Hello,
I'm doing research on novel attack vectors, and I came across Adrian Crenshaw's very clever use of a HID to attack a (seemingly) well-protected PC. The gist of it is that you can present a dedicated piece of hardware as a HID (a regular keyboard), store the data to be output (scripts, whatever) on said hardware, and have it output that data as actual keyboard keystrokes into the computer. Read more about it here.

Assuming a computer has been hardened, and no USB devices other than, say, a keyboard, mouse and printer have been allowed to interface with the computer in any way, using the PHUKD is a very effective way to attack the system, seeing as you can't really protect a system from its primary source of input.

Additionally, a piece of hardware such as the PHUKD could extract data from a system with relative ease. Even if the PHUKD isn't recognised as a mass storage device, one could, for instance, "write" a program on the system which transmits binary data through "Caps Lock morse", that is, interprets binary data and sends it out as Caps Lock presses. (A keyboard knows that it has Caps Lock on because the computer continuously tells it so.) The PHUKD could then interpret the Caps Lock presses as binary data and save it in internal storage. Additionally, one could simply "write" the data to the HID driver, but I consider this relatively trivial to block.

Getting to the point, I've been thinking of ways to defend a system from a PHUKD-style attack. So far, I've come up with several possible solutions, each with its own key flaw:

1) Statistical analysis of input and output: One of the most obvious, yet without a doubt the most challenging, ways I could think of for protecting a system from a malicious HID is to perform statistical analysis of the user's input behaviour, with the goal of recording and analysing activity times and typing patterns.

This is problematic, however, because a PHUKD can be very flexible. One could attempt to mimic regular user keyboard activity, in that information isn't typed robotically, with equal intervals between keystrokes. Furthermore, one could perform some simple social engineering (as shown in the article) and perform the initial attack during a victim's active hours. Furthermore, such a form of defence might be a major inconvenience to the user. The more rigid a defence one might put up in statistical analysis, the less accepting the system would be of any user other than its regular one. This downside is further emphasised when it comes to multi-user systems. In such cases, statistical analysis might never actually establish a user activity pattern, rendering the whole approach totally useless.

2) Standardisation of keyboard hardware: In this approach, all keyboards would have to be digitally signed, in some manner that can't be counterfeited. I'm thinking of something along the lines of an interface with a smart card, going maybe as far as having to "log in" to a keyboard before you can use it, and having the HID drivers force a keyboard to authenticate with the OS prior to interacting with it.

The downside of this approach is that creating a new line of "secure keyboards" doesn't sound like it can happen in the near (or distant) future. Additionally, said keyboards might be hackable, rendering them rather pointless (obviously, the smarter a system is, the more attack vectors it opens up to itself).

Anyway, this is all I could come up with in order to protect a system. A combination of these two forms of defence MIGHT prove effective at slowing down a PHUKD attacker, and even reveal a sloppy one at that.

What do you guys have to say about this? I'd be very happy to hear comments and suggestions.
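The Caps Lock exfiltration channel described in the post, as an added simulation that is not part of the original post and not code from Crenshaw's PHUKD project. The host side turns a payload into a schedule of Caps Lock LED states and presses the key only when the state has to flip; the device side reconstructs the LED state from those toggles and recovers the bytes. The slot clock, the sync word, the CRC-8 polynomial and the "presses per window" threshold of the defender's check are all assumptions made for illustration:

```python
"""Simulation of the Caps Lock LED covert channel (constructed example).

A program running on the host encodes bytes as Caps Lock key presses; the
host echoes the resulting LED state back to every attached keyboard, so a
malicious HID can sample it and recover the bytes. Slot timing, sync word
and CRC polynomial are assumptions, not a real implementation.
"""

SYNC = bytes([0xAA, 0x7E])   # assumed: alternating bits for alignment, then a flag byte
IDLE_SLOTS = 8               # assumed: idle (LED off) slots sent around each frame


def crc8(data: bytes, poly: int = 0x07) -> int:
    """CRC-8 (poly 0x07) so the device can reject corrupted or falsely synced frames."""
    crc = 0
    for b in data:
        crc ^= b
        for _ in range(8):
            crc = ((crc << 1) ^ poly) & 0xFF if crc & 0x80 else (crc << 1) & 0xFF
    return crc


def frame(payload: bytes) -> bytes:
    """SYNC | length | payload | crc8(length + payload)."""
    if len(payload) > 255:
        raise ValueError("single-frame payload limited to 255 bytes")
    body = bytes([len(payload)]) + payload
    return SYNC + body + bytes([crc8(body)])


def to_bits(data: bytes) -> list:
    return [(b >> i) & 1 for b in data for i in range(7, -1, -1)]


def from_bits(bits) -> bytes:
    return bytes(int("".join(map(str, bits[i:i + 8])), 2) for i in range(0, len(bits) - 7, 8))


def host_led_schedule(payload: bytes) -> list:
    """Desired Caps Lock LED state per time slot (1 = on), one bit per slot."""
    return [0] * IDLE_SLOTS + to_bits(frame(payload)) + [0] * IDLE_SLOTS


def host_presses(schedule, initial_state: int = 0) -> list:
    """Slots in which the host must press Caps Lock: only where the state has to flip."""
    presses, state = [], initial_state
    for slot, want in enumerate(schedule):
        if want != state:
            presses.append(slot)
            state = want
    return presses


def device_samples(presses, n_slots: int, initial_state: int = 0) -> list:
    """What the HID sees: LED state per slot, reconstructed from the toggles."""
    state, out, press_set = initial_state, [], set(presses)
    for slot in range(n_slots):
        if slot in press_set:
            state ^= 1
        out.append(state)
    return out


def device_decode(samples):
    """Locate the sync word, then read length, payload and CRC. None if no valid frame."""
    sync_bits = to_bits(SYNC)
    n = len(sync_bits)
    for start in range(len(samples) - n + 1):
        if samples[start:start + n] != sync_bits:
            continue
        pos = start + n
        if len(samples) < pos + 8:
            break
        length = from_bits(samples[pos:pos + 8])[0]
        need = 8 * (1 + length) + 8          # length byte, payload, crc
        body_bits = samples[pos:pos + need]
        if len(body_bits) < need:
            break                            # frame runs off the end of the capture
        body = from_bits(body_bits)
        if crc8(body[:-1]) != body[-1]:
            continue                         # bit error or false sync; keep scanning
        return body[1:-1]
    return None


def suspicious_caps_rate(press_slots, slot_ms: int = 50, window_s: float = 10.0,
                         max_presses: int = 4) -> bool:
    """Defender's check: humans press Caps Lock rarely, so count presses per sliding window."""
    times = [s * slot_ms / 1000.0 for s in press_slots]
    j = 0
    for i, t in enumerate(times):
        while times[j] < t - window_s:
            j += 1
        if i - j + 1 > max_presses:
            return True
    return False


def roundtrip(payload: bytes):
    """Host encodes, device samples and decodes; returns the recovered payload."""
    schedule = host_led_schedule(payload)
    presses = host_presses(schedule)
    return device_decode(device_samples(presses, len(schedule)))


if __name__ == "__main__":
    secret = b"hunter2"
    print(roundtrip(secret), suspicious_caps_rate(host_presses(host_led_schedule(secret))))
```

The point of the sync word and CRC is that the device never has to be told when a frame starts; it just watches the LED. The rate check at the end is the kind of host-side telemetry that catches this channel cheaply: a human toggles Caps Lock a handful of times an hour, while even a slow 20 baud frame produces dozens of toggles a minute. An attacker can slow the channel down below the threshold, but that lengthens the exfiltration accordingly.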
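The typing-pattern analysis of solution 1, as an added example that is not part of the original post. It reduces a stream of key-down timestamps to two features, sustained keystroke rate and the coefficient of variation of the inter-key intervals, and flags a window as scripted when either is outside what a human produces. The thresholds, the window size and all sample timestamps are assumptions constructed for illustration; the mixed sample also shows the post's caveat, since an injector that replays human-like intervals at human speed passes unflagged:

```python
"""Keystroke cadence analysis against a scripted HID (constructed example).

Thresholds and sample data are assumptions for illustration, not measured values.
"""
from statistics import mean, pstdev

MIN_KEYS = 30                 # assumed: judge cadence only on bursts this long
MAX_HUMAN_KEYS_PER_S = 15.0   # assumed: above any sustained human typing speed
MIN_HUMAN_CV = 0.15           # assumed: human inter-key intervals vary more than this


def intervals_ms(timestamps_ms):
    return [b - a for a, b in zip(timestamps_ms, timestamps_ms[1:])]


def cadence_features(timestamps_ms) -> dict:
    """Keys in the burst, mean rate in keys/s, and CV of the inter-key intervals."""
    iki = intervals_ms(timestamps_ms)
    if len(iki) < 2:
        return {"keys": len(timestamps_ms), "rate": 0.0, "cv": 0.0}
    m = mean(iki)
    return {
        "keys": len(timestamps_ms),
        "rate": 1000.0 / m if m > 0 else float("inf"),
        "cv": pstdev(iki) / m if m > 0 else 0.0,
    }


def classify(timestamps_ms) -> str:
    """'too-fast', 'too-regular', 'plausible', or 'insufficient' for short bursts."""
    f = cadence_features(timestamps_ms)
    if f["keys"] < MIN_KEYS:
        return "insufficient"
    if f["rate"] > MAX_HUMAN_KEYS_PER_S:
        return "too-fast"
    if f["cv"] < MIN_HUMAN_CV:
        return "too-regular"
    return "plausible"


def first_alert(timestamps_ms, window: int = MIN_KEYS):
    """Index of the first keystroke whose trailing window is not plausible, else None."""
    for i in range(window - 1, len(timestamps_ms)):
        if classify(timestamps_ms[i - window + 1:i + 1]) != "plausible":
            return i
    return None


def _cumulative(iki_ms, start: int = 0) -> list:
    """Turn a list of inter-key intervals into absolute key-down timestamps."""
    t, out = start, [start]
    for d in iki_ms:
        t += d
        out.append(t)
    return out


# Constructed samples (assumed, not recorded from real users or a real dongle).
HUMAN_IKI = [180, 95, 240, 130, 310, 88, 160, 205, 140, 420,
             110, 175, 260, 99, 150, 330, 120, 185, 210, 145]
HUMAN = _cumulative(HUMAN_IKI * 3)                                   # ~5 keys/s, CV ~0.45
INJECTED_FAST = _cumulative([20] * 60)                               # payload typed at 50 keys/s
INJECTED_JITTER = _cumulative([150 + (i % 3) * 5 for i in range(60)])  # human speed, near-constant
INJECTED_MIMIC = _cumulative(HUMAN_IKI * 3, start=50_000)            # replays recorded human timing
# A human session followed by a 2 s pause and then a fast injected burst.
MIXED = HUMAN + [HUMAN[-1] + 2000 + 20 * (i + 1) for i in range(60)]


if __name__ == "__main__":
    for name, sample in [("human", HUMAN), ("fast", INJECTED_FAST),
                         ("jitter", INJECTED_JITTER), ("mimic", INJECTED_MIMIC)]:
        print(name, classify(sample), cadence_features(sample))
    print("mixed stream first alert at key index", first_alert(MIXED))
```

`first_alert` is the form this would take in a host-side monitor: evaluate the trailing window on every key event rather than whole sessions, so a burst injected in the middle of a real session is caught as soon as the window fills with injected keys. The mimic sample is the limitation the post raises: once the dongle replays realistic intervals, rate and regularity no longer separate it from the user, and only the slower exfiltration speed has been gained.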