Is a hardware keylogger possible on a laptop?

Discussion in 'privacy problems' started by krustytheclown2, Nov 18, 2014.

  1. krustytheclown2

    krustytheclown2 Registered Member

    Joined:
    Nov 18, 2014
    Posts:
    210
    Normally hardware keyloggers are spoken of in the context of desktops, and I haven't heard much about them being installed on a laptop. Is it generally possible to install one within a relatively short time frame of physical access (1-2hrs) on a late model PC laptop?

    It seems to be the easiest way to get around full disk encryption if one were a target.

    To be clear, I don't want to do this to anyone, I'm suspicious of my computer having one installed...
     
  2. Palancar

    Palancar Registered Member

    Joined:
    Oct 26, 2011
    Posts:
    2,402
    Yes it is very easy to do and would take a few minutes at most. Your thinking is spot on in one respect. Users will spend days creating the perfectly secure super encrypted computer with vpn's, tor, etc..... but then they leave the house where anyone can simply grab the machine and install a logger. Then sit back and wait.

    The first thing is to have a good look at it, but candidly if its a pro job you wouldn't see the modification even while looking at it. Try running Wireshark because that is tough to beat, but can be done.

    What makes you think your laptop has been compromised by a logger??
     
  3. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
  4. lotuseclat79

    lotuseclat79 Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    5,390
    Anything that can be done in software (keylogger), can be done in firmware - i.e. and anything that can be done in firmware can be reduced to hardware.

    -- Tom
     
  5. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    True. So one must ensure that all changes in software, firmware and/or hardware can be detected :)
     
  6. krustytheclown2

    krustytheclown2 Registered Member

    Joined:
    Nov 18, 2014
    Posts:
    210
    So the laptop in question has Ubuntu with fde and a BIOS password set, and of course only ever connected through vpn's, Tor, etc. A few weeks after I installed Ubuntu I looked at the firewall and found Vino running, a remote administration program- meaning that there can be someone at the other end can see what is on my screen in real-time and can make changes to my system. It's not installed by default and I didn't put it there, so my guess is that an attacker got ahold of my passwords in some way, then got into my computer and installed the program. A physical keylogger would seem to be the obvious route to get this done, short of a pinhole camera in the ceiling...

    And some keyloggers don't need to communicate with the net, they just store keystrokes in memory to be retrieved upon physical access, which means Wireshark wouldn't be of help there
     
    Last edited: Nov 19, 2014
  7. krustytheclown2

    krustytheclown2 Registered Member

    Joined:
    Nov 18, 2014
    Posts:
    210
  8. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,832
    Location:
    UK
    To ask the obvious - have you unscrewed the keyboard to look for anything (checking the screws as you go...)? The obvious thing would be a little inline in the ribbon cable.

    Personally, I fear remote compromise much more often than physical, and I've no idea what your remote threats are!
     
  9. Palancar

    Palancar Registered Member

    Joined:
    Oct 26, 2011
    Posts:
    2,402
    I can't tell how exposed your machine is based upon "lifestyle". If you live in a dorm or share living quarters with a number of folks that have access to your place the odds go up! I am not looking to invade your privacy but before you fix this issue I would pause and consider how to avoid it in the future.

    I don't know what kind of backup protocol you have, if any, but without question I would blow away the drive contents and wipe the platter at least once. This would allow you to remove the software logger threat - BUT - not the threat of a physical invasion if that happened. You mentioned that the machine was being used with vpn's, tor, etc.... so you obviously are trying to remain private in your pursuits. That's good from where I sit, but it does draw attention.

    I am not going to mislead you here. You have some decisions to make. Do I flash back a clean bios to eliminate that possibility? I have no fear but I have done them a bunch. Make a mistake and you have a brick. What have you used the machine for? If its only privacy I could live with cleaning it up, but if its MORE THAN THAT, I would personally replace the machine and move on. Just a paranoid fart at that point.

    Along with the OP's concerns this is an obvious one. Let me encourage all reading along here to run VM's at the end of your connection chain. Properly configured you will keep any activity inside the VM protecting your host and any VM's chained before the last one. Preventing a break out by malware, logger, etc.. is an important counter measure. When you create that last VM (the internet activity one) make sure and create a clean snapshot of it. Then when you log on you can "snap" your VM back to perfectly clean removing any "crap" from the previous session. In addition clone that VM back around once a week or so just as a double measure. Once prepared those actions take less than a minute and you always start "clean". Worth it I think!!
     
    Last edited: Nov 19, 2014
  10. krustytheclown2

    krustytheclown2 Registered Member

    Joined:
    Nov 18, 2014
    Posts:
    210
    Yes, I know all that, and I have been running anything remotely risky through a VM (all flash, any risky site, and all email), and NoScript should block most possible exploits on my host (which I feel is unlikely in the first place since the host only goes to very safe sites).

    I tried reinstalling the OS with a live CD on that machine, and it turns out that the BIOS has been configured to block booting from live media. It wasn't set that way a few months prior when I first installed linux on the system, so it must've been changed since then. Apparently there is an admin password set in BIOS that is preventing me from changing that setting (not set by me), which has confused the hell out of me, and a computer professional told me that the only way he knows how to fix it would be replacing the physical BIOS chip. This leads me to suspect that my very BIOS has been tampered with, which is out of the scope of any software type infection that I know of, meaning a physical compromise seems to be the likely culprit here. Thoughts?
     
  11. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    You could just claim that it's stylish :)
     
  12. TheWindBringeth

    TheWindBringeth Registered Member

    Joined:
    Feb 29, 2012
    Posts:
    2,171
    Or say that it helps you to visually distinguish your device from similar looking devices belonging to others.

    The last thing you should be concerned about is what ignorant people think. Legitimate concerns would be things like a) do I want others to know that I'm using tamper-evident protection, b) is this the best approach/product to use for that purpose.
     
  13. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    OK, maybe something with a UV-fluorescent pattern?
     
  14. redcell

    redcell Registered Member

    Joined:
    Sep 27, 2010
    Posts:
    126
    A keyscrambler program will help counter the recording of keywords being typed.
    But if the keylogger has automatic screenshot every few minutes, then that depends what you're doing on screen at those moments.
     
  15. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,978
    Have you tried resetting the password set in BIOS, by removing the BIOS battery for about 10 mins. Switch off & Unplug the comp from any/all mains wall etc sockets first.
     
  16. Palancar

    Palancar Registered Member

    Joined:
    Oct 26, 2011
    Posts:
    2,402
    In my post above I expressed a hunch the bios may have been tampered with. If that is a fact, and its now locked as you state, you may have an adversary! Is there any chance that you forgot/changed the bios password? Higher in this thread you stated there was a bios password in play. I ask because if you had a bios password how did your adversary get in? Have to consider these things. Do you have any friends that know the bios password or was it written in some easy spot? Not trying to offend you but at times just hearing someone bounce off some ideas helps.

    You never mentioned the model (you don't have to) but lots of machine have reset pins/schemes that can be "crossed" quite handily. I don't see how an adversary could access your bios with a password set by you unless it got compromised - OR - the machine has a reset "scheme" available on the internet. i.e. - If the adversary can do it so can you!

    Rhetorical:

    1. You have to be asking yourself what information did I send out during this time?

    2. Who did this/how was this accomplished? This second question is critical because even if you melt down this machine and get another one, how will you protect it from the same thing?

    In my world that machine is sold and I would pay the difference to start fresh. You still have to find the source, or majorly change the physical security when you are away.
     
  17. krustytheclown2

    krustytheclown2 Registered Member

    Joined:
    Nov 18, 2014
    Posts:
    210

    Yes, there's a BIOS password that I set. I didn't share it, write it down, or use that same password for anything else. So I think that it was compromised by a hardware keylogger or something else involving physical access.

    I imagine that with physical access, it would be possible to remove the original BIOS chip and insert a malicious BIOS that can give an attacker total root control. I guess this would be a bit better than a keylogger since it's visually indistinguishable from a normal BIOS.

    And I have a very good idea of who's targeting me, it's not exactly a new or unknown threat for me, being paranoid about physical security seems to be the only way going forward
     
  18. Palancar

    Palancar Registered Member

    Joined:
    Oct 26, 2011
    Posts:
    2,402
    A replaced chip would be an adversary on "another level". They have wires/connectors that look exactly "normal" which contain loggers inside. There are some seriously devious devices out there if you are combating a physical security issue. I lock my laptop in a vault when I am not on it. Over protective maybe, but I don't have to worry about these issues.

    We all have internet/software attack issues, but those I feel OK about. Someone physically messing with my laptop in my absence would creep me out!!
     
  19. krustytheclown2

    krustytheclown2 Registered Member

    Joined:
    Nov 18, 2014
    Posts:
    210
    "Another level" equals a government agency, and no doubt that they know what they're doing and do it well especially if they're dealing with somebody who isn't exactly a noob.

    Software attack is easy to avoid, easy to detect 99% of the time if you know your system, and fixing with a reinstall is pretty much foolproof, so that's really not a huge concern
     
  20. Palancar

    Palancar Registered Member

    Joined:
    Oct 26, 2011
    Posts:
    2,402
    I am going to have to vote for a replacement machine.

    Paranoid question: Did you walk into a store and buy that machine OR did you order it online? You know where I am going on this don't you? I no longer order computers/IT stuff in my name online. I have Grandma, a Priest, or whoever order anything I want. Get it? I better stop before some here try to commit me. LOL!!
     
  21. krustytheclown2

    krustytheclown2 Registered Member

    Joined:
    Nov 18, 2014
    Posts:
    210
    Yeah that's been my conclusion for a while now, I haven't touched it in awhile, I think that that computer is only good either for parts or for things I really don't care if anyone saw.

    It was in cash in a store but I had to wait a day before it was ready to pick up (small shop). Meaning that if someone were watching me, they could go to the store and compel the owner to put a keylogger on the system he's about to give me, or even pay him to do that if they don't have the authority...

    I think some things are probably fine to buy online, nobody's going to mess with headphones or RAM sticks, but computers are definitely an in-person on-the-spot buy imo

    After all the NSA stuff in the news, I wouldn't see that as particularly crazy lol especially if you're an "interesting" person to them
     
  22. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    If the stakes are so high, maybe it's best to buy only what's available immediately when you walk in randomly with cash. Then do the final assembly yourself.
     
  23. Palancar

    Palancar Registered Member

    Joined:
    Oct 26, 2011
    Posts:
    2,402
    Sounds like we are all on the same page then. I have nothing else to add unless more questions arise. Good Luck!!
     
  24. RockLobster

    RockLobster Registered Member

    Joined:
    Nov 8, 2007
    Posts:
    1,812
    I would open the laptop, there is not a whole lot to them. It should be easy to see a device that is not supposed to be there. I never had a hardware keylogger but I imagine it goes between the keyboard and the motherboard, if the keyboard is not connected directly to the motherboard be suspicious.
    Any device that is not properly screwed down, or doesn't appear to have a proper space where it fits be suspicious, laptops are usually well thought out to make it all fit neatly in the small space available. Any soldering that is not neat and tidy be suspicious, aftermarket soldering rarely looks neat like factory soldering.
    If you never worked on a laptop before look online for the disassembly instructions you usually have to do it in a specific order and take pictures as you go so you can remember how to put it back.
    Also you could compare your internals to pictures online to reveal anything that shouldn't be there, like in repair tutorials etc.
     
    Last edited: Nov 29, 2014
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.