Floppies are obsolete, CRT monitors are a dying breed and CPU cores are multiplying every year. Since the early days of modern computers, research companies have redesigned, reinvented and revolutionized every aspect of computers except one: the ever faithful keyboard.
As network-based attacks and software trojans are becoming more difficult to maneuver and deploy, malicious attackers are focusing on peripherals such as keyboards.
Enterprise resources such as access to secured networks, confidential files, database records and business servers are the primary target for attackers. Traditional security products attempt to protect these resources by various means: firewalls block network intrusions, network encryption prevents eavesdroppers from intercepting information and anti-virus and anti-malware software protect the workstation from virus or malware infection.
Unfortunately, one major information weakness remains- the presence of passwords. No amount of security technology can prevent a malicious attacker armed with a password from unlocking a workstation, logging into servers and accessing other proprietary information. Passwords are the keys to IT infrastructure and they are traditionally entered by the simple act of typing characters on a keyboard.
Intercepting passwords typed on a keyboard is not a new concept. From the early days of Unix workstations, hijacking an X11 session allowed an attacker to monitor all keyboard activity performed by the unsuspecting workstation operator. Unsecured network protocols such as Telnet and FTP allowed eavesdroppers to simply record passwords as they traveled the network.
As network security improved, attackers turned to software-based keystroke recorders. Trojan programs installed on a workstation would record every keystroke and store it in a hidden file. Early trojans used crude keyboard-hooking techniques, easily detectable by anti-virus software. Then kernel-mode keyloggers appeared which claimed to be “invisible” and “undetectable”. Fortunately, with recent advancements in root-kit detection and removal tools, even those kernel-mode keyloggers are little more than a nuisance.
In this never-ending competition between cyberattackers and security experts, attackers have raised the bar: instead of using software to record keystrokes, they developed a sneaky little device known as a hardware keylogger.
Hardware keyloggers are small devices (usually less than 1.5 inches in length), which are inserted between the keyboard plug and the keyboard socket on the computer workstation. Hardware keyloggers exist for both PS/2 and USB keyboards. These devices intercept all signals sent from the keyboard to the computer, recording those signals in non-volatile memory and without disrupting normal keyboard operation. The memory capacity of these devices allows for millions of keystrokes to be recorded.
When the malicious attacker wants to access the recorded keystrokes, he or she need only disconnect the keylogger device from the computer and reconnect the original keyboard plug. The attacker can then connect the hardware keylogger to a computer and instruct the device to reveal all recorded keystrokes.
Attaching and detaching hardware keyloggers to and from a computer takes mere seconds even for novice attackers. Competent attackers can distract a teller, office worker or any other kind of computer operator for a few seconds, and install malicious devices. The keylogger may steal data for several weeks before running out of memory space, allowing the attacker to return to the compromised machine at any time.
Hardware keyloggers pose a serious security threat to the IT infrastructure, mainly because of the amount of work needed to identify them as they are virtually undetectable and require manual detection. How many employees physically scan the back of their computer workstations on a daily basis? And if they did, how many would be able to tell the difference between what is connected and what should be connected?
The good news is that there are both strategic and technological solutions available to protect keyboards from prying ears and eyes. Obviously, a visual inspection of workstations is one way to attempt to identify a compromised machine, but this is a time-consuming endeavor, particularly in an environment with hundreds of workstations. The task becomes virtually impossible when thousands of PCs are involved. Additionally, using only trusted PCs and laptops minimizes the risk. Publicly accessible PCs such as those found in internet cafes, hotels, and libraries should always be considered suspicious and never trusted with personal information. Laptops are generally a safer alternative to PCs as their keyboards are internal but it should be noted that keylogger devices can still be connected to an external keyboard via a USB or PS/2 port. Finally, there are software solutions available which can detect the presence of hardware keyloggers and disable them by intercepting and blocking communications between the devices and the targeted computer.
The bottom line is that the threat presented by hardware keyloggers is real but preventable…are you listening?
–Gil Sever is CEO of Safend.