Keyboards Followup / Paranoia

Michael Havens bmike1 at gmail.com
Thu Nov 7 11:28:55 MST 2013


Paranoia keeps us safe!

:-)~MIKE~(-:


On Thu, Nov 7, 2013 at 10:42 AM, Matt Graham <mhgraham at crow202.org> wrote:

> On 2013-11-07 09:54, Nathan England wrote:
>
>> What if someone were to intercept the keyboard I purchase and
>> place a keylogger in the firmware?  Is it possible to detect a
>> keylogger built in the firmware of a keyboard? Do all keyboards
>> have firmware?
>>
>
> This seems like a *really* high level of paranoia, but anyway:  All
> keyboards have at the very least a microcontroller that does debouncing,
> translates keypresses into scancodes, and sends those scancodes down the
> wires.  USB keyboards have that stuff and chips that translate keypresses
> into packets that conform to the HID specs.
>
> Theoretically, a USB keyboard could be not just a HID device, but another
> USB device (mass storage?) containing an executable.  Some devices have
> done similar things; there were some USB disks that presented themselves as
> both a CD-ROM device containing Windows device drivers and a mass storage
> device.  There's a standard for this behavior though, something like
> "Multi-LUN storage device", and I don't know if there's a similar thing for
> HID.
>
>
>> Could the USB cable itself be a keylogger?
>> How would you go about detecting that?
>>
>
> The cable could have a small logging device in it.  However, a logging
> device would make the cable a *lot* more expensive than a regular cable.
> Retrieving data from a logging device like that would probably require
> someone to physically touch the cable or at least get very near it.
>
> As for detecting something like this, it's really difficult to prove a
> negative.  I suppose you could take high-res X-ray photos of a known good
> USB cable and a suspect one and compare them.  This would not be cheap.  Or
> you could make it so there's only 1 USB device plugged in (the suspect
> keyboard), run a USB snooper, and look for suspicious USB packets.  This
> would take a lot of time.
>
> (Also, I've tried to do USB snooping on some things, and none of the
> Windows USB snoopers I used seemed to work that well.)
>
> --
> Crow202 Blog: http://crow202.org/wordpress
> There is no Darkness in Eternity
> But only Light too dim for us to see.
>
> ---------------------------------------------------
> PLUG-discuss mailing list - PLUG-discuss at lists.phxlinux.org
> To subscribe, unsubscribe, or to change your mail settings:
> http://lists.phxlinux.org/mailman/listinfo/plug-discuss
>
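Added example, not part of the original thread: a quick check for the composite-device case described in the quoted reply, a keyboard that also declares a non-HID function such as mass storage. It assumes Linux sysfs at /sys/bus/usb/devices and treats HID boot keyboards (class 03, subclass 01, protocol 01) as "keyboards"; the sample tree is constructed. It only sees functions the device declares in its descriptors, so a logger that stays silent on the bus is out of its reach.

```python
import os
import tempfile

HID, BOOT_SUBCLASS, KEYBOARD_PROTOCOL = 0x03, 0x01, 0x01
CLASS_NAMES = {0x02: "communications", 0x03: "HID", 0x08: "mass storage",
               0x0A: "CDC data", 0xFF: "vendor specific"}

def read_hex(path):
    with open(path) as fh:
        return int(fh.read().strip(), 16)

def scan_interfaces(root="/sys/bus/usb/devices"):
    """Map each USB device to its (class, subclass, protocol) interface triples."""
    devices = {}
    for entry in sorted(os.listdir(root)):
        if ":" not in entry:          # "1-2" is a device, "1-2:1.0" an interface
            continue
        base = os.path.join(root, entry)
        try:
            triple = tuple(read_hex(os.path.join(base, name)) for name in
                           ("bInterfaceClass", "bInterfaceSubClass", "bInterfaceProtocol"))
        except (OSError, ValueError):
            continue                  # unreadable or malformed entry: skip it
        devices.setdefault(entry.split(":")[0], []).append(triple)
    return devices

def keyboards_with_extra_functions(devices):
    """Return {device: [non-HID class names]} for devices that include a boot keyboard."""
    findings = {}
    for dev, ifaces in devices.items():
        if (HID, BOOT_SUBCLASS, KEYBOARD_PROTOCOL) not in ifaces:
            continue
        extra = sorted({cls for cls, _, _ in ifaces if cls != HID})
        if extra:
            findings[dev] = [CLASS_NAMES.get(c, f"class 0x{c:02x}") for c in extra]
    return findings

def build_sample_tree(root):
    """Constructed sample data: one plain keyboard, one keyboard + mass storage."""
    sample = {"1-1:1.0": "030101", "1-1:1.1": "030000",
              "1-2:1.0": "030101", "1-2:1.1": "080650"}
    for name, hexes in sample.items():
        os.makedirs(os.path.join(root, name))
        for field, i in (("bInterfaceClass", 0), ("bInterfaceSubClass", 2), ("bInterfaceProtocol", 4)):
            with open(os.path.join(root, name, field), "w") as fh:
                fh.write(hexes[i:i + 2] + "\n")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        print(keyboards_with_extra_functions(scan_interfaces(tmp)))
```

To check real hardware, call `scan_interfaces()` with no argument while the suspect keyboard is the only USB device plugged in.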