[openssl-users] Lattice Ciphers

Mon Dec 18 20:41:24 UTC 2017

On 18/12/2017 20:50, Colony.three via openssl-users wrote:
>
>> On Mon, Dec 18, 2017 at 9:59 AM, Colony.three via openssl-users
>> openssl-users at openssl.org <mailto:openssl-users at openssl.org>wrote:
>>
>>     Hear about the HP keylogging case recently? Do you think a
>>     keylogger is
>>     actually used in testing of a keyboard driver, in practice?
>>
>>     Yes.
>>
>>     More specifically, it's used to ensure that the scancodes that should
>>     be detected when a particular key is hit or released are actually
>>     detected when that key is hit or released. It's also useful for
>>     identifying how a particular keyboard has failed, to see which
>>     scancodes aren't being transmitted properly.
>>
>>     That said, it's not something that should be left in a production
>>     driver. It's more suited for a development/diagnostics station than a
>>     general-purpose system.
>>
>
> Actually no.  Microseconds count, when testing a keyboard driver.  
> It's easy to imagine that a keylogger could be used, that's why the 
> cover story worked on so many.  But in actual practice it's not useful.
>
>
>>     (Eeesh. And my friends call /me/"paranoid".)
>>
>
> It's easy to characterize this as paranoia.  Unless you are paying 
> attention to -facts- as the feedstock.
>
For your information, I actually tracked down the original report
about this (and posted some corrections in a comment to the
researcher):

1. This was not HP's keyboard driver.  This was Synaptics' touch
   pad driver (SynTP.sys).

2. The code in question was apparently the common classic issue
   that the driver checks if a hotkey related to the touchpad is
   pressed, and has a test feature to help each laptop manufacturer
   check if they configured the correct (laptop-specific) scan code
   for that hotkey by using a special test driver that logs the keys
   that match/don't match the configured one.  On a number of
   occasions HP (and maybe others) have sent such test drivers to end
   users instead of the drivers without the debug feature.

3. In this case, no keys were logged unless someone (or something)
   with admin rights on the laptop did extra steps to turn on the
   feature and to read back the results.  Any malicious code with
   those rights could just install its own logging without depending
   on that particular wrong driver being installed.

So to me, that particular issue falls into the less serious tier of:
Possible misuse if other things go wrong first, upgrade when ready as
a defense in depth.

Enjoy

Jakob
-- 
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded