Artificial intelligence is being used to mimic a victim’s keyboard user-behaviour characteristics on compromised USB keyboards, automatically generating and sending disguised malicious keystrokes.
Ordinarily, maliciously generated keystrokes can easily be detected as they do not typically match human typing. However, Malboard attacks use AI to autonomously generate commands in the user’s style, inject the keystrokes as malicious software into the keyboard and evade detection. Microsoft, Lenovo and Dell keyboards were used in the research.
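As an added illustration (not code from the BGU research or from any of the products named in this article), the Python below shows the kind of timing check that catches conventional scripted keystroke injection: it flags bursts that are faster or more regular than a person types. The thresholds, function names and sample bursts are assumptions constructed for the example.

```python
from statistics import mean, pstdev

# Assumed thresholds for illustration only; a deployed detector tunes them per user.
MIN_MEAN_GAP_MS = 35.0  # sustained typing faster than this is implausible for a person
MIN_CV = 0.15           # people show timing jitter; scripted injection is near-uniform

# Constructed sample data: gaps or timestamps (ms) of key-down events.
HUMAN_GAPS = [180, 95, 240, 130, 310, 150, 88, 205, 170]
FAST_SCRIPT = list(range(0, 60, 5))       # one key every 5 ms
PACED_SCRIPT = list(range(0, 1200, 100))  # fixed 100 ms delay between keys


def timestamps_from_gaps(gaps_ms, start_ms=0):
    """Turn a list of inter-key gaps into absolute key-down timestamps."""
    stamps = [start_ms]
    for gap in gaps_ms:
        stamps.append(stamps[-1] + gap)
    return stamps


def gap_stats(timestamps_ms):
    """Return (mean gap, coefficient of variation) for a burst of key-down events."""
    gaps = [b - a for a, b in zip(timestamps_ms, timestamps_ms[1:])]
    avg = mean(gaps)
    cv = pstdev(gaps) / avg if avg > 0 else 0.0
    return avg, cv


def classify_burst(timestamps_ms, min_keys=8):
    """Label a burst 'human', 'injected' or 'insufficient' (too short to judge)."""
    if len(timestamps_ms) < min_keys:
        return "insufficient"
    avg, cv = gap_stats(timestamps_ms)
    if avg < MIN_MEAN_GAP_MS:
        return "injected"  # faster than a person can sustain
    if cv < MIN_CV:
        return "injected"  # machine-regular rhythm
    return "human"


if __name__ == "__main__":
    for name, burst in [("human", timestamps_from_gaps(HUMAN_GAPS)),
                        ("fast script", FAST_SCRIPT),
                        ("paced script", PACED_SCRIPT)]:
        print(f"{name:12s} -> {classify_burst(burst)}")
```

A check of this kind looks only at timing, so it cannot judge a burst whose gaps follow the user's own distribution, which is why the researchers turn to side-channel measurements for detection.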
The Ben Gurion University in Israel reports Dr Nir Nissim, head of the David and Janet Polak Family Malware Lab at Cyber@BGU, and a member of BGU's Department of Industrial Engineering and Management, explaining: "In the study, 30 people performed three different keystroke tests against the tested evasion against three existing detection mechanisms including KeyTrac, TypingDNA and DuckHunt. Our attack evaded detection in 83 percent to 100 percent of the cases. Malboard was effective in two scenarios: by a remote attacker using wireless communication to communicate, and by an inside attacker, such as an employee, that physically operates and uses Malboard."
The attack and detection mechanisms were developed as part of the master’s thesis by Nitzan Farhi, a BGU student and member of the USBEAT project at the BGU Malware Lab.
"Our proposed detection modules are trusted and secured, based on information that can be measured from side-channel resources, in addition to data transmission," Farhi says. "These include (1) the keyboard's power consumption; (2) the keystrokes’ sound; and (3) the user's behaviour associated with his or her ability to respond to typographical errors."
"Each of the proposed detection modules is capable of detecting the Malboard attack in 100 percent of the cases, with no false positives," Dr. Nissim adds. "Using them together as an ensemble detection framework will ensure that an organisation is immune to the Malboard attack as well as other keystroke attacks."
The BGU researchers plan to expand work on other popular USB devices, including computer mouse user movements, clicks, and duration of use. They also plan to enhance the typo insertion detection module and combine it with other existing keystroke dynamic mechanisms for user authentication since this behaviour is difficult to replicate.
Coincidentally, the news comes the week after it was revealed on SC Media that Microsoft is moving from passwords to biometric/behaviour based identification of employees on its network.
Jake Moore, cyber-security specialist at ESET, commented that this is what many have feared for years regarding AI. "The more data comes in, the more accurate the machine learns to produce authentic emails, which in turn can be used criminally. Spear-phishing attacks have been used for years but the biggest issue for threat actors is that it can take vast amounts of time in communicating with the victim. Using AI will, of course, reduce the amount of human interaction in such attacks and therefore will increase the number of attacks on inboxes. Naturally, the big question is how should we evade such intelligent attacks. Well, there is still much to be said for timing, use caution opening it or communicating. Or better still, request further verification on unknown emails or communications out of the blue."
In a separate, unrelated development, Sophos reports how researchers at Cambridge University can now listen to the interaction between your fingers and the screen to discover what you’re typing on your smartphone. A recent paper, Hearing your touch: A new acoustic side channel on smartphones, demonstrates what the researchers describe as: "The first acoustic side channel attack that recovers what users type on the virtual keyboard of their touch-screen smartphone or tablet."
When users tap out numbers and letters on a smartphone’s virtual keyboard, it generates a sound wave that travels both on the surface of the screen and in the air. The location of the user’s finger on the screen distorts the wave, and the microphone on the mobile device picks up this distortion, enabling an algorithm to "hear" what the user typed.
To make it work, the researchers use machine learning to train their algorithm using around 21 hours of audio recordings of finger taps. They tried out the attack with 45 participants in a real-world environment, using both an Android tablet and an Android smartphone. On the smartphone, they tried listening to four-digit PIN codes and were able to retrieve the correct codes 61 percent of the time within 20 attempts.
On the tablet, they successfully retrieved nine codes between seven and 13 characters in length in 50 attempts.
Despite this moderate success, the approach is not currently seen as a real-world threat, as attackers would need to install malware on the device AND get access to the device’s microphone. As the Sophos blog points out, if an attacker is running malware on your smartphone, you’ve got a lot more to worry about than whether it can listen to what you’re typing.
Also, results are affected by air temperature, and an additional glass layer on top of the screen could absorb most of the finger impact, making an effective countermeasure.