Brute force used to crack a key logger’s security code

The USB device seen plugged in on the right of this image was found in between the keyboard and USB port of the company computer belonging to a Senior Executive. [Brad Antoniewicz] was hired by the company to figure out what it is and what kind of damage it may have done. He ended up brute forcing an unlock code to access the device, but not before taking some careful steps along the way.

From its design and placement, the hardware was most likely a key logger, and after some searching around the Internet, [Brad] and his colleagues ordered what they thought was the same model of device. They wanted one to test with before taking on the actual target. The logger doesn’t enumerate when plugged in. Instead it acts as a pass-through, keeping track of the keystrokes while also listening for a three-key unlock code. [Brad] wrote a program for the Teensy microcontroller which would brute force all of the combinations. It’s a good thing he tested first, because one of the combinations is a device erase code hardwired by the manufacturer. After altering the program to avoid that wipe code, he successfully unlocked the malicious device. An explanation of the process is found in the video after the break.

Comments

  1. mohonri says:

    Interesting! However, I’m not sure what they might have expected to find on the keylogger. After all, the only thing stored on it would be the keystrokes of the executive.

    Since the device is useless unless/until you retrieve it, it would have been better for them to quietly leave it in place and put in a motion-sensitive camera to catch the culprit if/when he/she returns to collect the device.

  2. fartface says:

    “A colleague scoured the Internet and notified me he found a very similar device manufactured by a company who specializes in hardware keystroke loggers.”

    They are not very good at forensics, 3 seconds with google goggles or taking a photo and uploading it to google images would have given them several hits of where to buy one and lots of other information.

    • Jay says:

      But what if the conspiracy goes all the way to the top? If Google was behind the key logger then you wouldn’t want to use Google and show your hand.

      LOL, I agree though. Sounds like a great description to justify your pay check to the people hiring you. :D “I went through each line in the document and stored it permanently on the hard disk so that it could be retrieved at a later date”… AKA I pressed Save.

    • Alex Rossie says:

      It was my first result when I searched keylogger, my first search, ahah

  3. Jon says:

    This is awesome! I agree with mohonri — they should’ve kept a dummy device there, along with a hidden motion-sensitive camera active when the exec was out of his office. Then we find out the janitor got a big bribe =)

    • Garret says:

      no need to leave it installed, just wait for someone digging behind the computer for it.

    • Robot says:

      They should have filled the dummy device with a lot of “interesting” keystrokes. Troll the spy.

      • Jay says:

        Then if Janitor-Bill (as an example) is seen checking the device but returns it to gather more data, fill it with a detailed 1-sided conversation about how the hit men have already been paid $80,000 to kill Janitor-Bill, and he doesn’t seem to suspect a thing. A few one-sided jokes about how he should get a friend to start his car, sleep with 1 eye open, or get an official food taster, and let him sweat for a week before busting him.

      • Ren says:

        @Jay,
        Unfortunately in today’s litigious environment, Bill’s lawyer(s) could sue the employer for employee harassment, and spying on employees or whatever, and probably get away with it.

        B^)

  4. supershwa says:

    Awesome hack!

  5. Thanks everyone for the interest in the blog post! Just one quick point of clarification – Mike Spohn was actually the person assigned to the project and really should be given credit for all the *real* work – my contributions were all after the fact. Thanks again for picking up the post and all the great comments!

  6. Justin Case says:

    Give him some three-key key strokes to try out that trigger something on the screen, like turning on a web cam showing himself live on the screen and still photos of him accessing the keyboard being taken of him; then an email client opens and emails the photos to “attention IT security, unauthorized access attempted”, and the keyboard is locked out when it does this, but he can see but not stop it.
    He’d shattner his pants !!

  7. Galane says:

    I hope they handled it with gloves to preserve any fingerprints on it the person who plugged it in may have left.

  8. wowme@wtf.com says:

    “The ohmmeter also indicated the devices had resistive/capacitive (RC) characteristics due to the obvious RC time constant resistance behavior. At this point, I knew the device was not passive – it has an electronic brain.”

    WOW! A Capacitor for a brain! C’mon Watson, how do you deduce that?
    I *almost* quit reading the OSR report at this point!

  9. Forensics 1 / Anti-Forensics 0…

    Offensive/defensive Anti-Forensics for your Anti-forensics, offensive/defensive forensics for your forensics.

    What a wonderful place this turned out to be!

  10. Dave says:

    Is it illegal to wire it to the mains and wait for a body to appear one day on the floor next to the PC with their hand wrapped around the logger?

  11. M4CGYV3R says:

    It was probably an IT guy hooking this logger up.

    Just saying, not likely someone else is going to sneak into the exec’s office and plant something on his computer – at least not unnoticed.

    • Daniel says:

      Why would IT need to hook up a key logger? They already have everything they need to either reset, guess or crack his password. Plus likely IT has admin rights so they could technically push a software keylogger to the machine for pesky encrypted files.

  12. Bob Thing says:

    Basically the Rube Goldberg method of forensics. All this brute forcing and investigation was entirely pointless compared to setting up a camera to catch whoever collected it. Meanwhile the culprit returned to retrieve the device, saw that it was missing and knew to lay low.

  13. yorak says:

    No need for spycams etc. Just disable the port after filling it with dummy data and planting a http.company.com/intra/secret_prototype.html in the logger, and monitor who stumbles at the tripwire.
