[unisog] Keyboard sniffers

Jonathan Glass jonathan.glass at oit.gatech.edu
Mon May 2 23:19:01 GMT 2005


I personally am fond of the locking cases which keep all the cables
bundled behind some form of protection.  An example is the Dell
280?c=us&cs=RC956904&l=en&s=hied), with the rear cable cover, and a
padlock.  We use these in a few labs around campus, and with
everything plugged in and locked down, it makes it a bit more
difficult to unplug the keyboard.  Although the question becomes can
a key logger be plugged INTO the USB hub ports on USB keyboards, and
intercept the keyboard signals?  I'll have to dig through the USB
specs to see how the bus handles communications.

Just my $0.02 US.

Jonathan Glass
Information Security Engineer III
Georgia Institute of Technology
Atlanta, Georgia 30332 

> -----Original Message-----
> From: unisog-bounces at lists.sans.org 
> [mailto:unisog-bounces at lists.sans.org] On Behalf Of Peter Van Epp
> Sent: Monday, May 02, 2005 6:11 PM
> To: UNIversity Security Operations Group
> Subject: Re: [unisog] Keyboard sniffers
> On Mon, May 02, 2005 at 04:36:20PM -0400, 
> Valdis.Kletnieks at vt.edu wrote:
> > On Mon, 02 May 2005 13:21:12 PDT, Brandon Enright said:
> > > Unfortunately the AT-PS/2 interface is a non-plug-n-play legacy
> > > interface so you aren't going to be able to receive a signal
> > > notifying you of the device being unplugged or plugged in.  One way
> > > to accomplish the detection would be to send periodic commands to
> > > the keyboard and wait for the acknowledgement.
> > 
> > You'd have to poll literally every few seconds - fast enough so you'll
> > notice if somebody pulls the cable, pops a recorder on the end,
> > and plugs it back in....
> 	I'd expect Windows (where this will happen in BIOS) to be the main
> problem. The Unixes (Linux and the BSDs) implement their own driver and
> it will get (although it may not currently log) the keyboard reset
> sequence when the keyboard processor reconnects. However, as Michael
> pointed out, this is defeated by powering down, inserting the key logger
> and powering up. You won't be able to detect the key logger at that
> point and the software ones are as much or more of a threat anyway.
> Peter Van Epp / Operations and Technical Support Simon Fraser 
> University, Burnaby, B.C. Canada 
