Ben-Gurion University of the Negev (BGU) cybersecurity researchers have developed a new cyber attack which can mimic a user’s personalised keystroke characteristics.
The cyber attack, called Malboard, evades several detection products because they are designed to continuously verify the identity of user based on personalised keystroke characteristics.
Dr. Nir Nissim, head of the David and Janet Polak Family Malware Lab at Cyber@BGU, and a member of the BGU Department of Industrial Engineering and Management, said: “In the study, 30 people performed three different keystroke tests against three existing detection mechanisms including KeyTrac, TypingDNA and DuckHunt. Our attack evaded detection in 83% to 100% of the cases.”
How does it mimic personalised keystroke characteristics?
In this cyber attack, a compromised USB keyboard automatically generates and sends malicious keystrokes which mimic the attacked user’s personalised keystroke characteristics.
Usually maliciously generated keystrokes do not match human typing so they are easily detected. However, Malboard using artificial intelligence to generate commands autonomously and in the style of the user to inject the keystrokes as malicious software into the keyboard. The keyboards used to test this attack in the research were products by Microsoft, Lenovo and Dell.
Remote and inside cyber attacks
Dr. Nir Nissim explained: “Malboard was effective in two scenarios: by a remote attacker using wireless communication to communicate, and by an inside attacker or employee who physically operates and uses Malboard.”
The proposed new methods of detection
The cyber attack and new detection mechanisms were developed as part of Nitzan Farhi’s masters thesis. Farhi is a BGU student and member of the USBEAT project at BGU’s Malware Lab, and explained: “Our proposed detection modules are trusted and secured, based on information that can be measured from side-channel resources, in addition to data transmission. These include (1) the keyboard’s power consumption; (2) the keystrokes’ sound; and (3) the user’s behaviour associated with his or her ability to respond to typographical errors.”