One way to detect hardware keyloggers

Sep 14, '07 07:30:00AM

Contributed by: lincd0

Hardware keylogging devices create serious issues for all security-conscious computer users. A hardware keylogger is a small, inconspicuous USB device that can be hot-plugged into any computer between the keyboard and the host controller. Some actually function as USB hubs that can be connected anywhere in the bus. A keylogger may be physically indistinguishable from a USB extension cable or some other innocuous device. Once installed, it automatically begins to capture all keystrokes into its internal NVRAM, which may be up to 2MB in capacity. The device is completely self-contained and platform independent, needing no software to operate apart from its own firmware. It works just as well on a Mac as on a Windows box.

The weakness of the hardware keylogger, at least the kind that's available on the open market, is that it's not remotely accessible. The attacker who installed it has to return to retrieve the device or the data. Therefore, if you detect the keylogger before the attacker comes back for it, you can defeat the attack. Physical detection isn't reliable, because as noted above the device may look just like a component you already have, such as an extension cable, or may be hidden inside a keyboard enclosure or out of sight behind a desktop computer. What you need is some sort of warning that the topology of the USB bus has changed unexpectedly.

While there is no perfect solution to this problem, it's easy to take a first step that will eliminate most of the threat. The POSIX utility system_profiler is the command-line equivalent of the System Profiler application that runs when you select "About This Mac" from the Apple menu, and click the "More Info..." button in the resulting dialog. The advantage of system_profiler is that it allows finer control over the output.

In a Terminal window, type or paste the following command:

system_profiler SPUSBDataType

When you press Return, you'll see a descriptive list of all USB devices connected to the host. It's the same information you get from System Profiler by selecting Hardware » USB. Save this output to a file with this command:

system_profiler SPUSBDataType > ~/.usb

This creates an invisible file named .usb at the root level of your home directory; you can change the name or the path to anything you like. Now suppose you come back to your Mac after it's been out of your sight for a while. Run the following command:

system_profiler SPUSBDataType | diff ~/.usb -

This will give you the difference, if any, between the saved state of the USB buses and their present state. (Note that the BSD package must be installed for this to work. It's installed by default in Mac OS X 10.4.x, but not in earlier versions.) If a USB device has been added or removed, you'll know. If there's no good reason for such a change to have taken place in your absence, you can investigate further.

Instead of having to retype these commands every time, you can use Automator to create a saved workflow, or the freeware CLIX to create a palette of saved POSIX commands. You will, of course, have to re-save the state of your USB buses whenever you make an intentional change, such as adding a storage device or replacing a mouse.
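A raw diff of two system_profiler listings also flags fields that change for harmless reasons, such as the current a device is drawing. The script below is an added example, not part of the original hint: it reduces two saved SPUSBDataType listings to each device's identity (name, Product ID, Vendor ID, Serial Number) and reports only devices that appeared or disappeared, so an extra hub sitting between the keyboard and the bus stands out. The two sample listings are constructed and abbreviated; the function names are my own.

```shell
#!/bin/sh
# Added example (not from the original hint): compare two saved
# "system_profiler SPUSBDataType" listings on device identity only (name,
# Product ID, Vendor ID, Serial Number), so that fields that legitimately
# fluctuate cannot mask a hub or device that was not there before.
# Reduce a listing on stdin to one "name|pid|vid|serial" line per device.
usb_identities() {
    awk '
        function emit() { if (pid != "") print name "|" pid "|" vid "|" ser; pid = vid = ser = "" }
        /^[ \t]*[^:]+:$/ { emit(); name = $0; sub(/^[ \t]+/, "", name); sub(/:$/, "", name); next }
        /Product ID:/    { sub(/^[^:]*: */, ""); pid = $1 }
        /Vendor ID:/     { sub(/^[^:]*: */, ""); vid = $1 }
        /Serial Number:/ { sub(/^[^:]*: */, ""); ser = $1 }
        END { emit() }'
}
# usb_diff BASELINE CURRENT: print added/removed devices; exit status 0 only if unchanged.
# Real use: system_profiler SPUSBDataType > /tmp/usb.now && usb_diff ~/.usb /tmp/usb.now
usb_diff() {
    b=$(mktemp) && c=$(mktemp) || return 2
    usb_identities < "$1" | sort > "$b"
    usb_identities < "$2" | sort > "$c"
    added=$(grep -vxF -f "$b" "$c" || true)     # in current, not in baseline
    removed=$(grep -vxF -f "$c" "$b" || true)   # in baseline, not in current
    rm -f "$b" "$c"
    [ -n "$added" ]   && printf 'ADDED:\n%s\n' "$added"
    [ -n "$removed" ] && printf 'REMOVED:\n%s\n' "$removed"
    [ -z "$added" ] && [ -z "$removed" ]
}
# Constructed, abbreviated sample listings: the keyboard on the bus directly...
baseline_listing() { cat <<'EOF'
USB:
    USB Bus:
        Apple Keyboard:
          Product ID: 0x0220
          Vendor ID: 0x05ac  (Apple Inc.)
EOF
}
# ...and later the same keyboard behind a hub nobody remembers adding.
current_listing() { cat <<'EOF'
USB:
    USB Bus:
        Hub:
          Product ID: 0x1234
          Vendor ID: 0x1234  (unknown vendor)
            Apple Keyboard:
              Product ID: 0x0220
              Vendor ID: 0x05ac  (Apple Inc.)
              Current Available (mA): 100
EOF
}
```

Because the comparison ignores the current-draw line, the second listing reports only the added hub, which is exactly the change worth investigating.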

[robg adds: As best as I can recall, the BSD Subsystem has always been installed by default (though it can be disabled) -- certainly at least since the days of 10.1; someone please feel free to correct me if I'm wrong.]

Mac OS X Hints
http://hints.macworld.com/article.php?story=20070913090237854