Domain: keyghost.com
Stories and comments across the archive that link to keyghost.com.
Comments · 68
-
Re:Wireless?
In short: Yes, it's very easy to capture keystrokes over bluetooth, even when the device isn't paired with you. Google for "bluetooth keyboard sniffing".
But there are easier, more reliable ways to get information. Let's say you were involved in corporate espionage, and you wanted to capture the keystrokes of a company's CEO. Here's the easy way to do it:
- Buy a USB keylogger
- Bribe the local cleaning staff: "I'll give you $1000 (or whatever) to connect this to Mr Guy Smiley's computer, where the keyboard plugs in. Here's how you do it ..."
- Insert on Monday, collect on Friday.
It's a sad fact, but almost no one notices the cleaning staff. And the cleaning people are there when you aren't.
So for $300-$350 for the keylogger, plus $1000 (or whatever) for the bribe, and waiting a week, you now have lots of information about what the CEO has been typing. Usernames/passwords, private memos, etc.
While I have never done this, I know a tech support person in another IT department who discovered a USB keylogger had been installed on the Director's laptop dock. But I guess the Director had dropped his laptop that morning, and the techs were replacing it with a new one, including a new dock. That's how they found it, pure luck. They suspected someone was doing that to catch the Director's username/password.
I know an IT Director in another organization (a small company) and they had an incident a few years ago where the IT Manager (who also did tech support as part of a staff of 3 ... small company) installed a software keylogger on the Director's and CIO's computers as they were deployed. I understand he used this to get their passwords and read their email.
So yeah, this stuff does happen.
-
Re:What, me change MAC address? I wouldn't do that
Hardware keyloggers are expensive/hard to get.
While I've never bought one, they seem to be readily available although buying one untraceably would be a bit more difficult (but not impossible) which would be a necessary step to avoid having the keylogger found and an investigator simply asking (perhaps under subpoena) the selling company for the purchase information for that (probably serialized) keylogger.
-
Re:The law doesn't protect you
This won't work for the reasons that other people have noted.
The best security precaution is continual awareness. If you're intimately familiar with all of your hardware and software, it's a lot harder for someone to install a keylogger. Would you know if someone came into your office and moved something around? You should. It requires an effort, though, to start paying attention to little things, so that you'll notice if something is amiss. And if you have a bad feeling, you need to act on it immediately.
Would you notice if someone swapped your keyboard with one of an identical make and model and approximate age? And if you did notice something odd -- maybe a little stiffness in the keys that wasn't there before, a difference in the wear patterns from where your fingers normally lie -- would you just shrug it off or would you immediately stop using it? How often do you actually look behind your desk to see if someone has shoved one of these in between your keyboard and CPU? Those are the things you have to take into consideration.
It's similar with software. A while back I read about a guy who only discovered he'd been rooted because of an oddly misbehaving "ls" command when it was invoked with certain switches. Lots of other intrusions are only discovered because of similar, very subtle, signs. (Most of which boil down to the intruder making a mistake somewhere.)
Most people don't want to have to pay attention to security, and thus look for easy ways out. This is generally where they become most vulnerable. Automated and procedural security is good, but ultimately any 'fire and forget' approach is fatally flawed. There's no replacement for vigilance.
-
No assembly required.
A PS/2 hardware keylogger only needs to be placed at the end of the device. You needn't even touch the keyboard to install it, let alone unscrew anything.
P.S. Oh.. and don't feel safe just because you may use a USB keyboard. That's covered too.
-Grym
-
Re:Let's be sensible here
You're making an assumption: that malware would take the form of a simple executable, which the user has installed because they foolishly clicked on an email attachment.
I can think of a few ways in which malware planted by a reasonably determined government could work with much lower risk of detection:
- Hidden/undocumented APIs in commercial operating systems (note I didn't specify Windows) - will get 99% of suspects, and the police are well aware that there will always be a group that they have substantially less hope of catching.
- Backdoor built into the OS at the factory. It's always been there, why should it be a concern to AV which generally looks for changes? For best results, "disappear" the development team once they've completed their work.
- Backdoor in hardware - something like this, but etched into the silicon of the keyboard controller rather than a separate piece of hardware. Good luck detecting that without an electron microscope and substantial knowledge of IC design.
- Backdoor is digitally signed - perhaps using this key - there's a pretty strong chance that most AV software will silently ignore anything that's digitally signed with a known key.
Of course, most of these are a lot of hassle when it's substantially easier, cheaper and lower risk to simply do things the old-fashioned way - bug telephones and ISPs, put pressure on people who are somehow connected with the people you're investigating. Sooner or later you're going to have to gather evidence in a fashion similar to this anyway, because the question will arise in court - did you follow lawful procedures to get the evidence?
-
Re:Laptop keylogger
Sure, this is more difficult on a laptop since it would have to be opened, but it would also be even more discreet. I'm not aware of any products on the market for laptops, but I'm sure LE could commission one to be made, if necessary.
Laptop keyloggers exist now. Buy one here.
http://www.keyghost.com/PCI-MPCI-Keylogger.htm
-
Re:Physical Keylogger
Actually, a physical keylogger is a device that plugs in between the keyboard and the PC. Or else it could be built into a keyboard. Here's an example KeyGhost. Of course, since it's a dongle that doesn't transmit anything, you need regular physical access to the device to retrieve memory.
I think its main use is to find out if your wife/husband or live-in girlfriend/boyfriend is cheating on you, stuff like that. I wouldn't trust it for a sensitive operation like the one described in the article, too easy to discover with routine maintenance.
One that was built into an identical keyboard would be better in that case.
-
Re:Well, well...
If only the treasury had been using Vista, at least someone would have been to blame for clicking "Accept". In this case no-one could admit ignorance by saying the keylogger just slipped through the net; SOMEONE would have had to click that damn button.
Of course not all keyloggers are software based. Such as this one: http://www.keyghost.com/
-
Re:Physical Keylogger
As the other replies have stated, I don't remember them mentioning a physical keylogger. They do exist though. They sit in between the keyboard's PS/2 plug and the system's PS/2 slot (USB varieties work the same). It looks like they just intercept and log the keystrokes, no software to detect on the host PC and no login needed.
-
It's a question of misplaced priorities.
If the receptionist is assumed to be untrustworthy, then they could just as easily install a real hardware keylogger in between the PC and the keyboard. (And that would be a lot easier to get than an iPod-disguised keylogger.)
I'm not saying that there aren't situations where barring anything that could carry data away is appropriate. It's just that IT types seem to hone in on the "security breaches" that they can shore up, to the greatest inconvenience of users, while ignoring glaring holes elsewhere. If you're going to tell the secretary that she can't charge her iPod from the USB port because of the risk of keylogging, I hope that the keyboard's PS/2 connector is superglued in, or the entire chassis is encased in a locked steel container. Otherwise you're ignoring an obvious avenue of attack (like these), but going after a highly unlikely one, even though the treatment for the unlikely one annoys the user more.
Most IT departments have so many security problems and vulnerabilities, it's hard to even know where to start. But rather than working through them in a rational way, they seem to begin with the premise that "anything that annoys the users in the name of security must be good." (Probably not their fault; it's probably an attempt to placate a PHB somewhere by making the security really obvious...)
It's ultimately a glass-houses issue. Before overt, draconian security measures are put in place, everything else ought to be locked up already. Otherwise, it just makes the IT department look like they're power-tripping, regardless of the real motivation. And in the corporate world, it's not good to make everyone else hate you. Particularly the secretaries.
-
Say all you like about hiring good employees...
At my last job, we had a small, close-knit company. We had a steady influx of about a dozen contractors at any given point. Pretty well paid, they generally had 6mo to 1yr contracts, if we didn't hire on fulltime (which was very common). Catered lunches, the company wasn't going down in flames, etc... good place to work, good city, etc. Come one day, I decide to swap out my keyboard for a new one. I bend down to unplug my existing keyboard, and find a KeyGhost dongle on my keyboard. We had no idea who might have put it there, or what their real reason would have been. We hardly had any idea what to do from there, and hired on someone to help us deal with the ramifications. Our best guess is that this person was bribed by the competition to steal secrets. Now, I was the main IT administrator. My question for the authors of the article is how do you protect your IT people from compromised employees? I think the focus should go the other way around. Us IT workers are increasingly the targets of targeted attacks and hacks, trying to get at the information we have. And hardware security, in the case of this keyboard dongle, is almost non-existent. There are theories on how to detect them, but no solid products. So don't focus on the fact that your IT people have access, and how do you prevent them from using that access for harm... your IT people need that access to do their jobs. Make sure you hire on someone with good ethics, do the best job at auditing and process creation that you can. But realize that a big vector is someone trying to compromise your IT person, without them knowing.
-
Re:Why would they wait?
So, you never heard of the likes of KeyGhost...
How often do you check that keyboard cable of yours, by the way?
-
Re:Who needs software?
now if they made a keyboard that had a keylogger built-in that looked normal otherwise, then that would be a problem...
You mean like this?
-
Re:The most undetectable keylogger
http://www.keyghost.com/images/closeup_sx_sm.gif
:) they be tiny if you want them to be... Perfect for places like universities and the like... :( bad for me because I feel prompted to look around the back of every machine I ever use... The university does a great job of providing clean environments for its users, but something like a hardware logger would trap 50 users all powerful passwords in a single day in one of the university comp labs on a single computer...
-
more sneaky
-
Re:Oh?
This just makes the parent's post more insightful. Any unsupervised, publicly accessible computer should be considered compromised by default. It doesn't matter much if you VPN into your banking site if some asshat has plugged an undetectable keylogging keyboard into the system
-
Re:Oh?
That won't help you one bit if the keyboard has within itself a hardware keylogger.
Some keyboards themselves are keyloggers.
Sometimes keyboards are attached to keylogger adapters or dongles.
KeyGhost.Com
So, remember, either bring your own keyboard or just bring a laptop.
-
Re:This is a joke, right?
Your choice of employers? Seriously, what right does your boss have to know where you are? If they implemented that where I work, I'd never take my laptop home.
But how would you know, unless you disassembled your laptop and all of the software running on it?
There are in-keyboard, in-laptop keystroke loggers now that corporations are considering putting in their laptops and desktop keyboards, which sends the data back up the pipe at regular intervals when connected. Companies are using this stuff TODAY.
Granted, it's not GPS, but that'll eventually be a part of it as well. With Always-On devices becoming the standard, there's nothing to stop them from including a bit of firmware that simply stores your coordinates every 5 minutes and when you're connected polling your mail or whatever, sends that back upstream. Were you in a meeting for the last hour? Or down the road at the coffee shop? They'll know.
-
Hardware Loggers
Hardware based keyloggers are a little easier to spot, though. You could show them pictures of hardware loggers so they'd know what to look out for. A quick Google found this one and this one, which are pretty much the only two types I've seen so far.
It should be noted though, that finding these things on an Internet kiosk would be near impossible as most of the hardware is hidden from the user's view.
-
Re:Good luck reading secure webmail
Even then, you're not necessarily safe.
Just one example of a hardware keystroke logger
-
Re:Good luck reading secure webmail
To have privacy, you have to find some obscure Unix distro (Red Hat isn't obscure enough; they have that covered too) and use it.
Two words: hardware keylogger.
-
Re:Good luck reading secure webmail
http://www.keyghost.com/ (There are also cheaper competing products with similar functionality)
-
Re:Combatting keystroke loggers
If you're going to be that paranoid about keystroke loggers, it might be worth taking a look at http://www.keyghost.com/ - normal keyboards with built-in hardware keystroke loggers.
Knoppix won't help with that. I suppose you could bring your own keyboard, but at some point it's probably just easier to use a Palm Pilot with a keyboard and an ethernet card.
-
Re:And the entire internet is public..
"key loggers in the keyboard"
Something similar to this: KeyGhost
-
Re:And the entire internet is public..
http://www.keyghost.com/sx/
This device will happily log all your keystrokes whatever media you decide to boot from.
-
Re:Mine doesn't.
That gadget is actually a really good idea, but they don't have one that supports USB keyboards? Come on, man, get with the times.
Available if you e-mail them about it, but described as "Beta". Or as I read it, "There's limited demand and we're still working on them, but we'll sell you a usable one-off current prototype if you're really interested."
I use the PS/2 keyboard for the stuff I want to save, and save the roll-up USB keyboard for passwords.
-
Mine doesn't.
We have no reason to lose a single keypress from the user.
And if you consider it important enough to spend money on, you can buy a gadget to insure exactly that. (Thanks to Dan Rutter for his reviews of this and other cool geeky toys.)
-
Some gadgets they missed..
In no particular order..
Perhaps it doesn't appeal to the stereotypical geek, but the vibrator. The pocket calculator as well as; The calculator/remote control/radio controlled/FM radio *wristwatch* (surely the pinnacle of miniaturization!).
Of course, the bonefone: link. The transistor radio. The world receiver radio. The wind-up/clockwork radio/charger. The intimidating maglite flashlight. Glowsticks! Neither electronic, nor moving parts, but who can resist luminescence!
7" 33 1/3rpm vinyl gramophone records; or I can do you even better than that - 7" 33 1/3 rpm plastic gramophone records that were given away as inlays with MSX Magazine, that you'd dub on tape, and you'd "load" programs off of the tape using the regular "data cassette recorder".
CB (Citizen's Band, 27 "megacycle") radio. ZX80. C64. Nuff said. The lava lamp! Duh! The strap-on (wait for it) keyboard (keyboard guitar).
The hearing aid. The answering machine remote control/handheld DTMF tone dialer. Also; the blue box! The minox sub-miniature "spy" camera (as seen in james bond). The SLR Single Lens Reflex camera. Automatic tweezers (They don't work particularly well, but they have a gadget-esque movement)
The portable DVD player. Toys robots (remote controlled, especially; the robosapiens is a good stab at the concept). Magnesium firestarters. (I'm the firestarter!)
Personal Emergency Position Indicating Radio Beacons (P-EPIRBs) RC cars, helicopters. E.g. The translator pen (scans text when you move across it, translates) The penman robotic plotter and of course the closely related concept of the Logo turtle..
The random movement printer (If and when it becomes widely available..) Lego mindstorms (programmable bricks..)
The most important hand-helds historically; the Smith&Wesson and the AK47.
Also, though not an autonomous device, nor mechanical, nominated for achievements in disrupting the global economy, I'd like to recognize bubblejet printer ink, for costing more than its weight in gold or oil.
Aerosol spray canisters; specifically, every graffiti artist's friend: spraypaint and every gadget-minded geek's friend: deodorant (especially the miniature cans) and of course; aerosol cheese! Also, perhaps slightly more palatable, mace pepper spray.
The electric toothbrush (with induction-loop-charging-circuit magic!)
Not the greatest gadget in history until you consider its "dual use" nature, and the fact it's marketed so widely.
Satellite TV. Not the most portable of gadgets, but come on! Windscreenwiper glasses. (Though more of a chindogu) The mac. The iMac for doing it twice. The aibo.
The "orgasmotron" (actually just a head massager, not at all naughty) Stylish pin clock. The keyghost hardware keystroke logger.
The digital camera. The digital photo frame.
The credit-card sized Anything, but in particular, the cre
-
Re:What about hardware?
You're talking about this I presume?
-
It's really quite simple
These little devices simply plug in between the keyboard and the PS/2 port on a PC. They're usually beige in color and look as if they're supposed to be there.
You can get them at sites like this and this.
I've never heard of USB keystroke loggers however (probably because the information transferred between USB keyboards is in an arbitrary format), so any computer using a USB keyboard (modern Macs only have USB keyboards) should be safe.
Finally, the method of data retrieval is also fairly simple. Simply unplug the device and plug it into your own computer, and in any text editor start typing a certain "code" to open an interface to the keylogger (I think some might come with special software for it as well).
-
Re:Keyloggers
I have a hardware firewall (GTA GB500), 30 character password, and all remotely personal information stored on a 256bit AES encrypted volume.
Call me ignorant but wouldn't one simple phishing/keylogging software to get your password and its all for nothing?
Or go one better; install the keyghost keystroke-logging keyboard-dongle (other brands are available).
Note that storing your information on an encrypted partition does fuck all to protect you from viruses or spyware that choose to spam X:\goatporn.jpg to your entire address book.
And then there's the omniscient swapfile. Did you encrypt the swapfile?
Notice that the article poster mentions his system is "as safe as XP will let him make it", but strangely no mention of the windows "syskey" option. Also no mention of hardware encryption for his hard drive.
Not to mention that all of that is moot if you're planning on running for public office, and you might be worried about your ISP/google's logs ever resurfacing from that one night you and your buddies were drunk and surfing the web for goat porn..
-
Easy to get in
With some smarts, you install a keystroke logger/ICQ bot/VNC/what-have-you (for future use). That is nice, but it won't actually run when the user returns...
I think you're wrong about that. So, I install a KL on the CFO's machine, grab your actual SOX docs (not the "doctored" ones you want to release) and send them to the feds. Your key people go to jail for flagrant violations, and then I move in, install my own people into key positions and wait...
-
Re:Risk of corporate keyloggers.
> If you're at work and not using your own laptop or
> a Knoppix disk, make sure you only use a corporate
> credit card when ordering online.
And how can you stop this?
-
Re:Waaaaaait.
It's a compromise. It's more difficult to modify the hardware than the software. And the software can easily be compromised without even the owner knowing it by various spyware.
A computer at an internet cafe is likely to have spyware on it, but it would take more work for them to install a physical keylogger. So if you sit down at one of those, you should at least check it for one of these.
So this will protect you when you're borrowing a friend's computer or dropping in on a client or customer. Probably. It can't reduce the trust to zero. You can get closer to zero by borrowing an Ethernet cable and using your own laptop, but it would certainly be convenient to have to bring along nothing more than a tiny USB key than having to schlep around your own processor, monitor, and keyboard.
-
If there is a problem, it isn't KeyGhost.
From the KeyGhost installation instructions: "To install the KeyGhost, all you need to do is plug it in between your keyboard cable and your computer."
Obviously, these require no expertise to install. Obviously, also, you would look for these on any computer you used.
It might be good to carry one of those laptop-size USB keyboards, and use it instead of the cyber cafe keyboard. That would guard against keystroke loggers inside the keyboard. USB keyboards install automatically; there is no need to detach the normal keyboard.
-
Re:A Knoppix CD provides a secure OS and browser.
There might still be a problem with a hardware-based keystroke recorder, but that level of expertise is unlikely, I think. A thief who could do that could get a good job, and wouldn't need to be a thief.
Hire me, please!
-
Re:A Knoppix CD provides a secure OS and browser.
There might still be a problem with a hardware-based keystroke recorder, but that level of expertise is unlikely, I think.
It's not quite as hard as you think.
-
Re:Coming events
There's nothing wrong with that if you use Knoppix
-
keylogger
If you can touch type and aren't worried about seeing your notes until you get back, you could go with a small keyboard such as the Happy Hacking and a keylogger like KeyKatcher, or a combination like at Key Ghost. Just rig up a few batteries to power it. When you get back, dump the notes into a file.
-
Re:Not the source, really
(1) no better system than passwords has yet been devised
Except those nifty token+PIN systems. My bank has even given me a "calculator" type thingy in which I put my ATM card, and using my normal PIN, the chip on that card will calculate the response to a challenge when I log into online banking. Pretty nifty, pretty secure. The chip will stop working after 3 attempts at a wrong PIN, and if the card is stolen, I'd report it straight away anyway. This closes the window of opportunity considerably.
Token based security systems can integrate really well into computer systems, so you end up with Single Sign On solutions, and the challenge-response protocol can run over a simple USB link, so all you have to enter is your PIN (into hardware which you carry with you, and isn't susceptible to having keyboard sniffers installed).
There are lots of vendors who sell this hardware, iButton, rsa.com, etc. etc. Pick up a random computer industry mag and they're right there in the less-than-a-page-big ads.
Note that SSH uses a similar idea for single sign on; you type in your password/phrase into an agent which decrypts your private key on your workstation, and challenge/response is used when logging in; your password is only exposed to your local workstation, not to the remote system, nor is it sent over the line in any way. You can even change keys without changing the password/phrase (and vice versa).
I saw another post here mention diceware, which is pretty nifty too; passphrases generated using dice.
Physical security is also often overlooked, on the premise that you're fucked anyway when people bring in laptops, or plug a wifi access point into your network. But physical security is the only kind of security where biometrics make any sense at all (as in; "hey, I haven't seen you here before" or; "that's not your photo on this id here.."). So if you're going for 3-out-of-3 authentication (something you know/have/are) you need physical security as well.
No security is perfect, but it doesn't have to be quite as bothersome to users. Let's say no one can log in remotely to the work LAN. That's not that inconvenient to most people, and if some one complains, sure, let them at it, and log what they're doing. The window of opportunity may be widened by a creak because a few accounts do get remote access, but no form of security is perfect anyway.
I find attack trees a useful way to present weaknesses in security; it emphasises the weakest chain in the link, but also the prerequisites to get there, and the alternatives. (For example, the CEO might well have a yellow sticky tape with his password on his monitor at home, but breaking into the CEO's home is quite hard because that house has pretty good physical security, him being the rich bastard that he is.. Whereas bribing cleaning people who come in at night to place a keyghost is cheap and effective.)
-
Re:Strong Policy Required
So far our security record has been 100% according to our internal auditing firm.
So, you pay your cleaners more than minimum wage?
It's amazing what people can do with the passwords written on yellow sticky tape stuck to the bottom of your keyboard.. Or a keyghost for that matter.. Or even just having their kid hook up a wireless AP to your secure LAN hidden under a desk on bring-your-kid-to-work-day..
-
Re:It's there so
I beg to differ: one of these would work. Of course you likely meant software loggers.
-
Re:Trustworthy computing
Are you sure you don't have one of these keyboard sniffers connected by your employer / family?
-
Re:I'd be willing to bet that most of this happens
One way to check if a machine has a keylogger is to type some stuff like "yakyak", reboot and do a search for text files containing that term.
Also, look behind it for something like this but keep in mind it's also very easy to install something like that inside the case, even to the back-side of the motherboard where you can't readily see it.
Let's face it, if somebody wants to steal YOUR identity, it's so fucking easy there's really nothing you can do to prevent it short of living like the unabomber and having no identity to steal.
The best you can do is try to prevent yourself from ending up in a lot of databases, and try to avoid using your credit card in places like grocery stores and gas stations where it's just going to pile up in a stack of receipts behind the counter, guarded by some punk making 4.75 who doesn't give a shit about your AMEX with the $100000 limit. Most identity theft is not targeted - these guys harvest stacks of receipts and computer printouts, test which identities or credit cards are useable, and go from there.
-
Re:Morseall
"Not! you think they can't design a keyboard wedge which logs the numlock-flashing pattern to a built-in memory? And it could even detect Morse and decode it."
Well, you can't buy that sort for $90
-
Re:And this should surprise us?
You mean like this.
If I was to do this I would use one of the versions that uses a private IRC channel to communicate, that way you never have to go back to the machine again, yet can control it from almost anywhere with a lesser chance of being found.
-
Re:This software...
Of course, I'd just use a keyghost hardware keystroke logger, so it wouldn't really matter what your software setup was like.
I think ThinkGeek used to sell these babies for a little while, they probably realised they'd have rather unethical uses. You might need to break your own locks if you've lost your key, but you certainly don't need to log your own keystrokes because you've forgotten your password.
-
Re:MIT
-
Tinfoil Hat Linux ...for the Paranoid
This article reminded me of a fun little Linux distro on floppy from the nice folks at the Shmoo Group. "You may want to use Tinfoil Hat Linux if...
- You're using a computer that could have a keystroke logger installed. http://www.keyghost.com is an example of a tiny & cheap hardware logger.
- You need to use your personal GPG keys at work, school or a web hosting facility where you don't trust or own the equipment.
- If you maintain a PGP Certificate Authority or signing key and have to have a safe place to use the CA key.
- If you simply don't want to risk putting a PGP key on a hard drive where someone else might have access to it.
- The Illuminati are watching your computer, and you need to use morse code to blink out your PGP messages on the numlock key."
-
Re:KeyGhost
Uh, according to This page, you don't need software to download the keystrokes.