The Naked Scientists

The Naked Scientists Forum

Author Topic: Will this mouse-operated "virtual" keyboard circumvent keylogging ?  (Read 9508 times)

Offline RD

  • Neilep Level Member
  • ******
  • Posts: 8131
  • Thanked: 53 times
    • View Profile
Will this mouse-operated "virtual" keyboard circumvent keylogging ?

Just found out that Vista has a mouse-operated "on screen keyboard" ...



Would this “virtual” mouse-operated keyboard circumvent key logging ?

i.e. avoid the data from actual keyboard keystrokes, including bank account numbers and passwords,
       being secretly recorded and transmitted.
« Last Edit: 29/08/2009 16:37:05 by RD »


 

Offline JimBob

  • Global Moderator
  • Neilep Level Member
  • *****
  • Posts: 6564
  • Thanked: 7 times
  • Moderator
    • View Profile
I doubt it - in order for the computer to understand the input it must be in the same format as any other key input.   
 

Offline LeeE

  • Neilep Level Member
  • ******
  • Posts: 3382
    • View Profile
    • Spatial
I doubt it too.

Unless the keylogger software is part of the keyboard driver it will sit downstream of the keyboard driver.  For the virtual kb to be able to replace the h/w kb, it must feed the keystroke data into the same stream as the real kb, and probably at the same point that the real kb driver does as there's no obvious reason why it shouldn't and it would require more code to do otherwise.  If so, keylogging software is likely to work as well with the virtual kb as it it with the hw kb.
 

Offline RD

  • Neilep Level Member
  • ******
  • Posts: 8131
  • Thanked: 53 times
    • View Profile
There are legitimate keylogging programmes: e.g. to check employees are working, not surfing the net on company time.

If anyone has used those legit keyloggers perhaps they can tell us if they can be defeated by this virtual keyboard.

Of course that would not prove that illegitimate keylogging code would be defeated in this way e.g. 

Quote
Form Grabber is an advanced (Crimeware based) keylogging method of capturing web form data. Often confused with traditional keylogging (recording individual keystrokes or hook based keyloggers). This type of keylogger intercepts the on submit API in browsers and collects web form data before it passes over the internet. This type of method is very effective in recording online banking passwords and other sensitive data because it only records login, password, IP, URL and other form fields. Traditional hook based keyloggers record all keystrokes pressed and creates bulky logs for attackers. 
http://en.wikipedia.org/wiki/Form_Grabber
« Last Edit: 30/08/2009 04:27:35 by RD »
 

Offline Geezer

  • Neilep Level Member
  • ******
  • Posts: 8328
  • "Vive la résistance!"
    • View Profile
I agree, even with JimBob. It's not going to look any different downstream.

However, (and I realize I'm answering a different question  :D) if the virtual keyboard was part of the webpage, it would defeat loggers. And the webpage could do things like shuffle the keys around, move the location of the keyboard and make each page sent out unique to make it even more secure. The OS and drivers would be completely out of the picture. The only way to hack it would be to capture and analyse the datastreams in both directions, which would defeat most crooks.

Unfortunately, I'm pretty sure the idea is well known!
 

Offline Geezer

  • Neilep Level Member
  • ******
  • Posts: 8328
  • "Vive la résistance!"
    • View Profile
(Looks down at keyboard and has a second thought.)

I suppose, if the web application had direct access to the actual keyboard (MS would not like this idea BTW) and the actual keyboard had a programmable look-up table built into it, you could do a similar security system with an actual keyboard.

The web app would keep downloading new tables into the keyboard, so, even if the keystrokes were logged, they would be very difficult to decipher. Only the web app would know what the keystrokes represented.

 

Offline RD

  • Neilep Level Member
  • ******
  • Posts: 8131
  • Thanked: 53 times
    • View Profile
if the virtual keyboard was part of the webpage, it would defeat loggers ... The only way to hack it would be to capture and analyse the datastreams in both directions

An excellent idea, but it could be defeated by a screen recorder on the users computer.
However if you've ever run a screen recorder you'll know it consumes a very conspicuous amount of CPU and memory,
 particularly if used at a frame rate high enough to capture "virtual" keystrokes.
 

Offline Geezer

  • Neilep Level Member
  • ******
  • Posts: 8328
  • "Vive la résistance!"
    • View Profile
Ah! Good point. I didn't know they existed. I suppose they would also produce a huge amount of data. It would all be bitmap I think, although it could be compressed I suppose.

It's also possible for the "virtual keyboard which is actually hardware" to connect only through the screen and mouse (and possibly the audio connection instead of the screen).

Imagine you have a second keyboard that is only connected to the audio out and mouse in.

Audio out sends a signal that tells the keyboard which look-up to use (it could have an enormous number in of them preloaded in memory)

As you type, the keyboard generates pseudo mouse movements that select certain fields in the screen. I'm not sure of this, but I suspect they could be virtually invisible, even to a screen capture program.
 

Offline Geezer

  • Neilep Level Member
  • ******
  • Posts: 8328
  • "Vive la résistance!"
    • View Profile
Forgot to mention - Obviously, you don't really need a second keyboard. Just a special mode in your standard keyboard.
 

Offline RD

  • Neilep Level Member
  • ******
  • Posts: 8131
  • Thanked: 53 times
    • View Profile
I suppose, if the web application had direct access to the actual keyboard

If the keylogging programme was incorporated onto the keyboard driver it would have access to the keystroke information before any legitimate process, i.e. before any encryption had been applied to the keyboard data.
« Last Edit: 30/08/2009 05:44:54 by RD »
 

Offline Geezer

  • Neilep Level Member
  • ******
  • Posts: 8328
  • "Vive la résistance!"
    • View Profile
OK - No, I'm proposing that the encryption is done in the actual keyboard hardware. I think that's the only way to make it secure. It's not a big deal to make such a keyboard.
 

Offline RD

  • Neilep Level Member
  • ******
  • Posts: 8131
  • Thanked: 53 times
    • View Profile
I was thinking a separate little numeric keypad which plugs into the usb port with its own unique encryption.
Provided the numerals are not displayed on screen it would defeat a screen recorder too,
 (BTW screen recorders can also record sound).
 

Offline Geezer

  • Neilep Level Member
  • ******
  • Posts: 8328
  • "Vive la résistance!"
    • View Profile
Let me try to recap.

The virtual keyboard idea seems to be fairly secure as long as it is an extension of the web app.

This might be fine for many situations, but it's not so good when there are a lot of keystrokes to input.

I'm suggesting an actual piece of hardware (a keyboard) that is completely unknown to the OS and drivers. From the OS and driver perspective, they are only aware of some strange audio from the app and a series of incredibly fast mouse operations.

 

Offline Geezer

  • Neilep Level Member
  • ******
  • Posts: 8328
  • "Vive la résistance!"
    • View Profile
The audio to the keyboard could be replaced by a video pattern that the app flashed on the screen. This would require some slightly fancy means of reading the screen, but it's not out of the question.
 

Offline Geezer

  • Neilep Level Member
  • ******
  • Posts: 8328
  • "Vive la résistance!"
    • View Profile
You certainly could go the USB port route as you suggest. The only thing is that you have to rely on some driver, and that's always a weaker point. I was trying to eliminate the driver completely.

I suspect it will all boil down to how much people are willing to pay for security.

I had a great idea once for a pen with accelerometers in it to authenticate users. The idea was that the application would ask you to write a random word. You could not know what the word was going to be in advance. Then the pen would transmit all the acceleration info to the app as you wrote the word. A "magic" piece of software would then analyse the dynamics of the writing, and decide if you were authentic or not.

Unfortunately, when I searched, I found a patent that described exactly the same idea! Bummer.
 

Offline RD

  • Neilep Level Member
  • ******
  • Posts: 8131
  • Thanked: 53 times
    • View Profile
... I found a patent that described exactly the same idea! Bummer.

I suspect my idea of a separate numeric keypad has been done before.

The person who solves this security problem will become as rich as Bill Gate$...


http://www.thesmokinggun.com/mugshots/gatesmug1.html

here booked for possession of an offensive floral shirt & impersonating John Denver  :)
« Last Edit: 30/08/2009 06:47:35 by RD »
 

Offline Geezer

  • Neilep Level Member
  • ******
  • Posts: 8328
  • "Vive la résistance!"
    • View Profile
Don't be so sure about that. If you can find a useful combination of hardware and software processes, it's quite likely you can patent it. It's not hard to search patents either. I can provide more info if you need it.

I think the most secure approach needs to stay as far away from the OS and drivers as possible. The flexibility and interoperability that they provide comes at a great price - lousy security. The trick is to allow the user and the application to interact without the OS having the faintest idea what is going on. As I mentioned, MS may not like that too much, because it could be a threat to their business model.
 

Offline RD

  • Neilep Level Member
  • ******
  • Posts: 8131
  • Thanked: 53 times
    • View Profile
Great minds think alike ...

Quote
KeyScrambler Personal is a free plug-in for your Web browser that protects your username and password from keyloggers. It defeats keyloggers by encrypting your keystrokes at the keyboard driver level, deep within the operating system. When the encrypted keystrokes reach your browser, KeyScrambler then decrypts them so you see exactly the keys you've typed. Keyloggers can only record the encrypted keys, which are completely indecipherable.
http://download.cnet.com/KeyScrambler-Personal/3000-2144_4-10722575.html

1. I'm suspicious of anything that's free.
2. I still think a keylogger could get to the keyboard data before encryption.
3. Even if this works (and is not malware in disguise) a form grabber could still harvest the data. 
« Last Edit: 30/08/2009 08:57:51 by RD »
 

Offline Geezer

  • Neilep Level Member
  • ******
  • Posts: 8328
  • "Vive la résistance!"
    • View Profile
Great?  [:I]

Anyway, yes. As soon as you rely on some other component that you don't control, there is a weak point.

'twer it up to me, I would blow up the current paradigm. For most internet transactions that need to be secure, all you need is a "fancy teletype" (I'll get heat for that). Basically, an internet browser with a human interface. Such a thing needs no intimate connection with as OS, File System, Program Execution, drivers, etc etc. A "fancy teletype" can be made very secure, but it will only be able to perform a limited set of functions.

All the "other stuff" should live behind a firewall, or be on a completely independent machine.

Perhaps we should move to Channel D?
 

Offline RD

  • Neilep Level Member
  • ******
  • Posts: 8131
  • Thanked: 53 times
    • View Profile
Perhaps we should move to Channel D?

Either that or tattoo messages on heads ...

Quote
Histiaeus did not like living in Susa, and made plans to restore his power in Miletus by instigating a revolt in Ionia. In 499 BC, he shaved the head of his most trusted slave, tattooed a message on his head, and then waited for his hair to grow back. The slave was then sent to Aristagoras, who was instructed to shave the slave's head again and read the message, which told him to revolt against the Persians.
http://en.wikipedia.org/wiki/Histiaeus
« Last Edit: 30/08/2009 09:07:33 by RD »
 

Offline RD

  • Neilep Level Member
  • ******
  • Posts: 8131
  • Thanked: 53 times
    • View Profile
Re: original question about the Windows on screen keyboard ...

Quote
Keylogger Note: While on-screen keyboards offer protection against hardware keyloggers,
 they do not offer protection against software keyloggers (which are far more common).
http://portableapps.com/apps/accessibility/on-screen_keyboard_portable
 

The Naked Scientists Forum


 

SMF 2.0.10 | SMF © 2015, Simple Machines
SMFAds for Free Forums