Will using an on screen keyboard stop keyboard loggers and hackers?

Search First! Then browse: Categories | Full Archive | By Date | Newsletter

Home » Viruses and Malware » Malware Prevention

Summary: Using an on screen keyboard instead of a real keyboard might stop some logging, but there's no guarantee that other techniques aren't also being used.

Will using the on screen keyboard in Vista stop keyboard loggers/hackers?

The short answer is very simple: no.

It might stop some, but it's certainly nothing that you can count on.

Let's look at the path of keystrokes from your finger to your computer and see all the various places that your keystrokes can be intercepted and logged.

•

When you type a key on your keyboard, typically a microprocessor within the keyboard does its magic to send a signal up the cable connecting your keyboard to your computer.

And there we reach the very first point of vulnerability. No, not the microprocessor in the keyboard (possible, I suppose, but exceptionally unlikely), but the cable. Or rather what the cable plugs into. Particularly lucrative targets are public computers, where someone comes along and actually installs a physical device between the computer and keyboard; a device that logs every keystroke entered. Sometime later they come back, remove the device and take with it all the information that users of that computer might have entered.

As it turns out, wireless keyboards are worse. Wireless keyboards actually broadcast the keystrokes you're typing. Any receiver within range can "listen in" and record them, and unfortunately "in range" also turns out to be much further than most people think - particularly for a thief with equipment dedicated and tuned to this purpose. While the keystrokes are supposedly encrypted, I recently heard that this encryption is often very easy to crack.

The good news is that your on screen keyboard actually does protect you against these two specific types of keyboard related threats. By using the on screen keyboard you've avoided touching the actual keyboard you've bypassed any compromise of the hardware.

"A keystroke logger can capture a lot more than just keystrokes ..."

The bad news is that hardware based keyloggers are rare. Much more common are software based threats.

Once your keystrokes arrive at the computer from the keyboard, they are then processed by a keyboard device driver which (to oversimplify) handles the translation of the keyboard "scan codes" that have come over the wire to the letters, numbers and symbols that Windows applications expect. Keystroke loggers typically insert themselves into the receiving end of this process, so that they get the keystrokes from the keyboard as they are passed on to Windows.

This is where the on screen keyboard scenario gets interesting.

Windows Vista on-screen keyboard

The on screen keyboard application is a "virtual" keyboard. It effectively has its own device driver, and to Windows "looks like" a real keyboard. As a result, the keystrokes it sends onto Windows can quite easily be captured by the same key logging software that's capturing keystrokes from the real keyboard, if that key logger has installed itself into the proper place.

But it gets worse. Much worse, actually.

Let's assume that the keystroke logger is not able to capture the keystrokes from the virtual on-screen keyboard.

A keystroke logger can capture a lot more than just keystrokes, so perhaps it'll capture something else instead.

You use the virtual keyboard by using your mouse to point and click at the image of a key on the keyboard. A keystroke logger could then capture on every mouse click:

the location of the mouse on the screen
a screen shot image of the screen, or just the area "around" the mouse pointer

What the key logger has done is captured a series of images showing exactly where you clicked and in what order. In other words, it's captured your virtual keystrokes.

Note that this approach to key logging also bypasses one of the more common so-called security techniques of randomizing the keyboard layout on the screen. You still have to be able to see where to click, and the logger simply logs what you see and where you click, regardless of how the keyboard is laid out.

How big a threat is this?

It depends on whom you ask. In my opinion "normal" keystroke loggers - those that record only keystrokes - are a fairly common threat, and are one part of the reason that anti-malware protection and general internet safety common sense in general is so important. So yes, they're out there.

The real question is how pervasive are these more sophisticated screen capturing keyloggers? It's hard to say, but we do know that malware creators have continued to escalate their attacks, both in technique and in scope. It wouldn't surprise me to see these types of malware increase in frequency.

And I, personally, wouldn't rely on a virtual keyboard of any sort as a security measure.

Related:

Is there a way to bypass keyloggers? Keystroke loggers can log a lot more than just keystrokes. We'll look at a couple of ideas for bypassing them, and they chances that you can.
Internet Safety: How do I keep my computer safe on the internet? Internet Safety is difficult and yet critical. Here are the seven key steps to internet safety - steps to keep your computer safe on the internet.
Spyware: How do I remove and avoid spyware? There are some important steps to take to deal with the ever-present concern of how to remove and avoid spyware.

Article C3617 - January 10, 2009

Recent Comments

4 Comments

There is a much better option than using the onscreen keyboard. To defeat keyloggers, i used to carry my login ids and passwords in my usb pen drive and copy and PASTE them into place, NOT TYPE them. This will defeat hardware key loggers. Passwords are entered as ****** in most cases which will defeat image capturing keyloggers.

Unless, of course, the keylogger is also watching the clipboard for anything you might copy/paste. VERY easy for a keylogger to do.

- Leo
16-Jan-2009

Posted by: amitpoddar at January 15, 2009 10:47 AM

Once again i can offer what i use to defeat
keylogging.
A program called KeyScrambler.
It's a great program.
Works in firefox and IE browsers.

And once again I'll express my extreme skepticism at any software that you have to install as being able to defeat a sufficiently sophisticated keylogger. IMO: it can't be done, and these utilities are a waste of time.

- Leo
16-Jan-2009

Posted by: fastfreddie1959 at January 15, 2009 8:05 PM

i guess it is the responsibility of websites to establish a security layer. they should ask for partial passwords and not full password. For example, a user has 8 character password. The website should display lesser than 8 boxes and ask the user to, say, enter 1st, 4th, 6th and 7th character of password. every time user tries a login, these places should be randomized so that every time, the website ask for different characters of password of the same user.
This can reduce password thefts to a significant extent, but not 100%.

Posted by: greater good at January 17, 2009 7:29 AM

There is an interesting comparison of approaches at http://kyps.net/home/comparison what do you think?

Posted by: Tom Hoffman at May 27, 2009 8:15 AM

Post a comment on "Will using an on screen keyboard stop keyboard loggers and hackers?":

Name: (Required) Email Address: (Required) (Email Address will not be published.) Remember Me? YesNo	By popular demand... my tip jar Buy Leo a Latte!
Comments: (you may use HTML tags for style)	Subscribe to the RSS Feed specifically for comments on this article.

Before commenting, please...

Read the article at the top of this page. If your comment shows you didn't, it'll be deleted and ignored.
Comment only on this article. Use the Google search box at the top of the page if you have a question about something else.
Don't include personal information in the comment. No email addresses. No phone numbers. No physical addresses.
Don't ask me to recover lost passwords or hacked accounts. I can't, and those comments will be deleted.

I can't respond to every comment. And I can't vouch for the accuracy of others who do.
Read Why didn't you answer my question? for hints on getting an answer.
By posting a comment you agree to the Terms of Service. Don't agree? Don't post.
Read the article at the top of this page. If your comment shows you didn't, it'll be deleted and ignored. Yes, I'm saying this twice; you'd be amazed.

Please wait. Your comment is being processed ...