RoganDawes / LOGITacker

Enumerate and test Logitech wireless input devices for vulnerabilities with a nRF52840 radio dongle.
GNU General Public License v3.0
634 stars 112 forks

Covert channel for Linux machines #45

Closed (muebau closed this issue 3 years ago)

muebau commented 4 years ago

Hi, I have investigated a way to get a covert channel for Linux systems. As most actions require higher privileges (like root) there is no way to use them (e.g. send raw HID messages to an input device).

My approach is to use plain user privileges to set keyboard LEDs: for i in $(seq 1 32); do xset -led $i led on; done or for i in $(seq 1 32); do xset -led $i led off; done

A quick look shows some output in LOGITacker:

<info> LOGITACKER_USB: hid kbd evt: APP_USBD_HID_USER_EVT_OUT_REPORT_READY
<info> LOGITACKER_USB:  00 05                  |..      
<info> LOGITACKER_USB: hid kbd evt: APP_USBD_HID_USER_EVT_OUT_REPORT_READY
<info> LOGITACKER_USB:  00 01                  |..      

I think there may be some chance to implement some sort of information channel. If some LEDs would be used for some kind of modulation scheme the output stream of a shell could be transmitted this way. This may work similar to the Windows version of the covert channel, implemented already.

RoganDawes commented 3 years ago

Yes, this is possible, although it has already been considered/conceptualised in other projects. There are a number of problems with this approach: First is that it is not particularly covert, in that the keyboard LEDs would be going crazy as long as the channel is active, making the user wonder what is going on. Second is that the bandwidth of the channel will be extremely low - you can signal at most 3 or 4 BITS of information per report, and are limited to 125 reports per second (maybe 1000 if you are lucky). That would give you either 500 bits per second or 4000 bits per second raw signalling rate. This would then need to be encoded somehow to deal with situations such as consecutive 0b0000, 0b0000 messages (e.g. a null byte), which you cannot send as consecutive toggles (because you are not toggling any of the bits!). You'd have to look at something like what USB uses - NRZI or similar. Thirdly, any keystrokes that the user types while the covert channel is active will be affected by at least the status of the CAPS lock key, which will likely confuse the heck out of the user, leading to investigation and compromise of your implant.

In conclusion, while an entertaining thought, this is not really practical, in my opinion.
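The thread's own observation (the LEDs "going crazy" as long as the channel is active) is also what makes this approach easy to spot from the host or dongle side. The following is an added example, not code from LOGITacker or from either participant: it parses the OUT-report hex-dump lines LOGITacker prints (as quoted above), decodes the boot-keyboard LED bitmap, and flags time buckets in which the LED state changes far more often than a human pressing CapsLock or NumLock would cause. Assumptions: the last byte of the dumped report is the HID boot-protocol LED bitmap (NumLock=bit 0, CapsLock=bit 1, ScrollLock=bit 2, Compose=bit 3, Kana=bit 4); the LOGITacker log lines carry no timestamps, so the rate check runs on a constructed `(seconds, led_byte)` timeline, which is what an evdev or USB-capture source would provide.

```python
import re
from collections import Counter

# HID boot-keyboard LED usages (Usage Page 0x08). Assumed bit layout, see lead-in.
LED_BITS = {0: "NumLock", 1: "CapsLock", 2: "ScrollLock", 3: "Compose", 4: "Kana"}

# Matches the hex-dump lines LOGITacker prints for an OUT report, e.g.
# "<info> LOGITACKER_USB:  00 05                  |..      "
HEXDUMP_RE = re.compile(r"LOGITACKER_USB:\s+((?:[0-9A-Fa-f]{2}\s+)+)\|")

# Constructed sample log, modelled on the lines quoted in the issue.
SAMPLE_LOG = [
    "<info> LOGITACKER_USB: hid kbd evt: APP_USBD_HID_USER_EVT_OUT_REPORT_READY",
    "<info> LOGITACKER_USB:  00 05                  |..      ",
    "<info> LOGITACKER_USB: hid kbd evt: APP_USBD_HID_USER_EVT_OUT_REPORT_READY",
    "<info> LOGITACKER_USB:  00 01                  |..      ",
]


def parse_led_byte(line):
    """Return the LED bitmap carried by a LOGITacker hex-dump line, or None
    for any other line. Assumes the last dumped byte is the LED bitmap."""
    m = HEXDUMP_RE.search(line)
    if not m:
        return None
    data = bytes.fromhex(m.group(1))  # fromhex() tolerates the spaces
    return data[-1]


def leds_from_log(lines):
    """Sequence of LED bitmaps in the order the OUT reports were logged."""
    return [b for b in map(parse_led_byte, lines) if b is not None]


def led_names(bitmap):
    """Human-readable names of the LEDs that are on in a bitmap."""
    return [name for bit, name in LED_BITS.items() if bitmap & (1 << bit)]


def count_transitions(led_bytes):
    """Number of consecutive reports whose LED state differs from the previous one."""
    return sum(1 for a, b in zip(led_bytes, led_bytes[1:]) if a != b)


def flapping_buckets(events, bucket_s=1.0, max_changes=10):
    """events: iterable of (t_seconds, led_byte) in time order.

    Returns {bucket_start_seconds: change_count} for every bucket whose
    number of LED state changes exceeds max_changes. A user tapping a lock
    key a few times stays well below; signalling at 125 reports/s does not.
    """
    changes = Counter()
    prev = None
    for t, led in events:
        if prev is not None and led != prev:
            changes[int(t // bucket_s) * bucket_s] += 1
        prev = led
    return {start: n for start, n in sorted(changes.items()) if n > max_changes}


def sample_events():
    """Constructed timeline: a user tapping CapsLock twice, then 50 reports
    alternating NumLock+ScrollLock / NumLock at 8 ms spacing (125 reports/s)."""
    events = [(0.20, 0x02), (0.90, 0x00), (1.50, 0x02), (2.10, 0x00)]
    t = 3.0
    for i in range(50):
        events.append((round(t, 3), 0x05 if i % 2 == 0 else 0x01))
        t += 0.008
    return events


if __name__ == "__main__":
    leds = leds_from_log(SAMPLE_LOG)
    for b in leds:
        print(f"OUT report LED byte 0x{b:02x}: {led_names(b)}")
    print("transitions in log:", count_transitions(leds))
    for start, n in flapping_buckets(sample_events()).items():
        print(f"ALERT: {n} LED state changes in the second starting at t={start:.0f}s")
```

The threshold of 10 changes per second is a starting point, not a calibrated figure; the useful property is the gap between human lock-key use (a handful of toggles per second at most) and any scheme that signals at the report rate, which lands one to two orders of magnitude above it.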