[HN Gopher] Writing a Firmware-Only Keylogger
___________________________________________________________________
Writing a Firmware-Only Keylogger
Author : jsnell
Score : 165 points
Date : 2021-07-05 17:54 UTC (5 hours ago)
(HTM) web link (8051enthusiast.github.io)
(TXT) w3m dump (8051enthusiast.github.io)
| nikital wrote:
| > 8051s love talking to each other after all, otherwise USB would
| not exist.
|
| Can anyone explain what the author meant by that? I thought 8051
| is just an ISA, is there something special there for cross IC
| communication compared to other ISAs? And what is the connection
| to USB?
| repiret wrote:
| In my experience, most USB controllers use an 8051 to implement
| the USB protocol at the level in between the link and URBs.
| caust1c wrote:
| I think the author's simply referencing the fact that it's a
| common chip used in many USB controllers and makes it easy to
| build peripherals that work with USB standards.
| segfaultbuserr wrote:
| Due to its historical influences, 8051-based microcontrollers
| and cores are still widely used in a huge number of embedded
| devices and ASICs everywhere - motherboard EC, Ethernet, Wi-Fi
| controllers, this also includes the peripheral devices that
| plug into USB ports, like a mouse, a keyboard, a sensor, or
| industrial controllers, or whatever, so the first part of the
| joke is most communications via USB are just 8051s talking to
| each other. The second part of the joke is that even USB ASICs
| themselves, like USB hubs or host controllers, are often
| powered by 8051 cores.
| 0x0 wrote:
| The RealWOW server appears to run an ancient windows php
| distribution that is probably rooted to high heavens:
| https://twitter.com/angelxwind/status/1410742393914023937?s=...
| edgeform wrote:
| When Jason Snell posts on HN, I sit up in my chair.
|
| Great read. That "technology" included in Realtek is absolutely
| bonkers -- who asked for that functionality at a consumer level?
| No one.
| _Nat_ wrote:
| This comment doesn't seem too related to the article except for
| the words " _Jason Snell_ " and " _Realtek_ ", and both of
| those appear misused.
|
| So I don't mean to be rude, but I'm guessing this is a chatbot?
| Skimmed for proper-nouns, then generic shrills about how the
| author and article are great and how technology's too
| complicated?
| gzer0 wrote:
| Good catch. I must say I concur with your assessment.
| edgeform wrote:
| > So I don't mean to be rude
|
| He said, before being rude & condescending. Here, would a
| chat bot pick apart your miserable comment like this?
|
| https://twitter.com/jsnell
|
| _Oh no I mixed up social media handles I must be a chat bot_
|
| > Skimmed for proper-nouns
|
| _Oh no I mixed up social media handles I must be a chat bot_
|
| > then generic shrills
|
| Huh? I'm complaining about the very real technology present
| in the Realtek chips that enables any moron with access to a
| web browser to send firmware-level commands anywhere in the
| world.
|
| Did _you_ even read the article?
|
| > about how the author and article are great
|
| Are _you_ a chatbot? I didn't even sing about the article
| being great, I asked if anyone had a real consumer
| application for the tech presented as an attack vector in the
| article.
|
| Go outside. Talk to a human being. I'm betting it's been a
| couple years for you if you're _this_ bad at not only
| misjudging intention but going straight to "this must not be
| a human being, only a bot would respond with something I do
| not wholly understand".
|
| Again, what a _miserable_ comment.
| _Nat_ wrote:
| Hah, okay, that sounds human enough. Sorry for the
| misunderstanding; I truly meant no offense.
|
| Thanks for clarifying! =)
| bobthebuilders wrote:
| Chatbot detection protection? Throws some whataboutism and
| a human written paragraph attacking the comment to disguise
| things.
| yjftsjthsd-h wrote:
| > That "technology" included in Realtek is absolutely bonkers
| -- who asked for that functionality at a consumer level? No
| one.
|
| What tech are we talking about? WoL is definitely appreciated
| in all devices, although the "RealWoW" thing is very much
| diminishing returns. Otherwise, everything is just normal
| programmable chips and DMA-type data movement, both of which
| are generally desirable.
| edgeform wrote:
| RealWoW.
| a-dub wrote:
| nah. i'll take wifi hardware that doesn't have buggy layer 4+
| features in firmware that hackers can exploit to turn my
| keystrokes into udp packets, thank you very much.
|
| in fact, i think i'd prefer a computer that leaves all the
| layer 4+ up to the operating system as at least it has a
| chance of being audited.
|
| that said, this raises an interesting point. the only way to
| really be sure is to sniff your own packets... but if
| everything moves to being encrypted that's going to get a lot
| harder...
| miles wrote:
| > When Jason Snell posts on HN, I sit up in my chair
|
| I believe the post is from Juho Snell:
|
| http://www.snellman.net/blog/archive/about/
|
| https://twitter.com/juhosnellman
| baybal2 wrote:
| I like RealTek hardware for it being really barebones, without
| overload from extraneous marketing department inspired features.
|
| They've been on the retreat from the WiFi space for years, both
| WiSoC, and STA space.
|
| They even sell their latest router chips with third party WiFi 6
| chips these days.
| captainmuon wrote:
| Really interesting, this is the first time I hear anything about
| what is in those Realtek firmwares. Keylogger aside, is there
| anything fun or nefarious one could do with the radio?
|
| Also, we use them at work in our products, and usually just get
| the firmware and driver binaries thrown over the wall by the
| board vendor, without any description or changelog. I'm tempted
| to throw a few different bins through Ghidra and see if I can
| tell what changed.
| gricardo99 wrote:
| The funny thing is that this is effectively a keylogger that does
| not run any code on the CPU while it is running.
|
| I already knew it, but this just reinforced how terribly
| vulnerable pretty much every computer system is. Makes me think
| ransomware/hacks are going to get a lot worse, and I can't see
| how the situation can be improved, at least for quite some time.
| matheusmoreira wrote:
| Just make companies liable for any damage caused by their
| crappy products. Make them pay billions in damages every time
| somebody gets hacked because of their negligence. Then they'll
| start caring about the quality of their software instead of
| treating it as a cost center.
| joe_the_user wrote:
| The implication that software providers should be liable
| seems to reappear eternally here and remains misguided. Even
| when we're essentially discussing hardware here.
|
| Software is perhaps the area where "good" or "crappy" is
| most undetermined. A given piece of software can be bullet-proof
| today and a catastrophic hole can appear tomorrow. And
| even if the producer releases an update, there's no guarantee
| it will be picked up.
|
| The overall situation is that what's needed is standards of
| software use for those companies which actually do damage.
| Without standards, your use of "crappy" is meaningless.
| matheusmoreira wrote:
| > A given piece of software can be bullet-proof today and a
| catastrophic hole can appear tomorrow.
|
| Sometimes you do everything you can and things still go
| wrong. That's okay.
|
| What happens in practice is totally different though. Gross
| negligence is endemic in the technology industry. Most
| companies out there simply don't give a shit. Their
| negligence is deliberate, calculated and pre-meditated.
| They know exactly how much damage they're causing and they
| don't care because caring costs money.
|
| > Without standards, your use of "crappy" is meaningless.
|
| It's not meaningless at all. For example, nearly every
| laptop manufacturer I've ever seen has delivered to me
| software that is unambiguously bad. This opinion is not
| controversial at all. You just need to fire up some
| manufacturer app to see just how incredibly bad they are.
|
| I've posted about that here many times and people explained
| to me that the software is garbage because hardware
| companies literally don't care about it. They see it as
| just additional costs to be eliminated and as a result we
| get products which are total crap. My laptop came with a
| driver that intercepts my keystrokes and sends signals to
| the keyboard so that it can light up the LEDs under the
| keys I pressed. What caused an insane design like this to
| even come into existence is beyond me, no doubt it came
| down to saving a few cents in manufacturing. I replaced
| this functionality with free software and I'm not sure if I
| even want to know whether there are any vulnerabilities in
| that driver.
| gnopgnip wrote:
| This is how malpractice works in every other injury. It
| isn't just about damage being caused by the software, but
| if there was a violation of the reasonable standard of care.
| Quekid5 wrote:
| Exactly. We engineering types tend to underestimate how
| much intent and judgment matters when it comes to matters
| of malpractice (and similar) laws.
| smcameron wrote:
| Open source stuff would disappear.
| sonograph wrote:
| I disagree. FOSS and commercially licensed (and sold)
| software with EULAs are two very different things, and can
| be distinguished in whatever legal language implements
| these theoretical liabilities
| swiley wrote:
| Open source is the only stuff that doesn't reliably leave
| gaping holes lying around for years because anyone can
| pay to have them fixed.
| mschuster91 wrote:
| > Make them pay billions in damages every time somebody gets
| hacked because of their negligence.
|
| The downside is companies will lock down their hardware _even
| more_ out of fear of getting sued. It's utterly amazing this
| person managed to get custom firmware executing on the WiFi
| chip... stuff like Intel's or AMD's microcode is digitally
| signed (and iirc, also encrypted) instead of using a plain
| old XOR checksum, and I'd argue the world is a lot less
| safe as a result.
| Teever wrote:
| This natural desire to cut corners by locking down devices
| will be mitigated by right to repair laws.
|
| With that said, it always irks me when someone suggests
| regulation as a solution to misconduct by large
| corporations and someone chimes in "But they'll just
| misbehave in some other way."
|
| If the entity that is misbehaving has changed the way that
| they're misbehaving in response to your regulation that
| means that your regulations worked and that you merely need
| to continue regulating the offender.
| johncolanduoni wrote:
| This isn't a "crappy product", unless you consider every
| product that allows users to provide their own firmware
| crappy.
| zionic wrote:
| Imagine having your cryptocurrency wallet's private key
| exfiltrated in this way.
|
| Hell, it wouldn't surprise me if a few less than ethical NSA
| hackers are doing exactly that in their spare time.
| Osiris wrote:
| You should never type your seed phrase on any computer.
| Hardware wallets will give you a randomized keymap for you
| to recover a seed phrase without using any of the real
| letters.
| 1vuio0pswjnm7 wrote:
| "... and I can't see how the situation can be improved, at
| least for quite some time."
|
| I can. But no one is going to listen to either of us, so what
| does it matter.
|
| Here is how I would start to improve the situation.
|
| Disconnect untrusted computers from the internet.
|
| In other words the only computer that is allowed to access the
| internet directly is a computer that has all the properties
| desired for adequate security. Those properties could be things
| like the hardware being repairable, having an open BIOS and the
| bootloader and OS being open source and able to be compiled
| from source by the user easily. Call this computer a "gateway"
| if you like, or call it a "firewall", or call it whatever you
| want to call it. The essential point is that it is the one
| computer you believe you can best understand and control.
|
| I would be willing to bet any amount of money that just
| disconnecting all Windows computers from the internet, i.e., no
| direct connection, would result in a dramatic drop in security
| problems.
|
| Keyloggers are not very useful on a mass scale if they cannot
| transfer the keystrokes over the internet.
|
| There was a time when not all computers had unfettered direct
| access to the internet. They worked just fine. Maybe even
| better than ones today that are incessantly trying to connect
| to some server.
| est31 wrote:
| Most popular Linux distros are in many ways _more_ vulnerable
| than Windows. Microsoft employs actual security engineers for
| Windows. To give one example, X11 is still in wide use.
|
| The secure Linux distros are all of the locked down kind,
| like Chrome OS and Android.
|
| The reason why we aren't seeing widespread desktop Linux
| malware campaigns is because almost nobody uses desktop
| Linux. The year of the Linux desktop, whenever it will be,
| will be followed by the year of the Linux desktop malware.
|
| I love open source and free software, but it's not inherently
| more secure.
| iratewizard wrote:
| Linux is still under 2% of the market share for anyone
| wondering.
| 1vuio0pswjnm7 wrote:
| Are you making any assumptions? I never mentioned Linux.
| marcodiego wrote:
| A firmware for the wifi/bluetooth can convince the embedded
| controller to pass the keys that are pressed on the keyboard and
| pass this data using wifi, is that it?
|
| If that is the case, my list of reasons to like open-source
| firmwares and dislike intel IME has just increased a bit more.
| johncolanduoni wrote:
| The EC has to be flashed too, so it's not really convincing it
| of anything. It's also worth noting that since the wifi
| firmware isn't persistent you need to keep the compromised WiFi
| firmware in your Linux install. So wiping your disk would
| remove this hack.
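Since the compromised WiFi firmware has to live on disk in the Linux install, a defender can audit the blobs the driver loads against known-good digests. This is an added example, not code from the article or anyone in the thread; the firmware tree, file names and digests are constructed in a temporary directory, and a real manifest would come from the distribution's package data or a hash recorded at install time.

```python
import hashlib
import os
import tempfile

def sha256_file(path):
    """SHA-256 of a file, read in chunks so large blobs are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def audit_firmware(fw_dir, manifest):
    """Compare every file under fw_dir against manifest {relpath: sha256}.
    Returns lists: ok, modified (digest differs), missing (in manifest,
    not on disk) and unknown (on disk, nobody vouches for it)."""
    result = {"ok": [], "modified": [], "missing": [], "unknown": []}
    seen = set()
    for root, _dirs, files in os.walk(fw_dir):
        for name in files:
            full = os.path.join(root, name)
            rel = os.path.relpath(full, fw_dir)
            seen.add(rel)
            if rel not in manifest:
                result["unknown"].append(rel)
            elif sha256_file(full) == manifest[rel]:
                result["ok"].append(rel)
            else:
                result["modified"].append(rel)
    for rel in manifest:
        if rel not in seen:
            result["missing"].append(rel)
    return result

def demo():
    # Constructed firmware tree: one intact blob, one with a flipped byte,
    # one stray file, and one manifest entry that was never installed.
    good = b"CONSTRUCTED_FW_IMAGE\x00" + bytes(range(64))
    tampered = good[:-1] + b"\xff"
    with tempfile.TemporaryDirectory() as d:
        os.makedirs(os.path.join(d, "rtlwifi"))
        with open(os.path.join(d, "rtlwifi", "a.bin"), "wb") as f:
            f.write(good)
        with open(os.path.join(d, "rtlwifi", "b.bin"), "wb") as f:
            f.write(tampered)
        with open(os.path.join(d, "stray.bin"), "wb") as f:
            f.write(b"x")
        manifest = {"rtlwifi/a.bin": hashlib.sha256(good).hexdigest(),
                    "rtlwifi/b.bin": hashlib.sha256(good).hexdigest(),
                    "rtlwifi/c.bin": hashlib.sha256(b"not installed").hexdigest()}
        return audit_firmware(d, manifest)
```

Run `demo()` to see the four buckets; on a real system point `audit_firmware` at the firmware directory the driver reads from and build the manifest from a trusted source, not from the machine being checked.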
| [deleted]
___________________________________________________________________
(page generated 2021-07-05 23:00 UTC)