Supply Chain Council of European Union | Scceu.org

Hardware Supply Chain Compromise in Human Interface Devices: Nozomi Networks + Hydro Quebec Joint Research

To build the compromised keyboard, the PCB had to be replicated. Instead of embedding the USB controller (Figure 4), only the connections to the plastic membrane layers were reproduced, which made it easy to wire them to the Raspberry Pi.

As seen in Figure 3, the keyboard matrix is organized into 8 rows and 18 columns, so 26 connections (for the 26 letters of the English alphabet) need to be mapped into the Raspberry Pi GPIOs. The Raspberry Pi Zero has exactly 26 configurable GPIOs, so it was a perfect choice for this application.

Figure 5 shows the complete keyboard with the 26 jumper wires running from it into the Raspberry Pi's GPIOs. From the Raspberry Pi, only one USB cable is connected to the PC, so the operating system detects only the "fake" HID generated by the Raspberry Pi. Once the USB cable is connected, the Raspberry Pi sends a set of predefined inputs (i.e. PowerShell commands) that are executed on the target machine. Plugging in the compromised keyboard just once is sufficient for the malicious payload to start executing on the target machine; afterwards the Raspberry Pi proxies the user's real keystrokes read through its GPIOs, so the keyboard keeps working normally and the compromise remains undetectable to the user.

Of note, the purpose of this research study is to focus on the best ways to detect compromised HIDs in multiple attack scenarios, which is why we decided to use visible hardware outside of the keyboard. One important step in our roadmap is to build hardware small enough to be placed inside the keyboard, ensuring that the malicious components are completely hidden.

Findings


Below, Figure 6 shows the output of the lsusb (list USB devices) command before the malicious keyboard is connected to the PC, while Figure 7 shows the output of lsusb after the malicious keyboard is connected. In Figure 7 the compromised keyboard, connected to the PC via the Raspberry Pi, is listed as a legitimate device, because the name and serial number the device reports can be freely chosen. Last but not least, only one additional HID is present, confirming that the extra hardware is invisible to the operating system and lowering the chances of detection by an operator.
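The before/after comparison in Figures 6 and 7 is essentially a baseline diff of the USB device list, which can be automated. The script below is an added illustration, not code from the Nozomi Networks or Hydro-Québec research: it parses two listings in the plain lsusb output format and reports devices that appeared (or disappeared) relative to a known-good baseline. The two listings are constructed sample data; the ffff:0001 "Example Corp. USB Keyboard" entry is a placeholder standing in for a device that reports a legitimate-looking name, not an identifier from the research.

```python
"""Detect newly enumerated USB devices by diffing two lsusb listings.

Added illustration; not part of the Nozomi Networks / Hydro-Quebec write-up.
The two listings below are constructed sample output in the format that
`lsusb` prints (Bus/Device/ID vendor:product description).
"""
import re
from collections import Counter

# One lsusb line: "Bus 001 Device 003: ID 046d:c31c Some Vendor Some Product"
LSUSB_LINE = re.compile(
    r"^Bus (?P<bus>\d{3}) Device (?P<dev>\d{3}): ID "
    r"(?P<vid>[0-9a-f]{4}):(?P<pid>[0-9a-f]{4})\s*(?P<desc>.*)$"
)

# Constructed baseline listing taken before the keyboard is connected.
BASELINE = """\
Bus 002 Device 001: ID 1d6b:0003 Linux Foundation 3.0 root hub
Bus 001 Device 002: ID 0bda:8153 Realtek Semiconductor Corp. RTL8153 Gigabit Ethernet Adapter
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
"""

# Constructed listing after plugging the device in. The extra line carries a
# placeholder vendor/product ID and a description chosen to look like an
# ordinary keyboard, mirroring the "looks legitimate" point in the findings.
AFTER = """\
Bus 002 Device 001: ID 1d6b:0003 Linux Foundation 3.0 root hub
Bus 001 Device 004: ID ffff:0001 Example Corp. USB Keyboard
Bus 001 Device 002: ID 0bda:8153 Realtek Semiconductor Corp. RTL8153 Gigabit Ethernet Adapter
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
"""


def parse_lsusb(text):
    """Return a Counter keyed by (vid, pid, description).

    Bus and device numbers are dropped on purpose: they change on every
    re-plug or reboot, so comparing them would alert constantly. A Counter
    (multiset) keeps duplicates, so a second device that copies the ID and
    name of an existing one still shows up as an addition.
    """
    devices = Counter()
    for line in text.splitlines():
        m = LSUSB_LINE.match(line.strip())
        if m:
            devices[(m["vid"], m["pid"], m["desc"].strip())] += 1
    return devices


def new_devices(baseline_text, current_text):
    """Devices present in the current listing but absent from the baseline."""
    added = parse_lsusb(current_text) - parse_lsusb(baseline_text)
    return sorted(added.elements())


def removed_devices(baseline_text, current_text):
    """Baseline devices that disappeared, e.g. the original keyboard being
    swapped for a look-alike rather than added alongside it."""
    gone = parse_lsusb(baseline_text) - parse_lsusb(current_text)
    return sorted(gone.elements())


if __name__ == "__main__":
    for vid, pid, desc in new_devices(BASELINE, AFTER):
        print(f"NEW USB device {vid}:{pid} {desc}")
    for vid, pid, desc in removed_devices(BASELINE, AFTER):
        print(f"MISSING USB device {vid}:{pid} {desc}")
```

On a real host the baseline would be captured once per machine and the current listing read from `lsusb` output; the ID-and-name key is deliberately weak evidence on its own, since the write-up shows those fields can be set to anything, so an added entry is a trigger for a physical check of the port, not proof of compromise, and a swapped (rather than added) device is only caught by the removed-device check.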
