What threat do Keystroke Loggers pose to your environment?

Keystroke loggers take the form of hardware or software that records the keyboard activity of the target system. There's an interesting article discussing both hardware and software keystroke loggers on the InternetSecurityOnline blog.

Reading the article led me to conduct a little ad hoc research to grasp the prevalence of keystroke loggers. I browsed to a popular software download site (download.com) and searched for "keystroke logger" - thanks to the site for the following titles and download statistics:

Note: I am NOT suggesting that either the site or software described below has malicious intent.

| Brief Description | Total Downloads |
|---|---|
| Monitor keystrokes on your computer and have the information privately sent to your e-mail address | 324,984 |
| Monitor and record all activities on your computer in stealth mode | 309,497 |
| Log every keystroke of your keyboard while you're away from your computer | 265,697 |
| Record activities on your PC and have the log sent via LAN or e-mail | 204,418 |

Note: The vast majority of keylogging software was available for download free of charge.

Incidentally, hardware keyloggers are available for less than £100 per unit from many legitimate online retailers - each has sufficient storage capacity to capture many thousands of key presses.

The statistics suggest that there are a great number of people who don't trust the users of their PCs! IMHO the right to privacy is a fundamental human right.

Generally speaking, I worry more about keyloggers that are installed by unknown malicious third parties than those installed by authorised users. It's worth considering that the PC you use to pick up your email and conduct your banking and shopping activities may have been compromised by keylogging hardware or software.

Network security technologies, including the padlock you see in your web browser (signifying encryption and server authentication via Secure Sockets Layer), may be rendered useless if your keyboard input is captured by a keylogger.

Personally I only enter sensitive information into computers that meet the following requirements:

  • I trust the author(s) of the software running on the system
  • I trust the administrator(s) of the system to ensure it is appropriately configured

I do not read my corporate or personal email from kiosk computers as I am unable to assert that these conditions are met.