Defeating Hardware Keyloggers

Keyboards Last week I saw a nice article on building hardware keyloggers and today I saw a response on how to defeat them.

As it goes, the article presents a decent solution: if the keyboard might be insecure, use the mouse and some free software to enter your password. Of course, this solution makes a shoulder-surfing attack far easier, and creates a new opportunity for hardware video interception. (Both of these attacks are, admittedly, not as cheap and subtle as hardware keylogging.)

The key to this problem is the word “insecure” in the last paragraph. Hardware keyloggers intercept plaintext communication. Except for a few security products, all computer peripherals communicate in unencrypted plaintext.

Perhaps USB3 (just guessing randomly at the Next Big Standard) could implement some kind of public-key cryptosystem. When you plug in a device you’d be given a prompt like “Does your Initech 104-key US-English Ubertype Keyboard have 5524 44F2 0CF6 3FB8 CB03 458C 6BA3 D6BF AF80 2CAA engraved on it somewhere?” (You’ve got to have it engraved by the manufacturer, otherwise you’ll be defeated by a ten-cent sticker. Even high-tech solutions have to exist in the real world.)

The technology for this already exists (though there’s some hurdles to clear for peripherals plugged in after boot time), but the biggest problems are price and user education. It’s very unlikely that most users will ever be targets for this attack, so the cost of establishing a new standard for peripherals and buying hardware that meets it is unreasonable.

More important than this is that users won’t know what this is or why it matters. It would be worth the extra training in situations that require a high degree of security (banking, the military, etc.) but most users would never bother to check the PK fingerprint and would just click “Sure, I checked it” to get on with their work (leaving them open to man-in-the-middle attacks). After a decade or two the understanding would probably percolate to the user community at large. (Or we could switch to wireless peripherals -- we’ve had enough war/spy movies that everyone understands radio is trivial to intercept.) Anyone see other significant flaws with this approach?

Of course, security is an arms race and the next attack is to perform the interception in the hardware itself, calling for transparent cases and tamper-evident seals. And so on, and so on...