Keyloggers are programs or devices that log keystrokes. They are dangerous because they specifically capture login data such as names and passwords and transmit it to unauthorized third parties. This threatens the security of your e-mail passwords, social media accounts, and online banking data. Keyloggers are used not only by individual hackers, but also by investigative authorities and intelligence services to spy on confidential data. The term “keylogger” is often used synonymously with spyware. However, spyware is the generic term for malware that collects specific user information. The term “keylogger” is narrower, since it refers only to tools that record keystrokes.

Definition: Keylogger

A keylogger is software or hardware that records keystrokes to pass them on to third parties. This jeopardizes data security, since it allows unauthorized people to obtain login data such as passwords, which they can then use to access even more private data.

Not all keyloggers are harmful or illegal. Keylogging can be used to check a user’s behavior on the computer, so it is not necessarily used only for criminal purposes. Keyloggers also make it easier to document computer use for scientific purposes, e.g. collecting data to gain insight into how humans behave on computers. Keylogger programs and devices are not necessarily illegal; they only become questionable from a security point of view if they are installed without the user’s consent.

Tip

If your e-mail account has been hacked, you may have fallen victim to a keylogger. This article explains what you can do to get access back to your account.

Keylogger software

On the software side, keyloggers often work via unobtrusive background processes that copy keystrokes. Some keyloggers can also take screenshots of the text that’s been entered. This data is then usually sent over the internet or stored in a file on the victim’s hard drive. In the latter case, the hard drive is later accessed without permission to retrieve the file. These types of keyloggers are the most common and can be effectively avoided if you have a firewall or an antivirus program installed on your computer. Keylogger software is available in many different versions. We present some of them below:

| Keylogger software / principle / technology | Functionality |
| --- | --- |
| Simple software basis | Computer program that reads keyboard commands via a background process. |
| Hypervisor basis | The keylogger hides behind the operating system using a hypervisor malware program; the operating system itself remains unaffected. As a result, the keylogger functions like a virtual machine and runs independently of the operating system. |
| Kernel basis | The malware hides directly in the operating system and gains access to the root account, which is where keystrokes are logged. These keyloggers can also disguise themselves as drivers and are relatively difficult to detect. For example, antivirus scanners need root access to detect this type of malware. An example of this is the kernel-based trojan, Duqu. |
| API basis | These keyloggers connect to application programming interfaces (APIs) and respond to each keystroke. |
| Form-grabbing basis | This type of keylogger logs online forms and copies the corresponding login data. The software can also access the browser history to determine which pages have been visited. |
| Man-in-the-browser basis (MITB) | Also known as “memory injection,” these keyloggers hide in the web browser and log keystrokes without the user knowing. For example, these keyloggers collect information sent via input fields and store it in the internal logs of the browser. The logs are then accessed from the outside. |
| Remote access basis | These remote keyloggers allow external access to the malware. The logged keystrokes are “tapped” via e-mail or an upload. These keyloggers also often work in conjunction with appropriate hardware. |

Keylogger hardware

Many internet users don’t even know that hardware keyloggers exist and that it’s not just software that spies on passwords. This type of keylogger can take the form of, for example, a small USB connector that is attached somewhere between the keyboard and the computer. Connectors like these have an internal memory that stores the keystroke logs. Whoever later removes the keylogger can then read the saved logs. Hardware-based keyloggers are also available in very imaginative and surprising variants, similar to something James Bond would use. However, private users will rarely come into contact with them.

| Keylogger hardware / principle / technology | Functionality |
| --- | --- |
| Additional keyboard hardware | Additional hardware is installed between the keyboard and the computer, typically directly on the keyboard connection cable. Also called “KeyGrabber,” these keyloggers are usually designed as small connector attachments with internal memory. The keystrokes are logged in this memory. KeyGrabber is available for both USB and PS/2 ports. These devices are usually attached directly to the computer connection and are only noticed when the user looks more closely. They can be hard to spot if the computer connections are not directly visible at your desk (e.g. because the tower is underneath on the floor). |
| Firmware basis | These hardware-specific keyloggers log keystrokes at the BIOS level. Installing them often requires physical access to the hardware and at least root access. Firmware-based keyloggers are also used, for example, in the form of attachments for hardware circuits. They are not visible until the device concerned is opened. |
| Keyboard and mouse sniffer | These devices read data that is transferred from a wireless keyboard or mouse to the target system. Since wireless communication is often encrypted, the sniffer must also break this encryption. |
| Keyboard attachments | Criminals often use this method of keylogging on ATMs. They install an attachment on the machine’s card slot. This attachment is often difficult to recognize and the user presumes it’s an integral part of the machine. When customers enter their PINs and other confidential information, they involuntarily feed it into the keylogger. |
| Acoustic keylogger | These devices evaluate the noises that a user makes with the keyboard. Each key makes a different sound when pressed, although the difference is indistinguishable to humans. Acoustic keyloggers can gather statistics on human behavior on computers in order to reconstruct the text entered by the user. However, these instruments require a sufficient sample size of at least 1,000 keystrokes. |
| Collecting electromagnetic waves | All keyboards generate electromagnetic waves with a range of up to 20 meters. Special devices can register and read out these waves. |
| Video surveillance | The term keylogging can also include traditional video surveillance. This is when the keyboard input is observed using a camera and logged externally. |
| Physical trace analysis | This technique is used less often for traditional PC keyboards and more for numeric input fields. Pressing certain keys more often than others leaves a physical trace that can be used to reconstruct a password, for example. |
| Smartphone sensors | Modern smartphones have so-called accelerometers, which can be reprogrammed to act as special keyloggers. If the phone is near the target keyboard, it can read the vibrations generated when the user types. |

How to protect yourself from keyloggers

Most keyloggers can be kept at bay with a virus scanner and an up-to-date firewall. Of course, new keyloggers are constantly being developed, and protection programs do not immediately flag their signatures as harmful. So, how you behave when using your computer is also important if you want to minimize the risk of keylogging. We have put together some tips on how you can protect yourself from keyloggers.

  • Make sure your security software is up-to-date. Use high-performance antivirus programs and real-time scanners to protect yourself from keyloggers. Most keyloggers are found and removed by any reasonably good antivirus program. However, you should not scrimp on the quality of the software, especially if you regularly have to enter strictly confidential data such as account data on your computer.
  • Special password managers not only help you to get an overview of all your passwords, but also generate highly complex passwords that are difficult for keyloggers to log. In addition, these programs often have an autofill function, so you don’t have to enter your credentials manually. After all, keyloggers can usually only read what you actually type.
  • Multi-factor authentication (MFA) is considered extremely secure for login data. The user is prompted not only for a password, but also for a second, variable authentication factor (e.g. via a cell phone), which is usually interactive. Even if a keylogger captures the actual password, it is useless on its own thanks to MFA.
  • Keylogger hardware is hardly ever used by private users. But if, for example, you work with highly confidential data at the office that might be of interest to competitors, it can’t hurt to check your connections from time to time. Be on the lookout for suspicious-looking connectors. If you think you are a victim of keylogger hardware, you should inform IT before removing the alleged keylogger.
  • A simple trick to prevent keyloggers is to use the virtual keyboard. You can access it on Windows by typing “osk.exe” in the Run box (Windows key + R). Since keyloggers usually only read physical keystrokes, you are better protected when you enter your data using the virtual keyboard.
  • There are special tools on the internet that can be used to find and remove keyloggers. The best-known tool is Spybot – Search & Destroy, which also offers quite a powerful free version. Another tried and tested program is Malwarebytes. Unlike more comprehensive antivirus programs, Spybot and Malwarebytes have been specially developed to fight malware that spies on your data, like keyloggers.
  • Extra care must be taken when using public computers. Avoid entering confidential data on them, but if you have no other choice, make sure to check the connections for suspicious hardware. When you enter a password on a website, pause partway through and type random characters somewhere else before completing your password. This method can be used to trick potential keyloggers. You can also use the virtual keyboard on most public computers.