DeepSec 2010: Detection of Hardware Keyloggers

Thanks to the DeepSec organisation for making these videos available and letting me share the videos on YouTube.

Speaker: Fabian Mihailowitsch, Independent Researcher

Hardware keyloggers are tiny devices that are plugged in between a computer keyboard and a computer. They are available for PS/2 as well as USB keyboards. Once plugged in, they record all keystrokes and store them in internal memory. Current models have various megabytes of memory, store the recorded data encrypted, support timestamping of keyboard events, and some can even transfer the keystrokes wirelessly. However, the main focus of hardware keyloggers is to stay undetected. Most manufacturers advertise that their models cannot be detected by software and thus have an advantage over software-based keyloggers. It is not only the manufacturers who claim hardware keyloggers are undetectable; the common belief is also that they cannot be detected. However, that is not correct. Hardware keyloggers make slight changes to the interaction between the keyboard and the computer. These changes can be detected by software and used to determine whether a hardware keylogger is present. For example, some USB keyloggers change the USB signaling rate or act as a USB hub. These changes are quite obvious and can be detected easily. Detecting PS/2 keyloggers is more difficult, but it is possible. For example, whenever a PS/2 keylogger taps the wire actively (meaning the data is redirected via the microcontroller of the keylogger), this influences the transfer rate between the keyboard controller (KBC) on the motherboard and the microprocessor of the keyboard. By measuring this time delay, PS/2 hardware keyloggers can be detected too.

During the talk an introduction to hardware keyloggers will be given. This introduction covers their features, how they work, and gives a short market overview. Afterwards, various techniques to detect hardware keyloggers will be described. Some of them are theoretical, as they didn't work for the tested models. Others are practical and can be used in real-world scenarios. For each technique a detailed presentation will be given, explaining the basic idea, the necessary technical background and the results in practice. Finally, a proof-of-concept tool will be released that implements some of the techniques to detect PS/2 and USB hardware keyloggers.
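
The USB indicators named above (a hub appearing in front of the keyboard, a changed signaling rate) can be checked by comparing a keyboard's descriptor values with a known-good baseline. The following Python is an added example, not the speaker's proof-of-concept tool; the snapshot format, the function names and all sample values are constructed for illustration.

```python
# Added example: compare a keyboard's USB descriptors and topology with a
# known-good baseline. Snapshot format and all sample values are constructed.

HUB_CLASS = 0x09      # bDeviceClass value used by USB hubs
SELF_POWERED = 0x40   # bit 6 of bmAttributes in the configuration descriptor

# One device per line. devpath is the port chain below the root hub, so
# "2.1" means port 1 of a hub that itself sits on root port 2.
# mps0 = bMaxPacketSize0, speed in Mbit/s (1.5 low speed, 12 full speed).
BASELINE = """
devpath=2 class=00 mps0=8 speed=1.5 attrs=a0 role=keyboard
"""

# Constructed case 1: a hub now sits between the root port and the keyboard.
WITH_HUB = """
devpath=2 class=09 mps0=8 speed=12 attrs=e0 role=hub
devpath=2.1 class=00 mps0=8 speed=1.5 attrs=a0 role=keyboard
"""

# Constructed case 2: the "keyboard" now enumerates as a self-powered
# full-speed device with a 64-byte control endpoint.
WITH_PROXY = """
devpath=2 class=00 mps0=64 speed=12 attrs=c0 role=keyboard
"""


def parse_snapshot(text):
    """Return {devpath: fields} from 'key=value ...' lines."""
    nodes = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        f = dict(tok.split("=", 1) for tok in line.split())
        nodes[f["devpath"]] = {
            "class": int(f["class"], 16),
            "mps0": int(f["mps0"]),
            "speed": float(f["speed"]),
            "attrs": int(f["attrs"], 16),
            "role": f["role"],
        }
    return nodes


def find_keyboard(nodes):
    """Return (devpath, fields) of the device marked as the keyboard."""
    for path, node in nodes.items():
        if node["role"] == "keyboard":
            return path, node
    raise ValueError("no keyboard in snapshot")


def upstream_hubs(nodes, path):
    """List the hubs on the way from the root port down to `path`."""
    parts = path.split(".")
    chain = [".".join(parts[:i]) for i in range(1, len(parts))]
    return [p for p in chain if p in nodes and nodes[p]["class"] == HUB_CLASS]


def compare(baseline_text, current_text):
    """Return finding codes for differences between baseline and current."""
    base = parse_snapshot(baseline_text)
    cur = parse_snapshot(current_text)
    base_path, base_kbd = find_keyboard(base)
    cur_path, cur_kbd = find_keyboard(cur)
    findings = []

    # A hub that was not upstream of the keyboard before. A legitimately
    # added hub triggers this too, so the baseline must be retaken after
    # every known topology change.
    known = set(upstream_hubs(base, base_path))
    if any(h not in known for h in upstream_hubs(cur, cur_path)):
        findings.append("NEW_HUB_IN_PATH")

    # Low-speed keyboards use an 8-byte control endpoint; a jump to 64
    # means a different controller answered the enumeration.
    if cur_kbd["mps0"] != base_kbd["mps0"]:
        findings.append("MAX_PACKET_CHANGED")
    if cur_kbd["speed"] != base_kbd["speed"]:
        findings.append("SPEED_CHANGED")

    # Bus-powered versus self-powered flag in the configuration descriptor.
    if (cur_kbd["attrs"] ^ base_kbd["attrs"]) & SELF_POWERED:
        findings.append("POWER_SOURCE_CHANGED")
    return findings


if __name__ == "__main__":
    for name, snap in (("hub", WITH_HUB), ("proxy", WITH_PROXY)):
        print(name, compare(BASELINE, snap))
```
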

For more information visit: http://bit.ly/DeepSec_2010_information
To download the video visit: http://bit.ly/DeepSec_2010_videos
Closed Caption:

okay so let me welcome you to my
talk to them it's about detecting
hardware keyloggers
in software I'm LePage start with a
short
introduction of myself my name is
Fabian Mihailowitsch
I've worked as a form of software
developer of foreign
German energy combine and
am now working as IT security
consultant
for a German company called your psyche
in Bihar
during penetration test source code
reviews and
my contact details you can find on the
bottom of the slide
if you want to contact me after the
presentation so
today we are going to talk about
hardware-based keyloggers basically
PS/2 and USB based keyloggers
and in general people think hardware
keyloggers
cannot be detected in software and for
example you have to
nice quote on Wikipedia which is like
visual inspection is the
primary means of detecting hardware
keyloggers since there are no known
methods
of detecting them through software
however today
I'm going to show you how to actually
detect them
in software why have I done the whole
stuff basically because if you
Google and try to find information about
how you can detect them
you will find less information there has
been done less research on the whole
topic
and you won't find any yet practical
ways that
actually can be used to detect them so
box they are threats youth
this famous case in the year of 2005
which was in Great Britain with the
Sumitomo bank
where attackers some paper clean install
of
to install hardware keyloggers in the
banking
in order to get passwords and try to
use
you for 123 million US dollars and
maybe some of you guys also had
incidents in their company with hardware
keyloggers
I've heard of two companies yeah so
it is a threat I'm furthermore
you can't go to every client
in the company try to detect hardware
keyloggers by physical inspection if you
have
multiple hundreds of clients you just
need to have a software which you can
roll out
and try to detect in software so that
was basically
you why I'm let's start with a short
introduction of hardware keyloggers
basically they are available for USB
and PS/2
like I mentioned they are available as
keyboard module which you can solder
it's basically a chip which you can solder
into your keyboard or you can buy units
completely and just plug it in they are
available s many and
PCI cards which try to get keystrokes
yet a and stuff ants but basically
we will focus on USB and PS/2 based ones
they are placed between the keyboard and the
computer
and record every keystroke that's typed
on the keyboard
later on they have to be retrieved of
course and
there are different possibilities
like
some models provide software
which reads out the memory of the keylogger
for most of the models to actually
type
in the password on the keyboard and the
keylogger then
acts as a ghost keyboard and starts to
send the recorded keystrokes back to the
client
some models have
WiFi access and send emails or send
the keystrokes via bluetooth
so there are plenty of possibilities and
features of current keyloggers
are they are up to two gigabytes of
flash memory so you can log basically
plenty of data
am they provide encryption so the
keylogger gets lost nobody can recover
memory
unless he has the right password they
have time stamping functions for every
key press is assigned a timestamp
and you can create usage charts to see
when was the computer used
its search functions to locked 2/3
through the logs
you have models where you can upgrade
firmware
so its them yet quite complex
you have those devices have plenty of
functionalities
but they are quite cheap they start
with a pricing of 32
US dollars for PS/2 like 58 US
dollars for USB
so yeah quite cheap
am another interesting thing i guess is
who is on the market which companies are
there
actually you just have two companies
they are
key carbon from the US and key demon
which has various names that is
also
known as keelog which is
from Poland and those two companies
basically
yep have most models which can be bought
and the key demon models are quite
often rebranded for example if you
look at models like a cobra
and Q lama in most of the cases it's
just a rebranded key demon product
then you have to hold up but also famous
keyloggers which are out there in the wild
like a key capturer jeff Teague 0 shark
and then you have some other keyloggers
like X of the QRS from China
you have like two or three open source keyloggers
which you can find on the internet and
put together yourself
on yeah so that's basically
the market's on before I
starts to detect keyloggers I would like
to give you a short introduction of how
PS/2 works and how USB works am
let's start with US it with PS/2
I'm if you think PS/2 okay it's
it's not that interesting since
currently most people use USB okay
yeah but it's
it's still in the wild for example on
that computer it's a
two-month-old ThinkPad the internal
keyboard actually
connects as PS/2 keyboard so it is
still there and
I think it makes sense to have a look at
it too so
for PS/2 you basically have a
keyboard which is a wire matrix
and once you press a key
the circuit is closed the microcontroller
which is
inside the keyboard registers the key press
and sends the specific scan code
to the keyboard at UT computer once you
press the key
sends a make code once you release the key
sends a break code
which basically the same like the make
code but just for Speed
switch on the PC hand side you have a
keyboard controller that actually
receives
all the keystrokes and stuff and can be
accessed via the port 60
in order to retrieve the data and port
64 which is basically the status port
the obvious communication of course is
the keyboard sends scan codes to the
KBC
sure and not that of just actually yes
there are plenty of other
communication channels for example the
computer yet a KBC can set the repeat
rate of the keyboard
it can tell the keyboard to do a reset
or perform self test
it can basically ping the keyboard
which you can see
here you sent the to the keyboard
and a response with the it's basically
like a ping
and yeah plenty of other functions
the PS/2 interface I'll just go
quick over it
I guess most of you know the port have
seen that one
interesting basically just two pins
the data pin and the clock
pin which are used to transfer data
the clock is defined by the
keyboard
which can be between 30 and 50 nom seconds
the data that are actually transferred
via PS/2 are
transferred in 11 bit frames from
the keyboard side to a PC
it's like a start bit followed by the
8
bits of data which actually are the
byte that's
transferred which is then a parity
bit and a stop bit
for KBC side it's just basically the same
but with
an additional acknowledge bit sent by the
keyboard
here you can see how it looks like on
the wire basically you have the clock
and you basically have the data which
are transferred right so it's quite
simple for PS/2
okay the first thing when I tried to
detect them I came up with this
current measurement you plug in
additional hardware
so you have additional electronic components
which
consume power and you basically can
measure it
if you Joe on the line physically you
can measure key demon consumes like 65
milliamperes key capturer 54 on
so you can detect more current is drawn
but sadly you can't measure it
in software since the motherboard just
doesn't provide any sensor or such
stuff to
actually measure it so the next idea
I came up with is like I said
keyloggers are password-protected and
typically
you plug them in you type the password
on your keyboard
they unlock act as ghost keyboard and
some fake keystrokes
or the recorded keystrokes and I think
about the fact is most keyloggers
are shipped with default passwords which
probably
won't be changed some vendors even
recommend not to change them
because the problem is once you forget
password you can simply receptor
just send the hardware back to the
vendor and he will
reset that for you so there's quite a
good chance
people won't change the default password
so my idea was to perform a brute
force attack of that password
in software and check on the PC hand
side
whether I can recognize ghost typing
problem I came up here is the tested
hardware keyloggers
I had didn't tap the data line passively
instead
they were placed inline I tried to
visualize it in that picture
you can see the keyboard and PC which
have the data and the clock line
and the hardware keylogger which is placed in
line really
is placed in line it doesn't intercept it
passively anyway but
it's in line so the hardware keylogger
actually knows how the data flows it
can recognize whether
keystrokes are sent from the PC hand side
or the keyboard side
and so you can't simply inject
fake keystrokes you to KBC
but the cool thing about that stuff
first
during my tests I found out that
certain keyboard commands sent
to the keyboard actually lead to fake
key presses
which probably is because of the
response of the keyboard
is interpreted as keypress so
you can send certain keyboard commands
from the KBC to the keyboard
and you can provoke fake keystrokes
which are recorded
by the keylogger so what you can do now
is you can create a translation table
which
command leads to which keypress and then
you can try to perform a brute force
attack
yet software and its it that's work
the problem about the practical use of
that is
you only have a limited amount of chars
you just have like 10 chars
and so that way you can brute force all
passwords
and it just works for stop models
however
since it does look quite nice at least
them
I want to show you a short demo
on what I'm going to show you is
basically I wrote a small program
that tries to brute force password of
the warts just hope its nominal
and if the keylogger would be unlocked it
would send its fake keystrokes
non so if we have no keylogger present we
won't see anything
so you can see no keylogger present
quite Larry would stop brute force
program Momo
nothing happens tour why should so if
the keylogger
is present that you can see it's
black box here
if it is present and now
we stop brute force program 90
you can see it it actually was unlocked
right now and send its fake keystrokes
you were
nano so just quite nice to show
although it's not that practical
okay the next idea I had was maybe
there are changes on the data line since the
hardware keylogger is actually placed
in line it might change signaling on the line
which would result in a different
data set them
which can be which is or retrieved on
the
KBC side maybe there are some own clock
since it gets the data
and a possible on and the clock is
defined by the keyboard and can be
between thirty and fifty not seconds
maybe just
thats own transmission with another
clock
maybe data and the clock signals
dislocated in some way
or any other stuff you actually can see
so what I did is I took a
logic analyzer and
I tried to tap the signals directly at the
keyboard so
once the keyboard sends the signal I get
them and
I tried to tap the signal after the keylogger
so I can see
how the data looks when the keyboard
sends it and how it actually looks like
after it has passed the keylogger and
you get a
nice graph like this you can see
the keylogger which is basically the clock
and the data
you can see the keyboard state o'clock
and
you can see anything about should take a
closer look at them to try to zoom in
analyze it in more detail you can see
when the clock in that example is pulled
to low
you can see the keyboard pulls the clock
to low and the keylogger does the same
but with a slight delay right here
once it's pulled back to high the
clock
that sample it is at the same time
so what we can see out of this actually
is
the clock cycles are shorter
once the keylogger is present
which like I mentioned it's probably
because the hardware keylogger
just sends the data again it's just using
his own clock signal and stuff
and you can detect it on the wire I just
showed you it
and problem is you can't detect it via
software
and the keyboard controller that's
actually used has the possibility to
check
the clock state but it isn't accurate
enough
during a transfer your comp of that
accurate
how the current clock state is to
determine that clock cycles are shorter
so you can't again do that measurement
in
software but another cool thing we
actually saw was
the clock signal started later when the
clock was pulled low
and like you already can imagine it's
basically
if you say I want to detect hardware
keyloggers every guy says at first
hey and do try to do it with timing
and so
we saw there is a delay and yeah maybe
try the
timing approach so since the hardware
keyloggers like I said are placed in line
the microprocessor has to get the signal
has to
process the signal write it to its memory
he has to
write it back send it to the line and this
additional logic to actually some truths
increase
the signal propagation time am
in that example I have a data transfer
basically it starts and
yeah you can see there's at this
location we had in the previous graph too
but one of the whole transfer is and its
you can see right here there is some
small delay
you have the keyboard
16 stop sending and the keylogger 16
stop sending and just
the small delay so
what you actually can try to do now is
to
perform time measurements in order to
determine whether
additional hardware aka the hardware
keylogger is placed
in line between the keyboard and the KBC
so
the idea I had is we have various
keyboard commands like I mentioned
earlier
am which we can use as kind of a ping
like you know from
TCP IP networks so I just wrote small
assembler code which sends the
identify keyboard command which is actually f2
to port 60 which is the output port of
KBC
and that kind of stuff is just checking
whether we can write
and then I go into a loop and
wait until I get the response of the
keyboard for
f2 which is actually fa
the whole stuff here I'm doing in a loop
like
10,000 times and so I basically send
the command
wait for a response send the command
wait for a response and do it various
times
so I can measure how much time it takes
if a keylogger is present
and if no keylogger is present
problem about that had many problems
and is that actually the delay
introduced by the hardware keylogger is
very very small that means running the
code from user land that won't work at all
running the code from kernel land or
stuff won't work as well because you
have like scheduler and interrupts
and you don't get an exact measurement
it just doesn't work
that means you have to run your code
completely exclusive
to get the most accurate measurements
you can get out of it
so what I did is
I wrote a small loadable kernel module
for Linux and tried to get the CPU
exclusively therefore I disabled kernel
preemption
I disabled interrupts for the processor
I got the big kernel lock
and all kinds of stuff just to get the
CPU exclusively and
then ran my assembler checking code I
showed you on the previous slide
am once the code's
running I have to measure the time
it takes to run actually and since we
disabled interrupts we don't get
ek retirement stuff anymore so what I
basically did is I just read out the
processor's
time stamp counter which is RDTSC
register which is increased every clock
cycle
and we just can count the number of
clock cycles
it takes to run our code if you want to we
can calculate
based in our city number of clock
cycles back again the time
it takes to run the code but we don't
need it either we can just work with the
clock cycles and weights
can't get more accurate so yet just use
that one
afterwards after my measurements I
write the result to the kernel message
buffer so I can retrieve it from user
land
and just restore everything and you're
fine
and that's actually the results
you can see in the setup the keyboard
am
three PS/2 based keyloggers key
ghost
Catimini catch Magnum at the number of
clock cycles it actually took to
run the code on my CPU and what you can
see right now is that for
keyboard it takes 3381 and once the
these are present you can see this
increased 3385 3386
and it actually takes more clock cycles
to run the code
it's reproducible I mean it's not just
one test left on
up in various tests and it works
reliable on
my system so we actually
can detect PS/2 based hardware keyloggers
which are placed
in line using a time measurement with
the code I wrote
am at first we basically went to a
measurement without a
hardware keylogger then we which define
a baseline in example we could use 3382 as
baseline then we can run the code
again
like yet checks for an AV software and
once it is above the value we can say
okay there some stuff was plugged in
line here and yep
detected
once it is detected we maybe even would
like to
defeat hardware keyloggers so
the idea when if you think keylogger
my first idea was
just fill the keylogger memory as I
said the keylogger
logs all stuff to memory so if you
fill up the memory
something will happen and what actually
happens depends on the model
some models just stop logging once
memory is full
other models start to overwrite the memory
at the
beginning and yeah anyway
it doesn't work anymore it overwrites
the keystrokes or
it doesn't log it at all so yep and as I said
during the brute forcing I showed you
the video we had
commands interpreted as keystrokes
so
what we can do is we can use those
commands
not to brute force the password but just
inject keystrokes which the keylogger
once it does not rec must pass for will
just try to use memory
and I did so and tried out and
I managed to write 100 logged keys in 10
seconds which means like 10 keys per
second
am if you take the PS/2 models that
are on the market
like the ones I had had like 64k
bytes of memory
and if you calculate how much time it
needs you come to 109 minutes
it takes to fill the complete memory
and I thought okay that's
too long you have to find another
solution and I tried to look at the
keyboard
commands there's a command which is called
the resend command
with which actually the KBC can tell the
keyboard to respond with the last sent
byte but that didn't work either it's
even longer
I just managed to write four keys in 10
seconds
so yeah timber am
so the question is it practical no
it isn't I mean it it works and the cool
thing is
most PS/2 based models since they aren't
developed anymore
that hot like the USB based ones they
don't have up to like two gigabytes of
memory
most PS/2 based models have a few K
bytes so
you can fill them within one hour it
works but who
wants to wait one hour before he
actually starts to use the computer
and that's the reason why this is just not
practical
but it would be even cooler if we
could stop the keylogger from
reading our keystrokes instead of just
overwriting its memory
and we can do that too
like I said once you press a key on your
keyboard the keyboard
generates a scan code which is sent to
the PC and
it's a make code break code and
all those scan codes are defined in a
so-called scan code set
the cool thing about that is the scan
code set can be set by the KBC
and you have the command
f0 to set the scan code set and just three
scan code sets
which are available basically 1 2 3 we
normally use scan code set 2
and the cool thing about this is all the
hardware keyloggers
I had just understood scan code set 2
and 3
so if you switch to scan code set 1 the
keylogger
doesn't see what's going on and won't
log any stuff actually
so it's blind it doesn't see what's
happening
and yes so the idea is just to tell
the KBC
to set the keyboard to scan code set
one
and we're fine however am our
operating system
doesn't see anything either we have to
define a new mapping of scan code to key
codes
but for Linux we can do this
with tools like
H def haal set key code so it's it's no
problem at all
okay that's it for PS/2 now
let's
see what's with USB based keyloggers
like for PS/2 I would start with
them
maybe annoying but I think it's
necessary
introduction of how USB actually
works in order to see how we can
detect USB keyloggers
I'm for USB you have like a host
controller
you have hubs which are plugged to that host
controller
down to the hubs you have certain
devices and so you create a tree
structure
each device has various endpoints
in return an endpoint is basically just
like a
buffer you can imagine it as input buffer or
output buffer
and that's basically just what an endpoint
is and each device has
endpoint 0 which is used to set and to
get the device configuration just
configure it
interesting for us are especially
low-speed devices since
keyboards USB keyboards are
normally USB low-speed
devices there you have the endpoint 0 to
configure it
and you have Flycam two endpoints with
8
bytes am another interesting thing is
only host controller manages the
communication with the device
the device doesn't send any data the
host controller polls the data
now you might say okay for a keyboard
but once I press a key
it must be recognized by the operating
system right now
am that's done in the device
configuration once the keyboard is
plugged in and exchanges its device
configuration it has to be fine of
wants to be polled so no keystrokes are
missed
and the data transferred for USB are
transferred as
packets in four different transfer types
interesting for us are only interrupt
and control transfer you basically have
isochronous transfer and bulk
transfer too but we'll just skip them
interrupt transfer is used once a
key is pressed
and is sent to the system and they
are used for a small amount of data and
it is retransmission supported by USB
once a packet's lost or anything
happened
it retransmits three times and then
you have like the control transfer
which is used to set or get the
device configuration
and the cool thing about it we will see
later is it's acknowledged in both
directions
okay am for USB furthermore you have
different device classes
which is the reason you actually can
plug in a USB stick or keyboard and it
will just work out of the box
and relevant for us is the human interface
device class
and that class actually defines how the
keyboard communicates with the computer
and we basically have the following
communication
the keyboard can send 8 byte input
reports
input reports to the client to the computer
am they are sent in interrupt transfers
polled
by the host for sure like I said and it
looks like that it's just eight bytes
it's modifier keys OEM use and 6
bytes for key code
I'm six key code bytes actually are
also the reason why you only can press
6 keystrokes on a USB keyboard
simultaneously because the packet just
takes like six keys
and that's it there's no make code no
break code once a key is pressed
it is in that packet once it is
unpressed
the entry is just zeroed
the PC to the keyboard in return can
send one byte
output reports they are sent as
control transfers
and are basically just used to
set the LEDs of the keyboard
they don't have any other use and the
packet looks like this one byte 8 bit
you can see one platform on your caps
lock
and so on you don't have any additional
24 commands like we have for PS/2
the transfer is handled use 73
transmission stuff isn't necessary here
and the typematic rate and stuff isn't
configured on the keyboard
microcontroller either but all the logic
is implemented on the client side in the
operating system
so basically I had some similar ideas
like I had for PS/2 when it comes to
USB
I thought if you look at the device
manager at that school you actually can
see how much current
a device draws so maybe we can detect
keyloggers but problem is
the device manager doesn't show how much
current is really drawn
just shows the value the device sent
during its configuration
in its control transfer once it is
configured it says how much
current it wants to consume and that's
the value displayed in Device Manager
you don't have any sensor or such stuff on
your motherboard
either to measure of how much current is
drawn
by USB so forget it you can't do it with
current measurement for USB too it
doesn't work with current operator
so the next thing I stumbled across is
for the keylogger key carbon there's
actually a software
used to read out the keystrokes and the
cool thing is once there is a software to
retrieve the keystrokes
maybe I can use the same technique the
software does to get a
and stop detected so what I did
I got a software-based USB protocol
analyzer and analyzed
what or how exactly the software
communicates with the keylogger
and yep that's actually a dump from it a
small one
you can see the control transfers
the PC can send the one byte control
transfers are used to communicate with the
keyboard
that's also the reason all the LEDs
blink while you run the software
on your keyboard and yep you can see
how it's used if you
look deeper into it and analyze the
output reports used you can determine
there is a fixed header
book here we are there's a fixed header
then we have to keep password of the
hardware keylogger sent
and then we have like a footer for the
password
tests and that communication every
possible char
is encoded with four control
transfers which actually means four
bytes that are transferred so what you
can do you have the
header you have the footer and you just
can create a lookup table for the
password chars
and you can try to brute force the
model via software basically
and yep it works but it just works for a
key carbon model since it's the only
vendor I found that actually provides a
software to read out the keystrokes
yeah Sat the neck
thing it is more of just yet can can can
we do to questions that the app
okay did
nope nope yet that that would be cool
if it would respond if the password is
wrong but that just doesn't normally the
software
sends its password and if nothing
happens
just the same stuff again and again and
again because maybe doctor might be lost
keylogger doesn't respond at all sadly
yet it would be cool
for will be that way then we could
detect it very
yep the next thing am which is more of
just
are changes in USB properties and
topology that's like it looks for my
notebook we can see
root hub with pork swap 42 and port 2
the keyboard is plugged in now if we plug
in a keylogger
it looks like that to see it
the key carbon
what actually happens on port 2 it just
places
a USB hub with 4 ports on that port
and plugs in my keyboard to that port one
so just introduced a new hub
yeah okay potsdam that's no problem
yeah the vet assessed whites the device
undetectable in practice by software
the device shows up in Windows Device
Manager as a generic USB hub
this generic USB hub has no ID strings
and is indistinguishable from the
generic USB hub
found in ninety percent of all USB
hubs I mean at first that's
that's pretty cool that you say we are
undetectable
okay we introduce a hub but we are still
undetectable because it looks like all
types
I mean should don't plug it might help
to your keyboard your
probably get suspicious at that time
already but anyway
the statement is incorrect either
because if you take a closer look at the
device descriptor
you actually can find the vendor id and
the product id
vendor id Texas Instruments product id
that one
and guess what if you open the hardware
and look at the chipset inside there
you will find the USB hub controller
that's used is a Texas Instruments
TUSB2046B
okay so if a new hub comes
up in your keyboard topology and it has
debt that's host controller probably I
we'll take a closer look at it
the next thing am is the key ghost
model it changes device properties like
if you only plug in your keyboard I
have a packet size
of eight bytes which is like a low-speed
USB device
however if I plug in key ghost my device
properties suddenly change
to a packet size 64 bytes which
represents a full speed device
furthermore the device that has changed
only my keyboard just like him
it's bus powered which is correct because
it is am
if I plug in the key ghost it suddenly
says self-powered quite
quite interesting for a keyboard but
okay I will give you more details
on this later on why it actually looks
like
that the next idea
similarly to PS/2 you can see
the similarities
is time measurement since the hardware
keylogger's placed
in line you can see it here too the cube
or stop the transfer
keyboard stops a transfer and defeat
this location at the Q over so you can
yep
basically the idea's the same like for
PS/2
to measure it and the only problem is
before we had various KBC commands we
could use for USB
we don't have such commands the cool
thing is like I said
215 output report the computer sends to the
keyboard
sent as control transfer and control
transfers
are acknowledged in both directions so
that means we can send data
technology which basically is like a
ping again
which we can use and so we can apply the
PS/2 techniques to USB as well
and the implementation that's basically
look like that
send output report to keyboard wait
until it's acknowledged
do that various times like we did for
PS/2 and
just measure the runtime of it and we
are fine
the cool thing about that is you don't
even have to go to kernel land because I
thought
timing differences are bigger and you
can do it from userland
using the PSP these are my results for
that you can see the keyboard and the
amount of milliseconds it takes
to do so and with the keyloggers in
place
so you can see there's that slight
yep amount of time to it it takes just
more time
so we can detect USB based hardware
keyloggers using time measurement too basically
we have to create a baseline
and then we have to consider whether we
plugged in hubs and stuff because if you
would
introduce hubs in our topology later
on the time would increase too
and we would have false positives and
yeah
then we can measure again a certain
moment and detect it
Another cool thing I came across is different keyboard behavior.
For the KeyGhost, if I do the following: I do an interrupt read on USB and I get that data.
Then I send a USB reset to that device, and of course if I do the interrupt read again, all the stuff is zero; the device has been reset.
If the KeyGhost hardware keylogger is present: I do an interrupt read, I get the data there, then I do a USB reset, I do the interrupt read again, and I get the same data, which is quite strange because the state should be zero right now.
So what I did: again I looked on the wire. You have to note that during a USB reset both data lines, D+ and D-, are pulled to zero for a certain amount of time.
And you can see: before the keylogger they're pulled to zero, and after the keylogger there's nothing.
So basically the device just doesn't pass the USB reset to the keyboard. The keyboard never received the USB reset, and that's the reason it doesn't behave like I think it should behave.
And if you take a close look at the hardware again, you can see that a USB single-chip host and device controller is used, which is the ISP1161A1BD.
It basically acts as a device for the PC, and it acts as a host controller for the keyboard.
Now you might imagine why the device configuration changed, like I told you on the slides before.
The reason is just that it acts as its own device, and it is a full-speed device, and it is self-powered and not bus-powered.
So that's the reason for the whole behavior.
And the stuff with the USB reset I just showed you, you can detect that in software too: just use libusb, do an interrupt read, send a USB reset, do the interrupt read again, and you can detect it.
Furthermore, you can use time measurement for that too, because since this host and device controller is used, and it is a full-speed device and doesn't pass the USB reset to the keyboard, you can reset it, and the amount of time it takes until you can access it again is less than it is for the keyboard.
So doing a USB reset and enumerating the device again is faster when the keylogger is present. So, yeah,
my conclusion about the whole stuff is this: for PS/2, all models I got into my hands were placed inline somehow.
You could detect them using time measurement as a general technique to detect all the models.
The cool thing is you can even defeat them by switching to scan code set one; it worked for all the models I got into my hands.
For USB it's a little bit different.
I would say most of the models you can detect by changes in USB behavior like we've seen: additional hubs, or changes to the device configuration, no pass-through of the USB reset, that kind of stuff.
But you also have more individual bugs, since those devices are more modern and have more logic, more functionality.
So you can also start to look for individual bugs, like we've seen with the software to read out keystrokes.
I'm currently on that topic; probably more research is to come.
What you can say as a complete conclusion: all keyloggers I got into my hands could be detected, either by generic bugs or by individual bugs, once you combine them.
For example, I showed you for the KeyGhost USB keylogger, you have like three techniques to detect it, and if you combine them you can create like a pattern and ensure it really is present and it's not a false positive.
And maybe you can even say which model is present.
If you want to try out all the stuff: I always say I will release the code, though I didn't yet.
I hope I will find time in the next weeks.
The project at Google Code is already registered, and I think maybe I'll upload it within the next week.
So that's it. Thank you for your interest, and if you have any further questions, feel free to ask.
I guess we have one right here.
You had the statistics about the timings for the response of keystrokes. How stable are they across different keyboards, or in laptops, let's say it is a Dell? How stable are these numbers?
Yep, that's a good question. The problem is, like I said, I implemented it for my computer and for my system.
It basically depends on a number of clock cycles and some stuff on the CPU, on the keyboard controller you have on your mainboard, and on the microcontroller within the keyboard.
So basically the CPU you could eliminate, by measuring the time depending on the CPU speed.
So you have two factors, the keyboard controller and the microcontroller within the keyboard. For those two you always would have to define a certain timing for this combination.
So basically, yes, you have to take a measurement for your clean system and define a baseline. Once you use another keyboard, or another motherboard with another KBC, it won't work.
Yes, we have one question.
ones know first
questions and ship had been will yep
So, to continue on this: this means you really have to have fingerprints of different keyboards. So what you have done in this direction is only for your privately owned keyboard?
Right, right, it's only for my keyboard. You would have to define like a database for each combination and stuff.
And the problem is, for PS/2 you can't detect which keyboard is present. For USB you have the vendor ID and device ID, but for PS/2 you can't determine which keyboard is present, so you would have to define manually "that's my keyboard" in order to get the correct timing.
Yeah, sadly it's like that. It's just a proof of concept for my system.
Were you seeing differences between different keyboards that have the same make?
No, no, I actually had various Cherry keyboards when playing around, and it worked with them as well; they have the same timing. Once you have the same brand and stuff, there were no problems.
As we're running out of time: I'm sure Fabian will be around for the rest.
Thanks a ton again.

Video Length: 44:31
Uploaded By: Christiaan008
View Count: 3,610
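
The baseline-and-combine approach the speaker describes for USB keyloggers, as an added example that is not part of the talk or of the speaker's tool: it compares a keyboard snapshot with a clean baseline and skips the timing check when the hub topology changed, the false-positive case mentioned in the talk. The snapshot field layout, sample values and thresholds are assumptions constructed for illustration; collecting the values (for example with libusb) is left out.

```python
from statistics import median, pstdev

SELF_POWERED = 0x40  # bit 6 of bmAttributes in the USB configuration descriptor

# Constructed snapshots (hypothetical field layout); rtt_ms holds repeated
# output-report round-trip times in milliseconds.
BASELINE = {"hub_depth": 0, "bMaxPacketSize0": 8, "bmAttributes": 0xA0,
            "same_data_after_reset": False, "rtt_ms": [1.9, 2.0, 2.1, 2.0, 2.0]}
INLINE_DEVICE = {"hub_depth": 0, "bMaxPacketSize0": 64, "bmAttributes": 0xE0,
                 "same_data_after_reset": True, "rtt_ms": [2.9, 3.0, 3.1, 3.0, 3.0]}
HUB_ADDED = dict(BASELINE, hub_depth=1, rtt_ms=[2.6, 2.7, 2.6, 2.8, 2.7])


def indicators(baseline, current, sigmas=3.0):
    """Return the list of deviations of `current` from the clean `baseline`."""
    found = []
    if current["hub_depth"] > baseline["hub_depth"]:
        found.append("additional hub in front of the keyboard")
    if current["bMaxPacketSize0"] != baseline["bMaxPacketSize0"]:
        found.append("control packet size changed %d -> %d"
                     % (baseline["bMaxPacketSize0"], current["bMaxPacketSize0"]))
    if (current["bmAttributes"] & SELF_POWERED) and not (baseline["bmAttributes"] & SELF_POWERED):
        found.append("keyboard now reports self-powered")
    if current["same_data_after_reset"] and not baseline["same_data_after_reset"]:
        found.append("USB reset does not reach the keyboard")
    # Timing is only comparable while the topology is unchanged: a hub that was
    # added on purpose also raises the round-trip time, so re-baseline instead.
    if current["hub_depth"] == baseline["hub_depth"]:
        limit = median(baseline["rtt_ms"]) + sigmas * pstdev(baseline["rtt_ms"])
        if median(current["rtt_ms"]) > limit:
            found.append("output report round trip slower than baseline")
    return found


def verdict(found, needed=2):
    """Several independent indicators form a pattern; a single one needs review."""
    if len(found) >= needed:
        return "suspect"
    return "review" if found else "clean"


if __name__ == "__main__":
    for name, snap in (("baseline", BASELINE), ("inline", INLINE_DEVICE), ("hub", HUB_ADDED)):
        hits = indicators(BASELINE, snap)
        print(name, verdict(hits), hits)
```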

Copyright © 2025, Ivertech. All rights reserved.