More Macintosh FUD

George Ou has an anonymously sourced scare article up, claiming that, “OMG, your Mac can be destroyed by evil gremlins living in your keyboard!”

Personally, I think this attack as described is ludicrous; here’s the reply I posted to Dave Farber’s IP list:

George Ou does not exactly have the sort of standing credibility on Mac issues which would allow him to get away with an anonymously-sourced attack. I can’t say that this attack is impossible, but here’s my initial take on the article referenced:

1) “The researcher explained that he goes by the name “K. Chen” because he feared harassment from staunch Apple fans who actually believe those Mac versus PC security commercials.” Ou’s implied ridicule of such people does not exactly support the contention that his views are unbiased — and I’d wager that 90% of said group gathered that impression long before the commercials were aired, mostly from first- and second-hand experience.

2) “I had Mr. Chen demonstrate his possessed keyboard on my computer.” This and other references in the article imply a firmware hack, which says nothing about the vector for getting the hacked firmware onto the keyboard. Yes, I’m willing to gather that there are many security flaws which can be exposed by someone who can arbitrarily connect hardware to your computer — but this would be considered a low-probability threat.

3) “To infect your keyboard, the attacker only needs to exploit one of the many weaknesses in Mac OS X and Apple applications.” I’m aware of no security flaws which would allow installing new keyboard firmware (that is, without already having root-level access to the Mac), and further, I’d love to see a list of the “many weaknesses” in OS X and Apple applications. (Does Apple publish many applications for OS 9? System 7?) There aren’t any issues I’m actively tracking for my clients that aren’t related to Flash and Java — and those have been patched.

4) “This type of attack which is resilient against a full hard drive wipe is considered the holy grail of computer hacking because the hardware has been infected.” The holy grail of computer hacking is a rootkit which the user is not aware of — infinite use of the targeted computer is better than one on which the user is actively trying countermeasures.

5) “The cleaner solution Mr. Chen is proposing is that Apple should simply lock the Keyboard firmware from any future modifications since the keyboard doesn’t implement any digital signature protection.” Which would likely kill the aftermarket for 3rd-party keyboards (and perhaps other USB devices), and would expose Apple to a great deal of user blowback that they were implementing an iPhone closed ecosystem on the Mac. If Mr. Chen’s analysis is as good as his hacking, I’m even less worried about this threat. If I had any idea who Mr. Chen was, I’d be able to confirm this myself.

In short — Ou is a known yahoo, and this strikes me as more FUD. I’ll believe this when I see confirmation from a respectable source.

One thought on “More Macintosh FUD”

  1. Your own apologist/attack post here pretty much goes to prove my point that there are many Apple fanboys who froth at the mouth whenever anyone points out any flaws with Apple. It’s quite strange, since most people are happy to see pressure put on their own vendor to do the right thing, but some of the more rabid Apple fans are more interested in attacking the messenger.

    As for exploiting OS X, it’s known in hacker circles to be the easiest platform to attack compared to Linux and Windows. http://blogs.zdnet.com/security/?p=2941

    Here’s a database of OS X security advisories. Note that many of these individual advisories contain dozens of critical flaws.
    http://secunia.com/advisories/search/?search=OS+X
