Physical keyloggers top the list of security nightmares for most in the profession. While full-blown remote access trojans are worse, they are also fairly easy to identify and block, both at installation and in use, but physical keyloggers are much harder to identify.
They are also harder to deploy, but anyone with physical access to a machine can infiltrate it without much difficulty and with very little risk of detection.
And more than passwords are at risk. Even in an environment with strong authentication, the contents of confidential documents and emails can still leak after the logger captures the keystrokes.
However, keyloggers can also act as evidence-gathering tools for security investigators, once you have cleared it with your legal advisers – some circumstances will preclude the use of such a device and may in fact be detrimental to an ongoing case, so tread carefully.
With that in mind, we looked at some options available from KeyGhost, one of the better known hardware keylogging providers. Its product is available in a number of formats, including external dongles and options for embedding the technology into a keyboard itself. A PCI card, which will capture all keystrokes without needing separate dongles, is in beta. We tested USB and PS/2 variants of the dongles.
Loggers are also useful to audit access to locked-down systems. In such systems, where personal information should not be entered (such as data entry terminals in retail or manufacturing facilities), such use is much safer legally.
KeyGhost also provides tamper-evident seals to prevent a user temporarily removing the logger. There’s nothing to stop a user plugging in a keyboard of their own, but this will show in the log.
Installation is simplicity itself - just plug in the device between the usual keyboard connector and the socket on the PC. The PS/2 version is really small and hard to spot, although its black casing does stand out against the pale purple of modern, colour-coordinated connectors. The USB version is comparatively much larger, about the size of a biggish USB flash disk, but still very hard to spot even with a direct view of the back of a PC. Covertly installing and retrieving the gadget is the hardest part, but as the ‘cleaners’ at Sumitomo-Mitsui demonstrated, this is easy to overcome.
Once in place, the device will capture all keystrokes, including control keys and function keys, along with regular timestamps and notifications of when the device received and lost power (to spot unauthorised removal). It doesn’t give any feedback in the form of USB notifications, so the OS is oblivious to its presence. And being outside the PC, it is OS-independent (although some of the support software is Windows-only).
The only give-away is that non-HID (mouse or keyboard) peripherals connected through the USB chain will fail, and that might give away enough clues to lead to discovery. If you use, as we do, keyboards with USB hubs to which flash disks are routinely connected, you might have to investigate alternatives: KeyGhost does sell versions with built-in USB hubs for just this situation.
Retrieving keystrokes is easily done, either in situ or on another machine, because the logger can also generate keystrokes of its own. Connected in the normal fashion, typing a password results in the device sending back a menu (you need to be in a text editor for this, so it has somewhere to send keystrokes!), which is used to retrieve the log, clear the device or change basic settings or passwords.
Although the product does not need any software to function, the company does supply a handy interface, KeyGhost Renderer, which is a software GUI to manage the device. It works with a USB to PS/2 adaptor for PS/2 models, and can download logs and present them in a more easily read format than the raw data you can retrieve directly into a text file.
It also offers some configuration options, such as setting the time and date and changing the current password, as well as the ability to erase the logger. More importantly, its ability to display keystrokes is vastly improved, with a number of options over how to display them.
For example, where backspace characters usually show as ‘’ in the text, the Renderer has the option to simply update the text: remove the character to the left and not show the backspace event.
This seems like a no-brainer, but bear in mind that backspace keys are used for more than deleting text: web browsers use it to navigate back a page too.
This will apply to other keys, so we found ourselves liking the legibility of the KeyGhost Renderer, but preferring the full-blown text display for serious investigation.
The Renderer can also save the log to a local file, and write a separate file with a SHA1 hash of the log. A program confirms that the log matches the hash.
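The two display modes and the hash check described above, as an added example that is not KeyGhost's code or log format: the `<BKSP>`/`<ENTER>` token syntax, the sample log and all function names are assumptions made for illustration. It shows what the collapsed view discards and why the raw view is the one to keep for serious investigation.

```python
import hashlib
import re

# Constructed sample; the <NAME> token syntax is assumed, not KeyGhost's format.
SAMPLE_LOG = "helo<BKSP>lo world<ENTER><BKSP><BKSP>report<BKSP><BKSP>rt"
TOKEN = re.compile(r"<([A-Z0-9]+)>")

def verify_log(log_bytes: bytes, recorded_sha1: str) -> bool:
    """True when the saved log still matches the SHA-1 written beside it."""
    return hashlib.sha1(log_bytes).hexdigest() == recorded_sha1.strip().lower()

def tokenize(log: str):
    """Yield ('char', c) for typed characters and ('key', NAME) for tokens."""
    pos = 0
    for m in TOKEN.finditer(log):
        for c in log[pos:m.start()]:
            yield ("char", c)
        yield ("key", m.group(1))
        pos = m.end()
    for c in log[pos:]:
        yield ("char", c)

def render_collapsed(log: str):
    """Apply backspaces to the text; return (text, unmatched_backspaces).

    A backspace with nothing on the current line to delete is counted as
    unmatched: it may be a non-editing use (such as browser 'back'), and the
    collapsed view no longer shows that the key was pressed at all.
    """
    lines, current, unmatched = [], [], 0
    for kind, value in tokenize(log):
        if kind == "char":
            current.append(value)
        elif value == "BKSP":
            if current:
                current.pop()
            else:
                unmatched += 1
        elif value == "ENTER":
            lines.append("".join(current))
            current = []
        else:
            current.append(f"<{value}>")  # keep other keys visible
    lines.append("".join(current))
    return "\n".join(lines), unmatched

if __name__ == "__main__":
    digest = hashlib.sha1(SAMPLE_LOG.encode()).hexdigest()
    print("hash ok:", verify_log(SAMPLE_LOG.encode(), digest))
    print("raw view:      ", SAMPLE_LOG)
    print("collapsed view:", render_collapsed(SAMPLE_LOG))
```
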
If you are a security investigator needing a software-invisible keylogging solution, these are highly recommended. If you are a security admin worried about loggers, then we are afraid we have little to offer until TCG-style encrypted keyboard connections are possible. We could find no way to detect or prevent their presence aside from hoping someone happens to notice something out of the ordinary.