
justcallmekoko/Hardware-Keyloggers


Hardware Keyloggers

Research done about modern hardware keyloggers

Table of Confidence

Introduction

Hardware keyloggers serve as an alternative to software keyloggers. They are typically placed in-line between a USB keyboard and a victim computer, whether installed directly in the keyboard itself or sitting between the male USB plug of the keyboard and the female USB port of the computer. I have been googling my ass off for a while now looking at datasheets and forum posts trying to gather as much information as I can about hardware keyloggers. I want to compile all of the information I can about this subject and place it here for anyone else who is interested. I have been developing and will continue to develop POCs for hardware keyloggers and I will post the information here. I am not an expert. I am just trying to compile as much information as I can.

Hardware Keyloggers vs Software Keyloggers

To be honest, I am starting from scratch here. Relative to what there is to know about hardware keyloggers, complex microcontrollers, and the USB protocol in general, I know nothing. I have written software-based keyloggers in the past. Some have been very awful and stay top level and others have been decent and use keyboard hooks. Software-based keyloggers have their advantages and disadvantages.

Software Keylogger Advantages

  • Physically undetectable (no physical presence)
  • Victim keyboard functions as normal
  • No physical access required for installation or exfil
  • No hardware resources required
  • Functionality not limited by space (unless you care about file size)

Software Keylogger Disadvantages

  • Detectable by antivirus
  • Only logs keys after OS loads
  • Uses computer resources

I am really good at spelling and going down rabbit holes. I found out about hardware keyloggers when I went looking for alternate solutions. At first I saw Spacehuhn's WiFi keylogger project and I was impressed. It was able to log keys and display them over WiFi via web browser. It has its disadvantages, which I will detail in specifics later. This was my first introduction to the concept of hardware keyloggers and I was hooked. No hardware keylogger is created equal, but they do have inherent advantages and disadvantages.

Hardware Keylogger Advantages

  • Starts logging keys before OS Loads
  • Undetectable by antivirus
  • Does not use computer resources (other than power)

Hardware Keylogger Disadvantages

  • Physically detectable
  • USB keyboard data can be misinterpreted and in some cases can cause missed keys on the computer
  • Requires physical access to victim computer to install
  • Microcontrollers and programming hardware required
  • Functionality limited by space

Spacehuhn WiFi Keylogger

Spacehuhn's solution to the USB keylogger employs an ATmega32u4-MU in the form of an Arduino Leonardo, an Arduino R3 style USB Host Shield, and an ESP8266. This keylogger accomplishes what all hardware keyloggers need to accomplish, to a point. It falls victim to the shortcomings of the Keyboard library and the behavior of the USB Host Shield, in that some keys typed on the keyboard cannot be translated properly and therefore are not passed on to the host computer. This would cause concern for any victim typing on their computer when they see characters that don't align with what they typed, or no characters at all. For those who are comfortable working with Arduino but have not gotten into ARM or CPLD/FPGA microcontrollers yet, I recommend this project. You learn a little bit about WiFi, keyboard emulation, and the USB protocol.

How It Works

The ATmega32u4-MU is incapable of hosting a USB device. Its functionality as a USB device is what makes it a valuable part of this setup. Its inability to host USB devices is compensated for by the USB Host Shield, which uses a MAX3421EE USB host controller to host the USB keyboard. The MAX3421EE takes the USB data from the USB keyboard and passes it on to the ATmega32u4-MU via the SPI bus. The ATmega32u4 then "replays" these keypresses to the host computer using the Keyboard library. While the keypresses are being relayed, every keypress passed on by the ATmega32u4 is also sent to the ESP8266, which logs the keys in flash memory and displays them on a web page. This web page can be accessed by connecting to its hosted WiFi access point and navigating to http://192.168.4.1.

[KEYBOARD] -----> [MAX3421EE] -> [ATMEGA32U4] -----> [COMPUTER]
                                      |
                                      |
                                      V
                                  [ESP8266]

The next trick is to figure out how to place all of these components onto one small board. I have searched the internet to see if anyone has made an attempt at designing a custom PCB for this project and I have not found one.
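Because this design replays keystrokes through the ATmega32u4, the host computer enumerates the Arduino Leonardo rather than the original keyboard, which gives defenders something to look for. The following is an added example, not code from this repository or from Spacehuhn's project: it audits `lsusb` output against an approved-device inventory and flags Arduino vendor IDs. The vendor-ID table, the sample `lsusb` lines and the inventory are assumptions constructed for illustration.

```python
import re

# Assumption: USB vendor IDs registered to Arduino (0x2341 Arduino SA,
# 0x2a03 Arduino Srl). A stock Leonardo sketch enumerates as 2341:8036.
DEV_BOARD_VIDS = {"2341": "Arduino SA", "2a03": "Arduino Srl"}

LSUSB_LINE = re.compile(
    r"^Bus (\d{3}) Device (\d{3}): ID ([0-9a-fA-F]{4}):([0-9a-fA-F]{4})\s*(.*)$"
)

def parse_lsusb(text):
    """Parse `lsusb` output into a list of device dicts."""
    devices = []
    for line in text.splitlines():
        m = LSUSB_LINE.match(line.strip())
        if not m:
            continue  # skip blank or unrecognised lines
        bus, dev, vid, pid, name = m.groups()
        devices.append({"bus": bus, "dev": dev,
                        "id": f"{vid}:{pid}".lower(), "name": name.strip()})
    return devices

def audit(text, approved_ids):
    """Return (device, reasons) pairs for devices that need a physical check."""
    findings = []
    for d in parse_lsusb(text):
        reasons = []
        vendor = DEV_BOARD_VIDS.get(d["id"][:4])
        if vendor:
            reasons.append(f"development-board vendor ID ({vendor})")
        if d["id"] not in approved_ids:
            reasons.append("not in approved inventory")
        if reasons:
            findings.append((d, reasons))
    return findings

# Constructed sample output and inventory, for illustration only.
SAMPLE = """\
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 001 Device 003: ID 046d:c31c Logitech, Inc. Keyboard K120
Bus 001 Device 004: ID 2341:8036 Arduino SA Leonardo (CDC ACM, HID)
"""
APPROVED = {"1d6b:0002", "046d:c31c"}

if __name__ == "__main__":
    for dev, reasons in audit(SAMPLE, APPROVED):
        print(f"Bus {dev['bus']} Device {dev['dev']} {dev['id']} "
              f"{dev['name']}: {'; '.join(reasons)}")
```

USB descriptors are set by firmware, so a match is a reason to inspect the cable run, while a clean result proves nothing. The check also only applies to relay designs that re-enumerate as their own device; a passive tap that observes the bus without altering traffic, like the CPLD design described later on this page, leaves the host's device list unchanged.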

KEYVILBOARD Keylogger

How It Works

idfk

Maltronics WiFi Keylogger

This is my dream USB keylogger. I want to be able to create something like this, but I am still trying to figure out how this keylogger works. This is where it gets a little complicated for those who have not worked with CPLD/FPGA style microcontrollers. I fall under this category as I do not understand these myself. These microcontrollers are a bit outside of the realm of Arduino and we get into the world of JTAG and assembly (maybe). Unfortunately for the functionality we want, these microcontrollers seem to be the widely accepted solution among dime-a-dozen Chinese manufacturers who make USB keyloggers.

These microcontrollers may be complicated, but they still manage to pack a very tight footprint. I had to don every macro extension I had for my DSLR in order to photograph the vendor markings on the cap of the main chip.

Important Components

How It Works

The CPLD itself is hidden within the body of the Male USB plug. It is able to analyze the USB traffic without altering it and pass it onto the ESP8266 so it can be stored in the serial flash memory and displayed over WiFi on its hosted web page. Unfortunately I have found zero documentation about these keyloggers in terms of firmware or circuit design and my reverse engineering skills are at level zero. This is the only information I can offer at the moment. I am hoping to acquire some sort of development board that has a CPLD on it so I can make a prototype keylogger to better understand these chips.

[KEYBOARD] -------------------------------------------------> [COMPUTER]
                                      |
                                      |
                                      V
                                [5M160ZE64C5N] -------------> [ESP8266]

I imagine this keylogger works similarly to the Integra Sources Keylogger, but this one uses an EPM3064 CPLD instead of a 5M160ZE64C5N, and I believe this keylogger does not have WiFi capabilities, inferred from the absence of an ESP8266 in the component listing.

CPLD Based Keyloggers

There is a really interesting patent here detailing the functionality (at an intermediate level) of a CPLD-based USB keylogger.
