Physical-Layer Detection of Hardware Keyloggers

Abstract

This work examines the general problem of detecting the presence of hardware keyloggers (HKLs), and specifically focuses on HKLs that are self-powered and take measures, such as passively tapping the keyboard line, to avoid detection. The work is inspired by the observer effect, which maintains that the act of observation impacts the observed. First, a model for HKLs is proposed, and experimentally validated, that explains how attaching a HKL necessarily affects the electrical characteristics of the system it is attached to. The model then motivates the selection of features that can be used for detection. A comparison framework is put forth that is sensitive enough to identify the minute changes in these features caused by HKLs. Experimental work carried out on a custom keylogger designed to conceal its presence, at the expense of reliability, shows that it is possible to detect stealthy and evasive keyloggers by observing as few as five keystrokes. Optimal attack strategies are devised to evade detection by the proposed approach and countermeasures evaluated that show detection is still possible. Environmental effects on detection performance are also examined and accounted for.

Appendix: Optimal Selection of HKL Input Resistance

The attacker seeks to minimize the difference between the line voltage with and without the HKL in order to evade the level-based detection approach, while simultaneously minimizing the time constant associated with the HKL to lessen the increase of the rise/fall times of the clock signal. The former goal can be realized by choosing \(R_{kl} \gg R_{pc}\) to ensure that \(R_{eq}=R_{kl}\parallel R_{pc} = R_{pc}\). This, however, is achieved at the expense of the latter goal, as the time constant \(R_{eq}C_{kl}\) can only be decreased by selecting \(R_{kl}\) such that \(R_{eq} < R_{pc}\), due to the fact that the HKL capacitance is fixed. The minimum value of \(R_{eq}\), and by extension the optimal input impedance of the HKL, necessary to evade the level-based approach while minimizing the time constant of the HKL is calculated as follows.

Allow r to represent the minimum resolvable voltage drop of the ADC employed in the detector. Evading the level-based detection approach requires \(V_l-V'_l = r\), where r may be expressed in terms of the quantities controllable and/or known by the attacker as

$$\begin{aligned} r = V_l - \frac{R_{eq}}{R_{kb}+R_{eq}}V_{kb} \end{aligned}$$

(4)

Defining

$$\begin{aligned} V_m = \frac{R_{eq}}{R_{kb}+R_{eq}}V_{kb} \end{aligned}$$

(5)

and rearranging terms yields

$$\begin{aligned} V_l - r = V_m \end{aligned}$$

(6)

Furthermore, manipulation of (5) gives

$$\begin{aligned} R_{eq} = \frac{V_m}{V_{kb}-V_m}R_{kb} \end{aligned}$$

(7)

By substituting (6) into (7) we arrive at

$$\begin{aligned} R_{eq} = \frac{V_l - r}{V_{kb} - V_l + r}R_{kb} \end{aligned}$$

(8)

\(\square \)