Study: Keyboards Could Be Easily Bugged

Keyboards and other devices plugged into computers could be easily bugged to covertly transmit passwords or other sensitive data, researchers warned today.

University of Pennsylvania Associate Professor Matthew Blaze proposes calling the devices JitterBugs, for both the way they transmit stolen data in "jittery" chunks by adding nearly imperceptible processing delays after a keystroke and for the "jitters" such a bug could inspire in anyone with secure data to safeguard.

The threat, which has not actually been realized in the real world, was outlined by Penn graduate student Gaurav Shah, who presented his work recently at the USENIX Security Conference in Vancouver, B.C., where it was designated the "Best Student Paper" by conference organizers.  

Internet Security Poll | Great Inventions | Great Minds

As proof of the potential problem, Shah and his colleagues built a functional keyboard JitterBug with little difficulty. The work was funded by the National Science Foundation's Cybertrust program.

"This is spy stuff," Shah said. "Someone would need physical access to your keyboard to place a JitterBug device, but it could be quite easy to hide such a bug in plain sight among cables or even replace a keyboard with a bugged version. Although we do not have evidence that anyone has actually been using JitterBugs, our message is that if we were able to build one, so could other, less scrupulous people."

JitterBug devices are conceptually similar to keystroke loggers, such as the one famously used by the FBI to gather evidence against bookmaker Nicodemo Scarfo, Jr.  

But keystroke loggers have to be installed into a subject's computer and then physically retrieved. A keyboard JitterBug only needs to be installed.  The device itself sends the collected information through any interactive software application where there is a correlation between keyboard activity and network activity, such as instant messaging, SSH or remote desktop applications.  

The bug leaks the stolen data through short, virtually unnoticeable delays added every time the user presses a key, Shah and his colleagues explained.

Internet Security Poll | Great Inventions | Great Minds

A JitterBug could not log and transmit every touch of the key due to limited storage space on the device, but it could be primed to record a keystroke with a particular trigger.

"For example, one could preprogram a JitterBug with the user name of the target as a trigger on the assumption that the following keystrokes would include the user's password," Shah said.  "Triggers might also be more generic, perhaps programmed to detect certain typing patterns that indicate some sort of important information might follow."

Blaze worries about a "supply chain attack," in which a large number of JitterBugged keyboards hits the market.  

Efforts to thwart JitterBugs, assuming anyone ever tries to make them, could involve the use of cryptographic techniques to hide the use of encoded jitter channels.

"We normally do not think of our keyboard and input devices as being something that needs be secured; however, our research shows that if people really wanted to secure a system, they would also need to make sure that these devices can be trusted," Shah said.  "Unless they are particularly paranoid, however, the average person does not need to worry about spies breaking into their homes and installing JitterBugs."