Clive Robinson • May 17, 2017 10:59 AM
I’ve had a little time to think on this and it’s one of those things that I find deeply suspicious because of the level of deniability that comes from it.
Firstly, yes, due to the way PCs are manufactured, nearly all buttons go through the keyboard (including the power button and wifi on/off switch etc.).
Thus adding the volume control and mute buttons was a natural progression for manufacturers, as was going to flash ROM and removing the write protect tab etc. Thus “efficiency -v- security” yet again.
Writing the keystrokes to a file is kind of what you expect from a test harness, and also something of use to technical support people. We saw this idea splat the news headlines big time several years ago with various US phone companies installing the CarrierIQ software that sent all the keystrokes in plain text across the Internet for “Customer Support” reasons.
We should also know that the audio side of PCs is probably the part least subject to change; after all, how many of you still have AC97 compatible chips and drivers in your system? Realtek still holds the majority of the marketplace for OEM audio and network chips, thus you are quite likely to have a Taiwanese “Crab Inside” your laptop. Some of you may remember back in 2011 it was found that someone had “black bagged” their driver signing certificate.
Thus it’s clear that the backwater that many think the “audio” side of PCs is, is anything but when it comes to opportunities for spyware, and that the opportunity to use it as such is not just there but very widespread and, importantly, very stable/long-lived for such backdoor code…
As for the log file itself, due to the way it changes and where it is, it’s a prime candidate for getting “backed up to cloud” across the Internet. Thus even if you have taken security steps like FDE, you are thwarted in your attempts.
Avoiding cloud backup for most average users of Win10 etc. is next to impossible; it’s the way Microsoft wants it to be, along with telemetry and forced OS upgrades. The fact that such a file becomes in effect a business record of a third-party supplier means that it only takes a letter or less for this data to be acquired by various LEO or IC agencies in quite a few jurisdictions.
So all the steps of an exfiltrating keyboard logger are there, and they all appear to have deniability, which in and of itself is odd. You would expect at least one step not to have deniability if it was all accidental…
So whilst I cannot say it’s a deliberate keylogger, it’s got more smoking guns than the OK Corral…
And that’s before you look into the backgrounds of the companies involved, and their relationships to the US IC etc.