1

If I have to enter sensitive data like a password on a device/system I don't fully trust because of a possible keylogger, are there any (common) ways to trick the keylogger so that it doesn't get your sensitive data? For example, an application which maps your input to your real password and enters it into the program/website/etc.?

Are there any existing applications or solutions for this? Or is this technically not possible?

I am not interested in answers like: 'Then don't enter the data' ;)

Artery
  • I don't mean that the "mapping tool" doesn't know the password. – Artery Nov 14 '16 at 19:49
  • 1
    By definition, a keylogger will record all K&M inputs. So the only way to get around that is to authenticate not using K&M and/or reusable credentials. Things like tokens with rolling codes will offer reasonable protection. Now in practical terms, you are likely safe using a throw-away password, then changing it from a trusted system once you have finished with the untrusted device. You are counting on the fact that 'nobody is home' at the other end of the keylogger. – Kirill Sinitski Nov 14 '16 at 19:49
  • @KirillSinitski Are there any (common) ways to do so? – Artery Nov 14 '16 at 19:52
  • It's better to not use a system you think will have a keylogger running. Any schema you can think about is a schema the keylogger maker could possibly have thought before you. – ThoriumBR Nov 14 '16 at 19:54
  • In the novel Cryptonomicon, the protagonist extracted data from a PC that was suspected of being bugged by flashing Morse code on the Caps Lock LED. You could do the opposite, use the shift key as a Morse sender, as key loggers really don't record timing, only codes – infixed Nov 14 '16 at 19:55
  • The question is not exactly the same as yours, but the answers should answer your question. – Anders Nov 15 '16 at 18:16

1 Answer

8

It's impossible to tell without knowing which exact keylogger.

Depending on how the keylogger gets the keys, it can be tricked. For example, if the keylogger works on such a low level that it gets the keys before the operating system, then you can likely hide from it by using a virtual on-screen keyboard or other methods that don't have you touch the actual keyboard.

OTOH, if the keylogger uses a high-level OS API to get the keys, then chances are you won't be able to trick it, since whatever the OS treats as a keystroke will be seen as a keystroke by the keylogger as well.

Some programs let you specify passwords using standard input. So what might work is storing the password in a file (off-system, of course), and then piping the password into the program you want to use via shell pipes. This will almost certainly bypass keyloggers. The downside is that it's limited to programs which accept input on the standard input stream, so most GUI programs are out.

Another method that should work everywhere with a clipboard is to store the sensitive info / password in a file, open it in a text editor, copy its contents into the clipboard and paste it where you need it. The keylogger will just see the copy and paste commands (if it doesn't know how to read the clipboard contents, that is). But note that keeping sensitive info in a system clipboard is hardly secure.

Out of Band
  • +1, nicely covered but as you say - pretty tricky when the keylogger is a bit of a blackbox. Biometric identification may also be an option if the keylogger's not capable of capturing biometric templates. –  Nov 15 '16 at 09:16