keylogger (keystroke logger or system monitor)

What is a keylogger?

A keylogger, sometimes called a keystroke logger or keyboard capture, is a type of surveillance technology used to monitor and record each keystroke on a specific computer. Keylogger software is also available for use on smartphones, such as the Apple iPhone and Android devices.

Keyloggers are often used as a spyware tool by cybercriminals to steal personally identifiable information (PII), login credentials and sensitive enterprise data.

Some uses of keyloggers could be considered ethical or appropriate in varying degrees. Keylogger recorders may also be used by:

  • employers to observe employees' computer activities;
  • parents to supervise their children's internet usage;
  • device owners to track possible unauthorized activity on their devices; or
  • law enforcement agencies to analyze incidents involving computer use.

Types of keyloggers

A hardware-based keylogger is a small device that serves as a connector between the keyboard and the computer. The device is designed to resemble an ordinary keyboard PS/2 connector, part of the computer cabling or a USB adaptor, making it relatively easy for someone who wants to monitor a user's behavior to hide the device.

A keylogging software program does not require physical access to the user's computer for installation. It can be purposefully downloaded by someone who wants to monitor activity on a particular computer, or it can be malware downloaded unwittingly and executed as part of a rootkit or remote administration Trojan (RAT). The rootkit can launch and operate stealthily to evade manual detection or antivirus scans. 

How do keyloggers work?

How a keylogger works depends on its type. Hardware and software keyloggers work differently due to their medium.

Most workstation keyboards plug into the back of the computer, keeping the connections out of the user's line of sight. A hardware keylogger may also come in the form of a module that is installed inside the keyboard itself. When the user types on the keyboard, the keylogger collects each keystroke and saves it as text in its own hard drive, which may have a memory capacity up to several gigabytes. The person who installed the keylogger must later return and physically remove the device to access the gathered information. There are also wireless keylogger sniffers that can intercept and decrypt data packets transferred between a wireless keyboard and its receiver.

A common software keylogger typically consists of two files that get installed in the same directory: a dynamic link library (DLL) file that does the recording and an executable file that installs the DLL file and triggers it. The keylogger program records each keystroke the user types and periodically uploads the information over the internet to whomever installed the program. Hackers can design keylogging software to use keyboard application program interfaces (APIs) to another application, malicious script injection or memory injection.

Screenshot of data captured from keylogger software
Data keyloggers can capture various information from its targets.

There are two main types of software keyloggers: user mode keyloggers and kernel mode keyloggers.

A user mode keylogger uses a Windows API to intercept keyboard and mouse movements. GetAsyncKeyState or GetKeyState API functions might also be captured depending on the keylogger. These keyloggers require the attacker to actively monitor each keypress.

A kernel mode keylogger is a more powerful and complex software keylogging method. It works with higher privileges and can be harder to locate in a system. Kernel mode keyloggers use filter drivers that can intercept keystrokes. They can also modify the internal Windows system through the kernel.

Some keylogging programs may also include functionality to record user data besides keystrokes, such as capturing anything that has been copied to the clipboard and taking screenshots of the user's screen or a single application.

Keylogger detection and removal

Due to the variety of keyloggers that use different techniques, no single detection or removal method is considered the most effective. Since keyloggers can manipulate an operating system kernel, examining a computer's Task Manager isn't necessarily enough to detect a keylogger.

Security software, such as an anti-keylogger software program, is designed specifically to scan for software-based keyloggers by comparing the files on a computer against a keylogger signature base or a checklist of common keylogger attributes. Using an anti-keylogger can be more effective than an antivirus or antispyware program. The latter may accidentally identify a keylogger as a legitimate program instead of spyware.

Depending on the technique an antispyware application uses, it may be able to locate and disable keylogger software with lower privileges than it has. Using a network monitor will ensure the user is notified each time an application tries to make a network connection, giving a security team the opportunity to stop any possible keylogger activity.

Protection against keyloggers

While visual inspection can identify hardware keyloggers, it is impractical and time-consuming to implement on a large scale. Instead, individuals can use a firewall to help protect against a keylogger. Since keyloggers transmit data back and forth from the victim to the attacker, the firewall could discover and prevent that data transfer.

Password managers that automatically fill in username and password fields may also help protect against keyloggers. Monitoring software and antivirus software can also keep track of a system's health and prevent keyloggers.

System cages that prevent access to or tampering with USB and PS/2 ports can be added to the user's desktop setup. Extra precautions include using a security token as part of two-factor authentication (2FA) to ensure an attacker cannot use a stolen password alone to log in to a user's account, or using an onscreen keyboard and voice-to-text software to circumvent using a physical keyboard.

Application allowlisting can also be used to allow only documented, authorized programs to run on a system. It is also always a good idea to keep any system up to date.

History of keylogging

The use of keyloggers dates back to the 1970s, when the Soviet Union developed a hardware keylogging device for electric typewriters. The keylogger, called the Selectric bug, tracked the movements of the printhead by measuring the magnetic field emitted by the movements of the printhead. The Selectric bug targeted IBM Selectric typewriters and spied on U.S. diplomats in the U.S. embassy and consulate buildings in Moscow and St. Petersburg. Selectric keyloggers were found in 16 typewriters and were in use until 1984, when a U.S. ally who was a separate target of this operation caught the intrusion.

Another early keylogger was a software keylogger written by Perry Kivolowitz in 1983. The user mode keylogger located and dumped character lists in a Unix kernel.

The use of keyloggers has broadened, notably starting in the 1990s. More keylogger malware was developed, meaning attackers didn't have to install hardware keyloggers, enabling attackers to steal private data, such as credit card numbers, from unsuspecting victims in a remote location. The use of keyloggers started to target home users for fraud, as well as in different industries for phishing purposes.

In 2014, the U.S. Department of Homeland Security began warning hotel businesses about keyloggers, after an incident where a keylogger was found in hotels in Dallas, Texas. Publicly accessible computers in shared environments are good targets for keyloggers.

In 2015, a mod for the game Grand Theft Auto V had a keylogger hidden in it. In 2017, a keylogger was also found in HP laptops, which HP patched out, explaining that they were used as a debugging tool for the software.

This was last updated in October 2021

Continue Reading About keylogger (keystroke logger or system monitor)

Dig Deeper on Threats and vulnerabilities

Enterprise Desktop
Cloud Computing