11

I recently got a USB keyboard. I want to investigate whether the microcontroller of the keyboard may host a keylogger and how it could interact with a Windows OS. My understanding is that, once Windows recognizes the USB device, it will get the appropriate driver from a secure Microsoft DB, so even if it is recording the key strokes, it cannot run any SW by itself to send them anywhere. I'm leaving aside the possibility of having a SW keylogger.

Is it possible that a USB keyboard could host a keylogger and that Windows could give it control to run a process to send the information to an address?

2
  • 1
    Yes it is possible - and you can buy them online.
    – Rory Alsop
    Commented May 4, 2017 at 20:08
  • but you can exfiltrate simply by pressing keys, which the KB can do legit...
    – dandavis
    Commented May 5, 2017 at 0:56

4 Answers

10

Regular USB key loggers that exfiltrate their data via Bluetooth or WiFi can easily be hidden inside a keyboard. The Bluetooth loggers require the attacker to come into range to dump their contents, but a WiFi based adapter that's pre-configured with a network key doesn't even require the attacker to be present to win. He can plug it in and let it sit there forever. Such keyloggers have been commercially available for many years. There are even open source implementations available from the NSA Playset project, which are devices designed to emulate the spy devices found in NSA's leaked and now infamous ANT catalog. But now, there are new options that are even more sophisticated.

The BashBunny is a commercially available hardware implementation of a USB chameleon that performs these kinds of tasks; the USB Rubber Ducky is simply an Evil Keyboard Simulator. The BashBunny works by running a small Linux computer that emulates generic USB keyboards, USB mass storage devices, USB serial ports, and/or USB network adapters. The emulated devices leverage the existing signed Windows drivers that are used by generic chipsets. Such devices can exfiltrate captured data via the victim PC simply by emulating a USB keyboard and typing instructions to send it elsewhere.

Here's a simplistic example of how they could exfiltrate data through the victim PC. Imagine that the hidden USB device contains a data logger, and records your secrets for a day or two. (The BashBunny does not contain a keylogger; it gets its data from scanning the host system. Of course it could install a key logger, then harvest the data at a later time.) When it's time to send the data, it generates USB messages that contain keystrokes, but the user isn't typing them. By hitting <Windows>R, then typing http://www.evilhax0rs.invalid/key_logger_dump_page.php* it can bring up a mostly empty-looking page with a hidden input box located so far down the screen that you need scroll bars to find it. Now, imagine the rogue keyboard hitting <Windows><Shift><Down-Arrow> to slide the browser window completely off the screen, hiding it from the user's view. Next, the fake keyboard starts typing all its logged keystrokes into the input box (base64 encoded, naturally), and hitting <Enter> when finished. Finally, after all the secrets have left the building, it types <Windows><Shift><Up-Arrow> to restore the browser, then quickly types <Control>F4 to close the tab. Even if the user noticed the windows popping up before sliding out of view, it can happen so fast the typical victim won't have the chance to figure out what's happening.

As I said, these are commercially available and open source products you can buy today; the source code for the evil devices and the "ducky scripts" that do the phantom typing are all hosted on GitHub.

* not a real page.

3
  • I like John's resources because they're the most common and what you're likely to see in the field when it comes to a secondary device setup. I hopefully didn't overlap the answer.
    – Ori
    Commented May 6, 2017 at 14:24
  • Thanks. I know the rubber ducky attack. I was asking more if a keyboard could force a Windows machine to run a process. Let's assume there is no internet so the keyboard cannot connect to any URL and get a .exe, install it and run it. Could still the keyboard run a process in Windows? The only thing that comes to my mind, is a BIOS giving priority to USB ports to boot an OS, and then the keyboard would run a rootkit that would remain parallel to the OS. Then it would return the control to the Windows boot manager to proceed normally with the boot chain.
    – Alex
    Commented May 7, 2017 at 22:02
  • The BashBunny can emulate a mass storage device, and can type “run d:\myEvilSoftware.exe”, and it can do that without needing an Internet connection. Does that not do what you need? Commented Aug 31, 2020 at 11:44
5

I'm reading the question and seeing "could the keyboard" and what comes to mind is that most keyboards I've cracked open have an Atmel32u[4,8,X] controller; these controllers are running a firmware that is field programmable (though they may not have easy-to-reach breakouts for JTAG/UART). There are open source projects (Openhardware) that keyboard hobbyists have been building for the better part of a decade now based around the Atmel32u series processors.

It would not be trivial, but it is totally possible to write a keylogger using the open source codebases as a starting point (TMK being the most established: https://github.com/tmk/tmk_keyboard). You could then use the same methodology as a rubber ducky and send commands through the keyboard itself to create the agent that sends the keystrokes to the remote location.

Some keyboards' firmware has been reverse engineered already (again, keyboard enthusiasts) and vendors have even tried encrypting the firmware packages to prevent this. Still, it's not outside the realm of possibility.

1
  • Even if you couldn't modify the firmware for the microcontroller, you could certainly attach another one which you do control to the traces and either intercept the matrix scan (if you want NKRO) or the USB output.
    – forest
    Commented May 29, 2019 at 4:24
1

TL;DR: It's possible but not probable. Your keyboard is way more trusted than your cellphone.

Is it possible that a USB keyboard could host a keylogger and that Windows could give it control to run a process to send the information to an address?

Yes. If you press keys to start programs, and type things on the program, that's the keyboard running and controlling a process. It's so simple that we don't think about it.

Running on the hardware, there's nothing on Windows indicating anything: no delays, no extra traffic on the USB cable, no strange control messages anywhere, no custom drivers. Windows will never see anything different about it.

The problem is the exfiltration. The keyboard can type back everything that it captured, but it has no visibility of the computer. The keyboard can only talk to it. It can send keystrokes and hope that they will get out.

It's possible, for example, to send Win+R, type a URL for something that will capture everything server-side, wait a little, and type the log. If there was enough time for the browser to load the page, and it is still in focus, the exfiltration is possible.

As the keyboard can know to some extent how long you have not been using the computer, it can wait for 3 to 5 minutes after the last keypress to start the payload. The keyboard knows if you locked the screen with Win-L or Ctrl-Alt-L. Unless you are only navigating with the mouse or watching a video, this means you are away. 5 minutes is short enough to not engage the screen lock, and long enough that most people won't stare at the screen for that long.

But what's the probability of this happening? Very, very low. This is not an easily targeted attack. It's way easier to phish you into installing software than to count on you visiting his site to buy his altered keyboard.

Pentesters usually resort to this when they have physical access to the computer: pop open the keyboard, install the keylogger and leave. Come back another night, pop open the keyboard, get the log and leave.
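The exfiltration pattern described in the first answer (phantom typing into a Run dialog) and the idle-wait timing described in this answer both leave a signature on the host: a long run of key events at a cadence no human sustains, often right after a long idle gap. The following detector, an added example that is not from any of the answers, runs over a list of (timestamp, key) events as an OS-level HID hook would deliver them; the thresholds and the sample event stream are assumptions constructed for illustration.

```python
from dataclasses import dataclass

# Thresholds are assumptions chosen for illustration: sustained gaps under
# 30 ms between keys are not human, and a run of 20+ such keys that starts
# after a long idle gap matches the "wait until the user walks away" pattern.
MAX_HUMAN_INTERVAL = 0.030    # seconds between consecutive key events
MIN_BURST_KEYS = 20
IDLE_BEFORE_BURST = 180.0     # seconds; the answer's "3 to 5 minutes"


@dataclass
class Burst:
    start: float            # timestamp of the first key in the burst
    end: float              # timestamp of the last key in the burst
    keys: int               # number of key events in the burst
    preceded_by_idle: bool  # True if the user was idle before it began
    text: str               # what the burst typed, for the alert


def find_injection_bursts(events):
    """events: list of (timestamp_seconds, key_name) in arrival order.
    Returns every maximal run of keys spaced <= MAX_HUMAN_INTERVAL that is
    at least MIN_BURST_KEYS long.  A burst with no earlier event counts as
    preceded by idle, since nothing human was seen before it."""
    bursts, i, n = [], 0, len(events)
    while i < n:
        j = i
        while j + 1 < n and events[j + 1][0] - events[j][0] <= MAX_HUMAN_INTERVAL:
            j += 1
        if j - i + 1 >= MIN_BURST_KEYS:
            idle_gap = events[i][0] - events[i - 1][0] if i > 0 else float("inf")
            bursts.append(Burst(events[i][0], events[j][0], j - i + 1,
                                idle_gap >= IDLE_BEFORE_BURST,
                                "".join(k for _, k in events[i:j + 1])))
        i = j + 1
    return bursts


def constructed_events():
    """Constructed sample: a person types, leaves for four minutes, then a
    rogue device types a Run-dialog URL and a base64-looking blob at 5 ms/key."""
    ev, t = [], 0.0
    for ch in "hello world":                      # human cadence, 150 ms apart
        ev.append((t, ch)); t += 0.150
    t += 240.0                                    # idle gap before the payload
    payload = ["<WIN>", "r"] + list("http://example.invalid/\n") \
              + list("QUJDREVG" * 4) + ["\n"]
    for k in payload:
        ev.append((t, k)); t += 0.005
    return ev


if __name__ == "__main__":
    for b in find_injection_bursts(constructed_events()):
        print(f"injection burst: {b.keys} keys at t={b.start:.2f}s, "
              f"after idle={b.preceded_by_idle}: {b.text[:40]!r}")
```

A device that paces its typing at human speed, or one that waits for the screen lock rather than idle time, will not trip this check, so it is a signal to feed into monitoring rather than a control on its own.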

0

Seems possible to detect if you develop a sort of fingerprint of your USB device - and have software notify you if it changes. I plan to test this idea by buying a USB key logger and seeing if Linux can see a difference with and without it.

3
  • 1
    The situation is not that the firmware changes, but that the keyboard has the keylogger built in.
    – schroeder
    Commented Aug 27, 2020 at 12:26
  • 1
    Right - from the OS's point of view nothing strange is happening; a new keyboard got plugged in (it might even be a model it recognizes). That it occasionally types in a string of data into a website or other web request isn't strange - that's being done all day by the user. Commented Aug 27, 2020 at 18:37
  • If you have a warning in your menu bar, for example, that your regular keyboard isn't plugged in - then yes, it would be a sort of anti-USB key logger fingerprinting mechanism.
    – readyRnot
    Commented Aug 28, 2020 at 13:04
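A minimal version of the inventory fingerprint this answer proposes, as an added example that is not from the answer or its commenters: each USB device is reduced to the descriptor fields that stay stable across reboots (VID:PID, serial, interface class triples), a saved baseline is diffed against a fresh snapshot, and newly appearing keyboard-capable devices are called out, with the keyboard-plus-storage/network composite of the first answer flagged separately. The two snapshots are constructed with placeholder IDs; on Linux the same fields can be read from /sys/bus/usb/devices/*/ (idVendor, idProduct, serial, bInterfaceClass and friends).

```python
import hashlib
import json

# USB-IF class codes; (subclass, protocol) == (1, 1) is the HID boot keyboard.
HID_CLASS, CDC_CLASS, MASS_STORAGE_CLASS = 0x03, 0x02, 0x08
HID_BOOT_KEYBOARD = (0x01, 0x01)


def fingerprint(dev):
    """Stable identity: VID:PID, serial and the sorted interface triples.
    Any change in these shows up as one device missing and a new one present."""
    ifaces = sorted((i["class"], i["subclass"], i["protocol"]) for i in dev["interfaces"])
    raw = json.dumps([dev["vid"], dev["pid"], dev.get("serial", ""), ifaces])
    return hashlib.sha256(raw.encode()).hexdigest()[:16]


def is_keyboard(dev):
    return any(i["class"] == HID_CLASS and (i["subclass"], i["protocol"]) == HID_BOOT_KEYBOARD
               for i in dev["interfaces"])


def is_composite_keyboard(dev):
    """Keyboard plus storage, serial or network on one device: the chameleon pattern."""
    classes = {i["class"] for i in dev["interfaces"]}
    return is_keyboard(dev) and bool(classes & {MASS_STORAGE_CLASS, CDC_CLASS})


def diff_inventory(baseline, current):
    """Return human-readable alerts for devices added to or missing from the baseline."""
    base = {fingerprint(d): d for d in baseline}
    now = {fingerprint(d): d for d in current}
    alerts = []
    for fp, d in now.items():
        if fp not in base:
            kind = ("composite keyboard" if is_composite_keyboard(d)
                    else "keyboard" if is_keyboard(d) else "device")
            alerts.append(f"NEW {kind} {d['vid']:04x}:{d['pid']:04x} fp={fp}")
    for fp, d in base.items():
        if fp not in now:
            alerts.append(f"MISSING {d['vid']:04x}:{d['pid']:04x} fp={fp}")
    return alerts


# Constructed snapshots with placeholder IDs (not real vendor/product codes).
BASELINE_SNAPSHOT = [{"vid": 0x1111, "pid": 0x0001, "serial": "", "interfaces": [
    {"class": 3, "subclass": 1, "protocol": 1}, {"class": 3, "subclass": 0, "protocol": 0}]}]
NEW_SNAPSHOT = BASELINE_SNAPSHOT + [{"vid": 0x1234, "pid": 0x5678, "serial": "EXAMPLE-SN",
    "interfaces": [{"class": 3, "subclass": 1, "protocol": 1},
                   {"class": 8, "subclass": 6, "protocol": 0x50}]}]

if __name__ == "__main__":
    print("\n".join(diff_inventory(BASELINE_SNAPSHOT, NEW_SNAPSHOT)))
```

As the comments above note, a logger built into the keyboard you already trust presents the same descriptors as before and is invisible to this diff; it only catches devices that enumerate differently from the baseline.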
