Keystroke logging

Keystroke logging (often called keylogging) is a diagnostic used in software development that captures the user’s keystrokes. It can be useful to determine sources of error in computer systems. Such systems are also highly useful for law enforcement and espionage—for instance, providing a means to obtain passwords or encryption keys and thus bypassing other security measures. However, keyloggers are widely available on the internet and can be used by anyone for the same purposes.

Keystroke logging can be achieved by both hardware and software means. Commercially available systems include devices which are attached to the keyboard cable (and thus are instantly installable, but visible if the user makes a thorough inspection) and also devices which can be installed in keyboards (and are thus invisible, but require some basic knowledge of soldering to install). Writing software applications for keylogging is trivial, and like any computer program can be distributed as a trojan horse or as part of a virus or worm. It is also said that using an onscreen keyboard is a way to combat these, as it only requires clicks of the mouse. That is, however, false information, because a keyboard event message must be sent to the external target program to type text. Every software keylogger can log the text typed with an onscreen keyboard.

What is not trivial however, is installing a keystroke logger without getting caught and downloading data that has been logged without being traced. An attacker that manually connects to a host machine to download logged keystrokes risks being traced. A Trojan that sends keylogged data to a fixed e-mail address or IP address risks exposing the attacker.

Young and Yung devised several methods for solving this problem and presented them in their 1997 IEEE Security & Privacy paper [YY97] (their paper from ’96 touches on it as well). They presented a deniable password snatching attack in which the keystroke logging Trojan is installed using a virus (or worm). An attacker that is caught with the virus or worm can claim to be a victim. The cryptotrojan asymmetrically encrypts the pilfered login/password pairs using the public key of the Trojan author and covertly broadcasts the resulting ciphertext. They mentioned that the ciphertext can be steganographically encoded and posted to a public bulletin board (e.g., Usenet). They also mentioned having the cryptotrojan unconditionally write the asymmetric ciphertexts to the last few unused sectors of every writable disk that is inserted into the machine. The sectors remain marked as “unused”. Nowadays this can done using a USB token. So, the Trojan author may be one of dozens or even thousands of people that are given the stolen information. Only the Trojan author can decrypt the ciphertext because only the author knows the needed private decryption key. This attack is from the field known as Cryptovirology.

The FBI used a keystroke logger to obtain the PGP pass phrase of Nicodemo Scarfo, Jr.. He plead guilty to running an illegal gambling operation in 2002. (“Mobster’s son pleads guilty of gambling; computer spying helped seal case” Asssociated Press, 1 Mar 2002) The FBI has also reportedly developed a trojan-horse-delivered keylogger program known as Magic Lantern.

References

[YY97] A. Young, M. Yung, “Deniable Password Snatching: On the Possibility of Evasive Electronic Espionage,” IEEE Symposium on Security & Privacy, pages 224-235, May 4-7, 1997.