What do they look like?

Hardware keyloggers can be hard to spot. They are typically small and can be plugged into the back of a computer, unseen. They often look like a USB flash drive or a keyboard connector. They are easily found online; even Amazon has several them. If you see any device plugged into a computer that is not yours, consider this a red flag. While there is a good chance the device will look like one shown in the link or below, there are others out there.

Why are they legal?

While they may be useful in fraud and identity theft, they do have valid uses. In testing software, knowing exactly what a user did is useful to programmers. That can effectively pin-point a problem in code. Employers can use them to monitor the progress and productively of employees. Some manufacturers advertise them as a form of backup, keeping each page you write even if the power goes out. While arguments can be made that they are more often used for nefarious reasons, in the right hands, they are a useful tool.

Have they actually been found on public computers?

Yes. Earlier this year, there was a case where hardware keyloggers were found on library computers in Manchester. In three separate locations, the devices were found plugged into public access machines. The type used here was the kind that looked like a USB flash drive. Authorities advise greater vigilance, especially for the employees, but users need to be alert too.

It should be noted that it is generally unwise to use public computers for sensitive data. E-mail, banking sites, and credit card use should be avoided when on these computers. If you have to use them, here are some tips. Ask how the computers are protected. Do they block software installation? Are they wiped on reboot with software like Deep Freeze? If so, could they restart the computer for you (wiping out most software keyloggers)? Always use a secure connection (https) when possible, and be alert to your surroundings (e.g. watch those around you, know what is connected to the PC). This still is not as safe as a home computer running a live CD, but there is not much more you can do.

What do I do if I find one on a work computer?

It should go without saying that you should contact IT and your manager immediately. Should you remove it? Ask. If the company owns a PC, they can install a keylogger on it. What is deemed notification (if required) can vary by state and country. Typically, a software keylogger would be more conventional, so a hardware one is suspect. Chances are that it was planted, but if that is the case, then it is evidence. Physical and digital forensic information can be gathered. Let someone responsible for and trained for this handle it.

Should one of these devices be found on a server, the problem is much more severe. It highlights a lack of physical security. A strong firewall, good anti-virus software, proper permissions, and complex passwords will not protect you from a trick like this.

The Point: Awareness

The point of this article is to be aware of the existence of these deices. They do exist, but they are not commonly seen. If you do see one on a computer, let someone know. Chances are they are not supposed to be there. While they are legal to own, it is illegal to install them on computers for public use or on systems someone does not own.

The simple keylogger records every keystroke while more advanced ones make screenshots and record mouse movements as well. The idea for this article was born while reading the excellent Technospot article about keyloggers. The most secure way to defeat keyloggers is of course not to use public computers at all.

You sometimes do not have a choice though which leads to the next most secure way to defeat them: Live CDs. If you are allowed to boot from DVD or CD you should pop in your Linux live CD and use it to go online. This defeats all software keyloggers but not the hardware ones obviously.

Next in line is a method detailed by Technospot which suggests that you should do the following when entering usernames and passwords:

Let us assume you want to type in ghacks and fear that a keylogger would record the string. What you could do is add random chars to the string and replace them with the ghacks chars. You begin by typing “re4″, mark the three chars with your mouse and type the “g”. Then after the g you would write “bt” and replace bt with “h”.

This is a great method to defeat software keyloggers that do not take screenshots when moving or clicking the mouse.

A quick check of the system tray and if possible the task manager could also reveal several keyloggers as long as they are not running in stealth mode.

It it important to do a quick check of the PC hardware to see if a hardware keylogger is connected to it. It is not always that easy to detect hardware keyloggers but some common ones can be spotted quite easily.

The picture above shows a hardware keylogger that was connected between PC and keyboard recording any keystrokes right into his internal memory. It becomes more difficulty if the keyboard itself contains the hardware keylogger and impossible to tell if the hardware keylogger was placed inside the system. (assuming that you can’t open the PC’s)

The most secure alternative would be to use your own notebook to connect to the Internet which defeats all keyloggers but not programs that record network traffic.