16

My company recently discovered a hardware keylogger installed during a routine maintenance procedure.

We tried catching the culprit but unfortunately it doesn't seem like we are going to be able to, so the culprit is still at large.

We're looking into ways to prevent this problem in the future. I did some research and it seems like some endpoint security software advertises the ability to detect keyloggers. Does anybody have any insight into how reliable this is? (The program I saw was called "device lock".)

Another solution I have in mind is perhaps we could monitor for if the keyboard ever gets disconnected. However, would it be possible to continue monitoring the keyboards when the computer is turned off?

Please let me know of any thoughts you guys might have in dealing with this problem. Outside of gluing the keyboard into the port or physically securing the premises (unfortunately impossible), I'm quite stumped!

WhiteWinterWolf
PuzzledITMan
  • 3
    A hardware keylogger should be practically undetectable through software. The security software is likely referring to software keyloggers only. – Philipp Jan 14 '15 at 15:01
  • 1
    I was referring to this. They specifically state USB keyloggers. http://www.devicelock.com/articles/detail.html?CODE=press1 – PuzzledITMan Jan 14 '15 at 17:27
  • 5
    I call bullshit on that claim. It is trivial to construct a device which listens to a USB cable without causing any interference on it whatsoever. It just has to measure the voltage between the data- and the data+ wires. The only way to detect it would be when it is too smart for its own good and registers itself as an independent USB device. – Philipp Jan 14 '15 at 17:38
  • 2
    ATMs are basically a computer in a tamper proof safe, and they still can't prevent [keypad skimming devices](http://www.hoax-slayer.com/atm-skimming-scam-warning.shtml). – Lie Ryan May 03 '15 at 14:46

4 Answers

9

Anyone with physical access to the ports on the computer can do a lot of damage. The elegant solution is to physically secure access to those ports. Endpoint solutions can usually detect software keyloggers, but hardware keyloggers are tough.

> would it be possible to continue monitoring the keyboards when the computer is turned off?

When you turn off a computer, you cannot monitor its activity.

schroeder
  • And one saying I have heard more than once is if they have physical access to your computer it is no longer your computer – Wayne In Yak Jan 13 '15 at 23:48
  • 2
    @WayneInYak The 10 Immutable Laws #3: http://blogs.technet.com/b/rhalbheer/archive/2011/06/16/ten-immutable-laws-of-security-version-2-0.aspx – schroeder Jan 13 '15 at 23:51
3

Turn off auto detecting of hardware. Lock down devices to the known good ones, and if they are unplugged do not allow them to re-register when re-plugged. It would be a substantial burden on the admins and with most OSes would not allow a computer to be rebooted without an admin physical review. This is not practical, but it would work for that one specific threat. That is not the only threat though: http://lasec.epfl.ch/keyboard/. The level of effort given to secure a terminal must be weighed against the value of the breach. A more elegant solution might be an insurance policy rather than any piece of software...

ghangas
  • 1
    I'm unaware of protections that prevent the re-registering of already registered and allowed USB devices. Can you point me to ways of doing this? – schroeder Jan 14 '15 at 21:34
  • http://computerstepbystep.com/shell_hardware_detection_service.html http://www.ehow.com/how_5939369_stop-windows-detecting-new-hardware.html for windows and http://bytes.com/topic/unix/answers/740047-how-disable-auto-detection-usb-device for nix – ghangas Jan 14 '15 at 22:15
2

In general, it's not possible to detect with 100% certainty if you are being monitored. Any detection tool can only detect things it knows how to look for.

As silly as this sounds, a camera focused on the keyboard and your screen would be undetectable if you didn't know it was there. It could record you typing all of your passwords without ever touching your hardware. If you're really worried about that, I suppose you could drape a cloth over your hands, kind of like NFL coaches covering their mouths when they speak into their mics to prevent lip-reading spies from revealing their play calls to the opposing team. Some websites, to circumvent key-loggers, add additional security by forcing you to use your mouse with a virtual keyboard to enter passwords. (Though this alone wouldn't defeat a camera.) I have seen a password entry system that defeats both key loggers and cameras/shoulder-surfers by having you use the mouse to click codes that change with every attempt, and the codes are only easy to figure out if you know the password. Of course password plus one-time keys also work well for this.

All that being said, perhaps the best defense against hardware keyboard loggers is a camera security system. You might get lucky enough to catch the person who installed the logger. If they wear a disguise, at least you'll know that someone tampered with the system and you can take corrective action.

TTT
  • Just that the camera security system itself could be misused as keylogger again if it also films the keyboard. – Axel Beckert Dec 01 '16 at 16:31
  • @AxelBeckert - that's definitely true! (Though any IT admin could install a keylogger on someone's machine too.) Let's hope that only the proper people have access to the footage. – TTT Dec 01 '16 at 16:39
0

You can block USB storage devices and there are tools to manage USB devices but those only protect against some attacks. All those tools work with USB information like device name or manufacturer that can and will be faked by the attacking device.

There are special cases to lock up computers and deny hardware access.

PiTheNumber
  • 1
    if the keylogger fits onto the keyboard's plug and passes through the USB ID, then the software blocks won't work – schroeder Jan 14 '15 at 21:33
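
An added example (not code from any poster in this thread): the disconnect-monitoring idea from the question combined with the known-good device list from ghangas's answer, run over Linux kernel log lines. The log lines, port names and inventory are constructed assumptions. As the comments above point out, a passive tap leaves nothing in the log, nothing is logged while the machine is off, and an inline device that passes the USB ID through shows up only as an unplug followed by a re-plug.

```python
import re

# Constructed sample of Linux kernel log lines (not captured from a real host).
SAMPLE_LOG = """\
[  812.101] usb 1-2: USB disconnect, device number 3
[  840.554] usb 1-2: new low-speed USB device number 7 using xhci_hcd
[  840.702] usb 1-2: New USB device found, idVendor=046d, idProduct=c31c, bcdDevice=64.00
[ 1290.010] usb 1-4: new full-speed USB device number 8 using xhci_hcd
[ 1290.150] usb 1-4: New USB device found, idVendor=1234, idProduct=abcd, bcdDevice= 1.00
"""

# Assumed inventory: port path -> (vendor ID, product ID) recorded at deployment.
KNOWN_GOOD = {"1-2": ("046d", "c31c")}

DISCONNECT = re.compile(r"usb (\S+): USB disconnect")
FOUND = re.compile(
    r"usb (\S+): New USB device found, "
    r"idVendor=([0-9a-f]{4}), idProduct=([0-9a-f]{4})"
)


def review_usb_events(log_text, known_good):
    """Return (port, finding) tuples that warrant a physical inspection."""
    findings = []
    unplugged = set()  # inventoried ports seen disconnecting
    for line in log_text.splitlines():
        m = DISCONNECT.search(line)
        if m:
            port = m.group(1)
            if port in known_good:
                unplugged.add(port)
                findings.append((port, "inventoried device unplugged"))
            continue
        m = FOUND.search(line)
        if not m:
            continue
        port, ids = m.group(1), (m.group(2), m.group(3))
        if known_good.get(port) != ids:
            findings.append((port, "unknown device %s:%s" % ids))
        elif port in unplugged:
            # Matching IDs prove nothing: an inline logger that passes the
            # IDs through looks identical, so the re-plug itself is the signal.
            unplugged.discard(port)
            findings.append((port, "re-plugged with matching IDs, inspect cable"))
    return findings


if __name__ == "__main__":
    for port, finding in review_usb_events(SAMPLE_LOG, KNOWN_GOOD):
        print(port, finding)
```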