Scarfo "keylogger", PGP

Phil Karn karn at ka9q.net
Fri Oct 19 12:32:56 EDT 2001


All through this case, the FBI has been very cagey on whether the key
logger was implemented in hardware or software (or firmware).

Until recently I had thought the hardware approach more likely. It's
easy to install a bug in the keyboard cable, and such devices already
exist on the market.

But one passage in this affidavit caught my attention: 

  Recovery of Output 13. In order to recover the output of the KLS, it
  was necessary to gain physical access to the computer. A total of five
  surreptitious entries into Scarfo's place of business were made. On
  four of those occasions, the computer in question was found to be
  inoperative or not present. On only one of those conditions was the
  computer in question found to be present and in working order

A hardware device would have been easy to install even if the computer
wasn't "operative" (as long as it was actually there). This strongly
suggests that the logger consisted either of software modules hacked
into Windows, or possibly a hack to the BIOS firmware.

If it was done as a Windows software hack, that raises the question of
why so many keystrokes were captured -- especially if the search warrant
was only for his PGP passphrase.

They probably already had a copy of his encrypted secret key ring from
an earlier search. So a good programmer could have written the
intercept routine to test the keystrokes in real time, saving them
only if they constituted the correct pass phrase. This could be done
either by looking for the keystrokes that typically precede the
entering of the passphrase, or by continually testing a "window" of
the last (1,2,...N) typed characters regardless of context. The former
would work in a command line environment, the latter might be
necessary in a GUI.

The real-time testing would have to be done without raising suspicion,
i.e., by noticeably lengthening the computer's response time. It would
be interesting to see how fast such a routine could run on a typical
PC.

Still, the software/firmware approach does have the advantage of being
less easily detected by a naive user than a hardware "bug". The
average Windows user wouldn't have a clue as to how to look for
cleverly hacked DLLs or system programs.

However, if one does suspect a software "bug", then the
countermeasures are pretty obvious. This would certainly explain the
FBI's reticence to disclose the details. Tripwire-like mechanisms,
improved physical security (e.g., keeping a laptop in a safe) and
using IR motion detectors to silently log physical intrusions into the
vicinity of the computer would all complicate the FBI's job.
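The "Tripwire-like mechanisms" mentioned above come down to one idea: record a cryptographic digest of every system binary while the machine is believed clean, keep that baseline somewhere the machine itself cannot quietly rewrite, and later compare. The following is an added example written for this page, not code from the post, from Tripwire, or from any FBI tooling. It builds a baseline of SHA-256 digests for files with watched suffixes, then reports which files were changed, added or removed; the directory tree and file contents in `demo()` are constructed for the example.

```python
import hashlib
import json
import tempfile
from pathlib import Path

# Suffixes a naive Windows user would never inspect by hand but a checker can.
WATCHED = (".dll", ".exe", ".sys")


def hash_file(path: Path) -> str:
    """SHA-256 of a file's contents, read in chunks so large binaries are fine."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path, suffixes=WATCHED) -> dict:
    """Record digest, size and mtime for every watched file under root.

    Only the digest is decisive: a modified file can have its size and
    timestamp restored, but not its SHA-256.  Size/mtime are kept as hints.
    """
    baseline = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix.lower() in suffixes:
            st = path.stat()
            baseline[path.relative_to(root).as_posix()] = {
                "sha256": hash_file(path),
                "size": st.st_size,
                "mtime": int(st.st_mtime),
            }
    return baseline


def dump_baseline(baseline: dict) -> str:
    """Serialise the baseline for storage off the machine (or on signed media).

    A baseline kept writable on the same disk is worthless: whatever replaced
    a DLL could just as easily rewrite the baseline entry for it.
    """
    return json.dumps(baseline, sort_keys=True, indent=2)


def verify(root: Path, baseline: dict, suffixes=WATCHED) -> dict:
    """Compare the current tree against the baseline and classify differences."""
    current = build_baseline(root, suffixes)
    changed = sorted(
        p for p in baseline
        if p in current and current[p]["sha256"] != baseline[p]["sha256"]
    )
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    return {"changed": changed, "added": added, "removed": removed}


def demo() -> dict:
    """Constructed scenario: a small fake system directory, then tampering."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "system32").mkdir()
        (root / "system32" / "kbd.dll").write_bytes(b"original keyboard driver")
        (root / "system32" / "crypt.dll").write_bytes(b"original crypto provider")
        (root / "system32" / "shell.exe").write_bytes(b"original shell")
        (root / "readme.txt").write_bytes(b"ignored: not a watched suffix")
        baseline = build_baseline(root)

        # Simulated tampering: one module altered in place (same second, so
        # mtime alone would not catch it), one dropped in, one removed.
        (root / "system32" / "kbd.dll").write_bytes(b"original keyboard driver + hook")
        (root / "system32" / "hook.dll").write_bytes(b"new unexpected module")
        (root / "system32" / "shell.exe").unlink()
        return verify(root, baseline)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Two caveats a practitioner would add: the checker must run from trusted media (a booted CD or a separate machine reading the disk), since a hooked system could lie to a checker running under it; and a file-level check says nothing about the BIOS-firmware variant the post also raises, which needs a firmware dump or a trusted-boot measurement rather than a scan of the filesystem.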

Anybody have any other ideas?

Phil



---------------------------------------------------------------------
The Cryptography Mailing List