KeyGhost Security Keyboard

Review date: 24 March 2000.
Last modified 03-Apr-2013.


If you think They have put a tiny device in your keyboard that records everything you type and sends it to the Illuminati satellites so the Greys can keep tabs on your every action, you may be right.

Well, except for the Illuminati-satellite part.

There are lots of ways to spy on computer users, but one of the simplest is the "key logger". Key loggers are programs that record every keystroke made by the user.

Any reasonably expert user can set up a logger to output to a hidden file, or a file on a network drive. Some loggers can send their output to a distant machine over the Internet.

Loggers are simple enough things, in essence. The only subtlety in them lies in making them as undetectable and unkillable as possible, so users don't know the logger's there, and can't turn it off even if they do know. Key loggers have also evolved into more advanced products that monitor what people click on and pretty much everything else they do with their computer. These so-called "activity loggers" are more useful, these days, to spy on complex multitasking machines for which keyboard input is often secondary.

There are some people who have good reason to use key loggers. Financial institutions and military organisations, for instance. For law-enforcement people, activity loggers are the computer equivalent of phone taps.

Lots of people with less clear-cut reasons to use loggers do as well. For some employers, key loggers fit in with security cameras and e-mail monitoring as elements of what's usually referred to by a euphemism like "employee evaluation". Obvious and not-so-obvious privacy issues are raised by these policies. But I'm not going to talk about them. Because I'm too busy playing with a new toy.


It's called a KeyGhost, and it is the king of the key loggers.

A KeyGhost is a tiny gizmo that connects between an ordinary PC keyboard - AT or PS/2 - and a computer, and records every keystroke. The KeyGhost Standard has enough memory for 97,000 keystrokes; the more expensive KeyGhost Pro can store 500,000. They need no batteries, they need no software installed, and they'll work on any PC. You can plug them into one computer to record and into another to play back, if you like.

The KeyGhost Standard sells for $US139, the KeyGhost Professional for $US249, from the manufacturers, New Zealand outfit Working Technologies.

It may look simple, but it's not. The makers claim that very nearly all of the little microcontroller's eight kilobytes of ROM is taken up, with code compiled from nearly 120 kilobytes of source.

To retrieve recorded data from a KeyGhost, you type in its secret password - which defaults to "#keyghost", but can be changed to whatever you want. Now, a "ghost" types out a menu, as you watch:

Main menu >

1) Download entire log
2) Download section of log
3) Erase log
4) Optimize speed
5) Password change
6) Format memory chip
7) Arrows keys include
8) eXit

Select or [space] to exit >

You need to be in some sort of text editor - a word processor will do - to interact with KeyGhost once you've fed it its password. It works in exactly the same way as an old terminal-based computer system, with everything you type, or KeyGhost outputs, just being appended to the growing document.

The invisible KeyGhost

The regular KeyGhosts are hard enough to spot. They're just a little cable extension with a cylindrical case in the middle, and they'll hide easily behind any computer. The upcoming KeyGhost Mini is particularly insidious - it can look like a normal keyboard extension cable, or like an AT-to-PS/2 or PS/2-to-AT plug adaptor.

But these KeyGhosts can be disabled easily enough, by simply unplugging them from the keyboard cable, and plugging it straight into the computer. The plug-adaptor KeyGhost Mini can, of course, just be replaced with a normal plug adaptor.

The hardest to spot (and disable) KeyGhosts are the Security Keyboards, which have a KeyGhost built into the keyboard case.

The regular Security Keyboard is a plain PS/2 PC keyboard with a KeyGhost Standard or Professional built in. For $US50 more than the ordinary KeyGhost prices you get an ordinary straight keyboard; for $US60 more you can have a Microsoft Natural Keyboard with your KeyGhost built in.

I checked out the plain Security Keyboard, with a KeyGhost Professional.

Ordinary innocent keyboard

There's absolutely nothing about the Security Keyboard to suggest that it's anything other than a perfectly ordinary keyboard. It's got the same soft-touch, low-noise rubber dome keyswitches in it as every other ordinary 'board these days, it's got the normal complement of Windows keys; there's absolutely no reason to suspect there's anything amiss, unless you unscrew the case and have a good look.

Keyboard open

There are two obvious screws, and no fewer than 11 other ones hidden under little stick-on rubber foot things. Take all of 'em out, though, and it's easy enough to open the 'board.

Keyghost unit

Inside, a casual observer wouldn't see anything amiss - but there's a little heat-shrink-covered bundle spliced into the keyboard's cable.

Keyghost unit

Slice open the heatshrink and the KeyGhost board is revealed.

Keyghost unit side 2

On one side, one Atmel AT45D041A four-megabit Flash memory chip - four megabits is half a megabyte, hence the half-million character memory.

Keyghost unit side 1

On the other side, one Microchip Technology PIC16F876 microcontroller, along with a little Fairchild Semiconductor CD4066BCM quad bilateral switch.

If this were truly a covert-ops naughty-boy device, all of the semis would have their markings ground off, and the little circuit board would be cocooned in a blob of potting compound. Actually, I'm informed by Working Technologies that current KeyGhosts do have the Flash chip's markings removed, to make it harder for people who don't have the password, but do have some skill with electronics, to read the log.


I wrote this review way back in 2000. Some time in 2005, somebody decided to use the above section of the review, including the pictures, in a hoax story about "Dell Keyloggers". The story alleges that the above hardware was being hidden in Dell laptops, and who knows where else, at the order of the US Department of Homeland Security.

This is, of course, nonsense. But as of early 2009 the bogus story is still all over the Web, sometimes in the deluxe edition that includes my pictures too. There's a Snopes page about it, as well.

And now, back to the original review.


Unlike software key logging systems, the KeyGhost can be installed on password protected machines, on BIOS locked machines, on powered-down machines, or, indeed, on any machine to which you have five seconds of physical access. The Security Keyboard's no good for surreptitious installation unless your target's too dozy to notice a keyboard change - but tipping coffee on his old keyboard and bringing him the KeyGhost one when he complains could do the trick. All of the little in-line KeyGhosts are ideally suited to "invisible" installation.

And there's no way to get rid of the KeyGhost without physically removing it. You can swap the computer's whole hard drive for a new one and KeyGhost will still remember everything it heard before, and keep happily recording away.

Using it

In operation, the KeyGhost is as simple as it sounds. Plug it in, use it, it's a normal keyboard. Run a text editor and enter the unlock code, though, and up comes the menu. Now, you can squirt out all or part of the log into your editor, clear the log, or do a few housekeeping tasks.

The password can be up to 16 characters long and use any normal ASCII characters, so it's easy to make it something that nobody's ever going to type by accident.

You can also change the speed at which the KeyGhost "types" - it can be slowed down for compatibility with older machines, or set to maximum speed for faster results on modern PCs. It doesn't output terribly fast at the best of times; it can't spit much more than 5.5 kilobytes of data per minute down the keyboard cable, so dumping the whole half-megabyte memory of a KeyGhost Pro would take an hour and a half.

Half a million keystrokes is rather a lot, though. It's at least 80,000 words - about 160 pulp-paperback pages. How long it'd take the average computer user to fill the KeyGhost Pro memory, I don't know - different people doing different jobs input data at different speeds - but even the 97,000-keystroke KeyGhost Standard would probably have enough space for several days of input from most people. If you need more, Working Technologies also have special super-capacity models with one- or four-million-keystroke memories.

Decoding some stuff from a KeyGhost log dump is like reassembling shredded documents. Spreadsheet work, for instance, will look deeply cryptic; the KeyGhost records arrow key presses (although you can tell it not to, if you want), so figuring out what was done might be slightly less excruciating, but it's still the kind of thing you'd only bother doing if you were trying to catch Carlos the Jackal's financiers or figure out which employee bilked the company out of a million bucks last year.

But it's trivial to search a KeyGhost log dump for keywords - the name of your chief competitor, a password your employee shouldn't know, names of known associates of the suspect who doesn't know the fuzz has KeyGhosted every machine in the Internet cafe he visits when he sends e-mail to his confederates.


The KeyGhost is a powerful snooping tool. Like most powerful snooping tools, it can be used to do good things, and bad things.

Key loggers are a dead easy way to make an end run around password-protected systems. And a hardware-based key logger like the KeyGhost means you just need a few seconds to plug the thing in. Connect it, come back later and retrieve it, plug it into another computer at your leisure, dump the log to a file, and search for the username. If you don't know the username, you can scan through the file visually - even a prolific typist isn't going to generate that much text per day - or take advantage of the fact that the KeyGhost records power-on or Control-Alt-Delete combinations as "<PWR>".

Right after a <PWR> is usually a good place to look for a username, and right after the username, you'll find the password.

Again, there are people who have a legitimate use for gadgets with such capabilities - criminal investigators, chiefly. And there are other, perfectly innocent applications for an incorruptible data store like this - professional writers, for instance, can use it as a real-time backup device from which they can extract their copy even if their hard drive detonates after a week of un-backed-up typing. It's likely to be a lot less useful for programmers, though, since all of the hopping around involved in coding means that decoding a simple serial keystroke dump is likely to be a great deal harder than just writing the code again.

Frankly, the more I think about the legal and ethical issues surrounding gadgets like this, the harder I find it to figure out whether they're a good thing or not. But the genie's out of the bottle; the KeyGhost is a complicated little item, but it's not as if it took a multinational corporation a hundred years to design. There's no way these gizmoes could be stamped out even if all of the world's governments decided to do it. So we're going to have to live with them, whether we like 'em or not.

Observed objectively - as a tool to do a job - the KeyGhost is a great product. The price isn't outrageous, the memory capacity is ample, and it's easy to use. If you need a keystroke logger, you'll love this one.

Review KeyGhost Security Keyboard kindly provided by Working Technologies.

UPDATE: I've checked out the newer KeyGhost II Professional now as well. Click here to read all about it!

New model!

KeyGhost Pro

I've checked out the newer KeyGhost II Professional now as well. Click here to read all about it!

Software monitors

There are plenty of activity monitors for current operating systems - Hook Dump, for instance, is one of the better free ones for Windows 95/98  . It's easy to find pages and pages of other loggers, monitors and similar security-related packages, though.

Some loggers record the logged keystrokes as the original keyboard "scancodes", not the translated ASCII that gets displayed on the screen; this lets you use whatever keymap you like for the output, making the logger easily useable with international and specialised key layouts. It also makes the output file harder to identify.

Give Dan some money!
(and no-one gets hurt)