Slashdot Mirror


The Keyboard That Could Phone Home

An anonymous reader writes "University of Pennsylvania researchers have developed a keylogger they call the JitterBug that can modulate passwords or other information into normal traffic by adding imperceptible delays to keypresses as people use keyboard and network-intensive apps like telnet and remote desktop. The idea is that the delays in keypresses cause delays in packets, and data can be encoded in those delays. There's no software or extra network activity that the victim can see, but anyone who can see the traffic (even if it's encrypted) could grab the data. Here's the scary part: the researchers say that it could be manufactured into a keyboard, making these keyloggers widespread and virtually undetectable."

15 of 287 comments

  1. My question is... by jarg0n · · Score: 2, Interesting

    My question is why are University of Pennsylvania researchers developing keyloggers!!??

    --
    Error 2101: all your sig are belong to us
  2. Re:Could you get around this... by interiot · · Score: 5, Interesting

    There was a talk at the university I was at about the security measures on US government firewalls, for particularly secure computers. Covert timing channels are one clear class of things that a very secure firewall needs to protect against (not just for JitterBugs... trojans/viruses could try to communicate this way as well), and they did just that... changed the timing of the packets at the firewall to try to prevent covert timing channels from being possible.

  3. Re:manufactured by bunions · · Score: 2, Interesting

    meh, maybe sorta.

    On reflection, I don't see how it'd be so out of the question for some engineer somewhere to add in a delay in the firmware unbeknownst to the employer. All he'd have to do then is install some free shell and/or IRC machines somewhere, maybe some altered game servers, something like that, and wait for someone with his compromised keyboards to walk in.

    Seems pretty straightforward, if you buy the initial premise that someone would do this. I don't see it working for a company. A person is smart and could pull this off. A group of people is stupid and would fuck it up somehow.

    --
    there is no need to sign your posts. this isn't usenet. your username is right there above your post. stop it.
  4. Re:Could you get around this... by russ1337 · · Score: 3, Interesting

    If the information is contained in the 'gaps' between the traffic, buffer the traffic in hardware as it leaves the system. (Buffering and clocking the keypresses in hardware to remove the jitter may cause a perceivable lag). If the keyboard is the suspected source of the hidden jitter, then an inline clocked buffer could remove this, releasing the keypresses to the system at a uniform interval. If the system is suspected, buffering and clocking can be added at the system router.

    There is a similar concept in advanced TEMPEST analysis, but we can't talk about that here....

  5. I think it's just as likely... by Anonymous Coward · · Score: 2, Interesting

    ...that US corporations would install these. The American government/corporations (same thing really) has clearly demonstrated their belief that people exist for them to prey upon.

  6. Re:Could you get around this... by LincolnQ · · Score: 4, Interesting

    The thing I don't get is how you distinguish the minuscule delay introduced with this system from the much larger delay between subsequent keypresses the user makes. I don't think most people type at such a consistent rate that you could plug this in and immediately start observing traffic. (I wouldn't be too surprised if you could do it after observing the person's typing habits for a long time... but that would be different for every person, so most likely impractical.)

  7. Re:What about user-induced lag? by Bryansix · · Score: 2, Interesting

    Correct me if I am wrong but from how I understand it the rate at which you type does not matter. The jitter is added to network traffic and it probably has to do with the timing between two packets. The program could just make the jitter be in the off position when no data is being sent and in the on position when there is data to phone home with. It's very analog but it works.

  8. Yeah... by Kawahee · · Score: 2, Interesting

    A keyboard keylogger? "Scary". I think not. It's not like these people are going to bust into internet cafes, pick the lock and change the keyboard without anybody noticing. Nor are they going to do it to somebody's personal PC ("Hey, my keyboard's different. Oh well..."). The only market I see for this is for corporations, and they can either use a hardware dongle, or have a software keylogger. They can also run the user in a sandbox that prevents them from detecting the software one, and the software one probably has more power in it anyway.

    Undetectable data transfer is at least worrying, not the fact you can embed it in the keyboard. Also, external hardware devices can't be plugged in and execute arbitrary code, which means you require software installed, which can be detected. Not such an undetectable spy device now, is it?

    --
    I'll subscribe to Slashdot when I see a month without a dupe, a typo, or an article the "editors" didn't read.
  9. password exposed via timing. by Kaenneth · · Score: 5, Interesting

    I recall a story of someone who determined a co-workers password by listening to the timing of her keypresses.

    "mickeymouse" m i c k e y mou s e

  10. Re:Cool, where can I get the source? by Secrity · · Score: 2, Interesting

    "I always thought it was easier to just torture somebody for the password?"

    I thought that it was easier and more reliable to just bribe somebody who has the password. There was an article a while back that indicated that some people will divulge passwords for something as trivial as a latte or chocolate -- the cost goes up from there.

  11. Re:Cool, where can I get the source? by Architect_sasyr · · Score: 2, Interesting

    On a more serious note though...
    I always thought it was easier to just torture somebody for the password?


    Who needs torture when there is vodka? Also, if they're like me you have two passwords, one overwrites the hard disk ;)

    --
    Me failed English...
    FreeBSD over Linux. If my comments seem odd, this may explain...
  12. Re:Just spreading FUD by Anonymous Coward · · Score: 1, Interesting

    It's not that hard, actually. The logger can simply check for typing sequences that are likely to be followed by or enclose a password. For example, "ssh username@host\npassword\n", or even "username\tpassword\n" if the target uses a web form or a popup password prompt.

  13. Re:Could you get around this... by Anonymous Coward · · Score: 1, Interesting

    And anyhow it could be easily tested by connecting the keyboard to an extra keyboard port card. Just have a robot hit two keyboards at a time at equal rates.

    Just remember to compare the suspect keyboard to one of those 1980s keyboards without NSA chip. And remember to program your standard keyboard comparison robot to trigger the covert channel sending mode as it might be in regular keyboard mode at first. Yes, detecting hidden hardware features is really, really easy (on Slashdot).

  14. Lag from the JitterBug or from network latency? by frdmfghtr · · Score: 3, Interesting

    FTA:

    In applications such as telnet and remote desktop, a packet is sent every time a user presses a key. By causing calculated "jitters" in keyboard input while such a program is running, a JitterBug could slightly delay data sent over the network. Certain amounts of delay could represent a one or a zero in each packet that is linked to keyboard use, allowing an attacker to send secret information in otherwise innocuous data without modifying software or initiating any new connections.

    How much jitter has to be introduced into the packet stream to be detected as inserted delay and not network latency?

    Pinging my own wireless router:

    10 packets transmitted, 10 packets received, 0% packet loss
    round-trip min/avg/max/stddev = 2.611/2.823/3.343/0.233 ms

    --- google.com ping statistics ---
    11 packets transmitted, 11 packets received, 0% packet loss
    round-trip min/avg/max/stddev = 10.530/10.839/11.361/0.251 ms

    --- yahoo.com ping statistics ---
    10 packets transmitted, 10 packets received, 0% packet loss
    round-trip min/avg/max/stddev = 61.703/65.211/68.176/2.781 ms

    Maybe the sample size isn't big enough, but how does one differentiate inserted delays from network latency? If the difference between the keystroke and the packet is the modulated data, how do you get this information to a recipient with no reference to when the keystroke was pressed? Maybe there's some fancy signal processing involved similar to spread spectrum, but that's never been a strong suit.

    (Asked by a network simpleton)
    --
    Government's idea of a balanced budget: take money from the right pocket to balance...oh who am I kidding?
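The question above (how to tell inserted delay from ordinary network latency) and interiot's remark in comment 2 about firewalls re-timing packets come down to the same measurement, so the following Python is added here as one example for both. It is not code from the article, the JitterBug researchers or Slashdot, and it assumes things the page does not state: a 20 ms timing window, keystroke timestamps constructed with a seeded RNG rather than captured from a network, and a firewall countermeasure that holds each packet for a random delay of up to one window. It scores how strongly inter-packet gaps cluster at multiples of half the window (the pattern such a channel leaves and plain typing does not), scans candidate windows when the window is unknown, and shows the score collapsing once the random delay is applied.

```python
"""Scoring and scrubbing a keystroke timing covert channel (added example).

Assumptions, not taken from the article: the channel uses a 20 ms window, so
suspicious inter-packet gaps sit near a multiple of 10 ms; every timestamp
below is constructed with a seeded RNG, not captured traffic.
"""
import math
import random

WINDOW_MS = 20.0  # assumed timing window the detector is tuned to


def inter_arrivals(timestamps_ms):
    """Gaps between consecutive packet (or keystroke) timestamps, in ms."""
    return [b - a for a, b in zip(timestamps_ms, timestamps_ms[1:])]


def phase_concentration(deltas_ms, window_ms=WINDOW_MS):
    """Mean resultant length of the doubled phase of each gap modulo the window.

    Gaps near 0 and near window/2 (mod window) both land on phase 0 after
    doubling, so modulated traffic scores close to 1.  Gaps unrelated to the
    window (typing plus network latency) spread evenly around the circle and
    score near 0, roughly 1/sqrt(n).
    """
    if not deltas_ms:
        return 0.0
    x = y = 0.0
    for d in deltas_ms:
        theta = 2.0 * math.pi * (d % window_ms) / window_ms
        x += math.cos(2.0 * theta)
        y += math.sin(2.0 * theta)
    return math.hypot(x, y) / len(deltas_ms)


def looks_modulated(deltas_ms, window_ms=WINDOW_MS, threshold=0.5, min_samples=30):
    """Flag a flow once enough gaps are available and they cluster strongly.

    For n evenly spread gaps the chance of a score above r is about
    exp(-n * r**2), so 0.5 over 30 samples is already a conservative bar.
    """
    if len(deltas_ms) < min_samples:
        return False
    return phase_concentration(deltas_ms, window_ms) > threshold


def scan_windows(deltas_ms, candidates_ms=range(5, 51)):
    """Unknown window: try each candidate and return (best_window_ms, score)."""
    best = max(candidates_ms, key=lambda w: phase_concentration(deltas_ms, float(w)))
    return float(best), phase_concentration(deltas_ms, float(best))


def add_random_delay(timestamps_ms, window_ms=WINDOW_MS, rng=None):
    """Firewall-style countermeasure: hold each packet for a random 0..window ms.

    The difference of two such delays wraps to a uniform offset modulo the
    window, which erases the phase information the gaps carried.  Packets
    are released in their original order.
    """
    if rng is None:
        rng = random.Random(0)
    released, last = [], -math.inf
    for t in timestamps_ms:
        t_out = max(t + rng.uniform(0.0, window_ms), last)
        released.append(t_out)
        last = t_out
    return released


def constructed_typing(n=200, seed=1):
    """Constructed sample: plain typing with gaps spread over 80..400 ms."""
    rng = random.Random(seed)
    t, out = 0.0, [0.0]
    for _ in range(n):
        t += rng.uniform(80.0, 400.0)
        out.append(t)
    return out


def constructed_clustered_typing(n=200, seed=1, window_ms=WINDOW_MS):
    """Constructed sample: the same typing with every gap pulled to within
    1 ms of a multiple of window/2, the signature a timing channel leaves."""
    rng = random.Random(seed)
    half = window_ms / 2.0
    t, out = 0.0, [0.0]
    for _ in range(n):
        t += round(rng.uniform(80.0, 400.0) / half) * half + rng.uniform(-1.0, 1.0)
        out.append(t)
    return out


if __name__ == "__main__":
    plain = inter_arrivals(constructed_typing())
    clustered = inter_arrivals(constructed_clustered_typing())
    scrubbed = inter_arrivals(add_random_delay(constructed_clustered_typing()))
    for name, gaps in (("plain", plain), ("clustered", clustered), ("scrubbed", scrubbed)):
        print(f"{name:9s} score={phase_concentration(gaps):.2f} "
              f"flag={looks_modulated(gaps)} best_window={scan_windows(gaps)}")
```

The score answers the "how much jitter" question statistically rather than per packet: a single gap tells you nothing, because typing and latency swamp any one delay, but a few hundred gaps that all fall on the same phase grid are very unlikely by chance. The countermeasure costs at most one window of extra latency per packet, which is the trade-off russ1337's clocked buffer and the firewall in comment 2 both make.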
  15. Re:Just spreading FUD by Anonymous Coward · · Score: 1, Interesting

    Another example: The keyboard could also send out the first 32 characters typed after a long delay, assuming that the user had their screensaver lock the computer automatically, or that the computer was starting up. With a kilobyte or two of flash memory, the keyboard could even check out which parts of these "after a long delay" sequences are identical with each other, in order to filter out the user simply using the mouse for a while, or not using screensaver passwords at all.