Keystroke Loggers - Detection and Prevention

Rich Rumble, Security Samurai
OSCP certified, need I say more?
Keystroke loggers have been around for a very long time. While the threat is old, some of the remedies are new!

Keystroke loggers, aka keyloggers, can take many forms and have evolved over the years. As the name implies, they log the keystrokes of your keyboard. After they log the keystrokes, they can send the logs to the person(s) who created/deployed the keylogger. Unfortunately, keylogging is still a worry in this day and age, but the good news is that with the prevalence of two-factor authentication, that worry is slightly diminished.

Keyloggers used to be mainly hardware based, and in recent years there has been some clever research in the security field to get users to willingly plug in a device that says it’s one thing, but is actually another. Some are disguised as a phone charger or a keyboard itself! There seems to be no shortage of tutorials and information on creating or buying a hardware keylogger.

Hardware keyloggers used to be easy to spot, but only if you looked for them. Often when dealing with a mess of wires, or even tucking away a wireless keyboard receiver, one could insert a keylogger and go unnoticed. They can’t really be detected from the computer itself, but with physical inspection you should be able to spot them. However, as the research mentioned above shows, there are some very clever people out there, and a professional such as myself would probably never take notice of a “keysweeper” type of device.

With software, there are 1,001 ways to log keystrokes. Software keyloggers have the advantage over most hardware keyloggers, because software can make use of the network card and send the keystrokes to an attacker in real time. Windows 10 comes with the equivalent of a keystroke logger built in! You can opt out, but you are never asked to, therefore many people (and companies) continue on with the software sending keystrokes to Microsoft. Some of HP's computers have an audio driver that is supposed to listen for a certain keystroke, but is overzealous and listens to all keystrokes once a user logs in.

Again, there are tons of ways to get your keystrokes and not all of them are directly logging them from the keyboard. A screenshot could be effective, as can looking through your PC’s memory, or even the hibernation file in search of certain strings that help you locate things like passwords. That last item is an attack that is used against the popular password manager Keepass. (I covered what a password manager will and will not protect you from in two other articles—1, 2.) That is not to say a password manager hurts your security—quite the contrary. If you can, please use a reputable password manager. They avoid hardware keyloggers 100% of the time, and unless the malware/keylogger is specifically created to look for a password manager, you’re a lot safer having the manager input the password than not.

So again, I’ve painted a pretty bleak picture of what you can possibly be facing. On the upside, some of this is just research, and as for the others, anti-virus technology is pretty good about detecting their presence. 

Nonetheless, the very best thing you can do, especially when authentication/passwords are involved, is to use two-factor authentication. Two-factor authentication (2FA) uses what are known as one-time passwords: once a code has been used and you have logged in, anyone who captured that code and tries it afterward should be denied access. If the bad guy got the second factor and hit enter before you did, then perhaps he’d get in and you wouldn’t.

A new standard in 2FA is called Universal 2nd Factor (U2F) from the FIDO Alliance. U2F was developed by Google and Yubico, and is Google’s go-to 2FA method. Devices that are U2F compliant use a challenge-response and public-key cryptography. Many popular websites are already using the protocol, and the devices themselves range from $8 to around $20 on average; some are higher.
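The challenge-response exchange described in the two paragraphs above, worked through as an added example (not code from the article): a Go model of a U2F authenticator and a website, using P-256 ECDSA from the standard library. The appID `https://example.test` and the challenge strings in the usage are constructed; the challenge parameter is taken as the hash of the raw challenge, whereas real U2F hashes the client data that carries the challenge and origin.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
)

// Authenticator models a U2F key: a P-256 key pair plus a counter that only goes up.
type Authenticator struct{ priv *ecdsa.PrivateKey; counter uint32 }
// RelyingParty models the website: the registered public key and the highest counter seen.
type RelyingParty struct{ appID string; pub *ecdsa.PublicKey; lastCounter uint32 }

// Register creates the key pair on the device and gives the site only the public half.
func Register(appID string) (*Authenticator, *RelyingParty, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &Authenticator{priv: priv}, &RelyingParty{appID: appID, pub: &priv.PublicKey}, nil
}

// digest hashes the U2F message: SHA-256(appID) || presence byte || counter || SHA-256(challenge).
func digest(appID string, counter uint32, challenge []byte) [32]byte {
	app, chal := sha256.Sum256([]byte(appID)), sha256.Sum256(challenge)
	var cnt [4]byte
	binary.BigEndian.PutUint32(cnt[:], counter) // 4-byte big-endian counter
	return sha256.Sum256(append(append(append(app[:], 0x01), cnt[:]...), chal[:]...))
}

// Sign answers a challenge; the counter is bumped first so every answer differs.
func (a *Authenticator) Sign(appID string, challenge []byte) (uint32, []byte, error) {
	a.counter++
	d := digest(appID, a.counter, challenge)
	sig, err := ecdsa.SignASN1(rand.Reader, a.priv, d[:])
	return a.counter, sig, err
}
// Verify checks the signature, then refuses a counter that did not advance (replay or cloned key).
func (rp *RelyingParty) Verify(challenge []byte, counter uint32, sig []byte) error {
	if d := digest(rp.appID, counter, challenge); !ecdsa.VerifyASN1(rp.pub, d[:], sig) {
		return errors.New("signature does not verify")
	}
	if counter <= rp.lastCounter {
		return errors.New("counter did not increase")
	}
	rp.lastCounter = counter
	return nil
}
```

A captured keystroke gives an attacker nothing here: the answer is bound to the site's appID, to a nonce the site never reuses, and to a counter that must advance.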

With luck, protecting your passwords will soon be solved. While even the U2F products aren’t perfect, it’s a great practice because protecting the rest of what you type is going to be harder to solve. Best practices have that name for a reason, and here are some industry standards:

  • Do not run as an administrator of your PC for your day-to-day activities.
  • Do not run as an administrator of your PC for your day-to-day activities. (not a typo)
  • Keep your computer patched and updated, not just the OS, but also the installed software.
  • Do not open or click on items that have a “time component”—this could be phishing, especially when it’s from an unknown or unexpected source.
  • If you do receive something questionable, call the person who sent it, make sure it’s them and that it is indeed urgent, etc. This will save both you and your company!
  • Occasionally inspect your wires. Maybe you do have a hardware keylogger. No one knows how prevalent hardware loggers are, because no one checks. 
  • Keep your AV updated, and do not install anything you do not need. If a new “search bar” or additional shortcuts appear on your PC, find out what program installed those and remove them all.

