WE KNOW WHAT YOU TYPED LAST SUMMER

Meet Lumberjack.

Lumberjack is a keylogger that utilizes accelerometer data to recognize and record keystrokes on any keyboard. Small and discreet acceleration sensor underneath a keyboard send data to a seemingly innocuous receiver plugged into the wall. This processor will use sophisticated machine learning and natural language processing to output keystrokes and complete sentences.

Why?

In the new age of startups and Silicon Valley entrepreneuring, security is paramount. Pentesters and security contractors make enormous sums of money training employees to avoid phishing, to use secure passwords, and to enforce secure coding practices. However, the idea of physical security is much less emphasized, especially in smaller organizations. Lumberjack attempts to highlight potential physical security flaws and is a tool that thorough pentesters can use to emphasize the idea of physical security. By including physical hardware in our product, we hope that pentesters will be able to get physical access to key machines in an organization to collect all keystrokes at that machine in an undetected manner. This product is incredibly valuable for infiltrating airgapped machines and for gaining initial access to secure networks that sophisticated software-based keyloggers may not be able to infiltrate. Lumberjack's innocuity is an ideal tool for pentesters to teach the value of physical awareness and knowledge of one's surroundings.

Our eventual goal is to create a counterdefense for Lumberjack that can defeat the accelerometer-based data collection. Creating some program or device that can disrupt the accelerometers via RF signal when one is typing has a major potential as a standard issue for high-security systems. Creating a wireless jammer as a possible method for defeating the system will be an important step to highlighting physical security in all organizations.

Competitive Analysis

Commercial USB Keyloggers

USB keyloggers can only be used with USB keyboards, while Lumberjack can be used with any keyboard, including a laptop. Furthermore, an accelerometer pad hidden under a laptop is more subtle and less likely to be detected by an uninformed user, compared to a USB-connected device. Finally, many keyloggers simply store the keystrokes to the device itself, and the device must be physically retrieved. Lumberjack will feature streaming of the keystrokes, utilizing Wi-Fi and a virtual file system to enable remote access of the keystroke data. Thus, Lumberjack will never need to be physically retrieved and will allow the keystrokes to be viewed in near-real time.

Acoustic Data Based Keyloggers

Much research has been conducted on keyloggers that utilize acoustic data, using the differing tones of keystrokes to classify which key is being pressed. Unlike acoustic keyloggers, our product could be used in a variety of settings, including commonly noisy ones. Accelerometer data is prone to less outside interference, and its accuracy should have little variance based on location.

Phone Gyroscope Based Keyloggers

In 2011, researchers at Georgia Tech published preliminary research showing how a hijacked phone sitting near a keyboard could pick up distinct keystrokes using the phone's accelerometer. The researchers were able to get an impressive 80% accuracy just by using an iPhone several inches away. Lumberjack's data will come from directly beneath the keyboard rather than from a nearby phone and thus will have better accuracy of detected keystrokes. Plus, by bypassing the need for a phone, an attacker or pentester need not create a rootkit for the phone of their target. One only needs physical access once in order to begin collecting accurate keystroke data.

Requirements

  1. The system shall consist of 2 acceleration sensors, a BLE peripheral, and a data processing receiver.
  2. The acceleration sensor units shall collect acceleration data from key presses on the keyboard they are placed underneath.
  3. The acceleration sensor units shall communicate over I2C to a BLE peripheral chip that will forward the data to the data processing receiver.
  4. The accelerometers and BLE peripheral will be powered with a lithium ion battery.
  5. The data processing receiver shall use machine learning algorithms to link the accelerometer data to specific keystrokes.
  6. The data processing receiver shall use language processing algorithms to further refine accuracy of the inferred keystrokes.
  7. The data processing receiver shall gather text and create files that can be transferred via WiFi.
  8. The data processing receiver shall be powered by a typical wall outlet at 120 volts.
  9. The keystroke data files shall be received by our server via WiFi and stored in a MySQL database instance.
  10. The keystroke data files stored in the database shall be retrievable via a web interface or mobile app.
  11. The system should provide over 50% accuracy when all components are fully functioning.
  12. The system should discern whether a user is typing with over 90% percent accuracy.
  13. The system shall be durable to failures of one acceleration sensor and should continue providing 30% accuracy with only one functioning sensor.

Architecture

Our system consists of 3 functional components: the under-keyboard data collection components, the receiver and processing box, and the remote database. Two acceleration sensors and a BLE peripheral module will be placed in a cardboard chassis that can be secured underneath a victim's keyboard. These three components are powered by a single lithium-ion battery, as each of these components is intended to be low power and discreet. For the acceleration sensors, we created our own breakout boards for each of our two accelerometers, in order to easily spread them out underneath the keyboard. These boards are wired directly to the RedBear BLE Nano module for communication over I2C, where we will determine whether the the accelerometer data is significant; that is, the BLE Nano will only send data that it belives to be part of a keystroke. This is accomplished by using a pre-set threshold for the accelerometers' Z-axis data: if a sample's Z-axis data is significantly higher or lower than this threshold, then we queue this data sample to be sent. The BLE Nano will send its data using the Bluetooth Low-Energy protocol to our processing box, implemented by a RaspberryPi 3. The Pi will receive the accelerometer data and run a classification program that attempts to match the three-axis values with discernable keystrokes. We use a support vector machine to classify data based on whether the keystroke occurred on the left or right of the keyboard, as well as whether the keystroke occurred in the top, middle, or bottom rows. Once the Pi has classify each keystroke it received, it can coalesce these keystrokes into words that it guesses from a supplied dictionary. This dictionary can be swapped out to support different contexts and languages, since our algorithm classifies over keystrokes. Finally, the Pi will send its top 5 guess as to what words were typed, and it will send its guesses over WiFi to a database, located on a remote server. Users will be able to retrieve this data using a web interface, which can be found here.

Below are our PCB design for one accelerometer and photos of our finished PCBs and full under-keyboard rig.

Use Cases

We intend for this product to be used only by trained penetration testers and security researchers. We care very much about everyone's right to privacy, and our research and our product are made to emphasize the importance of physical security and awareness of one's surroundings. We understand that our product and our research may be used by "black hat" or other nefarious purposes to invade on people's private conversations, and we hope to release countermeasures against our exploits that can offer physical security improvements for everyone.

Interaction Diagram

Components

QuantityPart NameUse
2 LIS331HH Accelerometers: ultra low power with 16-bit output
1 RedBearLabs nRF51822 Bluetooth Low-Energy chip: for sending data from the accelerometers
1 Lithium Ion Battery - 850 mAh Power source for accelerometers and BLE transmitter
1 Raspberry Pi 3 Receives accelerometer data and performs keystroke classification

The Team

Nick Kosarek

Hardware & UI Designer

  • Little Jazz Boy
  • never spoils Game of Thrones
  • no Chicago accent

Zach Newman

Bluetooth LE Expert

  • Passionate Loverâ„¢
  • overly fond of goats
  • here's wonderwall

Cortney Padua

Firmware Designer

  • likes fuzzy stuff
  • always wears that purple color
  • believes in friendship

Kiran Pandit

Machine Learning Expert

  • killing the Fitbit game
  • doesn't really understand pizza
  • hates the word "plethora"