TechnicalInfoBannerA
TechnicalInfoBannerB
TechnicalInfoBannerC



  Professional Keylogging
December 22nd, 2007

I used to say that the easiest way to break in to an organization was through submitting an outstanding CV.  Nowadays I’d be inclined to say giving away free USB memory-sticks to a targeted organization’s staff as they were about to begin their working day. With USB sticks containing a stealthily disguised keylogger, you’re practically guaranteed that someone will plug it in…

Of all the nefarious techniques that can be used to gain access to a hosts’ data, the keylogger continues to be a perennial favorite.  Whether it’s deployed in hardware or software formats, for as long as people rely upon password protected authentication processes, the keylogger will continue to be a reliable hacking tool.

Over the years, I’ve personally only had cause to make use of hardware keyloggers a handful of times – mainly due to the fact that very few penetration tests have required surreptitious social engineering techniques, and those that did had objectives focused upon gaining entry to a specific hosting environment (rather than a user account). 

Software-based keyloggers – particularly those associated with spyware and banking Trojans – have hogged the limelight for quite some time.

That said, hardware keyloggers seem to be an oft-forgotten aspect to hacking (for fun and profit).  Consequently, whenever I publicly present on the hacking trends and include state-of-art hardware keyloggers, there’s always a lot of startled faces and expressions of “you’re kidding, it’s that easy?”

Why use a hardware keylogger?

With so many software keyloggers, spyware and malware out there offering the ability to silently install and operate stealthily, why would anyone opt for a hardware keylogger?  Lots of reasons - depending on who you are, and what you’re trying to achieve.

While it is certainly true that hardware keyloggers are undetectable by any existing anti-virus solution or software based malware detection, and that they are operating system and language independent, the main reason why an attacker will opt for a hardware keylogger is because it may be substantially easier to plug one in rather than trying to install a piece of software.

To install a hardware keylogger you just need to have physical access to the host for a few seconds and it doesn’t involve any technical skills.

Consider two scenarios, the office receptionist’s computer and the cash registers used by major retailers.

As you walk in to almost any commercial office, you’ll typically be confronted with the receptionist.  He’ll have a PC which he uses to keep track of visitors, manage door access keycards, respond to email and interact with other internal systems – with the monitor turned away from visitors.  It only takes a couple of seconds for the attacker to reach down behind the screen, pull out the keyboard cable, insert the keylogger, and plug back the keyboard while the receptionist is temporarily distracted in a conversation.

Meanwhile, at a store - since just about all modern cash registers are based around a standard desktop PC configuration - the attacker can insert cheap keyloggers in to any cash registers not currently in use. Thereafter capturing login credentials, customer address details and manually keyed credit card details whenever that register gets used.

To retrieve the captured data the attacker merely returns to the premises when convenient, unplugs the keylogger(s) and exits the building.

To top it all off, how many people check the back of their PC’s for extra cables or dongles each time they sit down to use it? How many people even know what a keylogger looks like?

Hardware Keylogger Types

For all intents and purposes, there are four types of keylogger: the PS2 barrel connector, the USB dongle, the keyboard embedded logger, and the laptop keylogger. 

PS2 Barrel Connector
The most common type has traditionally been the PS2 barrel-type because of the proliferation of keyboards (and mice) that use that type of connector.  They are usually 3-4 cm long, and look like a standard keyboard connector.  For example, here are some for reference:

When installed, their relatively small size makes it difficult to spot.  For example, check out the before and after shots below:

   

USB Dongles
The next most popular type is based upon a USB dongle.  As the popularity of newer USB-based keyboards increases, the use of this type of hardware keylogger will similarly increase.  The dongles themselves come in a greater variety of shapes in sizes than PS2 barrel keyloggers – ranging from short (3-6 cm) solid male-to-male connectors, through to flexible connectors that may be over a foot long.  For example, here are some for reference:

When installed, they are similarly difficult to spot – unless you know what you are looking for (remember, there’ll likely be a whole mess of other tangled wires at the back of the host). For example, check out the before and after shots below:

   

Keyboard Embedded Logger
As the name would suggest, the keyboard embedded logger is actually installed inside the keyboard itself.  As such there are no externally visible identifiers beyond perhaps scratches to the screws holding the keyboard together (if the attacker installed it in to the existing keyboard).  Then again, it’s possible to purchase branded keyboards that already contain embedded keyloggers – so perhaps the only hint lies with the victim spotting the slightly cleaner/newer keyboard replacement.

A typical commercial keylogger module looks like the following:

 

And may look like the following if you were to open up the keyboard to look for it:

(A detailed walk through on how to install a keylogger module can be found here)

Laptop Keyloggers
These newest keyloggers are designed to fit within standard laptops and intercept their built-in keyboards (which do not utilize PS2 or USB connections).  The current generation of laptop keylogger hardware is based around the standard Mini-PCI slot - an internal PCI slot connector that typically covered with a screw-down lid, and doesn't require device drivers to work.  As such, once installed it is not visible to the laptop user and will successfully intercept all keystrokes.

A typical commercial laptop keylogger looks like the following:

laptop keylogger

How much does a keylogger cost?

Typing “hardware keylogger” in to Google will yield several hundred thousand results, and dozens upon dozens of keylogger manufacturers and resellers. The prices and specifications of the keyloggers vary widely, and it can quickly become quite confusing.

Hardware keyloggers are typically priced on four factors:

  1. The type of keylogger. PS2 barrel connectors are the cheapest, while a complete keyboard with an embedded keylogger is the most expensive.  Typically, USB-based keyloggers are about 50% more expensive than their PS2 cousins.
  2. The number of keystrokes the keylogger can store. Hardware keylogger comes in sizes based upon their storage capacity.  It can be confusing sometimes as vendors mix Bits with Bytes and keystrokes with pages.  In general sizes range from 64kB to 2MB – which corresponds to 10,000 words (30 pages) through to 350,000 words (about 5 large novels).
  3. Whether logged keystrokes are encrypted and/or timestamped. Some keyloggers encrypt the stored data so that anyone discovering the presence of the keylogger cannot extract the stored keystrokes and/or reuse it on a different host.  Encrypted keyloggers are often used by law enforcement or internal security teams for evidence gathering, and often combine keystroke timestamping so that the captured data can be used for legal proceedings.
  4. The tools and software bundled with the keylogger to speed up downloading or facilitate analysis. While almost all keyloggers can have their data extracted through their default connector (i.e. PS2 or USB), some vendors offer connector tools that can accelerate the process along with software for dynamically rebuilding the documents created upon the monitored host.

Buying a bare-bones 64kB PS2-based hardware keylogger is going to cost you something between $30-$40, while a USB-based version will set you back $50-80.  Meanwhile, a 1MB PS2-based keylogger complete with a hardware accelerator, encryption, timestamping and advanced software analysis tools, will likely come to $200-$400.

The latest generation of laptop Mini-PCI keylogger boards start around $200 for 2MB of capacity.

Prices vary considerably, and most sites can offer big discounts for buying in bulk.  For example, if you’re prepared to buy one thousand 16kB PS2-based keyloggers (such as the ones often given out at security trade shows as gifts) you can pick them up for $3-$5 each.

Meanwhile, commercial keylogger modules are pretty cheap – often retailing for about 50% off the price of an equivalent capacity PS2 keylogger.

Failing that, if you’re prepared to break out the soldering iron and do a little DIY, you can make one yourself for only the cost of the components.  Checkout Keelog.com for details.

 

Retrieving Keystrokes

Retrieving the keystrokes from the keylogger is an extremely simple process.  In most cases with PS2-based barrel connectors, all that is required is the typing of a particular password while the barrel is connected to a keyboard and PC.  Once the password is typed (e.g. “Open Sesame”), the keylogger will reply all the keystrokes it recorded – usually in to an open document – just as if a ghost were at the keyboard (with control and non-printable characters converted in to something readable).  Obviously, the person who installed the keylogger would want to choose a password that is unlikely to be inadvertently typed by the monitored victim.

The process is just as simple for most USB-based keyloggers.  The person extracting the data plugs in the device, types the password, and the computer then registers the presence of a flash media drive.  A folder pops-up, and the person just copies a file from the “USB Drive” to wherever they want.

It’s all very well pretending that a ghost is repeating all those collected keystrokes serially, but 2MB of keystrokes done this way can take a VERY long time. As such, USB accelerators are available for PS2 barrel-type keyloggers which greatly speeds up the extraction of the collected keystrokes.  An example is pictured below:

In the case of hardware keyloggers that offer encrypted data storage, there may be some additional passwords or software-aided extraction tools necessary for decrypting the keystrokes.

Keyboard Language

One thing to remember when using hardware keyloggers is that the data collected is bound to the language of the keyboard in use and (to a lesser degree) the language of the operating system.  The arrangement of keys and the alphabet presented on the keyboard is typically country specific.  In order to correctly retrieve the captured keystrokes and understand their meaning, the analyzer needs to know what country keyboard was used.  For example, [SHIFT]-3 on a UK keyboard is the £ symbol, while on a US keyboard it is the # symbol – and the keys for and the @ symbol are transposed.

Things get a little more complex with double-byte languages such as Chinese and Japanese, but many of the better commercial keyloggers come with extraction software that can easily handle them.  For example, the screenshot below of the KeyGhost software shows the correct rendering keystrokes obtained from an Arabic keyboard.

Combating a Physical Keylogger

The nature of hardware-based keyloggers means that they will always elude software-based detection systems.  Protecting against their unwanted use really comes down to a handful of methods:

  1. Physical blocking - preventing physical access to the keyboard connectors through case design and system location.
  2. Interruption Detection - more sophisticated keyboard peripherals that maintain a constant “I’m attached” signal to the host computer, which triggers an alert of some kind if the keyboard is ever physically detached. This kind of system would have to operate even when the host is in an unpowered state.
  3. Regular inspection - trained staff need to regularly inspect the back of the host for the addition of new wires and connectors.

While not particularly glamorous, method (3) is the most reliable method of detecting unwanted keyloggers.

What does the future hold?

I think that the future for hardware-based keyloggers as a significant hacker technology is strong - much stronger than the future of their software-based cousins.  Their lowering purchase cost, increased miniaturization and absence of any kind of necessary technical knowhow, means to me that they will become more popular with organized criminal teams seeking to steal confidential or personal information from retailers and other large organizations.

Their proven track record at stealing login credentials and other “keys” critical to accessing valuable data and penetrating deeper in to an organization, means that they will always be useful in the first stages of an organized attack.

These keyloggers may even become simpler too.  At the moment the commercially available keyloggers require their installer to physically break the keyboard-to-PC connection in order to install the keylogger.  Already there is talk of more advanced “strap-on” keyloggers that wrap around the keyboard cable and record keystrokes – designed to look like every-day ferrite cores (commonly used to reduce electromagnetic or radio frequency interference).

I haven't been able to find anyone selling them online yet - so I don't know how much they retail for - but if you do, drop me an email.

Hardware Keylogger Reference Sites:
http://www.keydevil.com/
http://www.keyghost.com/
http://www.keelog.com/
http://www.keycarbon.com/

    Copyright 2001-2007 © Gunter Ollmann