Defeating Hardware Keyloggers


Last week I saw a nice article on building hardware keyloggers and today I saw a response on how to defeat them.

As it goes, the article presents a decent solution: if the keyboard might be insecure, use the mouse and some free software to enter your password. Of course, this solution makes a shoulder-surfing attack far easier, and creates a new opportunity for hardware video interception. (Both of these attacks are, admittedly, not as cheap and subtle as hardware keylogging.)

The key to this problem is the word “insecure” in the last paragraph. Hardware keyloggers intercept plaintext communication. Except for a few security products, all computer peripherals communicate in unencrypted plaintext.

Perhaps USB3 (just guessing randomly at the Next Big Standard) could implement some kind of public-key cryptosystem. When you plug in a device you’d be given a prompt like “Does your Initech 104-key US-English Ubertype Keyboard have 5524 44F2 0CF6 3FB8 CB03 458C 6BA3 D6BF AF80 2CAA engraved on it somewhere?” (You’ve got to have it engraved by the manufacturer, otherwise you’ll be defeated by a ten-cent sticker. Even high-tech solutions have to exist in the real world.)

The technology for this already exists (though there are some hurdles to clear for peripherals plugged in after boot time), but the biggest problems are price and user education. It’s very unlikely that most users will ever be targets for this attack, so the cost of establishing a new standard for peripherals and buying hardware that meets it is unreasonable.

More important than this is that users won’t know what this is or why it matters. It would be worth the extra training in situations that require a high degree of security (banking, the military, etc.) but most users would never bother to check the PK fingerprint and would just click “Sure, I checked it” to get on with their work (leaving them open to man-in-the-middle attacks). After a decade or two the understanding would probably percolate to the user community at large. (Or we could switch to wireless peripherals — we’ve had enough war/spy movies that everyone understands radio is trivial to intercept.) Anyone see other significant flaws with this approach?

Of course, security is an arms race and the next attack is to perform the interception in the hardware itself, calling for transparent cases and tamper-evident seals. And so on, and so on…
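The scheme sketched above, as an added example that is not the post’s own code: a keyboard with a long-term Diffie-Hellman key whose fingerprint is engraved on it, a host that refuses to pair when the presented key’s fingerprint does not match the engraving, and keystroke reports encrypted under the derived session key. The HID report value, the key-derivation label and the HMAC-based keystream are constructed for illustration only; a shipping design would use an authenticated encryption mode.

```python
import hashlib, hmac, secrets

# RFC 3526 group 5: the 1536-bit MODP prime, generator 2 (standard DH parameters).
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF05"
    "98DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB"
    "9ED529077096966D670C354E4ABC9804F1746C08CA237327FFFFFFFFFFFFFFFF", 16)
G = 2

def keygen():
    # DH key pair; for the keyboard this is burned in at manufacture (assumption).
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)

def fingerprint(pub):
    # 160-bit fingerprint in the ten 4-hex-digit groups the post's prompt shows.
    digest = hashlib.sha256(pub.to_bytes(192, "big")).hexdigest().upper()
    return " ".join(digest[i:i + 4] for i in range(0, 40, 4))

def session_key(my_priv, their_pub):
    # Keystroke key derived from the DH shared secret; a passive tap never learns it.
    shared = pow(their_pub, my_priv, P).to_bytes(192, "big")
    return hashlib.sha256(b"keyboard-session" + shared).digest()

def enroll(host_priv, presented_pub, engraved_fp):
    # Host side of the prompt: refuse to pair on mismatch instead of offering an override.
    if fingerprint(presented_pub) != engraved_fp:
        return None
    return session_key(host_priv, presented_pub)

def xor_report(key, counter, report):
    # Illustrative encryption of one HID report: HMAC-SHA256 keystream under a
    # per-report counter (XOR is its own inverse). A real design would also MAC it.
    pad = hmac.new(key, counter.to_bytes(8, "big"), hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(report, pad))

def demo():
    kb_priv, kb_pub = keygen()
    engraved = fingerprint(kb_pub)          # what the manufacturer engraves
    host_priv, host_pub = keygen()
    honest = enroll(host_priv, kb_pub, engraved)
    ct = xor_report(session_key(kb_priv, host_pub), 1, b"\x04")  # constructed keycode
    roundtrip = xor_report(honest, 1, ct) == b"\x04"
    mitm_priv, mitm_pub = keygen()          # in-line device swapping in its own key
    rejected = enroll(host_priv, mitm_pub, engraved) is None
    return roundtrip, rejected
```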


  1. I like the idea of using mouse-based security prompts to defeat keyloggers, and I think there are definitely simple ways to account for the increased vulnerability to shoulder-surfing. I think you could address this problem with something as simple as a calculator-style interface using as few as six buttons. Just make your only characters M,N,W,V, /, and \. Lengthen your password to ten characters or so, and put the buttons/characters in a font that makes them even more difficult to distinguish.

    However, that’s not the most complete solution to the problem, especially if you’re worried about video surveillance. A better solution might just be a combination lock style interface. Put the characters you need on the dial, and randomize their order every time the prompt opens up. Also, set up the prompt to randomize the point at which the character is registered (i.e., not always at the top of the dial). Even with a simple 6 character password, I think this would be extremely difficult for a shoulder surfer to pick up without many passes (by which they should make themselves obvious, and which you could prevent by periodically prompting mandatory password resets).

    As a sort of final protection against video surveillance, you can shrink the actual characters down to point-whatever font (or make the dial’s size user-definable) and add radii to the characters on the dial to make manipulating it with the mouse a little bit easier.

    I know this is a bit simple, but I think it could work as a cheap countermeasure (and a cool-looking interface). I can draw it up if you have any questions.
