Keyloggers, hardware or software that records every keystroke, have been an attack that is hard to defend against, since every password, key and other secret is up for grabs. Since keyboards continue to be the most used input device and passwords continue to be the most used authentication mechanism, keyloggers can wreak havoc on an otherwise secure system. Keyloggers can capture your whole-disk encryption passphrases and BIOS passwords, just to name a few. Even the best-of-breed encryption software can be defeated by the simplest of keyloggers.
Software keyloggers are installed on the computer locally or remotely (FBI's Magic Lantern style, or merely via an Active Directory GPO). Since they leave a footprint on the OS[1], they can be detected by security software. What is harder to detect are hardware keyloggers, which work more or less independently of the operating system. However, hardware keyloggers require physical access to the computer and therefore can be harder to put in place than software keyloggers. Computer manufacturers, shipping companies or used-computer vendors can easily have these preinstalled.
For example, take a look at the YouTube video on spytec's 2MB-memory USB keylogger, which goes between the keyboard and the computer's USB port. The device can then be disconnected at a later time and the recorded keys downloaded off the USB device. Now, when did you last check how your keyboard is connected to your desktop?
Of course this device does not work for laptops with integrated keyboards, but how many times have you seen laptop users preferring to connect a second regular keyboard (plus a mouse, a bigger monitor, etc.) for comfort, ergonomics, keyboard layout or just because it is cool? And on top of that, if users connect the laptop to a docking station, close the lid and put the laptop along with all peripheral connections away from plain view, at that point for all practical purposes the laptop becomes a desktop and USB keyloggers like the ones above become viable again for recording purposes.
Besides, it is not as if there are no products for laptop keylogging. Keycarbon has mini-PCI keyloggers made just for laptops (watch the installation demo here) that go inside the case and hence are hidden from plain view, unlike the USB keyloggers. Keycarbon makes PCI keyloggers for desktop form factors as well. They claim that these devices are "invisible" to the OS, but I suspect that may not be entirely true.
Hiding from the OS is probably best achieved when the keylogger is an inline piece such as a PS/2 or USB keylogger, since that way it may not need to be an additional device in the device chain. Of course it depends on how the keylogger is designed. KeyGhost makes the KeyGhost SX, a PS/2 keylogger with timestamping (i.e. it can tell when a keystroke was typed, which is a legal requirement for evidence to be admissible in a court of law) that looks like an EMC balun so you do not suspect it to be a keylogger. Read this interesting review of Keycarbon's USB keylogger, which drops subtle hints to the über geek about its presence.
And then there are wireless hardware keyloggers that can give the eavesdropper real-time data off the chip. Wirelesskeylogger makes several wireless keyloggers, including this do-it-yourself one that goes inside the keyboard and pipes all keyboard data onto itself, once you figure out which wire to solder to which by using a multimeter. The keylogger transmissions can be received within 100 meters. Wirelesskeylogger also makes a trojan keyboard with the hardware keylogger built in.
There are also other wireless hardware keyloggers, called sniffers, that attempt to break the protection mechanism in place between a wireless keyboard and its receiver and therefore gain access to raw keystrokes. These of course will not work if the keyboard is wired.
Not all keylogging happens to catch a cheating spouse or an errant child. It could be a cracker who came across this, an employee, an employer, a law enforcement agency or a government. So how many times do we do a hardware inventory of computers to find a keylogger connected to the USB or PCI bus? How much time do we spend in Windows Device Manager looking for suspicious-looking devices? How many times do security administrators do rounds of parking lots looking for wireless keylogger eavesdroppers?
Maybe we should. If the workspace is lockable, there is no reason not to lock it when one is not around. For the rest of us in cubicles, before unlocking or booting the workstation, we should perhaps physically inspect our keyboard PS/2 or USB cables for "security breaches". Maybe we should not be content with sensitive data protected just by a password, but require multifactor authentication. Maybe we should use a mouse with a virtual keyboard (such as Windows Vista's On-Screen Keyboard, accessible by typing osk in the Run dialog) whenever we enter a password or type sensitive documents. [Online bank ING Direct forces all users to use a numeric virtual keyboard for account password entry, which I think is a great security feature against hardware keyloggers. There are external HDDs that accept the PIN right on the device itself, thereby making them more secure against hardware keyloggers.]
Maybe we should open up our laptops, desktops and keyboards more often, not just when something goes wrong but to do a what-is-what physical inspection and inventory, followed by periodic what-is-new-or-missing-inside-today differential inspections.
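One way to script the differential inspection described above, as an added example that is not part of the original post: a stored baseline of USB devices is compared against today's inventory, and anything that appeared, disappeared, or now sits behind an extra hop on the bus is reported. The inventory line format and the vendor:product ids are constructed for the example.

```python
# Added example (not from the original post): differential USB inventory check.
# Compares a stored baseline of USB devices against today's inventory and
# reports devices that appeared, disappeared or moved to another port path.
# The inventory format is constructed for this example, one device per line:
# "<port-path> <vendor>:<product> <description>"; a real deployment would
# feed it from the OS inventory (Device Manager, sysfs, etc.) instead.
from dataclasses import dataclass

@dataclass(frozen=True)
class Device:
    path: str   # USB port path, e.g. "1-1.3": bus 1, port 1, downstream port 3
    ident: str  # vendor:product id (constructed values below)
    desc: str

def parse_inventory(text: str) -> dict:
    """Parse inventory lines into {port-path: Device}."""
    devices = {}
    for line in text.strip().splitlines():
        path, ident, desc = line.split(maxsplit=2)
        devices[path] = Device(path, ident.lower(), desc)
    return devices

def diff_inventory(baseline: dict, current: dict) -> dict:
    """Report devices added, removed or relocated since the baseline."""
    base = {(d.ident, d.desc): d for d in baseline.values()}
    cur = {(d.ident, d.desc): d for d in current.values()}
    added = [d for k, d in cur.items() if k not in base]
    removed = [d for k, d in base.items() if k not in cur]
    moved = []
    for key, old in base.items():
        new = cur.get(key)
        if new is not None and new.path != old.path:
            # A longer port path means the device now sits behind an extra hop,
            # i.e. something new appeared between it and the host.
            deeper = new.path.count(".") > old.path.count(".")
            moved.append((old.path, new.path, deeper))
    return {"added": added, "removed": removed, "moved": moved}

# Constructed sample: keyboard was on port 1-1; today an unknown device occupies
# 1-1 and the keyboard is reached through it.
BASELINE = "1-1 abcd:0001 USB Keyboard\n1-2 abcd:0002 USB Optical Mouse\n"
TODAY = ("1-1 ffff:0001 Unknown hub-class device\n"
         "1-1.1 abcd:0001 USB Keyboard\n1-2 abcd:0002 USB Optical Mouse\n")

if __name__ == "__main__":
    report = diff_inventory(parse_inventory(BASELINE), parse_inventory(TODAY))
    for d in report["added"]:
        print(f"NEW     {d.path} {d.ident} {d.desc}")
    for d in report["removed"]:
        print(f"MISSING {d.path} {d.ident} {d.desc}")
    for old, new, deeper in report["moved"]:
        print(f"MOVED   {old} -> {new}{' (behind an extra device)' if deeper else ''}")
```

Store the baseline when the machine is first inspected and re-run the comparison at each boot or unlock; the check only covers what the OS enumerates, so a purely passive inline device still needs the physical look the post recommends.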
Maybe we should all put wire meshes around our cubes à la Edward 'Brill' Lyle in Enemy of the State to defeat the wireless keyloggers. Maybe we should all have RF bug sweepers like these before we type anything on a keyboard.
My point is, thwarting hardware keyloggers is difficult, if not impossible, without ensuring physical security. But the chances of thwarting them become even smaller if the attack has never even been considered or conceived.
[1] Chul-woong Lee has a fascinating paper on implementing a keyboard sniffer based on System Management Mode (SMM), a special mode of the processor accessible by raising an SMI, which, if it were to be practical, could potentially make the sniffer invisible to the OS.