Risks of Keyloggers on Public Computers

Brian Krebs is reporting that:

The U.S. Secret Service is advising the hospitality industry to inspect computers made available to guests in hotel business centers, warning that crooks have been compromising hotel business center PCs with keystroke-logging malware in a bid to steal personal and financial data from guests.

It's actually a very hard problem to solve. The adversary can have unrestricted access to the computer, especially hotel business center computers that are often tucked away where no one else is looking. I assume that if someone has physical access to my computer, he can own it. This is doubly true if he has hardware access.

Posted on July 15, 2014 at 2:30 PM • 39 Comments

Comments

uh, Mike • July 15, 2014 3:06 PM

If the Feds are advising the hotels to check for keyloggers, then does that mean the Feds aren't hacking the hotels? Or is it a polyscam?

Douglas Knight • July 15, 2014 3:07 PM

What is the difference between "physical access" and "hardware access"?

Does the first mean typing at the keyboard, while the second means considering attacks like unplugging the keyboard and inserting new hardware?

uh, Mike • July 15, 2014 3:09 PM

@Douglas, made me think, physical access could include video without touching the hardware. Or other forms of radiation that are local.

From the article • July 15, 2014 3:14 PM

@Douglas

From the article, I assume that physical access means that someone can put a cd-rom in the drive, restart the computer, load the OS he wants, install something in the computer, and go on.

And hardware would be opening the hardware to install some hardware keylogger, planting those Snowden-disclosed bugs that will capture data when they are lit by some frequency, replacing the keyboard with another one...

delphic • July 15, 2014 3:25 PM

So... take your own laptop with you and use their WiFi with your VPN, Tor TAILS, etc?? Why does one have to use the computer they offer?

uh, Mike • July 15, 2014 3:36 PM

@delphic, I used to carefully use the hotel computer to get at the printer with civility. Those days are over with the smartphone option.

K9 • July 15, 2014 3:42 PM

Why is there not a bricks-and-mortar business providing secure access to one's online accounts while traveling?

Name (required) • July 15, 2014 5:40 PM

Off topic, but this is really a question for Mr. Schneier since I don't use email anymore...

So cryptologists can examine crypto code and determine whether it's secure etc. That's good, because I guess any paranoid prole with the dough can hire a cryptologist. But what about silicon chips? How can anyone be sure what is in a chip, short of being the owner of the fabrication plant that made it? Is this an issue that has been addressed? To "reverse-blueprint" an off-the-shelf packaged chip reliably is not easy at all, AFAIK. Seems to me it might even be close to impossible, at least sometimes.

Anura • July 15, 2014 6:13 PM

@Name (required)

That's been discussed in-depth in past squid posts. I suggest trawling through them, but if I understood correctly, the answer is "It's complicated" - but that's not really my area, I'm just a programmer, so don't take my word for it.

Nick P • July 15, 2014 7:48 PM

@ Name (required)

It's hopeless for now without an incredible budget and years of work. The chips might have hidden functionality, they might have been altered before being put on silicon, and they might have been swapped out for functionally identical (subverted) chips. There are companies that can tear chips apart to analyze their features and look for backdoors. You'd need to (a) trust them, (b) send them regular samples from your batches, and (c) have a ridiculous amount of money. They might still not see clever attacks in analog and RF areas as there's less expertise there than digital.

These and more issues were covered in discussions with a chip designer with rather esoteric skills:

This comment contains a summary of the discussion RobertT and I had of the issues
https://www.schneier.com/blog/archives/2013/12/friday_squid_bl_404.html

RobertT on why auditing chip processes takes as much faith as just trusting them
https://www.schneier.com/blog/archives/2013/12/friday_squid_bl_403.html#c2828013

RobertT on an example subversion area
https://www.schneier.com/blog/archives/2013/09/surreptitiously.html#c1744173

RobertT discusses how and why hidden functionality is common in chips
https://www.schneier.com/blog/archives/2014/01/souffletrough_n.html#c3595520

My interim solution was to use really old hardware where they didn't waste resources, use only non-DMA I/O, have no Internet connection, use no risky files (e.g. PDFs), and port a highly secure OS on it. The idea is that these are less likely to be subverted, although they have all the usual risks from firmware to OSes to networking. So, start with non-subverted hardware, air gap it, increase that system's assurance, and then move simple-to-validate data to/from it over simple-to-verify interfaces. More work than most people are capable of, so they must all be assumed subverted or insecure at the least.

My previous list of chips to consider and tips for choosing:
https://www.schneier.com/blog/archives/2013/09/surreptitiously.html#c1762647

Joshua Townsend • July 15, 2014 11:05 PM

This is where a virtual desktop solution like VMware Horizon View is useful. Hardware access is locked down to a hardened zero client in the public location and the virtual desktop is secure in the datacenter or cloud, reset to a clean state after every use.

Homer Simpson • July 16, 2014 12:11 AM

File this under duh.

Who on earth would assume that, in 2014, a public computer is secure?

Wael • July 16, 2014 2:17 AM

"I assume that if someone has physical access to my computer..."

If the attacker has physical access to the room, as is expected, it's much easier to attack guests, even if the computers are super-secure and locked down. I would simply bring my own computer with internet access through an LTE device for example, and leave it in the room for the duration of my stay. I'll keep an eye on it, so no one takes it. I would collect my computer later on with all the information I need. Don't just think of the device, think outside the chassis ;)

So Brian Krebs's advice is good. The attacker will still get information about the email address that forwarded the mail to the temp address -- they still can do something with it.

EightTwoOne • July 16, 2014 5:52 AM

So you tell me the Secret Service warns about the NSA?

On the other hand, and before anyone patents it: here it's publicly known and said first(?)...

A service provider could offer an "untrusted"/"holiday" access where you can login to your account with a different password. This login would provide lower than normal privileges. For example no change of password or other relevant settings. Only the e-mails from the last X days. Only e-mails from/to whitelisted addresses. Only certain sub folders accessible. Added bonus and security: filtering out any You-requested-a-new-password-click-on-this-link emails.
To increase privileges a TAN/two factor system (paper/mobile/gadget) could be used.

A TAN system could also be used for the initial "untrusted"/"holiday" login. But it would prevent a login during an emergency situation where you may have lost nearly everything.
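The reduced-privilege "holiday" login described in the comment above, worked through as an added example (editorial code, not from any commenter or provider on this page). It assumes a mail service that keeps two password hashes per account, picks the session scope by which password was typed, and enforces the comment's restrictions server-side: only mail from the last X days, only whitelisted correspondents, no password-reset mail, and no settings changes. The account names, mailbox and dates are constructed.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from datetime import datetime, timedelta

# Subject fragments that mark password-reset mail; hidden from a travel session
# so a travel password captured by a keylogger cannot be escalated via the reset flow.
RESET_MARKERS = ("reset your password", "you requested a new password")


def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


@dataclass
class Account:
    salt: bytes
    full_hash: bytes
    travel_hash: bytes
    whitelist: frozenset      # correspondents visible from a travel session
    travel_days: int = 7      # the "last X days" window

    @classmethod
    def create(cls, full_pw, travel_pw, whitelist, travel_days=7):
        salt = os.urandom(16)
        return cls(salt, _hash(full_pw, salt), _hash(travel_pw, salt),
                   frozenset(a.lower() for a in whitelist), travel_days)


@dataclass(frozen=True)
class Message:
    sender: str
    recipient: str
    subject: str
    received: datetime


@dataclass
class Session:
    account: Account
    scope: str  # "full" or "travel"


def login(account, password):
    """One login form, two passwords: the one typed decides the session scope."""
    h = _hash(password, account.salt)
    if hmac.compare_digest(h, account.full_hash):
        return Session(account, "full")
    if hmac.compare_digest(h, account.travel_hash):
        return Session(account, "travel")
    raise PermissionError("bad credentials")


def visible_messages(session, mailbox, now):
    """Travel scope: recent mail only, whitelisted correspondent, no reset mail."""
    if session.scope == "full":
        return list(mailbox)
    acct = session.account
    cutoff = now - timedelta(days=acct.travel_days)
    out = []
    for m in mailbox:
        if m.received < cutoff:
            continue
        if not ({m.sender.lower(), m.recipient.lower()} & acct.whitelist):
            continue
        if any(k in m.subject.lower() for k in RESET_MARKERS):
            continue
        out.append(m)
    return out


def change_password(session, new_pw):
    """Settings changes need the full scope; a travel session is refused."""
    if session.scope != "full":
        raise PermissionError("not allowed from a travel session")
    acct = session.account
    acct.full_hash = _hash(new_pw, acct.salt)


def demo():
    """Constructed credentials and mailbox; reports what each scope can see and do."""
    acct = Account.create("long-home-passphrase", "short-travel-pw",
                          whitelist=["alice@example.com", "bob@example.org"])
    now = datetime(2014, 7, 16, 12, 0)
    me = "owner@example.com"
    mailbox = [
        Message("alice@example.com", me, "Dinner on Friday?", now - timedelta(days=2)),
        Message("bank@example.net", me, "Your statement is ready", now - timedelta(days=1)),
        Message("alice@example.com", me, "Old photos", now - timedelta(days=30)),
        Message("alice@example.com", me, "Reset your password", now - timedelta(hours=1)),
        Message(me, "bob@example.org", "Travel plans", now - timedelta(days=3)),
    ]
    travel = login(acct, "short-travel-pw")
    full = login(acct, "long-home-passphrase")
    try:
        change_password(travel, "anything")
        travel_can_change = True
    except PermissionError:
        travel_can_change = False
    return {
        "travel_scope": travel.scope,
        "travel_visible": [m.subject for m in visible_messages(travel, mailbox, now)],
        "full_visible_count": len(visible_messages(full, mailbox, now)),
        "travel_can_change_password": travel_can_change,
    }


if __name__ == "__main__":
    print(demo())
```

The point of the design is that a keylogger on the hotel PC only ever sees the travel password, and that password is worth little: it cannot read older mail, mail from strangers, or reset links, and it cannot change the real password. The commenter's TAN/two-factor step-up would sit on top of this as a way to reach the full scope.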

Rick • July 16, 2014 6:41 AM

Read the post on Krebs's blog earlier. I don't think physical hardware would be hard to spot, though most people wouldn't even bother checking... so... *sigh*

Me • July 16, 2014 8:47 AM

I have to agree, they are just NOW getting around to telling people not to trust these things?

I use these for Googling things like restaurants and rent-a-cars nearby. I would never trust one of them to be secure.

Jim Van Zandt • July 16, 2014 10:50 AM

So don't do anything more sensitive than printing out your boarding pass.

Mr. Ed • July 16, 2014 11:26 AM

@Jim

Boarding passes are hugely sensitive information - it unlocks access to your frequent flier account, which in turn can hit your trusted traveler ID. That's one thing I'd NEVER do on a public computer.

Use the airline's mobile app, or a dedicated kiosk at the airport instead.

Andy Walls • July 16, 2014 12:03 PM

The 100% solution is a hard problem to solve, but what about something less?

For example, wipe the disk and push a new image to the business center computer every day. Now an attacker only gets less than 24 hours worth of captured keystrokes, until he makes an effort to go reinstall the keylogger on the computer.

Whatever is done will not be perfect, but one can mitigate the damage to some degree.

sena kavote • July 16, 2014 1:51 PM

Maybe hotels should use only live-DVDs, and instruct guests to reboot at start of new session. Maybe there could be a company that makes custom spins of some distro for hotels? Very light changes are enough for any hotel. Put picture of the hotel as wallpaper etc... Ubuntu 14.04 should be good enough as is without any changes, at least if language is English.

If the DVD is printed, not burned, it adds trustworthiness.

Maybe if hotel could add some marking that is verifiably random and unique, it could be checked visually by staff, not just daily check of sha512 hash of the data. Maybe use glitter spray paint on the b-side, and then look at it under standard illumination from the same angle every time.

It would be faster to use live OS on usb 3.0 stick, but then the staff would need to check its hash between every customer. One stick on hash check, other in use then.

Second best to live OS would be to use Kubuntu in virtualbox with some kind of locking, and then revert to some snapshot after every session. I have no idea if there is any existing thing that allows one to lock some virtual machine on.
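The "check the hash of the boot medium" step from the comment above, and the known-good image that Andy Walls's daily reimaging would be pushed from, both come down to the same check: hash the whole medium and compare against a value recorded when it was written. Here is that check as an added example (editorial code, not from any commenter). It assumes the hotel keeps a manifest of SHA-512 values taken right after each DVD or stick is written, and that staff run the verification against the device node (for example /dev/sr0 or the stick's block device) between sessions; the in-memory "medium" in demo() is a constructed file standing in for a real device.

```python
import hashlib
import hmac
import os
import tempfile

CHUNK = 1 << 20  # 1 MiB reads, so a whole DVD or stick image never sits in memory


def digest_file(path, chunk_size=CHUNK):
    """SHA-512 of the file or block device at `path` (e.g. /dev/sr0), streamed."""
    h = hashlib.sha512()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk_size), b""):
            h.update(block)
    return h.hexdigest()


def record_manifest(paths):
    """Take the known-good hashes once, immediately after the media are written."""
    return {p: digest_file(p) for p in paths}


def verify_media(path, manifest):
    """True only if the medium still hashes to what the manifest recorded.

    An unknown path is a failure, not a pass: a medium nobody recorded is
    not one the staff should hand to a guest."""
    expected = manifest.get(path)
    if expected is None:
        return False
    return hmac.compare_digest(digest_file(path), expected)


def demo():
    """Constructed stand-in for a boot medium: verify clean, tamper one byte, verify again."""
    with tempfile.TemporaryDirectory() as d:
        medium = os.path.join(d, "live-os.img")
        with open(medium, "wb") as f:
            f.write(b"constructed live-os image bytes " * 100_000)  # ~3 MiB
        manifest = record_manifest([medium])
        clean = verify_media(medium, manifest)
        with open(medium, "r+b") as f:
            f.seek(12345)
            f.write(b"X")  # a single changed byte is enough to fail the check
        tampered = verify_media(medium, manifest)
    return clean, tampered


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:
        # usage: python verify_media.py /dev/sr0 <expected sha512 hex from the manifest>
        print(verify_media(sys.argv[1], {sys.argv[1]: sys.argv[2]}))
    else:
        print(demo())
```

Two caveats that follow from the thread itself: the manifest has to live somewhere the business-center PC cannot write to, or a compromised machine can simply update it; and a clean medium says nothing about the firmware, the keyboard or anything plugged in between them, which is why the commenter's suggestion of a physically verifiable marking and the Secret Service's physical inspection advice still apply.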

PJ • July 16, 2014 1:51 PM

This is not a surprise, but frankly I don't think much of the traveling public either knows or cares. I can't count the number of times I've gone to use a hotel business center computer and previous users have either failed to log out of their email account, checked the "remember me" option, or even better, allowed the browser to save their login/password information. It makes me feel quite voyeuristic to type in mail.google.com into a hotel browser and have it take me straight to someone's inbox with hundreds of emails. Can't really say I hacked their account when I was never presented with a login prompt, can you?

Usually I'm polite about it and send them an email from themselves letting them know they've done this before I log them out, but it's hard not to be tempted when someone leaves their (Gmail, Gdrive, Yahoo mail, Onedrive, Outlook, Dropbox, etc.) logged on and completely accessible to the next guy who happens by.

Who needs a keylogger when people will happily hand you their accounts?

Nick P • July 16, 2014 2:12 PM

Simple threat assessment for public-facing computers (2014)

Here's my attempt at a simplified (for lay people) view of how a public facing computer might be compromised. Here's what I'm seeing:

1. Attackers might hack and backdoor the firmware/software over a network.

2. Attackers might hack and backdoor the firmware/software at the device itself.

3. Attackers replace existing device with one they've backdoored, ensuring it looks and works the same via thorough copying of data/configuration.

4. Attackers replace newly ordered devices with backdoored devices, possibly with adding covert wireless or wired connectivity. This allows them to ensure they can get in regardless of how you configure or use it.

5. (old school) Attackers put a physical keylogger on the device and collect it later.

6. (new school, NSA) Attackers use an advanced keylogger or screen-scraper that's embedded into the keyboard, a connector, part of the internal unit, monitor, etc. It might be added in the field by a skilled technician or during an interdiction.

So, there's your threat matrix. Note that thin clients and kiosks alone don't protect the users against... any of this. They might protect stuff on the network so long as no user enters their credentials into the device or if thin clients are totally isolated on network from all sensitive systems (fat chance). In case of things like two factor, we've already seen bank attacks where the session is hijacked in real time to do things the user doesn't realize. The system could even secretly keep the session going while deceiving the user into thinking they're logged off. This is made easier because many of these machines stay on and connected. Of course, it would kill the session just before next user completed log-in so there's only one session coming from the machine at any time.

So, just like with your desktop at home, any public facing device might be attacked physically or digitally, before or after it gets there. Every part of its lifecycle must be designed to counter these risks in order to even stand a chance. If this is not the case, then the device must be considered by potential users as a man-in-the-middle with full access to their activities and even credentials. That's harsh reality.

asdf28 • July 17, 2014 1:24 AM

Surprised to see that so few people have yet mentioned that by using off the shelf hardware accessories (http://www.amazon.com/KeyGrabber-USB-KeyLogger-8MB-Black/dp/B004TUBOKW) a keylogger can easily persist across a reboot or reimage of the host machine. Plug the hardware keylogger in once, then pick it up again a month later. This has become a pedestrian attack that anyone can do.
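Because an inline hardware keylogger survives the reimaging discussed earlier in the thread, the Secret Service's advice to "inspect computers" has to include the USB bus, not just the disk. One cheap, repeatable part of that inspection is to compare what is enumerated on the bus now with what was there when the machine was set up. Below is an added example of that comparison (editorial code, not from any commenter): it parses `lsusb`-style output, reports devices that were not in the setup-time baseline, and reports baseline devices that have vanished, which is what a keyboard swapped for a different model would look like. The baseline IDs and the sample `lsusb` text are constructed.

```python
import re
from dataclasses import dataclass

# Constructed baseline: vendor:product IDs recorded when the machine was set up.
BASELINE = {
    "1d6b:0002",  # USB 2.0 root hub
    "1d6b:0003",  # USB 3.0 root hub
    "046d:c31c",  # keyboard installed at setup
    "046d:c077",  # mouse installed at setup
}

LSUSB_LINE = re.compile(
    r"^Bus (?P<bus>\d{3}) Device (?P<dev>\d{3}): "
    r"ID (?P<id>[0-9a-f]{4}:[0-9a-f]{4})\s*(?P<name>.*)$"
)


@dataclass(frozen=True)
class UsbDevice:
    bus: str
    dev: str
    usb_id: str
    name: str


def parse_lsusb(text):
    """Parse `lsusb` output into UsbDevice records; lines that don't match are skipped."""
    devices = []
    for line in text.splitlines():
        m = LSUSB_LINE.match(line.strip())
        if m:
            devices.append(UsbDevice(m["bus"], m["dev"], m["id"], m["name"].strip()))
    return devices


def audit_usb(text, baseline=BASELINE):
    """Compare the current bus against the setup-time baseline.

    Returns (unexpected, missing): devices that were not present at setup,
    and baseline IDs that are no longer enumerated (e.g. the original keyboard
    was replaced with a different model)."""
    devices = parse_lsusb(text)
    seen = {d.usb_id for d in devices}
    unexpected = [d for d in devices if d.usb_id not in baseline]
    missing = sorted(baseline - seen)
    return unexpected, missing


# Constructed sample of what `lsusb` might print on a business-center PC:
# the four baseline devices plus one hub that was not there at setup.
SAMPLE_LSUSB = """\
Bus 002 Device 001: ID 1d6b:0003 Linux Foundation 3.0 root hub
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 001 Device 002: ID 046d:c31c Logitech, Inc. Keyboard K120
Bus 001 Device 003: ID 046d:c077 Logitech, Inc. M105 Optical Mouse
Bus 001 Device 004: ID 05e3:0608 Genesys Logic, Inc. Hub
"""


def demo():
    """Run the audit over the constructed sample; returns (unexpected IDs, missing IDs)."""
    unexpected, missing = audit_usb(SAMPLE_LSUSB)
    return [d.usb_id for d in unexpected], missing


if __name__ == "__main__":
    extra, gone = audit_usb(SAMPLE_LSUSB)
    for d in extra:
        print(f"NOT IN BASELINE: bus {d.bus} dev {d.dev} {d.usb_id} {d.name}")
    for usb_id in gone:
        print(f"MISSING SINCE SETUP: {usb_id}")
```

To use it on a real machine, feed `audit_usb` the output of `lsusb` (for example via `subprocess.run(["lsusb"], capture_output=True, text=True).stdout`) and keep the baseline somewhere the PC itself cannot edit. The limits are the ones the thread already spells out: a pass-through device that does not enumerate, one that clones the keyboard's vendor:product ID, or a logger built into the keyboard shell as Mike the goat describes below will not show up here, so this is a cheap first check that complements, rather than replaces, looking at the cable and opening the case.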

Thoth • July 17, 2014 2:10 AM

@Nick P
What are the chances of success to implement an open source secure hardware module?

Thoth • July 17, 2014 5:24 AM

@asdf28, Nick P, Bruce
Every time we try to get something right, the powerful ones who get wind of such attempts would always try to stamp it out.

We are just trying to preserve our own rights, privacy and identity but there are always those who don't want that to happen... those who are very powerful... those who are jealous...

Are we really doomed to always be submissive to those who are in power and ourselves be powerless to them?

Mike the goat • July 17, 2014 8:07 AM

asdf28: you've also got to consider that someone could actually physically replace the keyboard with an identical model, but with a keylogger secreted within the case of the keyboard. This is actually pretty easy to do as inside many keyboards (e.g. the $20 ones you find at most office supply stores, e.g. the entry level logitechs) there is plenty of room to spare. In fact, in a large enough organization you could probably just get the staff to do the dirty work for you by FedEx'ing them a new keyboard with a note from their IT dept advising them to replace their keyboard with some b.s. excuse (ergonomics is a good one.. everyone knows how obsessed the modern workplace injury dial-a-suit people are with occupational health risks and corporate America is trying to mitigate this where possible). Chances are they'll be relieved to be getting an upgrade and plug it in for you.

I bought a heap of key logging devices a while back for pen-tests, and my favorite has to be a little Chinese made gadget which transmits key data over 900mhz (yeah FCC probably won't like that) to a distance of about 400 yards. The receiver unit has an RP-SMA connector on it so you could get fancy and perhaps use a directional antenna and get even better range - the receiver appears as a HID device so you can just open a text editor and watch the output. :-).

I've heard of even more fancy devices that use burst transmission to reduce the chance of detection and I have even heard that there is speculation that there are 3GPP enabled versions used in the commercial espionage industry which enable the radio only periodically both for practical reasons (it has to be self powered off a USB bus and thus it wouldn't make sense for it to be active constantly) and to make it less detectable. Whenever the buffer fills up, it switches on the radio and pushes the file to a ftp server of your choice via your local friendly GSM cellular provider. I've noticed the latter is a trend which many vendors of spy tools are picking up (case in point I saw a wall socket which I presume replaces a standard 110VAC outlet in the home and remains a functional outlet, but behind the unit there is a little module which has a high gain mic and can be 'called' - no doubt a further refinement would be to use G729 or similar to compress the audio captured and send it over 3G or LTE digitally whenever its buffer fills up. If you think about it, a few hours of ambient room noise could be transmitted in twenty seconds or so - and if you aren't listening for it during that window then you won't find it in a sweep unless you're employing other techniques like thermal scanning etc).

Nick P • July 17, 2014 3:06 PM

@ Thoth

Prospects and Problems on Open, Secure Hardware Development

I'm sitting on a lot of designs. There are actually many open hardware models that can be turned into a functional computer on FPGA or ASICs with *relatively* little cost. The problem is they aren't secure chips. There are routes to producing a secure system that's open or vetted. My shortcut is to basically throw existing work together into one compute processor, one I/O processor, a memory bus I.P., and a reference board that's easy to expand with functionality. These can be reused for about any major component in a larger system or network. The problem is that even one of the I.P.s can cost a considerable amount of money to prototype, verify, test on an ASIC batch, and put into production. Doing all in parallel would be necessary to smooth integration and it would cost even more.

Plus, as asdf28 pointed out, there is a demand problem. Funders can't justify building continuously at a loss unless they have deep pockets (eg government) that they're happy to empty. On top of that, if it is built there will be legal attacks such as patent suits. The Apple vs Samsung battles show the suits don't just cost money: they can actually take products off the shelf. It doesn't take NSA nudging such companies' shoulders to give them motivation to get rid of competition. That's why I also developed nearly patent free secure computing designs, but I'd still have to defend them at considerable cost. And their user and hardware interfaces lead to another problem.

Compatibility is usually a must for a successful product. There are standards, libraries, protocols, languages, and more that one must be compatible with to ensure take up. Those that developed systems that discontinued compatibility often took a huge loss on that or went bankrupt. I've pointed out previously that Intel tried to ditch x86 three times for more secure and modern designs. Two were total failures in the market, with the third in the process of dying. Despite the advantages, even people who gripe about x86 and build open source stuff wouldn't buy the alternatives that much because they didn't support some existing tech or practice. So, this is a *tremendous* obstacle to *all* future developments, secure or not. And let's just say compatibility and security often don't mix.

So, a lack of actual paying customers, high cost of hardware development, legal risk, and compatibility requirements combine to keep many from making secure or open hardware. Each of these has to become a small or non-issue before one has incentives for such development. Demand and compatibility can be knocked out by focusing on special-purpose systems (e.g. appliances) based on reusable hardware, which can optionally be redone with software of one's choice. The use of government or private grants might help on cost. Best solution to patent issues is to ensure your design can make a patent hoarder a lot of money and let them shield you in return. Hiding the I.P. in products can stall the attacks, as well, although reverse engineering firms have a great track record of helping patent holders deal with that. So, despite huge problems, there are potential solutions that give some hope it could be done.

Nick P • July 17, 2014 3:47 PM

@ Mike the Goat

This company sells the kind of keylogger we describe which can be embedded into a keyboard:

http://www.keelog.com/

This link is about building a tiny one with wireless transmission capability:

http://servv89pn0aj.sn.sourcedns.com/~gbpprorg/mil/keystroke/

It could be modified for your cellular design by adding something like this:

http://www.broadcom.com/products/Cellular/3G-Mobile-Platforms/BCM21553

Even more interesting are SoCs that combine a MCU/MPU, flexible I/O, and onboard baseband acceleration. Freescale recently EOL'd a chip like that. Such a chip could theoretically handle all the functions of both the keyboard and keyloggers. Anyone inspecting the keyboard would see just one chip. I can imagine a similar thing being done for the memory or I/O subsystems of a PC with an FPGA or dedicated ASIC. Although, NSA's approach of building that kind of thing into USB connector heads is pretty clever. ;)

Buck • July 17, 2014 9:23 PM

@Nick P

"Even more interesting are SOC's that combine a MCU/MPU, flexible I/O, and onboard baseband acceleration. Freescale recently EOL'd a chip like that."

I'm almost positive that you've probably posted this before, but would you happen to have a link handy??

Nick P • July 17, 2014 10:10 PM

@ Buck

I actually haven't posted it. Here is the old one I referred to. I'm not sure how many resources are left with cellular processing going on, but it's just pulling keystrokes we're talking about. Their modern offering is the QorIQ Qonverge B-series chips. The linked one is 64-bit, has DSP, and handles 4G.

Of course, the lowest grade one should do. That certain products have been EOL'd might provide a cheap supply of throw away cellular keyloggers, as well. ;)


Schneier on Security is a personal website. Opinions expressed are not necessarily those of Resilient Systems, Inc.