Keyboards Followup / Paranoia

Matt Graham mhgraham at crow202.org
Thu Nov 7 10:42:22 MST 2013 

On 2013-11-07 09:54, Nathan England wrote:
> what if someone were to intercept the keyboard I purchase and
> place a keylogger in the firmware?  Is it possible to detect a
> keylogger built in the firmware of a keyboard? Do all keyboards
> have firmware?

This seems like a *really* high level of paranoia, but anyway:  All 
keyboards have at the very least a microcontroller that does debouncing, 
translates keypresses into scancodes, and sends those scancodes down the 
wires.  USB keyboards have that stuff and chips that translate 
keypresses into packets that conform to the HID specs.

Theoretically, a USB keyboard could be not just a HID device, but 
another USB device (mass storage?) containing an executable.  Some 
devices have done similar things; there were some USB disks that 
presented themselves as both a CD-ROM device containing Windows device 
drivers and a mass storage device.  There's a standard for this behavior 
though, something like "Multi-LUN storage device", and I don't know if 
there's a similar thing for HID.

> Could the USB cable itself be a keylogger?
> How would you go about detecting that?

The cable could have a small logging device in it.  However, a logging 
device would make the cable a *lot* more expensive than a regular cable. 
Retrieving data from a logging device like that would probably require 
someone to physically touch the cable or at least get very near it.

As for detecting something like this, it's really difficult to prove a 
negative.  I suppose you could take high-res X-ray photos of a known 
good USB cable and a suspect one and compare them.  This would not be 
cheap.  Or you could make it so there's only 1 USB device plugged in 
(the suspect keyboard), run a USB snooper, and look for suspicious USB 
packets.  This would take a lot of time.

(Also, I've tried to do USB snooping on some things, and none of the 
Windows USB snoopers I used seemed to work that well.)

-- 
Crow202 Blog: http://crow202.org/wordpress
There is no Darkness in Eternity
But only Light too dim for us to see.

More information about the PLUG-discuss mailing list