A keylogger, sometimes called a keystroke logger or system monitor, is a type of surveillance technology used to monitor and record each keystroke typed on a specific computer's keyboard. Keylogger software is also available for use on smartphones, such as the Apple iPhone and Android devices.
Keyloggers are often used as a spyware tool by cybercriminals to steal personally identifiable information (PII), login credentials and sensitive enterprise data. Keylogger recorders may also be used by:
- employers to observe employees' computer activities;
- parents to supervise their children's internet usage;
- device owners to track possible unauthorized activity on their devices; or
- law enforcement agencies to analyze incidents involving computer use.
These uses could be considered ethical or appropriate in varying degrees.
Types of keyloggers
A hardware-based keylogger is a small device that serves as a connector between the keyboard and the computer. The device is designed to resemble an ordinary keyboard PS/2 connector, part of the computer cabling or a USB adaptor, making it relatively easy for someone who wants to monitor a user's behavior to hide such a device.
A keylogging software program does not require physical access to the user's computer for installation. It can be purposefully downloaded by someone who wants to monitor activity on a particular computer, or it can be malware downloaded unwittingly and executed as part of a rootkit or remote administration Trojan (RAT). The rootkit can launch and operate stealthily in order to evade manual detection or antivirus scans.
How do keyloggers work?
How a keylogger works depends on the type of keylogger it is. Hardware and software keyloggers work differently because of the medium each operates in.
Most workstation keyboards plug into the back of the computer, keeping the connections out of the user's line of sight. A hardware keylogger may also come in the form of a module that is installed inside the keyboard itself. When the user types on the keyboard, the keylogger collects each keystroke and saves it as text in its own miniature hard drive, which may have a memory capacity up to several gigabytes. The person who installed the keylogger must later return and physically remove the device in order to access the information that has been gathered. There are also wireless keylogger sniffers that can intercept and decrypt data packets transferred between a wireless keyboard and its receiver.
A common software keylogger typically consists of two files that get installed in the same directory: a dynamic link library (DLL) file that does all the recording and an executable file that installs the DLL file and triggers it to work. The keylogger program records each keystroke the user types and periodically uploads the information over the internet to whoever installed the program. There are many other ways that keylogging software can be designed to monitor keystrokes, including hooking the keyboard application programming interfaces (APIs) that other applications use, malicious script injection or memory injection.
There are two main types of software keyloggers: user mode keyloggers and kernel mode keyloggers. A user mode keylogger uses a Windows API to intercept keyboard and mouse events. Depending on the keylogger, it might instead poll the GetAsyncKeyState or GetKeyState API functions; however, a polling keylogger has to check the key state continuously, so the attacker must monitor each keypress actively.
A kernel mode keylogger is a more powerful and complex software keylogging method. It runs with higher privileges and can be harder to locate on a system. Kernel mode keyloggers use filter drivers that can intercept keystrokes. They can also modify internal Windows system structures from within the kernel.
Some keylogging programs may also include functionality for recording user data besides keystrokes, such as capturing anything that has been copied to the clipboard and taking screenshots of the user's screen or a single application.
Detection and removal
As there are various types of keyloggers that use different techniques, no single detection or removal method is considered the most effective. Since keyloggers can manipulate an operating system kernel, a task manager isn't necessarily enough to detect a keylogger.
Security software, such as an anti-keylogger program, is designed specifically to scan for software-based keyloggers by comparing the files on a computer against a keylogger signature base or a checklist of common keylogger attributes. Using an anti-keylogger can be more effective than using an antivirus or antispyware program, as the latter may identify a keylogger as a legitimate program instead of spyware.
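The checklist approach described above can be made concrete. The following is an added example written for this page (not code from the original article or from any anti-keylogger product): it scores process snapshots against the attributes the article lists, namely the two-file executable-plus-DLL layout, a keyboard hook or rapid GetAsyncKeyState/GetKeyState polling from the user mode description, and clipboard or screen capture as secondary features. The snapshot format, paths, DLL names, weights, threshold and polling cutoff are constructed assumptions; the Windows API names are real, but treating them as indicators is this example's assumption, not the article's.

```python
"""Score process snapshots against a checklist of keylogger attributes.

Added example (editor's, not from the original article). The snapshot
format, process paths, DLL names, weights and thresholds are constructed.
The Windows API names are real, but using them as indicators and the
polling-rate cutoff are assumptions of this example.
"""
from dataclasses import dataclass, field
import ntpath


@dataclass
class ProcessSnapshot:
    image: str                                     # full path of the executable
    loaded_dlls: list                              # (dll path, is_signed) pairs
    api_calls: dict = field(default_factory=dict)  # API name -> observed calls per second
    has_keyboard_hook: bool = False                # a system-wide keyboard hook is installed


USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")


def in_user_writable_dir(path):
    """Heuristic: binaries under user-writable directories deserve more scrutiny."""
    return path.lower().startswith(USER_WRITABLE_PREFIXES)


def score_process(snap, poll_rate_threshold=50.0):
    """Return (score, reasons). Weights are illustrative, not tuned on real data."""
    score, reasons = 0, []
    exe_dir = ntpath.dirname(snap.image).lower()

    # Weak indicator: the executable lives where an ordinary user can write.
    if in_user_writable_dir(snap.image):
        score += 1
        reasons.append("executable in user-writable directory")

    # The two-file pattern: an unsigned DLL loaded from the executable's own directory.
    for dll, signed in snap.loaded_dlls:
        if ntpath.dirname(dll).lower() == exe_dir and not signed:
            score += 2
            reasons.append(f"unsigned DLL from own directory: {ntpath.basename(dll)}")

    # Primary keystroke-capture indicators: a keyboard hook, or rapid key-state polling.
    primary = False
    if snap.has_keyboard_hook:
        score += 3
        primary = True
        reasons.append("system-wide keyboard hook installed")
    for api in ("GetAsyncKeyState", "GetKeyState"):
        rate = snap.api_calls.get(api, 0.0)
        if rate > poll_rate_threshold:
            score += 3
            primary = True
            reasons.append(f"{api} polled at {rate:.0f} calls/s")

    # Secondary capture features only count once keystroke capture is already suspected.
    if primary:
        for api, label in (("GetClipboardData", "clipboard read"), ("BitBlt", "screen capture")):
            if snap.api_calls.get(api, 0.0) > 0:
                score += 1
                reasons.append(label)
    return score, reasons


def triage(snapshots, threshold=4):
    """Return the processes at or above the threshold, highest score first."""
    flagged = []
    for snap in snapshots:
        score, reasons = score_process(snap)
        if score >= threshold:
            flagged.append({"image": snap.image, "name": ntpath.basename(snap.image),
                            "score": score, "reasons": reasons})
    flagged.sort(key=lambda f: f["score"], reverse=True)
    return flagged


# Constructed snapshots: a suspected two-file keylogger, a browser, a polling
# monitor in a user-writable directory, and a game that legitimately polls key state.
SAMPLE_SNAPSHOTS = [
    ProcessSnapshot(
        image="C:\\Users\\alice\\AppData\\Roaming\\svc\\updater.exe",
        loaded_dlls=[("C:\\Users\\alice\\AppData\\Roaming\\svc\\kbd.dll", False),
                     ("C:\\Windows\\System32\\user32.dll", True)],
        api_calls={"GetClipboardData": 0.2},
        has_keyboard_hook=True),
    ProcessSnapshot(
        image="C:\\Program Files\\Mozilla Firefox\\firefox.exe",
        loaded_dlls=[("C:\\Program Files\\Mozilla Firefox\\xul.dll", True)],
        api_calls={"GetKeyState": 2.0}),
    ProcessSnapshot(
        image="C:\\ProgramData\\tools\\monitor.exe",
        loaded_dlls=[],
        api_calls={"GetAsyncKeyState": 500.0}),
    ProcessSnapshot(
        image="C:\\Program Files\\SomeGame\\game.exe",
        loaded_dlls=[("C:\\Program Files\\SomeGame\\engine.dll", True)],
        api_calls={"GetAsyncKeyState": 240.0}),
]

if __name__ == "__main__":
    for f in triage(SAMPLE_SNAPSHOTS):
        print(f"{f['name']}: score {f['score']} - {'; '.join(f['reasons'])}")
```

The point of scoring a checklist rather than any single attribute is visible in the constructed data: the game polls GetAsyncKeyState at a high rate, as games commonly do, but it is signed and installed under Program Files, so it stays below the threshold, while the same polling from a binary in a user-writable directory is flagged. Clipboard and screen-capture calls are deliberately not counted on their own, because ordinary applications use them constantly.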
Depending on the technique the antispyware application uses, it may be able to locate and disable keylogger software with lower privileges than it has. The use of a network monitor will ensure the user is notified each time an application tries to make a network connection, giving a security team the opportunity to stop any possible keylogger activity.
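The network side of the article's description, a keylogger that periodically uploads what it has recorded, is what a network monitor or firewall log can expose. The following is an added example written for this page (not code from the original article or from any monitoring product): it parses constructed connection-log lines of the form "timestamp, process image, destination", groups connections by process and destination, and flags pairs whose intervals are nearly constant, which is the fingerprint of a scheduled upload rather than user-driven traffic. The log format, paths, addresses, event threshold and regularity cutoff are all assumptions of the example.

```python
"""Flag processes that connect to the same destination at regular intervals.

Added example (editor's, not from the original article). The connection-log
format, process paths, destination addresses and thresholds are constructed.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log, one connection per line:
# "<ISO timestamp> <image path> <destination ip:port>"
SAMPLE_LOG = """\
2024-05-01T09:00:00 C:\\Users\\alice\\AppData\\Roaming\\svc\\updater.exe 203.0.113.5:443
2024-05-01T09:00:12 C:\\Program Files\\Mozilla Firefox\\firefox.exe 198.51.100.7:443
2024-05-01T09:05:00 C:\\Users\\alice\\AppData\\Roaming\\svc\\updater.exe 203.0.113.5:443
2024-05-01T09:07:41 C:\\Program Files\\Mozilla Firefox\\firefox.exe 198.51.100.9:443
2024-05-01T09:10:01 C:\\Users\\alice\\AppData\\Roaming\\svc\\updater.exe 203.0.113.5:443
2024-05-01T09:12:03 C:\\Program Files\\Mozilla Firefox\\firefox.exe 198.51.100.7:443
2024-05-01T09:15:00 C:\\Users\\alice\\AppData\\Roaming\\svc\\updater.exe 203.0.113.5:443
2024-05-01T09:20:00 C:\\Users\\alice\\AppData\\Roaming\\svc\\updater.exe 203.0.113.5:443
2024-05-01T09:31:17 C:\\Program Files\\Mozilla Firefox\\firefox.exe 198.51.100.7:443
"""

USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")


def in_user_writable_path(image):
    """Heuristic: a beaconing binary under a user-writable directory is more suspicious."""
    return image.lower().startswith(USER_WRITABLE_PREFIXES)


def parse_log(text):
    """Parse log lines into (timestamp, image, destination) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, rest = line.split(" ", 1)    # the timestamp never contains spaces
        image, dest = rest.rsplit(" ", 1)   # the image path may contain spaces
        records.append((datetime.fromisoformat(stamp), image, dest))
    return records


def find_beacons(records, min_events=4, max_cv=0.2):
    """Return (image, destination) pairs whose connection intervals are nearly constant.

    Regularity is measured as the coefficient of variation of the gaps between
    connections: 0 means perfectly periodic, larger values mean irregular traffic.
    """
    by_pair = defaultdict(list)
    for stamp, image, dest in records:
        by_pair[(image, dest)].append(stamp)

    findings = []
    for (image, dest), stamps in by_pair.items():
        if len(stamps) < min_events:
            continue
        stamps.sort()
        intervals = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(intervals)
        if avg <= 0:
            continue
        cv = pstdev(intervals) / avg
        if cv <= max_cv:
            findings.append({
                "image": image, "destination": dest, "count": len(stamps),
                "mean_interval_s": avg, "cv": cv,
                "user_writable": in_user_writable_path(image),
            })
    findings.sort(key=lambda f: f["cv"])
    return findings


if __name__ == "__main__":
    for f in find_beacons(parse_log(SAMPLE_LOG)):
        flag = " (user-writable path)" if f["user_writable"] else ""
        print(f"{f['image']} -> {f['destination']}: {f['count']} connections, "
              f"every ~{f['mean_interval_s']:.0f}s (cv={f['cv']:.3f}){flag}")
```

On the constructed data the browser's connections are too few and too irregular to qualify, while the binary in the user's AppData directory connects to one address every five minutes with almost no jitter. The event minimum matters: with only two or three connections the interval statistic is meaningless, so the function refuses to judge such pairs rather than produce noise.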
Protection against keyloggers
While visual inspection can be used to identify hardware keyloggers, it is impractical and time-consuming to implement on a large scale. Instead, individuals can use a firewall to help protect against a keylogger. Since keyloggers will have to transmit data back and forth from the victim to the attacker, there is a chance that the firewall will pick up and prevent that data transfer. Password managers that will automatically fill in username and password fields may also help. Monitoring software and antivirus software can also aid in keeping track of a system's health and detect keyloggers after the fact.
System cages that prevent access to or tampering with USB and PS/2 ports can be added to the user's desktop setup. Extra precautions include using a security token as part of two-factor authentication (2FA) to ensure an attacker cannot use a stolen password alone to log in to a user's account, or using an onscreen keyboard and voice-to-text software to circumvent using a physical keyboard.
Application whitelisting can also be used to allow only documented, authorized programs to run on a system. It is also always a good idea to keep any system up to date.
History of keylogging
The use of keyloggers reaches back to the 1970s, when the Soviet Union developed a hardware keylogging device for electric typewriters. The keylogger, called the Selectric bug, tracked the movements of the print head by measuring the magnetic field those movements emitted. The Selectric bug was made to target IBM Selectric typewriters and was used to spy on U.S. diplomats in the U.S. embassy and consulate buildings in both Moscow and St. Petersburg. The keyloggers were found in 16 typewriters and were in use up until 1984, when a U.S. ally who was a separate target of this operation caught the intrusion.
Another early keylogger was a software keylogger written by Perry Kivolowitz in 1983. The user mode keylogger located and dumped character lists in a Unix kernel.
Since then, the use of keyloggers has broadened, notably starting in the 1990s. More keylogger malware was developed, meaning attackers didn't have to install hardware keyloggers, enabling attackers to steal private data such as credit card numbers from unsuspecting victims in a remote location. The use of keyloggers started to target home users for fraud, as well as in different industries for phishing purposes.
In 2014, the U.S. Department of Homeland Security began warning hotel businesses about keyloggers, after an incident where a keylogger was found in hotels in Dallas, Texas. Publicly accessible computers in shared environments are good targets for keyloggers. In 2015, a mod for the game Grand Theft Auto V had a keylogger hidden in it. In 2017, a keylogger was also found in HP laptops, which HP removed with a patch, explaining that it had been left in as a debugging tool for the software.