point is that it is the one computer you believe you can best understand and control.
|
| I would be willing to bet any amount of money that just disconnecting all Windows computers from the internet, i.e., no direct connection, would result in a dramatic drop in security problems.
|
| Keyloggers are not very useful on a mass scale if they cannot transfer the keystrokes over the internet.
|
| There was a time when not all computers had unfettered direct access to the internet. They worked just fine. Maybe even better than ones today that are incessantly trying to connect to some server.
| est31 wrote:
| Most popular Linux distros are in many ways _more_ vulnerable than Windows. Microsoft employs actual security engineers for Windows. To give one example, X11 is still in wide use.
|
| The secure Linux distros are all of the locked down kind, like Chrome OS and Android.
|
| The reason why we aren't seeing widespread desktop Linux malware campaigns is because almost nobody uses desktop Linux. The year of the Linux desktop, whenever it will be, will be followed by the year of the Linux desktop malware.
|
| I love open source and free software, but it's not inherently more secure.
| iratewizard wrote:
| Linux is still under 2% of the market share for anyone wondering.
| 1vuio0pswjnm7 wrote:
| Are you making any assumptions? I never mentioned Linux.
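Two comments above converge on the same practical check: a-dub's point that the implant turns keystrokes into UDP packets and that sniffing your own traffic is the only way to be sure, and 1vuio0pswjnm7's point that a keylogger is only useful if its capture can actually leave the network through a gateway you control. The script below is an added example, not code from the linked article or from any commenter: a flow-shape heuristic a gateway could run over captured UDP traffic, flagging long-lived flows to unexpected destinations whose datagrams are tiny and paced like a human typing. The thresholds, the allowlist and the packet records are assumptions constructed for the example; a real deployment would feed it from tcpdump or flow export on the gateway.

```python
"""Flag UDP flows that look like one datagram per key press.

Added example (not from the linked article or any commenter). The idea:
a firmware keylogger that sends each key event as its own datagram
produces a flow that is easy to describe even without seeing the
payload: many tiny packets, to a host the network does not normally
talk to, with inter-arrival gaps in the range of human typing.
Encryption does not hide size or timing, so the heuristic works on
ciphertext too. Thresholds and sample traffic are constructed for the
example, not measured values.
"""
from __future__ import annotations

import random
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    ts: float          # capture timestamp, seconds
    src: str
    dst: str
    dport: int
    payload_len: int   # UDP payload bytes


# Tunable assumptions, not measured figures.
MAX_KEYSTROKE_PAYLOAD = 8         # a scancode / key event is a few bytes
SMALL_FRACTION = 0.9              # share of packets that must be that small
MIN_PACKETS = 20                  # enough packets to judge the cadence
MIN_GAP_S, MAX_GAP_S = 0.03, 2.0  # inter-packet gaps typical of typing
TYPING_FRACTION = 0.8             # share of gaps inside that envelope

# (dst, dport) pairs the gateway already expects from the LAN (assumed).
ALLOWLIST = {("10.0.0.1", 53), ("203.0.113.10", 123)}


def suspicious_flows(packets: list[Packet], allowlist=ALLOWLIST) -> list[dict]:
    """Group packets into (src, dst, dport) flows and score each one."""
    flows: dict[tuple, list[Packet]] = defaultdict(list)
    for p in packets:
        flows[(p.src, p.dst, p.dport)].append(p)

    findings = []
    for (src, dst, dport), pkts in flows.items():
        if (dst, dport) in allowlist or len(pkts) < MIN_PACKETS:
            continue
        pkts = sorted(pkts, key=lambda p: p.ts)
        small = sum(p.payload_len <= MAX_KEYSTROKE_PAYLOAD for p in pkts) / len(pkts)
        gaps = [b.ts - a.ts for a, b in zip(pkts, pkts[1:])]
        typing = sum(MIN_GAP_S <= g <= MAX_GAP_S for g in gaps) / len(gaps)
        if small >= SMALL_FRACTION and typing >= TYPING_FRACTION:
            findings.append({
                "src": src, "dst": dst, "dport": dport,
                "packets": len(pkts),
                "small_payload_fraction": round(small, 2),
                "typing_gap_fraction": round(typing, 2),
            })
    return findings


def make_sample_capture() -> list[Packet]:
    """Constructed traffic: three ordinary UDP flows plus one shaped like typing."""
    rng = random.Random(1)
    pkts: list[Packet] = []
    t = 0.0
    for _ in range(25):                      # DNS lookups (allowlisted anyway)
        t += rng.uniform(0.5, 30.0)
        pkts.append(Packet(t, "10.0.0.5", "10.0.0.1", 53, rng.randint(30, 70)))
    for i in range(5):                       # NTP polls: too few packets to judge
        pkts.append(Packet(i * 64.0, "10.0.0.5", "203.0.113.10", 123, 48))
    for i in range(100):                     # RTP-like media: fast, 160-byte payloads
        pkts.append(Packet(10.0 + i * 0.02, "10.0.0.9", "192.0.2.20", 5004, 160))
    t = 100.0
    for _ in range(40):                      # one 1-2 byte datagram per key press
        t += rng.uniform(0.08, 0.4)
        pkts.append(Packet(t, "10.0.0.5", "198.51.100.7", 4444, rng.choice([1, 2])))
    return sorted(pkts, key=lambda p: p.ts)


if __name__ == "__main__":
    for finding in suspicious_flows(make_sample_capture()):
        print(finding)
```

On the constructed capture only the flow to 198.51.100.7:4444 is reported; the media stream fails the payload-size test and the NTP flow never reaches MIN_PACKETS. On the kind of gateway 1vuio0pswjnm7 describes, where untrusted machines have no direct internet access, the allowlist is short and anything not on it is already worth a look, so the cadence test mainly serves to rank findings. The obvious evasion is to batch key events into fewer, larger datagrams, which is why this is a triage heuristic and not a substitute for verifying the firmware the OS loads.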
| marcodiego wrote:
| A firmware for the wifi/bluetooth can convince the embedded controller to pass the keys that are pressed on the keyboard and pass this data using wifi, is that?
|
| If that is the case, my list of reasons to like open-source firmwares and dislike intel IME has just increased a bit more.
| johncolanduoni wrote:
| The EC has to be flashed too, so it's not really convincing it of anything. It's also worth noting that since the wifi firmware isn't persistent you need to keep the compromised WiFi firmware in your Linux install. So wiping your disk would remove this hack.
| [deleted]
___________________________________________________________________
(page generated 2021-07-05 23:00 UTC)