RISK ASSESSMENT RATING: 8
How often the rogue device is used in the wild to conduct real-world attacks, with 1 being the rarest, 10 being widely used.
The KeyGrabber is a series of devices, all of which are designed for commercial use in addition to their use for other, maybe more questionable reasons.
The cost or “DYI burden” of the device, availability (ease of acquisition), and degree of skill necessary to deploy/operate the device, with 1 being expensive/difficult to build, not publicly available, and requiring deep technical expertise to operate, 10 being low-cost, available for purchase online, plug-and-play operation.
The KeyGrabber stands alone in incredible ease of use. The device is sold commercially as a way of tracking children’s online whereabouts and employee productivity, so it is designed for the most inexperienced user. With a DIY kit and multiple models, the tool is also easily accessible.
The potential damage caused by successful execution of the attack, with 1 being exposure of trivial information from the target, 10 being organization-wide superuser-level compromise or equivalent.
The impact of a KeyGrabber is entirely a function of what is typed: while most organizations cannot be taken down by the contents of an employee’s daily email, a few stolen username/password combinations could prove disastrous to the organization.
Created by KeeLog, the KeyGrabber product line includes no less than 6 distinct types of devices designed for the express purpose of capturing, storing, and reporting intercepted keystrokes from a locally connected keyboard. Each one is intended for a slightly different deployment, from a bare PCB the user needs to solder into the keyboard to “nano” sized units that easily slip between the computer and peripheral. KeeLog even offers an open source DIY keylogger that anyone can build around a Atmel microcontroller.
KeeLog’s top of the line product is the KeyGrabber Wi-Fi Premium, an Internet-connected keylogger, which allows for device configuration and data retrieval over the local network or Internet. Once a KeyGrabber Wi-Fi Premium is properly deployed, it could be left operational on-site indefinitely.
- I/O: PS/2 or USB
- Radio: 802.11 WiFi (open/WEP/WPA/WPA2)
- Storage: 4 GB
- OS: Closed Proprietary
- Supported OS: OS Independent
- Battery: Internal battery good for 7 years
Traditional keyloggers utilize a special combination of keys which must be pressed to access the device’s internal menu and dump the data out to a text file. This requires the operator to recover the device from wherever its been deployed; often a risky proposition. But with its network connectivity, configuring the KeyGrabber and recovering the stored keystrokes can be done without having physical access to the device.
Captured data can be sent out as periodic email messages, or downloaded directly from a computer on the same network. By sending the data out as an email message the KeyGrabber doesn’t require anything more than a valid email recipient and can easily get around inbound firewalls.
In addition to network connectivity, the KeyGrabber can also be put into a USB Mass Storage mode which will make the host operating system see it as a standard 4 GB USB flash drive. The stored keystrokes, as well as the devices configuration files, are then accessible as standard plain-text files on the drive.
Software keyloggers are harder to install and could be detected by security software on the local computer, making them difficult to use effectively. By using a hardware-based approach, the KeyGrabber is effectively invisible to the host operating system; greatly reducing the chances it will be discovered.
Not having to physically recover the device to collect the captured data on the KeyGrabber Wi-Fi Premium makes it considerably more effective than traditional local-only keylogger devices. Remote command and control even opens up the possibility of running large numbers of keyloggers on the same network, a task which would not be feasible otherwise.
On the other hand, connecting to the network makes the KeyGrabber detectable to those who know that to look for. The risk of picking the KeyGrabber up on a WiFi scan has to be balanced against the considerable advantage network connectivity offers.