Brute force used to crack a key logger’s security code

The USB device seen plugged in on the right of this image was found in between the keyboard and USB port of the company computer belonging to a Senior Executive. [Brad Antoniewicz] was hired by the company to figure out what it is and what kind of damage it may have done. He ended up brute forcing an unlock code to access the device, but not before taking some careful steps along the way.

From the design and placement the hardware was most likely a key logger and after some searching around the Internet [Brad] and his colleagues ordered what they thought was the same model of device. They wanted one to test with before taking on the actual target. The logger doesn’t enumerate when plugged in. Instead it acts as a pass-through, keeping track of the keystrokes but also listening for a three-key unlock code. [Brad] wrote a program for the Teensy microcontroller which would brute force all of the combinations. It’s a good thing he did, because one of the combinations is a device erase code hardwired by the manufacturer. After altering the program to avoid that wipe code he successfully unlocked the malicious device. An explanation of the process is found in the video after the break.

29 thoughts on “Brute force used to crack a key logger’s security code

  1. Interesting! However, I’m not sure what they might have expected to find on the keylogger. After all, the only thing stored on it would be the keystrokes of the executive.

    Since the device is useless unless/until you retrieve it, it would have been better for them to quietly leave it in place an put in a motion-sensitive camera to catch the culprit if/when he/she returns to collect the device.

    1. Unlocking it and viewing the keystrokes would allow them to determine when it was attached, narrowing down the list of suspects.

    2. They should also do this. Mostly likely though they blew the chance when someone walked around asking everyone WTF is this.

  2. ” A colleague scoured the Internet and notified me he found a very similar device manufactured by a company who specializes in hardware keystroke loggers.”

    They are not very good at forensics, 3 seconds with google goggles or taking a photo and uploading it to google images would have given them several hits of where to buy one and lots of other information.

    1. But what if the conspiracy goes all the way to the top? If Google was behind the key logger then you wouldn’t want to use Google and show your hand.

      LOL, I agree though. Sounds like a great description to justify your pay check to the people hiring you. :D “I went through each line in the document and stored it permanently on the hard disk so that it could be retrieved at a later date”… AKA I pressed Save.

      1. It’s the next step after Google Streetview called Google Everything, where they strive to collect any data about everything everywhere and make it searchable by anyone!

  3. This is awesome! I agree with mohonri — they should’ve kept a dummy device there, along with a hidden motion-sensitive camera active when the exec was out of his office. Then we find out the janitor got a big bribe =)

      1. Actually, the thief would have the plausible deniability argument of “I thought I dropped a coin behind this desk” or something similar. If he/she actually went to obtain the device and was caught red-handed, then that would be much more solid evidence.

      1. Then if Janitor-Bill (as an example) is seen checking the device but returns it to gather more data, fill it with a detailed 1-sided conversation about how the hit men have already been paid $80,000 to kill Janitor-Bill, and he doesn’t seem to suspect a thing. A few one-sided jokes about how he should get a friend to start his car, sleep with 1 eye open, or get an official food taster, and let him sweat for a week before busting him.

      2. @Jay,
        Unfortunately in today’s litigious environment, Bill’s lawyer(s) could sue the employer for employee harassment, and spying on employees or whatever, and probably get away with it.

        B^)

  4. Thanks everyone for the interest in the blog post! just one quick point of clarification – Mike Spohn was actually the person assigned to the project and really should be given credit for all the *real* work – my contributions were all after the fact. Thanks again for picking up the post and all the great comments!

  5. give em some three-key key strokes to try out that trigger something on the screen like turns on a web cam showing himself live on the screen and a still photos of him accessing the keyboard being taken of him, then an email client opens and emails the photos to “attention IT security, unathorized access attempted” and the keyboard is locked out when it does this, but he can see but not stop it.
    He’d shattner his pants !!

  6. The ohmmeter also indicated the devices had resistive/capacitive (RC) characteristics due the obvious RC time constant resistance behavior. At this point, I knew the device was not passive – it has an electronic brain.

    WOW! A Capacitor for a brain! C’mon Watson, how do you deduce that?
    I *almost* quit reading the OSR report at this point!

    1. There would be no reason for a bypass capacitor unless there were active circuitry inside. It is a completely reasonable deduction.

  7. Forensics 1 / Anti-Forensics 0…

    Offensive/defensive Anti-Forensics for your Anti-forensics, offensive/defensive forensics for your forensics.

    What a wonderful place this turned out to be!

  8. Is it illegal to wire it to the mains and wait for a body to appear one day on the floor next to the PC with their hand wrapped around the logger?

  9. It was probably an IT guy hooking this logger up.

    Just saying, not likely someone else is going to sneak into the exec’s office and plant something on his computer – at least not unnoticed.

    1. Why would IT need to hook up a key logger? They already have everything they need to either reset, guess or crack his password. Plus likely IT has admin rights so they could technically push a software keylogger to the machine for pesky encrypted files.

  10. Basically the Rube Goldberg method of forensics. All this brute forcing and investigation was entirely pointless compared to setting up a camera to catch whoever collected it. Meanwhile the culprit returned to retreive the device, saw that it was missing and knew to lay low.

  11. No need to spycams etc. Just disable the port after filling with dummy data and planting a http.company.com/intra/secret_prototype.html to the logger and montor who stmbels at the tripwire.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s