 Keylogger video mouse how to turn your KVM into a raging key logging monster by Yannif Balmas. There has been a lot of work on keyloggers already so the question is what can be done or what can be achieved even more and this is what this talk is about. Yannif is a software engineer and professional in the security field. He mainly deals with analyzing malware and vulnerability research. So give a warm applause to Yannif Balmas. Thank you very much for coming to my talk. It's called Keylogger video mouse so how to turn your KVM into a raging key logging monster. Now a few words about the team who made this research. So first of all it's me, my name is Yannif Balmas and I'm... How's this? So my name is Yannif Balmas and I'm a security researcher. I work for Checkpoint Software Technologies and my colleague in this project is called Lior Ofenheim is also a security researcher and here is trying to understand what to do with the unpermitted and unfortunately he couldn't be here today but this research is much much owes him a lot for getting being done. So let's start with the problem. So our problem as many other computer science related problems it all starts with computers right. Well we have computers we have many computers we actually have a lot of computers you see and when we have a lot of computers then the thing is that each of one of these computers actually needs a set of keyboard video and mouse in order to operate right makes sense and the problem is that when we have a lot of these computers then we also have a lot of these keyboards a lot of these videos and a lot of these mice yeah and when a single user wants to work on several of these computers at the same time well this creates a big mess on his desk right there's all of a sudden a lot of keyboards and he doesn't know which keyboard goes to which computer and which monitor displays what right well it's a big problem and well some of you might be thinking that's that's not a new problem and that's really not a new problem and the solution to this problem is also not new at all and it's called a KVM now for those of you don't actually know what a KVM is so that's pretty simple keep the KVM simply stands for keyboard video and mouse right that's simple and its only purpose in life is to connect one or more sets of keyboard video and mouse I'm sorry to connect a single set of keyboard video mouse to one or more computers right well it all looks something like this you see you have two computers underneath your desk and their inputs and outputs are then connected to the KVM and the KVM in turn is connected to a single set of keyboard video mouse on your desk and then you can play your favorite video game or something like that and when you hear your boss creeping in the office you just manage to press the two button and whoa there you go you had a nice code on your desk and catastrophe is avoided and that's just as simple as that there are these are KVMs now where can we find those creatures those KVMs well we can find them in a lot of places we can find them on your desktops such as the example I just showed you before and another thing is that we can find them in your server wrecks you see a typical server wreck holds like something let's say eight nine ten servers yeah in order to physically manage those servers we must have some kind of KVM inside the track to make the server administrator's life a bit easier right so we do have KVMs in server wrecks and last but not least we have KVMs in very very secured environments and the reason for that is that in those environments we usually have a lot of networks and those networks are a lot of times segregated or even air gap from each other right and then again comes the problem the single user has to work on both of these networks and in order to do that he needs a KVM on his desk right this makes his life a lot easier and if I want to sum it all up then KVMs are pretty much everywhere everywhere I mean in every technologically rich environment you ever go to you'll probably find a lot of these creatures laying around all over the place well let's take a brief look at the KVM evolution along the years it all started off in the 1980s or 1990s with something that looks like this some of you might be familiar with this right it's commonly known as an A B switch right all it is it's a KVM but all it is is just a stupid analog box yeah it just connects the electronics from the A port to the keyboard video mouse when you switch the B port same goes for the B port and that's it a stupid analog box and that stupid analog box actually worked really fine for a lot of years I mean really a lot a lot of years but then came one one invention one small invention that changed the world of KVMs and I'm I'm specifically talking about USB keyboards you see when you have USB keyboards and those KVMs are simply not enough because they will work but when you switch ports then the USB needs to be connected to the computer and that like has some kind of two three seconds delay until the computer actually recognizes that USB so those KVMs now the modern KVMs need to needed to implement some kind of USB stack in order to support smooth transitioning between the ports right and that's where we met those KVMs those are modern KVMs they are really cool this is what we see on the desks of a lot of guys today and it supports a whole lot of inputs and a whole lot of outputs and it's really really cool it also looks sexy and then came the next evolution in KVMs and came those monsters those are called matrix KVMs they are absolutely monsters they have thousands and thousands of ports support stuff like KVM over IP and God knows what they're usually implemented in some kind of huge enterprises huge server rooms and stuff like that and that's it that's actually the last evolution of KVMs now we come to some kind of a conceptual problem you see because a lot of guys and when I say guys I mean system administrators, security administrators, security researchers, a lot a lot of guys still consider today's KVMs those modern KVMs as those same old stupid boxes same same old stupid analog boxes right well are they stupid boxes I mean let's take a look at some of the features modern KVM has look at this they have on-screen displays they have configurable web menus they have all kinds of stuff like this right well obviously those boxes are no longer stupid right obviously those boxes now run code yeah well we were thinking to ourselves okay so if those KVMs now run code then what can we do with them right and in order to answer that question I have another question for you what is the one common feature between all the features I've just showed you what is the one common thing that all KVMs share all the features has well the one common thing is that all these features actually require the KVM to be able to process keystrokes you see now when you enter a keystroke the KVM doesn't immediately send it to the computer it needs to first inspect it and see hey maybe this was a web menu option maybe this was some kind of hotkey combo maybe it was something maybe I need to deal with it and not the actual computer who is connected to it and only if the answer to that is no is false then it will pass this great keystroke to the computer right well you see the thing is that all we need to do is to just alter the execution flow just a bit you know and find some kind of free memory space in there take the keystroke store it there dump it later on when convenient to us and what do we got yes a keylogger a keylogger inside our KVM I mean think about it how cool is that I mean we know software keyloggers right software keyloggers run on the host this is not a software keylogger because there's no code running on on the computer the entire code is running inside the KVM and this also is not a hardware keylogger well because there's no special hardware nothing that I needed to come to the office and connect to your computer you connected a perfectly legit KVM to your computer and that's it you got a keylogger in there that would be incredibly hard to detect right well we thought that this is a great research subject and we started researching it in order to research that the first thing we need we need to do is to get a KVM so we went to the store next to our office and bought a sort of a KVM took the box went to the office and happily opened it and started unpacking it first thing we find in there is manuals it's cables it's warranties and a CD now that CD contain a few very interesting files one of them is called a firmware upgrade utility hmm and the other one very conveniently named firmware.bin okay we were thinking this is gonna be a bit too easy so we started looking at this firmware.bin file and we actually find out that this thing has a really high entropy levels so that practically means that it's either encrypted or compressed in some way that we can't really decompress so we were thinking okay both me and Lior the other guy that made this research we are both pretty experienced x86 guys so all we need to do is to reverse engineer the firmware upgrade utility yeah and what we were expecting to see is is that the firmware.bin file will be loaded yeah then it will be like decompressed and open and maybe we can find it however this utility is a huge utility it has thousands and thousands of functions it's a C++ code full of vTables really really a big mess and we didn't really want to deal with it but when we ran it in a dynamically in a debugger we saw the exact behavior that we expected it actually took this file send it to some kind of decompression function and then stored the output in some kind of memory range in there so we went to this memory range and what did we find there no challenge except yeah well we met a blob and this blob looks something like this right and this is its image representation looks nice let's see some of the properties of this bug a blob so first of all it's a 64k blob and that makes sense because 8-bit architecture 64k looks okay and then now this blob has really low entropy which again confirms our suspicion that it is now decompressed that's also good but it has completely not even a single string in it nothing at all nothing and that's we're expecting to see something some kind of word in there and having no strings at all is not so good for us but we go on and we make some kind of frequency analysis and of this and we try to match it to other film words and other assembly languages and stuff like that and well nothing even comes close we don't know what this blob is so the next thing we do is use our favorite tool in these cases bin walk yeah well for those of you are not familiar with bin walk it's kind of a tool that when you enter binary blob in there it will check it for signatures and known assemblies and known firmers and stuff like that but the thing is that bin walk in this example had zero results I mean I've never seen something like this actually zero results nothing at all nothing completely empty now we were sitting looking at ourselves looking at this blob and saying well I mean what can we do that we're gonna we're kind of lost here so that entire path of research was a complete failure and now we were thinking to ourselves again you know there's two options for us now one would be to go back to the firmware upgrade utility and reverse engineer the entire thing it will it will be specific job it will take us days weeks months I don't know but we don't really like it we don't really feel like doing it so the other thing we come up we come up with is maybe we can be a bit creative about it a bit innovative and in order for you to understand what I mean when I say innovative you must first understand how this firmware upgrade utility actually works how this firm upgrade process works well the thing is that you connect this kind of strange serial cable that you take from the from the box of the KVM you connect one side of it to the RS232 port of your computer and the other side goes into the KVM you run the utility and everything is upgrade upgraded the KVM is actually upgraded through the serial cable right so we were saying okay maybe we can download some kind of generic serial sniffing software and sniff the serial protocol there and then all we need to do is just to analyze to understand the serial protocol itself and hopefully now we will have the the firmware going into the device through the serial protocol right so that sounds also easy so challenge accepted we did just that so we started sniffing the serial protocol and we got an output that looks something like this now let's analyze this together just very quickly so first thing we see here that there's two type of messages the red messages are from the KVM and the yellow messages are sent to the KVM over the serial cable right and the first thing we notice is that each of these messages has some kind of fixed header to it right the hex value of it is 4655 which is the ASCII representation of FU all right so is anybody trying to tell us something here FU well yes actually they are trying to tell us something and that something is firmware upgrade right yes thank you thank you so feeling a bit amused about all this we went on with the analysis and the next thing we notice is there's something that looks really suspiciously like an opcode in here I don't know if you can see you probably can it goes like a 0 a 1 a 2 a 3 a 3 a 3 and almost all of this file is actually composed of the h3 messages so what this tells us that the first part here is some kind of serial handshake going on and the second part the big part is the data right and we are actually interested in the data part of it so we're going to take a closer look in this now and the thing about the data that the next thing we notice that there's some kind of sequence number in here you see it actually goes 0 1 2 3 4 5 6 up up until the end of the file whenever there's a retransmission the number repeats itself so it seriously looks like a sequence number and now we have it and the only thing missing now is something that we expect to see in every serial protocol around the world and that's some kind of error correction right and then we know this is that this less bite in all of the all of the messages is actually an accumulative XOR of all the bytes if you if you make an accumulative XOR of all the bytes you get this byte so this seriously looks like a checksum and we decided this is our checksum value and when keeping there's nothing more we can find keeping inspecting this no more buttons no more nothing so we figured out that that's it we got this string pretty much analyzed and all we need to do now in order to extract the firmware or the data from this serial protocol is just to first of all get rid of the handshake part which because it's really not interesting and then take a look at the data part then again get rid of all the serial related bytes and then put it all together and if we take a look at this then hopefully now we will have our firmware right guess who it's the same blob the exact same blob all this firmware upgrade utility did was just to take this blob and send it over the serial protocol into the device itself now the device is probably responsible of opening this but we had no way of knowing this and we can say that that is another great failure well again feeling a bit depressed about this we said well hey you know this thing this blob is passed into the device and then it's probably handled there right so the next logical step the only logical step will be to yes to open up the device this is how it looks like under hoods right now our first impression of this whoa that's like a lot of electronics in there we are software guys not hardware guys what do we do with this what can we do with this stuff and now we're feeling feeling really depressed and then a few whiskey shots later we say to ourselves you know obviously there's a lot of big chips in there so maybe we can Google them up we can try figure out what are these chips then maybe it will give us some kind of clue of what this thing is doing right so let's do this together now first thing we know this two really big chips in here they have the vendor name engraved on them completely no information about them in Google big black boxes we think they are asics just judging by the number of pins they have but we actually have no clue what they do and then we find another chip now this chip we do know what it is it's a PLD device now PLD for those of you don't know it stands for programmable logic device yeah that's something like you design your own you are your own circuit your own PC circuit and then you burn it into the the chip the PLD chip and then the chip runs your circuit right so we do know it's a PLD we have no idea what it's running and we don't know how to look for it so we left it alone for the for the moment and then we find something that we know it's RAM it's memory that's great it's also connected to something called a Dilech again something Dilech flip flop I flip flop I remember from my university days how is it all connected to the picture here I don't know yet but anyway that's a memory right and the last chip here was actually the most interesting chip of them all this chip is an 8052 processor right it's an Intel based chip it's the next version the advanced version the commercial version of another chip called 8051 it runs assembly and this assembly is called 8051 assembly right well now we're suspecting of this chip to be the brains behind this device but we actually don't know what's going on here yet and this actually got us pretty lost for some time and we tried figuring out how this all how this all put together what's going on here and the question is we do know the firmware upgrade comes in through this port this is the serial port I was talking about right and then where does it go to I mean it goes somewhere but where it can go into the 8052 chip right but it can also go into those big black boxes right and it can also go into another chips and it could be divided into chunks and each chunk goes into different chip we don't know we don't know what to do so what do we do when we don't know what to do well we use Google and when we use Google we found this very very interesting PCB in some kind of Russian KVM review site I have no idea why why anybody reviewing a KVM would need to look at the the PCB of it but they had a pretty good picture of it and you see there's something really interesting about this one this is like almost the exact same model as we have the only thing is that our model that the one that we are researching researching has four ports right and this one is eight ports eight ports right now look at this there's something really interesting about it those big black boxes I was mentioning before right now there's four of them yeah and those PLDs I was I mentioned before again two of them so double the ports double the chips why is that funny okay double the ports double the chips the thing that is not double the thing that is still single in here is the RAM and yeah you guessed it the 8052 chip this is a single chip so this now really smells like this thing is the brains behind this entire KVM right and now we would like to know how this 8052 chip gets upgraded it must get upgraded somehow but how so it turns out that each one of the 8051 8052 chips has an integrated UART port in them right UART stands for universal asynchronous received transmit some kind of generic serial protocol right and the thing is okay we know it has a UART but which IC pins which which of the chip pins are actually responsible for this upgrade well we can order we can answer this question pretty easily by just looking at the specs right so we open up the specs of this chip and we see this and it clearly states that these chips here you see the RX and TX pins are connected through portry of the chip to the UART port so these are our UART pins great now we only need to inspect what's going on in these pins in order to understand and to see the firmware hopefully coming into this chip challenge accepted so 30 to 45 China mail shipping days later we can finally use logic and this thing here again for those of you who are not familiar this is a logic analyzer okay what it does it just connects to the pins and you see the actual electronic signals going into these pins right they have these nice clips in there it actually comes with this great great postcard saying thank you for your awesomeness okay so we did just that we we plugged the pins into the UX into the RX and TX ports and this revealed the UART signals right it looks something like this you see RX and TX and the third one again why is this funny RX TX and the third one in case you were wondering is ground right in order for us to differentiate between zeros and ones and that's it using the awesome awesome UI of logic analyzer we have now we make the firmware upgrade process and we reveal the signals going into these pins into the chip during the firmware upgrade and we see stuff like this you see we see some kind of pattern here you see there's stuff going from the UART and the stuff going to the UART yeah and if we zoom out this picture for a second then we see an obvious obvious pattern I mean this stuff is going to the UART you see and this stuff is going from the UART so it goes from the UART to the UART from the UART to the UART again this seriously looks like a protocol right so we take all the signals that we could gather from this UI and we just put them in the right order and yeah somebody is laughing what do we find here? Yeah it's the same serial protocol so what thank you I mean the thing what's going on here is that the serial protocol is connected to the KVM and then the lines go directly into the 8052 chip right so again everything is probably decoded inside the chip itself so now we need to you know to some kind of chemicals and to open the chip and no we don't want to deal with that so this is now a great failure right or is it? I mean yeah it is a great failure but there is something that we know now that we didn't know before the thing that we know now is that this thing this blob that we see must be actually translated somehow into 8051 assembly yeah now we know the destination language of this chip which that we see right so this give us some kind of hint here and what we can try and do as I said yeah and what we can try and do is to try and break this code and break this obfuscation because obviously it's an obfuscation it's not encrypted the entropy levels are low so we are expecting to see an obfuscation and maybe now since we know the destination language maybe we can try and break it so challenge accepted let's try to do that let's take another look at our blob not sure if you remember it it looks something like this now for those of you who has really really good eyesight you might have noticed that the end of this blob is actually composed of the same hex value see in this case 53 53 53 so when we see stuff like this what we do what we do yeah we usually do an XOR operation on that right and what we expect is that somebody did an XOR operation and the original thing was one of two things either a knob sled just a lot a lot of knobs or a zero padding just a lot of zeros and luckily in our case 8051 knob is zero so we just need to XOR this thing with 53 and that's it we get this really nice blob that looks like this still no strings no nothing but you know what let's give it a try let's try opening it open in it in IDA in our disassembler and try to do disassemble it as 8051 code and see what we get yes we get assembly code that that is perfect we are really happy now and we're going to our office and starting to you know reverse engineers and try to understand what it's doing and like just two or three minutes later we meet up at the kitchen again and say to ourselves hey something here is no not not so not so good and you see let let me show you an example you see here the last two instructions move a r6 move a r6 now i'm not i'm not a big a big genius about 8051 but maybe they need to perform the same operation twice in order to make sure it works well no the answer is obviously no so we have a feeling of what's going on here so we made a little test we took calc.exe which is obviously an x86 code right and we tried to disassemble it as 8051 assembly and what do you know again we got proper assembly oh okay so this starts to look a bit strange so what we did in order to verify our assumption is take this picture of a cat and load it into IDA as 8051 assembly and what do you know proper assembly yeah there's functions there's everything here and that's thank you now this is the moment that we actually realize that if you really try hard enough everything is 8051 assembly okay okay let's let's let's be serious again now back to our blob back to step one or maybe square two because we decided to keep the x-hole operation because it looks like something good to do but the thing now that again those of you with good eyesight might have noticed that the last eight bytes of this blob are actually different yeah but what are they what are those bytes are they a clue yeah is this some kind of clue left to us by an mad embedded developer what can we do with them well the first thing that comes to mind is error correction yeah they they are in the end of the file so maybe there are some kind of error correction so we take take these bytes and try to check them for check some crc addler and d5 a lot of other error corrections and no nothing even comes close so it's probably not an error correction at least not a known one and then we understand that up till now we've only looked at one version of the firmware right and we can take a look maybe at the last eight bytes of a lot of firmware upgrade firmware version because the vendor lets us just download however firmware how many firmware versions that we want so these are all the eight bytes from a lot of different versions right they are all different and look at this something here just it looks strange you see because look at this the byte a1 appears 17 times right this is not random there's some some kind of data in here we just need to understand what it is but how how do we do this so this is this was actually the eureka moment for our project what we decided to do is to write those eight bytes just next to the firmware version version right so this is from the 3.3.3.1.2 and whatever right and look at this there's some kind of obvious pattern in here in here you see the byte 99 appears three times in here and the number three appears three times in here right and and the byte a1 appears twice here and then the number four appears twice here well also the number one appears twice but we actually know it's four because it's actually consistent throughout the entire table right so we got some kind of mapping between bytes and the number in the version right well is there a pattern here right what what can we do maybe if we you know list you know the digits that we see one and the hex value that we see 89 this is our mapping and the binary values maybe this will give us some kind of clue right look at this look at the binary values there's an obvious pattern here this part here is fixed and this part here is not and not only that it's not fixed but it's it's some kind of counter right look at this one two three four binary counter right and then we're thinking to ourselves wait a counter well why is it counter what is it doing in the middle of the bytes here it should be in the right hand so let's shift it or rotate it to the right by three and when we did this this is what we got and this is the x values of this binary value and for those of you or ASCII foo is a bit lacking then yes these are the same ASCII values as the digits right so all we need to do is to take this blob and rotate its entire bytes by three eight chunks of bytes by three and what do we get we get this right this looks much better this looks like strings now we are so happy about it but looking about this a bit more the strings they don't look exactly right look look at this look at this example this is like an you know alphanumeric string yeah it's just in the wrong or although and and I mean take take a look at this again this is the same string that we saw before right there's some kind of shuffling going on here and if you stare at this long enough you'll understand that this shuffling is going on in chunk of eight bytes let me explain this a bit better these are the chunk of eight bytes right and the bytes are actually not in the order but only within the same chunk now look at this yep the byte a is in the right the a is in the right place the a the i and the q now the g the o and the w needs to be moved from the second position to the seventh position and this goes on and on and on and it's it's consistent to our the entire blob right so what we got ourselves is some kind of permutation table and if we'll apply this permutation table on the entire blob what will we get yes assembly proper assembly this is our firmware yes thank you thank you now it's not it's not over yet you know usually when we do reverse engineering of x86 so the first thing we do is load it up in a disassembler and the funny thing is in hardware the last thing that you do is open the load open it in a disassembler so it was really from here it was really fun and now this is 8051 assembly so all we need to do is to understand 8051 so we can now actually design our own custom firmware if we can understand this and all we need to do is just to understand 8051 and for those of you who don't know we prepared a short review of 8051 assembly the thing is that it has only 25 255 opcodes and around 40 instructions really a pretty pretty easy assembly to learn the thing is that functions in this assembly are not really functions code jumps into the middle of functions and from the middle of functions a whole lot of spaghetti code we didn't really understand and then there's only a single memory access register whenever you want to access memory you store it in this register and then move the memory big big mess and then registers for summaries and keep changing in the middle of the of the code of the execution that's because there's some kind of register banks that's a nice idea but anyway we gave this one and a half stars out of five x86 is still much better in our opinion and that's it once we have this understood this we can properly analyze this this code and this is a screenshot from IDA from our disassembler and it presents the main function of this KVM now it's divided into a few interesting parts one is HID parsing now HID stands for human interface device right this is what we were looking for this is where the actual keystrokes are being processed and then this place here processes hotkeys like if you press some kind of hotkey it switches the port and stuff like this and this part here actually controls the leds of the keyboard like the leds for some functionalities it has to flash the leds and you know stuff like this and then this part was the really interesting part you see this part is a keyboard emulation so this is where we understand that this KVM is not simply imitating a keyboard it is a keyboard it is emulating a keyboard do you understand I mean this means that we can actually put some kind of rubber ducky inside our KVM it's an actual keyboard right this is amazing we can type whatever keystrokes we want into into the machine right so we prepared a little demo and if you don't understand the implications I will show it to you now so we have two networks two air gap networks one would be an internet connected network and the other would be an air gap network 100% secure as this sticker says now a lot of people a lot of engineers work days and nights in order to secure those environments and keep them totally separated from each other by doing a lot of interesting stuff and they did it really nicely but the thing is that in the end of the day a user needs to work on both of these networks right and if there's a user there are computers and if there are computers there are videos and mice and keyboards and the user is again frustrated so he goes to his purchasing department and purchases a KVM right and when he did that then he doesn't need those two sets of keyboard video mouse and only needs one now his life is easy right so what will happen if this KVM is malicious if it contains our malicious fumer we can this this KVM can wake up in the middle of the night right just in the middle of the night and start typing on the user password on the internet connected connected network right now some of you might be asking yourself wait the computer is password protected how does he know the password and I ask you back well how do you enter your password to your keyboard yes so the KVM already knows this it types in the password and then it performs like a wget or something and gets the malicious virus from the cloud from the internet into the internet connected computer now that's perfect persistency right look at this there's nothing you can do in order to prevent this attack I mean you can reformat your hard vibe you can switch your computer and again as long as the KVM is there every night you will get infected again and again right this is cool but this is not but this is not cool enough because we we want to get into the air gapped network so what we did is design a very special special malware which what it does when it's ran on the computer it actually replicates itself and when it replicates itself it then starts typing itself into the into the computer and when doing this our agents our agent get these keystrokes and passes this malware into the memory into the memory of the KVM then he very casually switches the ports and retypes this malware into the other network and so we got now two malware's two of the same hours in the in both of the networks and effectively bridging the gap between those networks those are not no longer air gapped networks right air gapped networks so this is what we did and now we have a I have a little demo for you hopefully it will work I'm holding my fingers I'll put this down for a second I'll keep using this okay so what you see now is the output of the attacked computer right I have here two computers one is the attacker the internet connected one and the other one is the attack the air gapped network computer right and they are only connected through this KVM I have on the desk no other connections between them only through a KVM right now look at this this is the attacker computer I just need to run my malware here let me just lock the screen let's see what will happen he woke up no hands whoa now the thing is that well you're laughing but this is actually a really neat trick that we so we actually needed to type the binary into the attacked computer right and the way to do that is to use base 64 and what we use this set utility which is a default utility that comes with any windows installation and we just type the base 64 of our malware into this yeah we save it as a text file and then decoded and then we got a binary actually actual binary on the on the computer now it's not a big file but it will take a bit to work so if anyone has any jokes no okay it will finish soon 20 more minutes come on come on okay looks like it's gonna finish soon I could have but this is a live demo man give me some respect for that that's it we have our text file and now yeah and the certificate into encoded dot txt go on go on now search it till decodes it into decoded dot bin which is our malicious file very malicious and now we run it and yes thank you very much thank you very much so ergap network are not really ergap as you thought if you have a kvm connected to them and if i'm lucky enough there's one more thing my malicious software knows how to do let's see if it works back to our presentation so i'm running out of time so let's do it quickly so what are the attack vectors so some of you might be asking yourself hey hey you need to have physical access to the kvm and that's right i needed to have physical access to the kvm still with physical access we have a few attack vectors that are really reliable one of them would be you know just give me 30 seconds alone with your kvm and that's it and the other one would be let's attack the supply chain yeah the seller of the seller of the seller that sells you the kvm we can just switch it and you get a malicious kvm right out of the box that's nice and that's been known to be done before now however there are many kvms not the one that we researched that are being upgraded through ip and if they are upgraded to ip then theoretically we can exploit the same thing remotely that will be really really cool to do and it is possible and the thing is that kvms are really not exploit proof i mean just googling it up a bit diesel cvs are related to kvms that are upgraded via ethernet and via ip so it is it is really possible just it was our out of our scope of research to do now what can you do you know to protect yourself from these kind of attacks first of all know your environment that's the best suggestion i can give you i mean sometimes it's not necessary to connect a really secured computer to a non-secured computer through a kvm and if it's not required then please please remember this and don't do this but sometimes of course it's unavoidable and you need to do this and if you do this know that there are some other creatures called secured kvms now those creatures look like this and they actually close all of our of our attack servers they they don't let us do anything from what we shown the thing is that those devices cost like a hundred times more than normal kvms and i actually know very very few people who actually buy this stuff right so if you do need to connect something really really important then you might consider buying one of these and the last thing is being innovative and by being innovative i mean we sat down and we thought a bit about you know what we what can we do in order to protect against this what we came up with is a nice idea it's not perfect but it's nice what we do is place we wrote a small agent that you can place on your computer and this agent actually logs keystrokes it doesn't log the keystrokes themselves but the statistics and what it looks for is some some some deviation from the normal statistics right the thing what we did here is type a lot a lot a lot of keystrokes really really fast that's that's that's a deviation right so if we detect some kind of deviation like not using backspaces or the intervals between the characters are really really small then something weird is going on and all we need to do is just to pop a message box and that's what this will fuck up the entire exploitation process that's a nice idea you might have better ones but we did it with the help of our colleague draw draw rapper port thanks to all and that's about it guys that's my presentation thank you thank you thank you very very much for this very entertaining and fun presentation so if you have any questions come to the microphones here is one and there is one and ask your questions you can also ask them via the internet uh there i think they're also questions on the internet so maybe we start here with you the other ones who are like leaving this room please be quiet because there is still a question and answer session here so please be quiet while leaving this room thank you okay your question this doesn't work i can give is it on yeah so now thank you very much for the talk very great my question is how much time did you need to achieve this goal how many days weeks or is there a number it's a good question because we worked on it like on and off so overall it took us like i think six months but it's not a straight job yeah just like with pigs okay thank you question over here i could think of just another attack surface because if you're even if your kvm doesn't update over the internet if it has usb for keyboard and mouse and not ps2 then maybe you could even flash a new firmware just by exporting some usb functionality like bad usb thank you this is my next research okay a question from the internet um yeah we got a few questions one is can you upgrade the kvm why the connected usb keyboard like um just typing in just a dongle or something like that not that i know of and also another question what are the black boxes in the uh slides some people ask for that i still don't know thank you but but they they probably has a something to do with uh with the outputs right i think there are video chips related to video chips or some something like this thank you over here again um you said you could like copy the code you got over the internet um over in a night um how one how long would it approximately take to type in the code it depends on the timer of the kvm and how long how long is the intervals between the key strokes so it varies between one type of kvm to the other this kvm is pretty slow and if you want to download a big executable i'm guessing that something like 30 minutes okay but there are other kvms it might take five minutes or even less okay thanks and over there again um i wonder whether you have thought about implementing um bi-directional communication for example by flashing the keyboard LEDs uh we thought about it and we even tried to do something but we couldn't really make anything it will be really cool if we if we could do and another question from the internet um two questions um the black boxes was meant as the chips the black balls boxes was meant for the censorship of the images i'm sorry can you repeat the question i didn't understand you had some images on the hex dump and the people were asking why was it censored ah that's the vendor name okay another question is there any way to shut down the internal keyboard or is this a core feature no that's a feature of the kvm okay um is it possible to emulate a virtual ethernet device via the kvm so you could really make a bridge between those air gap networks whoa um i've saw something very similar very similar talk at defcon this year uh we couldn't do it uh i would be really happy to try and do something like this but we didn't try okay thanks are there any more questions i can't see anybody so thank you again jenif very very much giving a warm applause