
Physical-Layer Detection of Hardware Keyloggers

  • Conference paper
  • Research in Attacks, Intrusions, and Defenses (RAID 2015)
  • Part of the book series: Lecture Notes in Computer Science (LNCS, volume 9404)

Abstract

This work examines the general problem of detecting the presence of hardware keyloggers (HKLs), and specifically focuses on HKLs that are self-powered and take measures, such as passively tapping the keyboard line, to avoid detection. The work is inspired by the observer effect, which maintains that the act of observation impacts the observed. First, a model for HKLs is proposed, and experimentally validated, that explains how attaching a HKL necessarily affects the electrical characteristics of the system it is attached to. The model then motivates the selection of features that can be used for detection. A comparison framework is put forth that is sensitive enough to identify the minute changes in these features caused by HKLs. Experimental work carried out on a custom keylogger designed to conceal its presence, at the expense of reliability, shows that it is possible to detect stealthy and evasive keyloggers by observing as few as five keystrokes. Optimal attack strategies are devised to evade detection by the proposed approach and countermeasures evaluated that show detection is still possible. Environmental effects on detection performance are also examined and accounted for.


Notes

  1. In Sect. 5.2 we do examine the case of an evasive HKL designed to defeat our detection method by reproducing the keyboard’s signal exactly.

  2. In Sect. 5.3 we show that HKLs that do not affect line voltage—i.e. those with high input impedance—can still be detected because of their effect on the transient response of the system.

  3. Properly speaking, we use a variant of the EMD for non-normalized histograms, where we have selected the \(l_1\) norm for the ground distance metric [27].

  4. A slight change was made to our experimental setup to accommodate the duration of the data runs. Instead of the space bar being manually pressed, a program was written that toggled the NUMLOCK state. Since the OS state of this key and the NUMLOCK LED must be consistent, the PC would signal the keyboard that it had a scancode to send by bringing the clock line low, which would then cause the keyboard to generate a clock signal that we were able to subsequently capture.

  5. We note that while 125 MS/s ADCs are more expensive than the 1 MS/s variety, they can still be had for less than $15, e.g. the LTI LTC2251 [23].

References

  1. ABC News: Former Cal State student gets year in prison for rigging campus election (2013). http://abcnews.go.com/US/cal-state-student-year-prison-rigging-campus-election/story?id=19682401

  2. Analog Devices: AD7265 Differential/Single-Ended Input, Dual 1 MSPS, 12-Bit, 3-Channel SAR ADC (2006), datasheet

  3. Chahrvin, S.: Keyloggers – your security nightmare? Comput. Fraud Secur. 2007(7), 10–11 (2007)

  4. Chapweske, A.: The PS/2 mouse/keyboard protocol (2003). http://www.computer-engineering.org/ps2protocol

  5. Danev, B.: Physical-layer Identification of Wireless Devices. Ph.D. thesis, ETH Zurich, Zurich, Switzerland (2011)

  6. Danev, B., Luecken, H., Capkun, S., Defrawy, K.E.: Attacks on physical-layer identification. In: Proceedings of the Third ACM Conference on Wireless Network Security (WiSec 2010), pp. 89–98. ACM, New York (2010)

  7. Danev, B., Zanetti, D., Capkun, S.: On physical-layer identification of wireless devices. ACM Comput. Surv. (CSUR) 45(1), 6 (2012)

  8. Daniels, T.E., Mina, M., Russell, S.F.: A signal fingerprinting paradigm for physical layer security in conventional and sensor networks. In: Proceedings of the International Conference on Security and Privacy for Emerging Areas in Communication Networks (SecureComm), pp. 219–221. IEEE Computer Society (2005)

  9. Edman, M., Yener, B.: Active attacks against modulation-based radiometric identification. Technical report, Rensselaer Polytechnic Institute, Department of Computer Science (2009)

  10. Erbskorn, J.W.: Detection of Intrusions at Layer ONe: The IEEE 802.3 normal link pulse as a means of host-to-network authentication: a preliminary performance analysis and survey of environmental effects. Master’s thesis, Iowa State University, Ames, IA (2009)

  11. Gerdes, R., Mina, M., Russell, S., Daniels, T.: Physical-layer identification of wired Ethernet devices. IEEE Trans. Inf. Forensics Secur. 7(4), 1339–1353 (2012)

  12. Gerdes, R.M.: Physical layer identification: methodology, security, and origin of variation. Ph.D. thesis, Iowa State University, Ames, IA (2011)

  13. Gerdes, R.M., Daniels, T.E., Mina, M., Russell, S.F.: Device identification via analog signal fingerprinting: a matched filter approach. In: Proceedings of the Network and Distributed System Security Symposium (NDSS). The Internet Society (2006)

  14. Greene, M., Parker, M.: Method and system for detecting a keylogger that encrypts data captured on a computer, 25 July 2006, US Patent App. 11/492,581

  15. IEEE: Standard for transitions, pulses, and related waveforms (2011), IEEE Std 181–2011

  16. Karim, N., Agrawal, A.: Plastic packages electrical performance: reduced bond wire diameter. In: NEPCON WEST, pp. 975–980 (1998)

  17. KeeLog: Open source DIY hardware keylogger (2012). http://www.keelog.com/diy.html

  18. KeeLog: Keygrabber Module (2013). http://www.keelog.com/

  19. KeyCarbon: Keycarbon Raptor (2012). http://www.keycarbon.com/

  20. KeyCarbon: Keycarbon PCI (2013). http://www.keycarbon.com/

  21. Kullback, S., Leibler, R.A.: On information and sufficiency. Ann. Math. Stat. 52, 79–86 (1951)

  22. Linear Technology: LT1793 JFET Input Op Amp (1999), datasheet

  23. Linear Technology: LTC2251/LTC2250 ADCs (2005), datasheet

  24. Mihailowitsch, F.: Detecting hardware keyloggers, November 2010. DeepSec 2010 presentation. https://deepsec.net/docs/Slides/2010/DeepSec_2010_Detecting_Hardware_Keylogger.pdf

  25. Nakra, B.C., Chaudhry, K.K.: Instrumentation Measurement and Analysis. McGraw-Hill Education (India) Pvt Limited (2009)

  26. Nilsson, J.W., Riedel, S.: Electric Circuits. Prentice Hall, Upper Saddle River (2010)

  27. Pele, O., Werman, M.: A linear time histogram metric for improved SIFT matching. In: Forsyth, D., Torr, P., Zisserman, A. (eds.) ECCV 2008, Part III. LNCS, vol. 5304, pp. 495–508. Springer, Heidelberg (2008)

  28. Salkind, N.: Encyclopedia of Research Design. SAGE Publications, Thousand Oaks (2010)

  29. Sapra, K., Husain, B., Brooks, R., Smith, M.: Circumventing keyloggers and screendumps. In: 2013 8th International Conference on Malicious and Unwanted Software: “The Americas” (MALWARE), pp. 103–108, October 2013

  30. Texas Instruments: High Speed Analog Design and Application Seminar: High Speed PCB Layout Techniques (2004), presentation

  31. Texas Instruments: LM35 Temperature Sensors (2013), datasheet

  32. Texas Instruments: Tiva TM4C123GH6PM microcontroller (2013), datasheet

  33. Texas Instruments: Use conditions for 5-V tolerant GPIOs on Tiva C series TM4C123x microcontrollers (2013), application report

  34. The New York Times: Credit card data breach at Barnes & Noble stores (2012). http://www.nytimes.com/2012/10/24/business/hackers-get-credit-data-at-barnes-noble.html?_r=3&

  35. Zaitsev, O.: Skeleton keys: the purpose and applications of keyloggers. Netw. Secur. 2010(10), 12–17 (2010)


Acknowledgements

The authors would like to thank Li Yin and Heidi Harper of Utah State University for their assistance in collecting data.

Author information

Corresponding author: Ryan M. Gerdes.


Appendix: Optimal Selection of HKL Input Resistance

The attacker seeks to minimize the difference between the line voltage with and without the HKL in order to evade the level-based detection approach, while simultaneously minimizing the time constant associated with the HKL to lessen the increase of the rise/fall times of the clock signal. The former goal can be realized by choosing \(R_{kl} \gg R_{pc}\) to ensure that \(R_{eq}=R_{kl}\parallel R_{pc} = R_{pc}\). This, however, is achieved at the expense of the latter goal, as the time constant \(R_{eq}C_{kl}\) can only be decreased by selecting \(R_{kl}\) such that \(R_{eq} < R_{pc}\), due to the fact that the HKL capacitance is fixed. The minimum value of \(R_{eq}\), and by extension the optimal input impedance of the HKL, necessary to evade the level-based approach while minimizing the time constant of the HKL is calculated as follows.

Let r represent the minimum resolvable voltage drop of the ADC employed in the detector. Evading the level-based detection approach requires \(V_l-V'_l = r\), where r may be expressed in terms of the quantities controllable and/or known by the attacker as

$$\begin{aligned} r = V_l - \frac{R_{eq}}{R_{kb}+R_{eq}}V_{kb} \end{aligned}$$
(4)

Defining

$$\begin{aligned} V_m = \frac{R_{eq}}{R_{kb}+R_{eq}}V_{kb} \end{aligned}$$
(5)

and rearranging terms yields

$$\begin{aligned} V_l - r = V_m \end{aligned}$$
(6)

Furthermore, manipulation of (5) gives

$$\begin{aligned} R_{eq} = \frac{V_m}{V_{kb}-V_m}R_{kb} \end{aligned}$$
(7)

By substituting (6) into (7) we arrive at

$$\begin{aligned} R_{eq} = \frac{V_l - r}{V_{kb} - V_l + r}R_{kb} \end{aligned}$$
(8)

\(\square \)
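The following Python script is an added worked example, not part of the paper, that carries the appendix derivation through numerically from the detector's side: it evaluates (8) for a detector ADC of a given bit depth, recovers the HKL input resistance \(R_{kl}\) from \(R_{eq} = R_{kl}\parallel R_{pc}\), and reports the resulting time constant \(R_{eq}C_{kl}\). All component values (\(V_{kb}\), \(R_{kb}\), \(R_{pc}\), \(C_{kl}\), the ADC full-scale voltage) are constructed assumptions, and the helper names are ours. Sweeping the ADC resolution shows the trade-off the appendix describes: a finer ADC (smaller r) forces \(R_{eq}\) toward \(R_{pc}\), so the time constant approaches its upper bound \(R_{pc}C_{kl}\) and the lengthened clock edges are exactly what the transient-response method of Sect. 5.3 looks for.

```python
"""Worked numbers for the appendix derivation.

Added example, not code from the paper. Model from the appendix: the
keyboard drives the line as a source V_kb with series resistance R_kb into
the PC input R_pc; the HKL adds R_kl (with a fixed capacitance C_kl) in
parallel, so the loaded line sees R_eq = R_kl || R_pc. Equation (8) gives
the R_eq at which the level drop just equals the detector ADC's resolution
r. All component values below are constructed assumptions.
"""


def parallel(r_a, r_b):
    """Equivalent resistance of two resistors in parallel."""
    return r_a * r_b / (r_a + r_b)


def line_voltage(v_src, r_src, r_load):
    """Voltage-divider line level: source v_src, series r_src, load r_load."""
    return r_load / (r_src + r_load) * v_src


def optimal_r_eq(v_l, v_kb, r_kb, r):
    """Equation (8): R_eq for which V_l - V'_l equals the ADC resolution r."""
    return (v_l - r) / (v_kb - v_l + r) * r_kb


def r_kl_from_r_eq(r_eq, r_pc):
    """Invert R_eq = R_kl || R_pc; needs R_eq < R_pc for a finite, positive R_kl."""
    if r_eq >= r_pc:
        raise ValueError("R_eq must be below R_pc; reaching R_pc needs an open circuit")
    return r_eq * r_pc / (r_pc - r_eq)


def evasion_tradeoff(v_kb, r_kb, r_pc, c_kl, v_full_scale, adc_bits):
    """Return (r, R_eq, R_kl, tau) for a level-evading HKL facing an ADC of
    the given bit depth: r is one LSB of the ADC, and tau = R_eq * C_kl is
    the HKL time constant that stretches the clock edges (the transient
    feature the paper's Sect. 5.3 detects)."""
    v_l = line_voltage(v_kb, r_kb, r_pc)   # line level without the HKL
    r = v_full_scale / 2 ** adc_bits       # minimum resolvable drop (one LSB)
    r_eq = optimal_r_eq(v_l, v_kb, r_kb, r)
    r_kl = r_kl_from_r_eq(r_eq, r_pc)
    return r, r_eq, r_kl, r_eq * c_kl


if __name__ == "__main__":
    # Constructed values: 5 V keyboard source, 1 kOhm source resistance,
    # 10 kOhm PC input, 100 pF HKL capacitance, 5 V full-scale ADC.
    for bits in (8, 12, 16):
        r, r_eq, r_kl, tau = evasion_tradeoff(5.0, 1e3, 10e3, 100e-12, 5.0, bits)
        print(f"{bits:2d}-bit ADC: r={r * 1e3:.3f} mV  R_eq={r_eq:.1f} Ohm  "
              f"R_kl={r_kl / 1e3:.1f} kOhm  tau={tau * 1e9:.2f} ns")
```

With these assumed values the required \(R_{eq}\) moves from roughly 9.5 kΩ for an 8-bit ADC to within a few ohms of \(R_{pc}\) for a 16-bit one, and the time constant rises correspondingly; the sweep is a quick way to size a detector's ADC against the transient margin one wants to keep.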


Copyright information

© 2015 Springer International Publishing Switzerland

About this paper

Cite this paper

Gerdes, R.M., Mallick, S. (2015). Physical-Layer Detection of Hardware Keyloggers. In: Bos, H., Monrose, F., Blanc, G. (eds) Research in Attacks, Intrusions, and Defenses. RAID 2015. Lecture Notes in Computer Science, vol 9404. Springer, Cham. https://doi.org/10.1007/978-3-319-26362-5_2

  • DOI: https://doi.org/10.1007/978-3-319-26362-5_2

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-26361-8

  • Online ISBN: 978-3-319-26362-5
