Malboard: A novel user keystroke impersonation attack and trusted detection framework based on side-channel analysis

Concealing malicious components within widely used USB peripherals has become a popular attack vector utilizing social engineering techniques and exploiting users’ trust in USB devices. This vector enables the attacker to easily penetrate an organization's computers even when the target is secured or in an air-gapped network. Such malicious concealment can be done as part of a supply chain attack or during the device manufacturing process. In cases where the device allows the user to update its firmware, a supply chain attack may involve changing just the device's firmware, thus compromising the device without the need for concealment. A compromised device can impersonate other devices like keyboards in order to send malicious keystrokes to the computer. However, the keystrokes generated maliciously do not match human keystroke characteristics, and therefore they can be easily detected by security tools that are designed to continuously verify the user's identity based on his/her keystroke dynamics. In this paper, we present Malboard, a sophisticated attack based on designated hardware concealment, which automatically generates keystrokes that have the attacked user's behavioral characteristics; in this attack these keystrokes are injected into the computer in the form of malicious commands and thus can evade existing detection mechanisms designed to continuously verify the user's identity based on keystroke dynamics. We implemented this novel attack and evaluated its performance on 30 subjects performing three different keystroke tasks; we evaluated the attack against three existing detection mechanisms, and the results show that our attack managed to evade detection in 83–100% of the cases, depending on the detection tools in place. Malboard was proven to be effective in two scenarios: either by a remote attacker using wireless communication to communicate with Malboard or by an inside attacker (malicious employee) that physically operates and uses Malboard. In addition, in order to address the evasion gap, we developed three different modules aimed at detecting keystroke injection attacks in general, and particularly, the more sophisticated Malboard attack. Our proposed detection modules are trusted and secured, because they are based on three side-channel resources which originate from the interaction between the keyboard, user, and attacked host. These side-channel resources include (1) the keyboard's power consumption, (2) the keystrokes’ sound, and (3) the user's behavior associated with his/her ability to respond to displayed textual typographical errors. Our results showed that each of the proposed detection modules is capable of detecting the Malboard attack in 100% of the cases, with no misses and no false positives; using them together as an ensemble detection framework will assure that an organization is immune to the Malboard attack in particular and other keystroke injection attacks in general.