Hardware Supply Chain Compromise in Human Interface Devices: Nozomi Networks + Hydro Quebec Joint Research

To build the compromised keyboard, the PCB had to be replicated. Instead of embedding the USB controller (Figure 4), only the connections of the plastic layers were replicated, making it easier to connect them to the Raspberry Pi.

As shown in Figure 3, the keyboard matrix is organized in 8 rows and 18 columns, so 26 connections (for the 26 letters of the English alphabet) must be mapped into the GPIOs of the Raspberry Pi. The Raspberry Pi Zero has exactly 26 configurable GPIOs, so it was a perfect choice for this application.

Figure 5 shows the complete keyboard with the 26 jumper wires coming from it and entering the GPIOs of the Raspberry Pi. From the Raspberry Pi, only one USB cable is connected to the PC, so operating systems will only detect the “fake” HID generated by the Raspberry Pi. Once the USB cable is connected, the Raspberry Pi sends a set of predefined inputs (i.e. PowerShell commands) which will be executed on the target machine. Plugging in the compromised keyboard just once causes the malicious payload to begin running on the target machine, allowing the Raspberry Pi to transmit keystrokes through its GPIO, with the keyboard remaining undetectable.

It should be noted that the purpose of this research study is to focus on the best ways to detect compromised HIDs in multiple attack scenarios, which is why we decided to use hardware visible to the eye on the exterior of the keyboard. An important step in our roadmap is to create hardware small enough to fit inside the keyboard, ensuring that malicious components are completely hidden.

Results

Figure 6 below shows the output of the list-USB command lsusb before the malicious keyboard is connected to the PC, while Figure 7 shows the output of lsusb after the malicious keyboard is connected to the PC. Figure 7 lists the compromised keyboard, connected to the PC via a Raspberry Pi, as legitimate because its name and serial number can be modified or created. Last but not least, only one additional HID is present, confirming that the additional hardware is invisible to the operating system and reducing the chance of detection by an operator.
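
A defender-side check built on the before/after lsusb comparison above, as an added example that is not part of the original research: it diffs two lsusb snapshots by count rather than by name, so an extra device is reported even when it presents the same vendor/product ID and name as a keyboard that is already attached. The device IDs and names in the sample snapshots are constructed, and the function names are this example's own.

```python
import re
from collections import Counter

# One line of plain `lsusb` output: bus, device number, VID:PID, description.
LSUSB_LINE = re.compile(
    r"^Bus (\d{3}) Device (\d{3}): ID ([0-9a-fA-F]{4}):([0-9a-fA-F]{4})\s*(.*)$"
)

# Constructed sample snapshots (not real captures). The keyboard identity is a
# placeholder; the second snapshot contains a device that clones it.
BEFORE = """
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 001 Device 003: ID 1234:abcd Example Corp. Keyboard
"""
AFTER = """
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 001 Device 003: ID 1234:abcd Example Corp. Keyboard
Bus 001 Device 005: ID 1234:abcd Example Corp. Keyboard
"""

def parse_lsusb(text):
    """Count devices per (vid, pid, description) identity.

    Bus and device numbers are dropped because they change on every
    re-enumeration. A Counter is used instead of a set so that two devices
    reporting an identical identity are still counted separately.
    """
    devices = Counter()
    for line in text.splitlines():
        m = LSUSB_LINE.match(line.strip())
        if m:
            _bus, _dev, vid, pid, desc = m.groups()
            devices[(vid.lower(), pid.lower(), desc.strip())] += 1
    return devices

def new_devices(before, after):
    """Return identities whose count grew between the two snapshots."""
    added = parse_lsusb(after) - parse_lsusb(before)  # keeps positive counts only
    return sorted(added.elements())

if __name__ == "__main__":
    for vid, pid, desc in new_devices(BEFORE, AFTER):
        print(f"new USB device since baseline: {vid}:{pid} {desc}")
```

The diff only reports that something new has enumerated. Because the descriptor strings are attacker-controlled, as the results show, deciding whether that device is expected still requires an out-of-band inventory.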