Looking for the Hack

  

Anytime information is cached in memory, transmitted through a network, or stored in a computer, that information is susceptible to being read, written, or redirected. The same hacking principles apply just as much to redirecting keyboard input as to data being transmitted through the Internet since a common hacker attack is to sniff communication lines for usernames and passwords.

Grabbing and transmitting keys

A program that I was asked to write a long time ago needed to capture the keys being typed on the keyboard locally. Once these were captured, it needed to transmit the keystrokes through a telephone connection to a remote server for video streaming. Being a young engineer, I wasn't sure how to approach this issue. I proceeded to capture keyboard entries through an interrupt table and sent the keystrokes through the serial communications. After further observation, I noticed a getSystemKey() function in an operating system kernel library that was callable by the "C" language. I wrote a thread that just called the undocumented function and sent the keys that were typed. It turned out the undocumented function in the operating system saved a lot of time for capturing keys. After I found the undocumented function, it took me about an hour to write and test the program to send the keys across the phone line.

A hacker can use the preceding approach. If the attacker wants to capture the keystrokes from a computer, he simply needs to store the keystrokes in a log file and transmit them when the computer connects to the Internet. Any password or username, credit card number, or company information typed into the computer could have been saved to a log. The unnamed operating system that I used was one from ten years ago, but the concept applies today. A hacker could use the same technique to read keyboard entries and send the entries to a log file on a temporary machine. The hacker can use a temporary machine to avoid being traced and pick up the keystroke file when the access seems safe. The log can contain everything that a user entered on the keyboard, including passwords.

Caution  

A possible attack is to monitor your keystrokes. The attacker needs an access point to the target machine through the network.

Keyboard sniffers

A keyboard sniffer is a common hacking routine. Some commercial products even use similar routines to keep tabs on employees or children to check their activities. The keyboard sniffer could masquerade as a driver or library. All a hacker needs is a chance to install the program on the computer.

Tip  

See http://directory.google.com/Top/Computers/Security/Products_and_Tools/Keyloggers_and_Spyware/ for a list of keyboard sniffers or loggers.

There are several things that a hacker has to do to read the keyboard entries from a computer. First, a program has to be installed on the local machine with privileges to read the keyboard; and second, the program must transmit the information to the hacker's location. If the key log is transmitted to the hacker's site, the log can be used by the hacker for a replay attack.

Note  

In a replay attack, the attacker types the same keystrokes that the user typed in order to re-create what the user has done. The attacker saves the keystrokes in a repository (a key log) and makes sure that he is not tracked.

The privilege to read from the keyboard has changed over the years in most operating systems. To read a keyboard, the process or program needs the same access that a device driver would have, which is the system-level privilege. A system-level privilege is the access that a "root" administrator is granted when logging in to the computer. The program would have to be installed by an administrator user. So the attacker would also have to have administrator privileges to install such a program. The hacker would normally need a key logging utility to get the administrator password in the first place.
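The two prerequisites above (privileged access to the keyboard, plus a way to transmit the log) give a defender something to audit for. The following is an added example, not code from the book: it assumes a Linux-style /proc layout, and the allowlist names and the sample process tree are constructed for illustration.

```python
import os
import re
import tempfile

INPUT_DEV = re.compile(r"^/dev/input/event\d+$")  # Linux input devices (keyboards among them)

def audit_keyboard_readers(proc_root="/proc", allowlist=("Xorg", "systemd-logind")):
    """List processes that hold an input event device open.

    A process that also holds a socket matches both prerequisites from the
    text (read the keyboard, transmit the log), so it is sorted first.
    The allowlist is a site-specific assumption, not a complete list.
    """
    findings = []
    for pid in filter(str.isdigit, os.listdir(proc_root)):
        fd_dir = os.path.join(proc_root, pid, "fd")
        try:
            targets = [os.readlink(os.path.join(fd_dir, fd)) for fd in os.listdir(fd_dir)]
            with open(os.path.join(proc_root, pid, "comm")) as f:
                name = f.read().strip()
        except OSError:  # process exited, or we lack the privilege to inspect it
            continue
        devices = sorted({t for t in targets if INPUT_DEV.match(t)})
        if devices and name not in allowlist:
            findings.append({"pid": int(pid), "name": name, "devices": devices,
                             "has_socket": any(t.startswith("socket:") for t in targets)})
    return sorted(findings, key=lambda f: (not f["has_socket"], f["pid"]))

def build_sample_proc(root):
    """Build a constructed sample /proc tree (not real data) under root."""
    sample = {
        "812": ("Xorg", ["/dev/input/event3", "socket:[1101]"]),
        "1500": ("helper", ["/dev/input/event3"]),
        "2044": ("updater", ["/dev/input/event3", "/tmp/cache.log", "socket:[2207]"]),
        "2310": ("bash", ["/dev/pts/0"]),
    }
    for pid, (name, targets) in sample.items():
        fd_dir = os.path.join(root, pid, "fd")
        os.makedirs(fd_dir)
        with open(os.path.join(root, pid, "comm"), "w") as f:
            f.write(name + "\n")
        for i, target in enumerate(targets):
            os.symlink(target, os.path.join(fd_dir, str(i)))
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for finding in audit_keyboard_readers(build_sample_proc(tmp)):
            print(finding)
```

Run against the real /proc, the audit needs root to see other users' file descriptors; anything it reports is a lead to review, not proof of a key logger.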

Caution  

A possible attack is a replay attack; for example, the hacker may accomplish it through network sniffing.

  


Java Security Solutions
ISBN: 0764549286
EAN: 2147483647
Year: 2001
Pages: 222
