
I am wondering whether there is a way to defend against a USB keyboard keylogger (obviously other than physically checking the keyboard every time after leaving my computer unattended).

These days, people can buy cheap hardware keyloggers, such as the Keyllama USB Keylogger, which are small and quite hard to discover unless you are looking for them.

If somebody wanted to install such a keylogger on my computer, he would have to disconnect the keyboard first. Provided the machine is running (I always leave my machine running), this event would be logged in /var/log/kernel.log. So that might be one way to alert me.

Is there some other way?

EDIT: I should add that my whole hard disk is encrypted, and thus an attacker cannot just boot from USB/CD and modify my system. He might format my disk/destroy my machine, but that is not the issue here.

Also, when I leave my office, I leave my machine running, but I always log out.

In my office, power outages are extremely rare. If one happens, this will be a reason for me to thoroughly check my machine for any possible intrusion.

Martin Vegter
  • I'm sure this isn't what you want to hear, but if they've got physical access to the box all bets are off anyway. A physical keylogger is the least of your concerns at that point. – Iszi Oct 22 '13 at 15:52
  • ^ this is indeed the correct answer. – Lucas Kauffman Oct 22 '13 at 16:06
  • please see my edit – Martin Vegter Oct 22 '13 at 17:48
  • Or they might open the device, put something into a DMA capable slot and dump your RAM. Firewire is famous for this, but there are other slots. I think (E)SATA and PCI Express offer DMA as well. – CodesInChaos Oct 23 '13 at 13:47
  • You distrust your colleagues in the same office? – Vorac Oct 28 '13 at 09:53
  • Hey guys. I think we should exclude hardware destruction here. What we are concerned with is the Info Sec, thus the Data Sec, which means to ensure no **Data** is leaked. OP has hard disk encryption. And HDD encryption _should_ prevent Data leak even if the HDD is lost physically. I came across this page because [archlinux mentioned that HDD Encryption can be used against keyloggers or Trojan horses](https://wiki.archlinux.org/index.php/disk_encryption), and I am in doubt. Why do they say so? – midnite Apr 08 '19 at 14:59

7 Answers


Using a laptop effectively prevents this.

You could glue the keyboard into the USB socket. Not ideal, but hey :-)

Another is to use a Bluetooth keyboard, with integrated Bluetooth on the computer.

But these are all kludges really; in general I agree with the other comments that if an attacker has physical access, most bets are off.

This is quite a good example of where it is important to understand your potential attacker. The Bluetooth keyboard approach will reliably stop a colleague casually installing such a device. It won't stop the CIA/NSA - but you probably don't mind that. A lot of the other answers assume your likely attackers are highly skilled and resourced. If you're that much of a target, I'd guess you wouldn't be asking this on the internet :-)

paj28
  • +1. This is a better answer than it may initially appear to my more jaded colleagues because you can put the laptop inside a fresh tamper-proof unique-serial number security bag when you are not using it. If that bag is put inside an opaque garbage bag and then inside *another* security bag, then the inner bag's serial number can't be easily known in advance, if you pick your holographic serial number stickers (stuck to the inside of the bag) randomly. – LateralFractal Oct 23 '13 at 01:43
  • Laptop keyboards still use USB interfaces internally, and are susceptible to a USB keylogger attack. It just takes the attacker a little longer to disassemble your keyboard, install the sniffer, and close the machine again. With WiFi, Bluetooth, and 2.4GHz based sniffers available in both packaged and bare circuit configurations, it's not impossible. Just hard. – John Deters Oct 23 '13 at 17:58
  • Doesn't it depend on how long the attacker has physical access for? An attacker with physical access for say, 10 seconds, can do much less than one with access for 10 minutes or 10 hours. – gerrit Jul 11 '19 at 07:44

All defence against physical access requires you to use physical security.

Consider locking your system and all interface peripherals in a secure hard-case, one that would need to be damaged/destroyed in order to physically access inside them. This way you at least know when something has been physically tampered with. Combine this with software security such as full-disk encryption and you have excellent confidence that data on this machine is only accessible by you (even under duress, if you use hidden OS features of TrueCrypt, and of course presuming no or limited network access).

I was considering writing a defence against the Evil Maid attack, which essentially modifies the TrueCrypt bootloader to save your password for later retrieval. But you have to consider that it doesn't matter if they plugged in a keylogger or modified data on your drive etc.; you can spend forever thinking up defences for individual circumstances, but there will always be a more subtle technique that can be used (embedding the keylogger in the keyboard, tapping the VGA ribbon cable in your laptop, it is all feasible).

Physical access can only be defended against with physical security.

deed02392

As @Iszi said, when the attacker has physical access, then he can do a lot of harm. Under some circumstances, he might not even have to remove the hood; access to a USB port might be enough to take full control of the machine (see this question). If the attacker hijacks the machine, then he can remove incriminating lines from log files; he can also install his keylogger directly in the kernel memory, and other evil things of the same kind.

If the attacker has a knife and some skills at electronics, he may also access the keyboard wires without unplugging it, and plug in his spying device without the host kernel being made aware of it in any way. For the attacker, this is of course rather harder than simply plugging in an off-the-shelf keylogger; it is likely to take him a few minutes, and it cannot be removed discreetly.

A diversion can also be used by the attacker. He can simulate a power shortage (a short one, for a few seconds) by simply tugging on the power cord. While the machine is off, he can plug in his keylogger, then plug the power cord back in. From the machine logs, the whole process will really look like a "normal" power shortage, as can be induced by a storm, or a clumsy janitor who handles his broom in overzealous strokes. Not a single log line will reveal the presence of the keylogger device.

The bottom-line is that while you can try to raise alarms on unexpected USB disconnect events, there are many ways by which the attacker can work around this mechanism, and also any other computer-based mechanism.

Tom Leek
  • I did not have any power outage in the last several years. If one were to happen (localized only in my office), this would be an alert in itself. Regarding FireWire, I don't think this problem affects me, as I don't have firewire support compiled in my kernel. Lastly, my whole disk is encrypted, so an attacker cannot change files on my system. And when I leave my office, I always log out. – Martin Vegter Oct 22 '13 at 17:35

Gentlemen, come on.

No safeguard is foolproof, but I suspect that's not the point here; the point is to not be a soft target. Sure, a determined attacker isn't going to stop at whatever obstacles he may encounter while he targets a machine.

But I gotta tell you... were I to be the attacker and saw evidence that my target is very security-conscious (let's say he implements just one of several sophisticated measures), I'm likely to find a weaker target to attack. The whole point of security is deterrence anyway, so every unique layer of protection (whether it merely be tampering prevention or merely awareness) adds to the "hardened-ness" of the target.

So here's my contribution here:

Whatever else you've got going, if you use a USB-based keyboard, I'd want to find/write some kind of .vbs or batch script which can be modified to alert you the moment a Windows Event is logged noting the removal of a device on a specific USB port. There are even scripts which automate the sending of an e-mail through Google via command line. And most mobile phone companies offer e-mail-to-SMS message relaying.

Perhaps just for that ability alone, I might stick with a USB-based keyboard. More susceptible to attack, but it also acts as a lure to your attacker to take the path of least (and most predictable) resistance. If you can't prevent an attack, lure the attacker to a 'weak spot' which you can protect. If you're like me, you at least glance at almost every text you receive rather religiously--and if not, you can set a custom alarm tone for this purpose to get your attention. That'll give you the best chance of knowing not just if but when someone has attacked your machine, which may give you time to find out who that might be (perhaps configure a remote web cam to begin recording when this system event occurs--Windows Task Scheduler gives you the ability to run scripts or executables when an event occurs).

Daniel

Law #3 of security:

If a bad guy has unrestricted physical access to your computer, it's not your computer anymore

  • He could mount the ultimate low-tech denial of service attack, and smash your computer with a sledgehammer.

  • He could unplug the computer, haul it out of your building, and hold it for ransom.

  • He could boot the computer from a floppy disk, and reformat your hard drive. But wait, you say, I've configured the BIOS on my computer to prompt for a password when I turn the power on. No problem – if he can open the case and get his hands on the system hardware, he could just replace the BIOS chips. (Actually, there are even easier ways).

  • He could remove the hard drive from your computer, install it into his computer, and read it.

  • He could make a duplicate of your hard drive and take it back his lair. Once there, he'd have all the time in the world to conduct brute-force attacks, such as trying every possible logon password. Programs are available to automate this and, given enough time, it's almost certain that he would succeed.

  • He could replace your keyboard with one that contains a radio transmitter. He could then monitor everything you type, including your password.

Always assume that the bad guy has been waiting for this moment of physical access for weeks or months. He has been training on the exact wires to use; he might have replaced your whole keyboard with a new bugged replica. The bad guy will always outsmart you by being one step ahead of you. Once he gets that small access window, that's it, game over.

Adi
  • 1) I am not concerned about bad guy smashing my computer with a hammer. I think I would notice that. 2) As my whole HDD is encrypted, I don't fear HDD theft either. An attacker can certainly reformat my HDD, but I don't mind (see 1). I would still notice (in my logs) if he had replaced my keyboard with radio-transmitting one. – Martin Vegter Oct 22 '13 at 17:41

Watching for unexpected USB insertion events and unexpected power failures would be the most practical approach. At least they would tell you when it is time to conduct a physical search.

Obviously, this is tailored to the specific threat of an off-the-shelf commercial key logger, and won't help you defend against a different kind of attack (Van Eck, acoustic detection, malware, etc.) But when cheap key loggers are readily available to the common criminal, that's the kind of attack you can expect.

Are such threats real? A Nordstrom's department store in Texas found a three man crew had placed key loggers on six of their POS registers earlier this month, apparently in an attempt to skim data from the credit card readers built into their keyboards. They were caught only because someone observed the attack, not because of a technological defense.

John Deters
  • Won't work. At least I've seen USB keyloggers which are (from an OS point of view) indistinguishable from inserting the keyboard without the keylogger. And yes, those threats are real. Getting a USB keylogger from Amazon is dead easy and not that expensive anymore. – Axel Beckert Dec 01 '16 at 20:47
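One way to turn the "watch the kernel log" idea from the question and from this answer into a concrete check, as an added example that is not part of the original thread: a scan over syslog-style kernel log lines (constructed here; the hostname, port number and vendor/product ids are placeholders) that reports USB disconnects and re-enumerations on the keyboard's port, a changed vendor:product id, and kernel boot messages that would betray a power interruption.

```python
import re

# Constructed syslog-style kernel log lines (placeholders, not from the thread).
SAMPLE_LOG = """\
Oct 22 17:32:10 ws kernel: usb 3-2: USB disconnect, device number 2
Oct 22 17:32:14 ws kernel: usb 3-2: New USB device found, idVendor=04d9, idProduct=1702
Oct 22 17:32:14 ws kernel: usb 3-2: Product: USB Keyboard
Oct 22 18:05:44 ws kernel: usb 1-1: New USB device found, idVendor=abcd, idProduct=0001
Oct 23 02:15:00 ws kernel: [    0.000000] Linux version 3.11.6 (build@ws) #1 SMP
Oct 23 02:15:03 ws kernel: usb 3-2: New USB device found, idVendor=1a2b, idProduct=0c0d
"""

# Common prefix: syslog timestamp, host, "kernel:", optional printk time stamp.
_KMSG = (r"(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ kernel: "
         r"(?:\[ *[\d.]+\] )?")
DISCONNECT_RE = re.compile(_KMSG + r"usb (?P<port>[\d.-]+): USB disconnect, "
                           r"device number (?P<num>\d+)")
NEWDEV_RE = re.compile(_KMSG + r"usb (?P<port>[\d.-]+): New USB device found, "
                      r"idVendor=(?P<vid>[0-9a-fA-F]{4}), idProduct=(?P<pid>[0-9a-fA-F]{4})")
BOOT_RE = re.compile(_KMSG + r"Linux version ")


def audit_kernel_log(log_text, keyboard_port, expected_ids):
    """Return (kind, timestamp, detail) alerts that warrant a physical inspection.

    Even a re-enumeration with the expected ids is reported: a pass-through
    logger may present the keyboard's own ids, so the event, not the id, is the
    signal. Kernel boot messages are flagged because a power interruption hides
    the unplug/replug entirely, as the thread points out.
    """
    alerts = []
    for line in log_text.splitlines():
        m = BOOT_RE.match(line)
        if m:
            alerts.append(("reboot", m["ts"], "kernel boot message: possible power interruption"))
            continue
        m = DISCONNECT_RE.match(line)
        if m and m["port"] == keyboard_port:
            alerts.append(("disconnect", m["ts"], f"usb {keyboard_port} lost device number {m['num']}"))
            continue
        m = NEWDEV_RE.match(line)
        if m and m["port"] == keyboard_port:  # other ports are ignored on purpose
            ids = (m["vid"].lower(), m["pid"].lower())
            kind = "reconnect" if ids == expected_ids else "unexpected_ids"
            alerts.append((kind, m["ts"], f"usb {keyboard_port} presents {ids[0]}:{ids[1]}, "
                                          f"expected {expected_ids[0]}:{expected_ids[1]}"))
    return alerts


if __name__ == "__main__":
    for kind, ts, detail in audit_kernel_log(SAMPLE_LOG, "3-2", ("04d9", "1702")):
        print(f"{ts} {kind:15} {detail}")
```

Run against the live log (for example from a cron job that diffs against the last run), the output is only a prompt to go and look at the hardware; it cannot tell a reconnected keyboard from a pass-through logger that re-presents the same ids.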

Just a minor addition here, what's already been said is good:

Your biggest defence against keyloggers and other physical attacks is astuteness. If you pay attention to whether your equipment has been tampered with, it makes it many factors more difficult to use things like keyloggers.

You are right to say that keyloggers are freely available, at low prices, but the majority are disguised as USB drives, adaptors or new peripherals. Just noticing whether something has been plugged in, or whether your peripherals have been interfered with, is probably your biggest defence after locking your door.

Owen