What Is Keylogging & How Does It Work?


Keylogging (short for keystroke logging) is the practice of covertly recording the input a keyboard sends to a computer, so that the computer user is unaware of it. It can be accomplished using various methods, both software and hardware. These range from low-level rootkits and operating system-level API-based programs to physical devices attached to the keyboard’s connection to the computer, and even to analysis of the electromagnetic signals emitted by a target keyboard from up to 20 meters (66 feet) away.

Keylogging capabilities are often added to various botnet malware (such as the Zeus Trojan) to steal personal or financial information.

How Keylogging Works

Keystroke logging is an act of tracking and recording every keystroke entry made on a computer, often without the permission or knowledge of the user. A “keystroke” is just any interaction you make with a button on your keyboard.

Keystrokes are how you “speak” to your computers. Each keystroke transmits a signal that tells your computer programs what you want them to do.

The information carried by each keystroke may include:

  • Length of the key press
  • Time of keypress
  • Velocity of keypress
  • Name of the key used

When logged, all this information is like listening to a private conversation. You believe you’re only “talking” with your device, but another person is listening and writing down everything you said. With our increasingly digital lives, we share a lot of highly sensitive information on our devices.

User behaviors and private data can easily be assembled from logged keystrokes. Everything from online banking access to social security numbers is entered into computers. Social media, email, websites visited, and even text messages sent can all be highly revealing.

What is a keylogger?

A keylogger, sometimes called a keystroke logger or keyboard capture, is a type of surveillance technology used to monitor and record each keystroke on a specific computer. Keylogger software is also available for use on smartphones, such as the Apple iPhone and Android devices.

Keyloggers are often used as spyware tools by cybercriminals to steal personally identifiable information (PII), login credentials and sensitive enterprise data. However, some uses of keyloggers could be considered ethical or appropriate in varying degrees. Keylogger recorders may also be used by:

  • employers to observe employees’ computer activities;
  • parents to supervise their children’s internet usage;
  • device owners to track possible unauthorized activity on their devices; or
  • law enforcement agencies to analyze incidents involving computer use.

What does a keylogger do?

Keylogger tools can either be hardware or software meant to automate the process of keystroke logging. These tools record the data sent by every keystroke into a text file to be retrieved at a later time. Some tools can record everything on your copy-cut-paste clipboard, calls, GPS data, and even microphone or camera footage.

Keyloggers are surveillance tools with legitimate uses for personal or professional IT monitoring. Some of these uses enter an ethically questionable grey area. However, other keylogger uses are explicitly criminal.

Regardless of the use, keyloggers are often deployed without the user’s fully informed consent, on the assumption that users should behave as they normally would.

Types of keyloggers

Keylogger tools are mostly constructed for the same purpose. But they’ve got important distinctions in terms of the methods they use and their form factor.

Here are the two forms of keyloggers:

Hardware keyloggers

Hardware keyloggers are physical components built into or connected to your device. Some hardware methods may be able to track keystrokes without even being connected to your device. For brevity, we’ll include only the keyloggers you are most likely to have to defend against:

  • Keyboard hardware keyloggers can be placed in line with your keyboard’s connection cable or built into the keyboard itself. This is the most direct form of interception of your typing signals.
  • USB disk-loaded keyloggers can be a physical Trojan horse that delivers the keystroke logger malware once connected to your device.
  • Hidden camera keyloggers may be placed in public spaces like libraries to visually track keystrokes.

Software keyloggers

Software keyloggers are computer programs that install onto your device’s hard drive. Common keylogger software types may include:

  • API-based keyloggers directly eavesdrop on the signals sent from each keypress to the program you’re typing into. Application programming interfaces (APIs) allow software developers and hardware manufacturers to speak the same “language” and integrate. API keyloggers quietly intercept keyboard APIs, logging each keystroke in a system file.
  • “Form grabbing”-based keyloggers eavesdrop on all text entered into website forms once you send it to the server. Data is recorded locally before it is transmitted online to the web server.
  • Kernel-based keyloggers work their way into the system’s core for admin-level permissions. These loggers can bypass and get unrestricted access to everything entered into your system.

How keyloggers work

How a keylogger works depends on its type. Hardware and software keyloggers work differently due to their medium.

Most workstation keyboards plug into the back of the computer, keeping the connections out of the user’s line of sight. A hardware keylogger may also come in the form of a module that is installed inside the keyboard itself. When the user types on the keyboard, the keylogger collects each keystroke and saves it as text on its own hard drive, which may have a memory capacity of up to several gigabytes.

The person who installed the keylogger must later return and physically remove the device to access the gathered information. There are also wireless keylogger sniffers that can intercept and decrypt data packets transferred between a wireless keyboard and its receiver.

A common software keylogger typically consists of two files that get installed in the same directory: a dynamic link library (DLL) file that does the recording and an executable file that installs the DLL file and triggers it. The keylogger program records each keystroke the user types and periodically uploads the information over the internet to whoever installed the program.

Hackers can design keylogging software to work through the keyboard application programming interfaces (APIs) used by another application, through malicious script injection, or through memory injection.

Uses for keylogging

To explain the uses of keylogging, you’ll have to consider: what is keylogger activity legally limited to? Four factors outline if keylogger use is legally acceptable, morally questionable, or criminal:

  1. Degree of consent. Is the keylogger used with 1) clear-and-direct consent, 2) permission hidden in obscure language in terms of service, or 3) no permission at all?
  2. Goals of the keystroke logging. Is the keylogger being used to steal a user’s data for criminal uses, such as identity theft or stalking?
  3. Ownership of the product being monitored. Is the keylogger being used by the device owner or product manufacturer to monitor its use?
  4. Location-based laws on keylogger use. Is the keylogger being used with intent and consent per all governing laws?

Legal keylogger use requires the person or organization implementing it to:

  • Involve no criminal use of data.
  • Be the product owner, manufacturer, or legal guardian of a child owning the product.
  • Use it per their location’s governing laws.

Consent is notably absent from this list. Keylogger users don’t have to obtain consent unless laws in the area of use require them to. This is ethically questionable for uses where people are not made aware that they are being watched.

In consensual cases, you may allow keystroke logging under clear language within terms of service or a contract. This includes any time you click “accept” to use public Wi-Fi or when you sign an employer’s contract.

Here are some common legitimate uses for keyloggers:

  • IT troubleshooting — to collect details on user problems and resolve them accurately.
  • Computer product development — to gather user feedback and improve products.
  • Business server monitoring — to watch for unauthorized user activity on web servers.
  • Employee surveillance — to supervise the safe use of company property on the clock.

You might find legal keyloggers are in your daily life more than you realize. Fortunately, the power to control your data is often in your hands if the monitoring party has asked for access. Outside of employment, you can simply decline permission to the keyloggers if you so choose.

Non-consensual legal use of keylogging is more questionable. While it violates the trust and privacy of those being watched, this type of use likely operates in the bounds of the laws in your area.

In other words, a keylogger user can monitor computer products they own or make. They can even monitor their children’s devices legally. But they cannot surveil devices outside of their ownership. This leaves a bit of a grey area that can cause problems for all involved.

Without consent, people and organizations can use keyloggers for:

  • Parental supervision of kids — to protect their children in their online and social activities.
  • Tracking of a spouse — to collect activity on a device the user owns for proof of cheating.
  • Employee productivity monitoring — to watchdog employees’ use of company time.

Even consent that has been buried under legal jargon within a contract or terms of service can be questionable. However, this does not explicitly cross the line of legality either.

Criminal keylogging uses

Illegal keylogger use completely disregards consent, laws, and product ownership in favor of nefarious uses. Cybersecurity experts usually refer to this use case when discussing keyloggers.

When used for criminal purposes, keyloggers serve as malicious spyware meant to capture sensitive information. Keyloggers record data like passwords or financial information, which is then sent to third parties for criminal exploitation.

Criminal intent can apply in cases where keyloggers are used to:

  • Stalk a non-consenting person — such as an ex-partner, friend, or other individual.
  • Steal a spouse’s online account info — to spy on social media activity or emails.
  • Intercept and steal personal info — such as credit card numbers and more.

Once the line has been crossed into criminal territory, keyloggers are regarded as malware. Security products account for the entire use case spectrum, so they may not label discovered keyloggers as immediate threats. As with adware, the intent can be completely ambiguous.

Why keylogging can be a threat

Threats of keyloggers can come from many issues around the collection of sensitive data. When you are unaware that everything you type onto your computer keyboard is being recorded, you may inadvertently expose your:

  • Passwords.
  • Credit card numbers.
  • Communications.
  • Financial account numbers.

Sensitive information like this is highly valuable to third parties, including advertisers and criminals. Once collected and stored, this data then becomes an easy target for theft.

Data breaches can expose saved keystroke logs, even in legitimate use cases. This data can easily be leaked inadvertently via an unsecured or unsupervised device or through a phishing attack. More common leaks can occur by a direct criminal attack with malware or other means. Organizations collecting mass keylogging data can be prime targets for a breach.

Criminal use of keyloggers can collect and exploit your information just as easily. Once they’ve infected you with malware via drive-by download or other means, time is of the essence. They can access your accounts before you even know that your sensitive data has been compromised.

Keylogging detection and removal

Due to the variety of keyloggers that use different techniques, no single detection or removal method is considered the most effective. Since keyloggers can manipulate an operating system kernel, examining a computer’s Task Manager isn’t necessarily enough to detect a keylogger.

Security software, such as an anti-keylogger software program, is designed specifically to scan for software-based keyloggers by comparing the files on a computer against a keylogger signature base or a checklist of common keylogger attributes. Using an anti-keylogger can be more effective than an antivirus or antispyware program. The latter may accidentally identify a keylogger as a legitimate program instead of spyware.

Depending on the technique an antispyware application uses, it may be able to locate and disable keylogger software with lower privileges than it has. Using a network monitor will ensure the user is notified each time an application tries to make a network connection, allowing a security team to stop any possible keylogger activity.
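The network-monitor check described above can be paired with the earlier observation that software keyloggers upload their logs periodically. The following is an added example, not code from the original article: it reviews connection records and flags programs outside an allowlist that contact the same endpoint at a near-constant interval. The record format, process names, addresses and thresholds are constructed assumptions.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample records: (seconds since capture start, process, remote endpoint).
SAMPLE_LOG = [
    (5, "browser.exe", "203.0.113.10:443"),
    (12, "kbhelper.exe", "198.51.100.7:443"),
    (20, "browser.exe", "203.0.113.10:443"),
    (40, "notes.exe", "192.0.2.44:443"),
    (95, "notes.exe", "192.0.2.44:443"),
    (311, "kbhelper.exe", "198.51.100.7:443"),
    (400, "browser.exe", "203.0.113.10:443"),
    (450, "browser.exe", "203.0.113.10:443"),
    (613, "kbhelper.exe", "198.51.100.7:443"),
    (700, "notes.exe", "192.0.2.44:443"),
    (720, "notes.exe", "192.0.2.44:443"),
    (910, "kbhelper.exe", "198.51.100.7:443"),
    (1214, "kbhelper.exe", "198.51.100.7:443"),
]

# Hypothetical allowlist of documented, authorized programs (lowercase names).
ALLOWLIST = {"browser.exe"}


def find_periodic_uploaders(log, allowlist, min_events=4, max_jitter=0.15):
    """Flag non-allowlisted processes that contact one endpoint at a steady interval.

    Returns {(process, remote): mean interval in seconds}. A pair is flagged when
    the standard deviation of the gaps between its connections is at most
    max_jitter times the mean gap, i.e. the traffic looks timer-driven.
    """
    times = defaultdict(list)
    for ts, proc, remote in log:
        if proc.lower() not in allowlist:
            times[(proc.lower(), remote)].append(ts)

    flagged = {}
    for key, stamps in times.items():
        if len(stamps) < min_events:
            continue  # too few connections to judge regularity
        stamps.sort()
        gaps = [later - earlier for earlier, later in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            flagged[key] = round(avg, 1)
    return flagged


if __name__ == "__main__":
    for (proc, remote), interval in find_periodic_uploaders(SAMPLE_LOG, ALLOWLIST).items():
        print(f"review {proc}: connects to {remote} about every {interval}s")
```

Legitimate software such as update checkers also connects on a timer, so a hit is a prompt for review against the allowlist rather than proof of a keylogger.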

Protection against keylogging

While visual inspection can identify hardware keyloggers, it is impractical and time-consuming to implement on a large scale. Instead, individuals can use a firewall to help protect against a keylogger. Since keyloggers transmit data back and forth from the victim to the attacker, the firewall could discover and prevent that data transfer.

Password managers that automatically fill in username and password fields may also help protect against keyloggers. Monitoring software and antivirus software can also keep track of a system’s health and prevent keyloggers.

System cages that prevent access to or tampering with USB and PS/2 ports can be added to the user’s desktop setup. Extra precautions include using a security token as part of two-factor authentication (2FA) to ensure an attacker cannot use a stolen password alone to log in to a user’s account, or using an onscreen keyboard and voice-to-text software to circumvent using a physical keyboard.

Application allowlisting can also be used to allow only documented, authorized programs to run on a system. It is also always a good idea to keep any system up to date.
