Sunday, November 6, 2011

New Tools for Hacking: Hardware Keylogger

There are a lot of software keyloggers available, and I have even done some work on one. This article, however, is on hardware keyloggers, specifically those that work with USB keyboards. While the PS/2 keyboard may still be more popular, it seems to me that it's on its way out, so I thought covering USB keyloggers would be more useful. If I ever get the hardware and time, I may cover PS/2 loggers as well.

I used to say that the easiest way to break in to an organization was through submitting an outstanding CV. Nowadays I’d be inclined to say it's giving away free USB memory sticks to a targeted organization’s staff as they are about to begin their working day. With USB sticks containing a stealthily disguised keylogger, you’re practically guaranteed that someone will plug it in…
Of all the nefarious techniques that can be used to gain access to a host’s data, the keylogger continues to be a perennial favorite. Whether it’s deployed in hardware or software form, for as long as people rely upon password-protected authentication processes, the keylogger will continue to be a reliable hacking tool.

   Over the years, I’ve personally only had cause to make use of hardware keyloggers a handful of times – mainly due to the fact that very few penetration tests have required surreptitious social engineering techniques, and those that did had objectives focused upon gaining entry to a specific hosting environment (rather than a user account).
Software-based keyloggers – particularly those associated with spyware and banking Trojans – have hogged the limelight for quite some time.
That said, hardware keyloggers seem to be an oft-forgotten aspect of hacking (for fun and profit). Consequently, whenever I publicly present on hacking trends and include state-of-the-art hardware keyloggers, there are always a lot of startled faces and expressions of “you’re kidding, it’s that easy?”

Why use a hardware keylogger?

      With so many software keyloggers, spyware and malware out there offering the ability to silently install and operate stealthily, why would anyone opt for a hardware keylogger?  Lots of reasons - depending on who you are, and what you’re trying to achieve.
It is certainly true that hardware keyloggers are undetectable by any existing anti-virus solution or software-based malware detection, and that they are operating system and language independent. The main reason an attacker will opt for a hardware keylogger, though, is that it may be substantially easier to plug one in than to install a piece of software.
To install a hardware keylogger you just need to have physical access to the host for a few seconds and it doesn’t involve any technical skills.

Consider two scenarios, the office receptionist’s computer and the cash registers used by major retailers.

As you walk into almost any commercial office, you’ll typically be confronted with the receptionist. He’ll have a PC which he uses to keep track of visitors, manage door access keycards, respond to email and interact with other internal systems – with the monitor turned away from visitors. It only takes a couple of seconds for the attacker to reach down behind the screen, pull out the keyboard cable, insert the keylogger, and plug the keyboard back in while the receptionist is temporarily distracted in a conversation.
Meanwhile, at a store - since just about all modern cash registers are based around a standard desktop PC configuration - the attacker can insert cheap keyloggers into any cash registers not currently in use, thereafter capturing login credentials, customer address details and manually keyed credit card details whenever that register gets used.
To retrieve the captured data the attacker merely returns to the premises when convenient, unplugs the keylogger(s) and exits the building.
To top it all off, how many people check the back of their PCs for extra cables or dongles each time they sit down to use them? How many people even know what a keylogger looks like?

Uses/Target Audience

Hardware keyloggers fill a few niches:
1. Writers: Users can install them on their own systems as a backup for the work they've typed. My personal feeling is this is not the most practical use. Maybe if you type in long continuous strings and rarely copy and paste or backspace over mistakes it would work well for you. Because of the way I work on my articles I doubt it would be very useful to me since my writing style is hardly linear. I go back over the same article many times making little changes here and there, making the key log rather unreadable. However, if you are a better typist than I, and your thought processes more coherent, this form of backup may work for you.
2. Businesses: Some companies may use keyloggers for monitoring employees for misconduct. Given the high price tag of many hardware keyloggers, this is probably the major market for them. In my opinion large companies might be better off rolling out a custom software keylogger via a GPO, since it can give much greater detail about when and in what application the keystrokes were made. Only the highest-end hardware keyloggers support time/date stamping, and even then they can't tell you in what application or context the typing was done. If you were doing a serious investigation into misconduct, time/date stamping would be a must. The keylogger I'll be reviewing in this article does not have these time/date stamping features, but the same vendor does sell higher-end models that do.
3. Parents: Some parents may choose to use a hardware keylogger to monitor their kids. My thoughts on the subject are that parents would be better served by using filtering software, since the kid does not have to be very bright to just physically remove a hardware keylogger if they know it's installed.
4. Pen-testers/Crackers/Spies: If an attacker is trying to get someone else's password or proprietary information, hardware keyloggers can come in quite handy. The high price tag and the difficulty of gaining physical access to the monitored machines may limit this use to internal corporate spies and well-financed tiger teams, but it's still a valid use.

Now that you're aware of why someone might want to use a hardware keylogger, I'll cover some of their pros and cons. Since I'm a negative sort of person, I'll cover the downside of hardware vs. software keyloggers first:

1. There's no chance of emailing or grabbing the keystroke logs from over a network; the device has to be physically recovered to obtain the logs. Having to have physical access can be a serious obstacle to installing and retrieving the keylogger.
2. The hardware keylogger gives little to no information on what app was active when the keystrokes happened. Without knowing the context of the keystrokes it's much harder to tell if a string of characters is from a document, an IM session or a password.
3. Hardware keyloggers are rather expensive. One of the cheaper USB models I've found was $79.99; the one I'm reviewing from KeyCarbon is $189 - and it's not even the higher-end model.
4. If found, external hardware keyloggers are much easier to remove than software keyloggers. You just pluck them off the keyboard's cord. Removing software keyloggers depends on the user's privilege level, or how knowledgeable they are about how to gain a higher privilege level. ☺
Now for the positives:
1. Most software keyloggers are detected by anti-malware apps. Depending on which software package is used, the anti-virus system will likely detect the keylogger and remove it, or at the very least report it to the user. Hardware keyloggers, on the other hand, are very hard to detect without physical inspection. That's not to say it's impossible, and I'll write more on that subject a little later in this article.
2. Hardware keystroke loggers can capture keystrokes from before the OS is even loaded (hello, BIOS password), or from around software that limits which processes can access the keystrokes (like the Windows GINA logon after the old three-finger salute of Ctrl-Alt-Del).
3. Hardware keyloggers can support logging of almost any OS, as long as the keyboard is a fairly standard USB HID (Human Interface Device). Windows, Linux, Mac OS X - it makes little difference to a hardware keylogger.

Hardware Keylogger Types

Regular hardware keyloggers - keystroke logging by means of a hardware circuit attached somewhere between the computer keyboard and the computer. It logs all keyboard activity to its internal memory, which can be accessed by typing in a series of pre-defined characters. A hardware keylogger has an advantage over a software solution: because it is not dependent on the computer's operating system, it will not interfere with any program running on the target machine and hence cannot be detected by any software. They are typically designed to have an innocuous appearance that blends in with the rest of the cabling or hardware, such as appearing to be an EMC balun. They can also be installed inside a keyboard itself (as a circuit attachment or modification), or the keyboard could be manufactured with this "feature". They are designed to work with legacy PS/2 keyboards or, more recently, with USB keyboards. Some variants, known as wireless hardware keyloggers, can be controlled and monitored remotely by means of a wireless communication standard.

Wireless keylogger sniffers - collect packets of data being transferred between a wireless keyboard and its receiver and then attempt to crack the encryption key used to secure the wireless communications between the two devices.

Firmware - A computer's BIOS, which is typically responsible for handling keyboard events, can be reprogrammed so that it records keystrokes as it processes them.

Keyboard overlays - a bogus keypad is placed over the real one so that any keys pressed are registered by both the eavesdropping device as well as the legitimate one that the customer is using.

How much does a keylogger cost?
      Typing “hardware keylogger” in to Google will yield several hundred thousand results, and dozens upon dozens of keylogger manufacturers and resellers. The prices and specifications of the keyloggers vary widely, and it can quickly become quite confusing.
Hardware keyloggers are typically priced on four factors:
  1. The type of keylogger. PS2 barrel connectors are the cheapest, while a complete keyboard with an embedded keylogger is the most expensive.  Typically, USB-based keyloggers are about 50% more expensive than their PS2 cousins.
  2. The number of keystrokes the keylogger can store. Hardware keyloggers come in sizes based upon their storage capacity. It can be confusing sometimes, as vendors mix bits with bytes and keystrokes with pages. In general sizes range from 64kB to 2MB – which corresponds to 10,000 words (30 pages) through to 350,000 words (about 5 large novels).
  3. Whether logged keystrokes are encrypted and/or timestamped. Some keyloggers encrypt the stored data so that anyone discovering the presence of the keylogger cannot extract the stored keystrokes and/or reuse it on a different host.  Encrypted keyloggers are often used by law enforcement or internal security teams for evidence gathering, and often combine keystroke timestamping so that the captured data can be used for legal proceedings.
  4. The tools and software bundled with the keylogger to speed up downloading or facilitate analysis. While almost all keyloggers can have their data extracted through their default connector (i.e. PS2 or USB), some vendors offer connector tools that can accelerate the process, along with software for dynamically rebuilding the documents created upon the monitored host.
      Buying a bare-bones 64kB PS2-based hardware keylogger is going to cost you something between $30-$40, while a USB-based version will set you back $50-80.  Meanwhile, a 1MB PS2-based keylogger complete with a hardware accelerator, encryption, timestamping and advanced software analysis tools, will likely come to $200-$400.
The latest generation of laptop Mini-PCI keylogger boards start around $200 for 2MB of capacity.
      Prices vary considerably, and most sites can offer big discounts for buying in bulk.  For example, if you’re prepared to buy one thousand 16kB PS2-based keyloggers (such as the ones often given out at security trade shows as gifts) you can pick them up for $3-$5 each.
Meanwhile, commercial keylogger modules are pretty cheap – often retailing for about 50% off the price of an equivalent capacity PS2 keylogger.
Failing that, if you’re prepared to break out the soldering iron and do a little DIY, you can make one yourself for only the cost of the components.  Check out for details.

Retrieving Keystrokes
Retrieving the keystrokes from the keylogger is an extremely simple process.  In most cases with PS2-based barrel connectors, all that is required is the typing of a particular password while the barrel is connected to a keyboard and PC.  Once the password is typed (e.g. “Open Sesame”), the keylogger will replay all the keystrokes it recorded – usually into an open document – just as if a ghost were at the keyboard (with control and non-printable characters converted into something readable).  Obviously, the person who installed the keylogger would want to choose a password that is unlikely to be inadvertently typed by the monitored victim.

The process is just as simple for most USB-based keyloggers.  The person extracting the data plugs in the device, types the password, and the computer then registers the presence of a flash media drive.  A folder pops up, and the person just copies a file from the “USB Drive” to wherever they want.

It’s all very well pretending that a ghost is repeating all those collected keystrokes serially, but 2MB of keystrokes done this way can take a VERY long time. As such, USB accelerators are available for PS2 barrel-type keyloggers which greatly speed up the extraction of the collected keystrokes.  An example is pictured below:

      In the case of hardware keyloggers that offer encrypted data storage, there may be some additional passwords or software-aided extraction tools necessary for decrypting the keystrokes.

Keyboard Language
One thing to remember when using hardware keyloggers is that the data collected is bound to the language of the keyboard in use and (to a lesser degree) the language of the operating system.  The arrangement of keys and the alphabet presented on the keyboard is typically country specific.  In order to correctly retrieve the captured keystrokes and understand their meaning, the analyzer needs to know which country's keyboard was used.  For example, [SHIFT]-3 on a UK keyboard is the £ symbol, while on a US keyboard it is the # symbol – and the keys for “ and the @ symbol are transposed.
Things get a little more complex with double-byte languages such as Chinese and Japanese, but many of the better commercial keyloggers come with extraction software that can easily handle them.  For example, the screenshot below of the KeyGhost software shows the correct rendering of keystrokes obtained from an Arabic keyboard.
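To make the layout dependence concrete, here is an added example, written for this post and not taken from the KeyGhost software or any vendor's extraction tool. It decodes a constructed list of USB HID key events under a US and a UK layout table. The log format (one (modifier byte, usage ID) pair per key press) and the two deliberately partial layout tables are assumptions made for the example; real devices store data in their own formats. The same constructed events come out as different text depending on which layout an analyst picks, which is exactly the ambiguity an incident responder faces when interpreting data recovered from a device found on a machine.

```python
"""Decode constructed USB HID keyboard events under different national
layouts (added example, not code from the original post or any vendor)."""

# HID Usage Tables, Keyboard/Keypad page (0x07): usages 0x04..0x1D are
# a..z and 0x1E..0x27 are the digits 1..9,0 on the main keyboard row.
_LETTERS = {0x04 + i: chr(ord("a") + i) for i in range(26)}
_DIGITS = {0x1E + i: "1234567890"[i] for i in range(10)}

# Keys that mean the same on both example layouts: usage -> (plain, shifted)
_COMMON = {
    **{u: (c, c.upper()) for u, c in _LETTERS.items()},
    0x28: ("\n", "\n"),   # Enter
    0x2C: (" ", " "),     # Space
    0x36: (",", "<"),
    0x37: (".", ">"),
}

# Shifted digit row: this is where "£ vs #" comes from (Shift-3 is index 2).
_US_DIGIT_SHIFT = "!@#$%^&*()"
_UK_DIGIT_SHIFT = '!"£$%^&*()'


def _layout(digit_shift, extra):
    table = {**_COMMON, **extra}
    for i, (usage, digit) in enumerate(_DIGITS.items()):
        table[usage] = (digit, digit_shift[i])
    return table


# Assumption: only the keys needed for this example are mapped.
LAYOUTS = {
    "us": _layout(_US_DIGIT_SHIFT, {0x34: ("'", '"'),    # apostrophe key
                                    0x31: ("\\", "|")}),
    "uk": _layout(_UK_DIGIT_SHIFT, {0x34: ("'", "@"),    # same key, Shift gives @
                                    0x32: ("#", "~")}),  # Non-US # key by Enter
}

# In a boot-protocol report the modifier byte has bit 1 = Left Shift and
# bit 5 = Right Shift; Caps Lock, AltGr and dead keys are not modelled.
SHIFT_MASK = 0x22


def decode(events, layout):
    """events: iterable of (modifier_byte, usage_id) pairs, one per key press
    (a simplified log format assumed for this example). Returns the text;
    usages missing from the table are rendered as [0xNN], never dropped."""
    table = LAYOUTS[layout]
    out = []
    for mod, usage in events:
        shifted = bool(mod & SHIFT_MASK)
        if usage in table:
            out.append(table[usage][1 if shifted else 0])
        else:
            out.append(f"[0x{usage:02X}]")
    return "".join(out)


# Constructed capture of someone typing  Hi, £3 "x" @  on a UK keyboard.
CAPTURED = [
    (0x02, 0x0B), (0x00, 0x0C), (0x00, 0x36), (0x00, 0x2C),   # H i , space
    (0x02, 0x20), (0x00, 0x20), (0x00, 0x2C),                 # £ 3 space
    (0x02, 0x1F), (0x00, 0x1B), (0x02, 0x1F), (0x00, 0x2C),   # " x " space
    (0x02, 0x34),                                             # @
]

if __name__ == "__main__":
    for name in ("uk", "us"):
        print(f"{name}: {decode(CAPTURED, name)!r}")
```

Decoded with the UK table the capture reads `Hi, £3 "x" @`; decoded with the US table the very same bytes read `Hi, #3 @x@ "`. Unknown usages are kept as `[0xNN]` markers rather than silently dropped, so a wrong layout choice shows up as odd symbols and gaps instead of plausible-looking but wrong text.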

Combating a Physical Keylogger
      The nature of hardware-based keyloggers means that they will always elude software-based detection systems.  Protecting against their unwanted use really comes down to a handful of methods:
  1. Physical blocking - preventing physical access to the keyboard connectors through case design and system location.
  2. Interruption Detection - more sophisticated keyboard peripherals that maintain a constant “I’m attached” signal to the host computer, which triggers an alert of some kind if the keyboard is ever physically detached. This kind of system would have to operate even when the host is in an unpowered state.
  3. Regular inspection - trained staff need to regularly inspect the back of the host for the addition of new wires and connectors.
While not particularly glamorous, method (3) is the most reliable way of detecting unwanted keyloggers.
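As an added example (not from the original post), the following Python script supports method (3) for USB keyboards on a Linux host: it parses the output of lsusb (from the usbutils package), compares it with a saved baseline, and reports devices that have appeared or vanished. The sample baseline and current listings, and the "Example Corp." vendor/product IDs in them, are constructed for the example; only the Linux Foundation root hub line is a typical real lsusb line. The caveat is the one the article itself gives: an inline logger that passes the keyboard through transparently enumerates no device of its own, so this check complements rather than replaces physical inspection. It does catch a logger that enumerates as an extra hub, or one that shows up as a flash drive once its password has been typed.

```python
"""Baseline/diff check of enumerated USB devices (added example, not code
from the original post). Intended for a Linux host with usbutils installed."""
import re
import subprocess
from collections import Counter

# lsusb prints one line per enumerated device, e.g.
#   Bus 001 Device 002: ID 1d6b:0002 Linux Foundation 2.0 root hub
_LSUSB_LINE = re.compile(
    r"^Bus (\d{3}) Device (\d{3}): ID ([0-9a-f]{4}):([0-9a-f]{4})\s*(.*)$")


def parse_lsusb(text):
    """Return a Counter keyed by (vendor_id, product_id, description).

    Bus and device numbers are dropped on purpose: they change every time a
    device is re-enumerated, so only the identity of each device is compared.
    The Counter keeps track of duplicates (two identical hubs, for example)."""
    inventory = Counter()
    for line in text.splitlines():
        m = _LSUSB_LINE.match(line.strip())
        if m:
            _bus, _dev, vid, pid, desc = m.groups()
            inventory[(vid, pid, desc.strip())] += 1
    return inventory


def diff_inventory(baseline, current):
    """Devices present now that were not in the baseline (or are present more
    often than before), and baseline devices that have gone missing."""
    return {
        "added": sorted((current - baseline).elements()),
        "removed": sorted((baseline - current).elements()),
    }


def snapshot_live():
    """Capture the live inventory by running lsusb (not used by the sample)."""
    return subprocess.run(["lsusb"], capture_output=True, text=True,
                          check=True).stdout


# Constructed sample listings. The 1234:xxxx and 5678:0100 IDs and the
# "Example Corp." / "Unbranded" names are made up for this example.
BASELINE = """\
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 001 Device 002: ID 1234:0001 Example Corp. Wired Keyboard
Bus 001 Device 003: ID 1234:0002 Example Corp. Optical Mouse
"""

# Same host later: the keyboard has been re-enumerated as device 006 and a
# hub that was not in the baseline now sits on the bus.
CURRENT = """\
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 001 Device 005: ID 5678:0100 Unbranded USB Hub
Bus 001 Device 006: ID 1234:0001 Example Corp. Wired Keyboard
Bus 001 Device 003: ID 1234:0002 Example Corp. Optical Mouse
"""


def report(baseline_text, current_text):
    """Human-readable summary of the diff, returned as a list of lines."""
    diff = diff_inventory(parse_lsusb(baseline_text), parse_lsusb(current_text))
    lines = [f"ADDED   {vid}:{pid} {desc}" for vid, pid, desc in diff["added"]]
    lines += [f"REMOVED {vid}:{pid} {desc}" for vid, pid, desc in diff["removed"]]
    return lines or ["no change since baseline"]


if __name__ == "__main__":
    print("\n".join(report(BASELINE, CURRENT)))
```

In practice the baseline is taken with `snapshot_live()` when the machine is commissioned and stored somewhere the host cannot alter, and the comparison is run from a scheduled job or at login. The sample deliberately ignores the keyboard's changed device number, since renumbering also happens on an innocent unplug; a stricter deployment could alert on that too, at the cost of more false positives.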

What does the future hold?
I think that the future for hardware-based keyloggers as a significant hacker technology is strong - much stronger than the future of their software-based cousins.  Their falling purchase cost, increased miniaturization and the absence of any need for technical know-how mean, to me, that they will become more popular with organized criminal teams seeking to steal confidential or personal information from retailers and other large organizations.

Their proven track record at stealing login credentials and other “keys” critical to accessing valuable data and penetrating deeper into an organization means that they will always be useful in the first stages of an organized attack.

      These keyloggers may even become simpler too.  At the moment the commercially available keyloggers require their installer to physically break the keyboard-to-PC connection in order to install the keylogger.  Already there is talk of more advanced “strap-on” keyloggers that wrap around the keyboard cable and record keystrokes – designed to look like every-day ferrite cores (commonly used to reduce electromagnetic or radio frequency interference).
