Do-it-Yourself Keyboard Logger

Here's how to make your own hardware key logger for PS/2 keyboards.

Not that buying one is very expensive. (And there are software versions available.)

Anyone have any experience in using any of these products?

Posted on February 24, 2006 at 8:14 AM • 45 Comments

Comments

BasFebruary 24, 2006 9:45 AM

I got this one from thinkgeek (128KB, 99$)
http://www.thinkgeek.com/gadgets/security/5a05/

The beauty of this thing is that is doesn't need any software installed.. trully plug-n-play.

I got it plugged in all the time on my workstation, and use it as a kind of 'real time backup device'.. It saved me from retyping pages and pages of text after a power failure...

J.D. AbolinsFebruary 24, 2006 9:46 AM

@Bruce > "Anyone have any experience in using any of these products?"

I use KeyKatcher (www.keykatcher.com/) hardware and it does the basics of capturing keystrokes. Works nicely with DOS, Windows, Linux, etc.

My main use is as a presentation demo when I teach about PGP and other crypto. It's an easy example of how easy it is to go around good crypto & security software if one neglects others aspects of security, including physical security. The strong crypto as a steel & kevlar reinforced door set into a frame of balsa in a house with open windows picture.

I have also been pondering on approaches to data recovery from a password protected KeyKatcher type of device, but lack the time to really work on it. (NOTE: These devices often come with a default PW; it is up to the user to change them.)

Another pondering is on detection of hardware keystroke loggers. Sure, look for a plug like thing between the keyboard and the PC. But there are loggers available that are built into the keyboard and one can hack a PC to put the logger inside. Etc.

Sean TierneyFebruary 24, 2006 10:54 AM

Bruce,
what's the best way to defeat a keyboard logger? i've always just typed a bunch of characters in notepad and then copy/pasted my password together but I'm sure advanced keyloggers record copy/paste operations as well...

sean

CassandraFebruary 24, 2006 11:02 AM

Securing PCs against having hardware keyloggers installed is an interesting problem. I'm surprised that it's not possible to purchase transparent (acrylic or polycarbonate) keyboards (and mice) so you can look for evidence of foul play. There are plenty of USB cables fabricated with tranparent plastic.

Organised crime probably has already solved this problem, or is on the way, as I understand US investigation authorities have use evidence gained from the clandestine installation of keyloggers to convict criminals - it being a neat way of finding the password/passphrase used to secure encrypted files/partitions.

In principle, you could use the technique used by nuclear facilities/weapons inspectors: small reflective metal chips (glitter) distributed randomly through a blob of transparent epoxy applied to the case locks. Each time you want to check the integrity of your previously secured PC, you compare a previously taken stereoscopic picture with the pattern in the epoxy. If they match, the epoxy has not been disturbed, so unless there is a back door, the contents of the case being secured have not been tampered with.

That would leave needing protection from software keyloggers, which can be done by booting from known good read-only media e.g. a live-cd.

Cassie

Chris FFebruary 24, 2006 12:50 PM

Is there software out there that has a GUI keyboard? I would think that a GUI keypad with a plain text output box that worked by mouse clicks, while slow, would defeat keyboard loggers.

PabloFebruary 24, 2006 1:25 PM

I've solved the keylogger problem for use with my USB key. I have a copy of PuTTY (ssh), a copy of a software keyboard (Click-N-Type (http://www.lakefolks.org/cnt/). I've seen a virtual keyboard that also generates random key layouts so (relative) mouse positions don't reveal what character was clicked (this does not defeat recording/snooping view e.g., vnc).

To authenticate I have two options: I have a separate SSH key with passphrase (I use the "virtual" keyboard for this). I also have set up Opie on one of my hosts (a One Time Password system) and I keep a printout of the one time passwords in my wallet (obviously the list does not include my username or what host they belong to).

Hope that helps.

J.D. AbolinsFebruary 24, 2006 1:28 PM

@Chris F

Yes, there are various on-screen virtual keyboards available. Various open source projects offer such software. Among them is GOK, the GNOME On-screen Keyboard. Some onscreen keyboards are used by people with physical handicaps who cannot type but can move a pointing device.

The University of Ontario's Adaptive Technology Resource Centre has a good intro and a listing of some sources of the software for different OSes. See http://www.utoronto.ca/atrc/reference/tech/onscreen.html

Fred F.February 24, 2006 1:47 PM

The solution to keyloggers is TPM. Only keyboards whose hardware has the correct signature from a trusted manufacturer would work. :)

AmgineFebruary 24, 2006 2:21 PM

@ Chris F
"Is there software out there that has a GUI keyboard? I would think that a GUI keypad with a plain text output box that worked by mouse clicks, while slow, would defeat keyboard loggers."

Maybe this will defeat the hardware keyboard loggers and "some" of the software loggers but this is hardly a foolproof technique. There are software keyloggers that do screen captures and record mouse movement/action, as well as applications running.

After a cursory Google search using (software keyloggers mouse clicks), I found this: http://www.mykeylogger.com/

Sadly, this would probably defeat an onscreen keyboard, but I haven't tried it yet. Presumably, many of these programs target Windoze, but I would assume that if it can be done on that OS it can be done on others.

If I may be so bold, I would suggest an eye-opening book (for me at least): "Computer Espionage: Tactics and Countermeasures" by Joal McNamara, ISBN#0-7645-3710-5

The book makes for a very good read and really puts computer security, in all it's aspects, into perspective - just as Bruce's book "Secrets and Lies" does.

Cheers!

DFebruary 24, 2006 2:28 PM

@ Fred F.

Sarcasm noted. However, you raise an interesting point. How do I know *I* can trust the signature? The manufacturer? That some clandestine employee of the manufacturer has not altered the keyboard after certification?

Dan HenageFebruary 24, 2006 3:19 PM

@Bruce > "Anyone have any experience in using any of these products?"

I've also used KeyKatcher for security tests over the years and it works great. Sneak into the building during the day or at night, put it on a Domain Admin's PC, then sneak back in later to retrieve it. It's easy to explain away being caught a someone's desk (e.g., "Oh, I was just leaving a note for Mike," or "I might be lost -- I'm trying to find Suzan's deks."). The PS/2 keylogger's effectiveness is quickly diminishing as more and more keyboards move to USB, but it looks like they are just now coming out with USB versions.

@sean > "I'm sure advanced keyloggers record copy/paste operations as well"

Software keyloggers have no problem doing this. In addition to the clipboard and keystrokes, they also pick up on all mouse clicks, the title of windows, etc. I've used SC-Keylog PRO.

gostar_baiterFebruary 24, 2006 3:22 PM

[url=http://www.wgadesign.ru/motorola-slvr.htm]
GET THE SLIM NEW MOTOROLA SLVR FREE

Stay connected with bluetooth wireless technology and push-to-talk capabilities

Store and share your itunes with up to 512 mb of removable/transferable transflash memory

Up to a $300 value - yours FREE

You can easily unblock it and use with another mobile provider!
[/url]

AmgineFebruary 24, 2006 4:23 PM

@ John McDoe

"Aren't software keylogger too easy to discover?"

Well, that depends on the sophistication of the software. I just tried out Powered KEYLOGGER from: http://www.mykeylogger.com and was able to pick up the Windoze On-Screen Keyboard easily. I wasn't able to find it running in the Task Manager and it didn't show up in installed programs list either.

I did have to go into the Performance setting and "allow" it to run since Data Execution Prevention in SP2 wouldn't let the keylogger run initially. But that was an easy fix.

Btw, I know Windoze is a security nightmare, but it remains the OS of choice - regrettably.

Erik CarlseenFebruary 24, 2006 5:39 PM

The really interesting for something like this would be adapting the techniques to cover notebook computer keyboards.

MartinFebruary 25, 2006 3:58 AM

@Chris F "Is there software out there that has a GUI keyboard?"

Tinfoil Hat Linux (http://en.wikipedia.org/wiki/Tinfoil_Hat_Linux) uses gpggrid. To quote Wikipedia: "[gpggrid is] a wrapper for GPG that lets you use a video game style character entry system instead of typing in your passphrase. Keystroke loggers get a set of grid points, not your passphrase."

Ronald PottolFebruary 26, 2006 12:24 AM

I always figured that if you wanted real security, you would use a sub notebook that you never let out of your sight, probably with OpenBSD, encrypted fs and swap, and disable suspend. I don't think there is anyway in without your cooperation. If you have to let it out of your sight, you walk into a store, buy another one, move your data, and destroy the first one.

J.D. AbolinsFebruary 26, 2006 12:40 PM

While we are having interesting comments & suggestions for thwarting keystroke loggers, let's not forget other ways where passwoes -- I mean passwords but the typo presents an interesting commentary of its own --, PINs, cc numbers, and such can be compromised.

"Shoulder surfing", video cameras installed in a ceiling, etc. as well as compromised systems on the other ends of the transactions. This supports, among other things, Bruce Schneier's common assetion that great care in transaction decisions are needed.

n1February 27, 2006 7:37 PM

You don't need to physically or software record the keystrokes. You can just record the noises they make, then do a little number-crunching.

http://www.securityfocus.com/news/11318

As for whether software keyloggers are a threat, if you're worried about physical keyloggers, then you are assumed to have tackled the problem of software integrity and PC case integrity already.

If you haven't fixed those, then forget about defeating hardware keyloggers, because yes, you are easily vulnerable to software loggers (and RF "tempest" attacks etc etc).

And none of it is worthwhile unless you can invest a lot. If you are a windows user and worried about these things, the best you can do is get a decent antivirus, turn on windows firewall, turn on windows update, and make regular backups. And keep whatever data you really want to keep in text-based formats, ie not proprietry binary ones that you can't physically examine or transcribe. Because when you get a virus, text-based formats are easy to clean and the contents easy to recover in disaster.

Then reinstall every 3-6 months, regardless of whether the antivirus says you have a virus or not.

If you can afford it, have two PCs, one on the net, one not, and move data between them using a USB drive or CDs. Or get a Mac. Or learn unix. Or use Ubuntu or similar linux liveCD or installation for web surfing and email, and use windows only for those fancy documents and games that linux doesn't handle (and which don't access random websites).

Happy surfing.

Doug KerfootMarch 2, 2006 7:57 AM

Thanks for linking to my site Bruce. I've had 290 hits from you in the last week. That is more than from my Google ads!

I started selling the KeyKatcher (ps/2) and KeyPhantom (USB) after using them to help keep my own kids safe online. Rather than use filters, I just let my kids know that I can and do check to see what they are up to from time to time.

I had used a couple of software keyloggers previously, but in time they were discovered and disabled by my anti-spyware software.

If you need to see everything that is happening on a PC, the best of today's software keyloggers are amazing. I am actually an authorized Spectorsoft dealer, but I only sell it by request. Why?

To my mind there are two major problems with software: 1. Sooner or later, it will be detected and removed by anti-spyware/anti-virus software. It is only a matter of time. 2. I don't really want anything that stealthy installed on my computer! Simply put, I don't really trust the software makers. What else is their program doing?

Hardware keyloggers can only record what is typed, but that is generally enough to be able to determine what the computer is being used for. Plus the good ones are absolutely undetectable, require no software at all and are completely transportable.

If anyone has any general questions about keyloggers, feel free to e-mail me at the address posted on my site. Unless you are looking to use one for spying on your wife, kids, etc... The websites that include "Spy" in their name will be much more interested in helping you.

RobMarch 16, 2006 12:49 PM

Ther are 2 keylogging 2 risks:

1) Hardware logger
2) Software logger

How to mitigate:

You might put your pc backwards on your desk, and check the keyboard cable physiccally, but there still could be a logger inside the shell of the keyboard. The effective mitigation for hardware keylogger is an on screen keyboard.


However, You are still open to a software keylogger, so you must scan for it. You do scan, right?

As background, there is a software "on screen keyboard" program for windows called "click-n-type' that you can, with some specific configuration, use to type into the GINA: http://cnt.lakefolks.com/features.htm#New301-302

instanceMay 23, 2006 8:53 AM

I want a software "keyboard monitor" (for windoze, KDE a bonus) that will tell me what window I had active, the amount of time it was open, what the window title was, and the number of keystrokes I entered on that window. The application *must* be open source so I can audit it.

My need for this is that I work on many projects in a multi-tasking mode, and when it's time to account for everything on a timesheet, I sometimes don't have a clue on how to break it down by project. Lawyers must have this problem -- although I think they just bill half an hour per window switch!

If anyone knows of an open source logger, please let me know. At least if it's OSS, I can adapt it to my needs.

joyceJune 19, 2006 4:38 AM

Is it possible to install a kelylogger on your own computer and be able to track someone else(a boyfriend) on their computer, like by e-mail or mesenger?

RodJune 27, 2006 3:51 PM

To whom is interested

I have developed a virtual keyboard (more one among probably thousands avilable on the
internet...), but mine addresses the keyloggers that take screen shoots, as well as it
prevents the shoulder surfing(those that look over your shoulder to learn your password).
I think it is a good idea BUT I would like to work on professional basis,
meaning: my goal is honestly be rewarded for my effort. I donĀ“t intend to get rich, but
some dollars will be very welcomed. Morover, find a good team to work together.

I have checked this subject on the internet, and I'm sure I have some very original
features in my program that can, for sure, bring new directions to this keylogging
problem.

If some serious developer is interested, please post a contact and
we can start a conversation.

Regards


Rod

Brian MillerAugust 18, 2006 9:00 AM

@instance:

What you actually need to do is run a performance monitor (like Windows perfmon). When the application is active, the performance monitor will log the activity. Then you can see which of your applications were busy for how long.

thatguyAugust 18, 2006 9:25 PM

worried about keyloggers? here's my solution...

Buy a little mac mini

Put holographic serialized seals over the seams.
Use two different kinds of seals and use a uv
invisible ink pen to sign the seals (dissolved by
solvents used to compromise seals).

Do the above to the keyboard putting seals over
screwholes and seams. Use an external
encrypted hard disk. Use seals and uv marks
over everything you have, wiring, ac adapter,
etc.

Place the computer (which is about 1/2 the size
of a laptop) and external hardware encrypted
hard drive (token type key) into a small safe.

Keep the token on your person and turn on
filevault encryption (AES 128 bit).

This setup is quite reasonable and everything
is available to buy quick and easy on the net.
Sneak and peek warrants are tremendously
complicated by this system. Enova 3DES 192 bit
HDD's are very secure and reasonably priced
($450 USD)

IanSeptember 3, 2006 3:20 AM

To beat keyloggers (both software and hardware ones), I prefer to use programs that bypass keyboard altogether - e.g. Mouse Only Keyboard (MOK) with anti Clipboard logger - find at

http://www.myplanetsoft.com/free/antikeylog.php#mok

or even better - a terrific program that I recently discovered and which beats also mouse-loggers, called HashPass - check at

http://www.kagi.com/fantasy/

which not only bypasses keyboard by using Clipboard with anti Clipboard logger but can even bypass also the Clipboard allowing to use drag-and-drop. Fortunately, practically all web sites' password edit boxes are drag-and-drop enabled. I've been using HashPass since I discovered it and it uses a concept that I have not seen applied anywhere else so far. It's a small standalone app, doesn't have to be installed, doesn't require admin rights and can be run from any removable medium. At this moment it's my top of the line.

VINCENT SISTOFebruary 15, 2007 10:10 PM

FOR THE BEST ANTI KEY BOARD LOGGER
GO TO STRIKE FORCE TECH,OR GO TO GUARDED ID....THEY ENCRIPT ALL KEYSTROKES AND THEY KNOW OF NO KEYLOGER PROGRAM THAT CAN READ KEYS.....I HAVE GUARDED ID ON MY COMPUTER....I WISH I COULD TEST IT WITH KNOWN LOGGERS,BUT I DO NOT HAVE THE KNOWLEDGE TO DO SO...


VINNY

jzApril 2, 2007 2:36 PM

I NEED TO KNOW IF THERE IS A WAY TO MAKE A WIRELESS KEY BOARD INTO A KEYKETCHER??OR WHERE I CAN BUY ONE ALREADY BUILD INSIDE..I KNOW THE KEYKATCHER CAN BE INSTALLED INTO THE MOTHERBOARD..BUT IS THERE A WAY TO PUT IT INTO THE WIRELESS KEYBOARD ITSELF??I KNOW IT WILL TAKE SOME SODERING AND ALITTLE SMARTS...I HAVE THE SODER IF SOMEONE HAS SOME SUGGESTIONS I AM ALL EARS....THANKS

CuriousApril 3, 2007 12:32 AM

I'm just wondering:

If a hardware keylogger HAS been installed, and it does capture ctrl+v paste commands, and the average memory a hardware keylogger has is between 2mb - 8mb, would me copy/pasting a lot of text fill that 8mb up fast and then pretty much be able to ignore a hardware keylogger?

MrNiceGuyApril 24, 2007 10:14 PM

Where in the world are you doing that you're so sure someone is trying to record your activity and what are you doing that must be kept so secret?

If you're at work doing work, then it doesn't matter if your employer is logging your keys, if you're at home, how likely is it that anyone has physically gone in and put a key logger in?

If you're surfing child porn at work, I hope you get caught.

AnonymousAugust 13, 2007 1:28 AM

Estranged husband says there is a key logger installed from remote computer - he seemed to be able to do something with my msn while i was online. I have run a deep scan with nod32 and it showed nothing... could there be a key logger and how do i get rid of it in laymans terms please

AnoopSeptember 13, 2007 6:56 AM

I know that on screen keyboards can be easily be read by the keyboard loggers, but is it possible to read copy paste, if it was done using mouse in windows ??? If that cannot be read by the keyboard loggers then what anyone needs to do is create a text file from a-z A-Z 0-9 ~to+ ... etc and copy paste the appropriate characters, would that work ???

scuzSeptember 15, 2007 6:42 PM

what i want is a keylogger, that i can steal someone else's keystrokes that they type on their OWN computer. cause i play this game called runescape, and i wanna know there passwords...plz help me?

hackerOctober 23, 2007 12:18 AM

i have used ton's of keyloggers in the past and i make them to. but there is a very ezy way to get rid of them.most keyloggers have a "safety pin" if this number or numbers are tiped on the keybord the keylogger will "kill it's self" per say but this code is most of the time very long and impossable to find out. sorry for any bad spelling as i am onley 13 years old i hope this helps PS.never download anything from "zerogamers.com" as i make most of the hacks that are on there and if u use them u will be the one hack.

makaylaNovember 9, 2007 12:47 PM

Does anyone know of any hardware keyloggers for laptops? i've been googling them but only found internal ones that get installed into the motherboard. i'm looking for the kind that just get plugged in, any ideas? Thanks

SergioJuly 24, 2008 12:30 PM

I need a software that check that mouse and keyboard is present, if not send me an alert.
Sergio

SafOctober 5, 2008 12:48 AM

Hiya

Some interesting ideas being discussed on here.

What I would like to know is;

1. How can a hardware keylogger pick anything up other than keyboard strokes? On screen keyboards would kill this in that case.

2. Is there really wireless keyloggers available? Those would kick ass at stealing corporate info, just sit outside with a coffee and laptop lol.

3. Finally, like mentioned above, why do you care so much about what is being monitored? If they get your online bank details, the bank will cover you for the fraud (might be a headache). If they get login details etc, as long as you kept a reminder question, you can reset it from another pc.

Anyway I would love to see a wireless hardware keylogger, which incorporated a self install software keylogger. Maybe have 1gb of memory and be small enough to fit inside a mouse/keyboard with no solder required (connect itself between the keyboard cable connector inside the case, usually the little white connector going into the pcb, if you get my idea). Have the keylogger transmit the data in short bursts every 6,12 or 24 hours etc.

The thing is, if you code your own keylogger software, anti virus will never pick it up most likely (if your a good coder that is). So you could ripp corporate secrets left right and centre lol. Then sell them back to the company in question and never reveal your secret ;).

Clive RobinsonOctober 5, 2008 5:05 PM

@ Saf,

To answer your questions.

1, It should not. But in theory you could have a side channel that leaked information. In practice this could leak the mouse movments due to say a badly written driver changing it's timing, or poor hardware design where a mouse related signal appears on the power supply lines (Look up Tempest attacks).

2, It depends on what you mean by wirless. If you take the keyboard data signal and modulate a small bug with it then this is considerably easier than a conventional key logger. Likewise using a small uP like a PIC to do burst mode transmission would actually still be simple. The problems are frequency / power / detectability.

3, The info leaked may be considerably more important than your online bank details, such as say access data to a server with a companies latest R&D info. Or if wirless logging it might enable sesion hijacking (some of these One Time Password Tokens only change the logon key every minute this giving a window of oportunity). Also not all banks will accept liability, their argument is you deliberatly gave away your credentials and therefore they have no liability.

If you have a keyboard logger that can communicate wirelessly you do not need to install software on the target PC so for that vector your detectability is zero (however the RF signal could be very easily detected by a bug detector so on that vector you detectability is fairly high).

It is a myth to asume that software can hide from detection it can't, all it can do is make the probability of detection lower.

Even the stealthiest code is quite easy to detect if it is installed to the HD. Which is normaly the case if the code is to survive a reboot. Even if it is not installed the way it communicates data to an external entity can get detected (this was how the Sony Rootkit was discovered).
In practice a hardware PC keyboard logger would find it difficult to install code undetectably because it's in the wrong place and the bandwidth of the channel available to it is quite low.

As for "rolling your own" code this is not a simple task even for an experianced code writer and is likley to have bugs etc that make it easily detectable.

However if the target of the evesdroping is not technicaly sophisticated then yes even simple very obvious things are not going to be detected by them. But then they are probably going to be vulnerable to all sorts of other attacks so you would have a much larger range of lower risk vectors to try first (like an email with an attached "neat game").

A golden rule of survalence is the KISS principle as high tech / sophisticated attacks have high costs and are considerably more likley to fail.

DerekJuly 23, 2009 8:41 AM

I've created my own open-source hardware keylogger coded in C based on a PIC micro, and serial EEPROM.

The code/schematics are available here, and it would cost you less than $5 to build:

http://derek.chezmarcotte.ca/?page_id=24

This can be installed directly into a keyboard if you like, instead of an in-line dongle, so you don't have to worry about it being unplugged, etc.

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.