KeyGhost II Professional

Review date: 26 October 2000.
Last modified 03-Dec-2011.

 

Sorry, but I am not at liberty to show you what this product looks like.

KeyGhost Pro

When I reviewed the KeyGhost Security Keyboard (review here), I opened the thing up and cut the heat-shrink and took pictures of the hardware.

The nice people at KeyGhost Ltd asked me, in the politest possible way, not to do that with the next one they sent me.

Because the whole idea of this gadget is that people not know what it is. That they think it's a plain keyboard, or a plug adapter, or, as in the case of the KeyGhost II Professional, some kind of electro-magnetic emissions compliance lump in the middle of an innocent little bit of cable.

OK, I'm being over-dramatic. You can see a picture of the KeyGhost II Professional plugged in-line with a keyboard right here on the KeyGhost site. That's not exactly the model I've got, but it looks much the same. It's the precise components inside that the makers would prefer people not know about.

There's a reason for that. The reason is that most people who find out about KeyGhosts express the opinion that these gadgets are pure concentrated evil in a little beige box. They may express that opinion with a delighted grin, but they express it just the same.

A KeyGhost is a hardware key logger. It records everything that's typed on a keyboard, and can spit it all out again on command.

It uses no system resources. It needs no batteries. It needs no supporting software. You can install it on any computer in seconds, remove it just as easily, and plug it into any other machine to read back the log. It'll work on any computer that accepts a PS/2 or AT-type keyboard; it comes with PS/2 connectors, but you get a couple of plug adapters in the box for the old-style larger plugs.

You plug the KeyGhost between keyboard and computer - or have one hidden inside the keyboard, if you've got that version - and the thing silently and invisibly records every single keystroke, up to the maximum its memory can hold. Then it starts overwriting the oldest keystrokes.

This one, the Pro, has a capacity of more than 500,000 keystrokes - more, because it does on-the-fly basic compression of repeated keystrokes. A fast typist belting along non-stop at 80 words per minute would take about 19 straight hours to fill that much storage. And then, probably, die. For most computer users, 500,000 characters is enough for weeks of monitoring.

If you don't need half-million-keystroke capacity, the cheaper and somewhat less featureful KeyGhost Standard has a 97,000 character memory. If you for some reason need more storage, there's a two million character Professional SE model.

When you open a text editor or word processor and type in the KeyGhost's password (it's "vghostlog" by default, but you can set it as any eight to twelve character upper or lower case alphabet-letter string), a "ghost" types out a menu for you, like so:

[C] safe mode

***
KeyGhost II Pro v5.8.6
www.keyghost.com

Menu >

1) Entire log download
2) Section log download
3) Wipe log
4) Format memory
5) Arrow keys
6) Optimize speed
7) Password change
8) Diagnostics
9) eXit

Select >

...and you can choose the options you want.

If you press any key other than what the KeyGhost expects to see for whatever menu you're in, it goes back to logging mode. So if you absent-mindedly switch to another app, no problem. As far as that app's concerned, you just typed <enter>Now logging ...<enter>, but that probably won't be a problem.

All of this stuff is the same as it was with the KeyGhost I reviewed before. This is one of the external ones that you can put in-line with any AT or PS/2 keyboard, not one of the ones built into a 'board, but the external ones were around before as well.

The KeyGhost manufacturers, though, have not been standing still.

New stuff

The KeyGhost now compresses repeated keystrokes as they're stored, and also displays them in a short form when you download the log. Any time you do the same thing more than four times - say, pressing Z six times - the log will spit it out as "zzzz(z(2x))". This goes for arrow keys, too; someone scrolling through a document with the down arrow won't eat pages of log, but just come out as something like "<dwn><dwn><dwn><dwn>(<dwn>(67x))". You can turn off arrow key logging, if you like.

The KeyGhost also now logs modifier keys, and prints them in the log as "<ctrl-s>" and so on. So you can see when the user copied or pasted with the keyboard, or saved a document, and so on. If there are odd quadruple-bucky-cokebottle commands that someone should have no cause to use - or even know - you can pick 'em up.

The KeyGhost doesn't grab every unusual key - some keys, after all, don't actually send a keycode to the computer at all. But the thing gets most of 'em.

Print Screen comes out as an asterisk, and Scroll Lock, Pause/Break, Num Lock and Caps Lock are all invisible to the logger - though, of course, it can see the effect that the two Lock keys have. Insert, Home, End, Page Up and Page Down are all picked up. Function keys, cursor keys, Windows key; no problem. And the thing detects power-ups ("<pwr>") and plug-ins ("<on>"), too.

I found my review KeyGhost wasn't without a trace or two of personality - it decided, now and then, that the Alt key was being held down when it certainly wasn't. This resulted in big blocks of "<alt-k><alt-n><alt-o><alt-w><alt-spc><alt-t><alt-h><alt-e>" and so on in the log. This didn't happen often, though, and apart from that it performed exactly as advertised.

Up yours, CIA!

The Professional-model KeyGhosts also now have strong (128 bit) encryption of the memory contents. Anybody who doesn't know the password is going to have a dickens of a time getting the log out of a KeyGhost. Even if they've got billions of bucks to throw at it.

It's not really 128 bit encryption, because the eight-to-twelve character case sensitive password only gives you some 398,541,260,467,162,000,000 possible passwords, which is a less-than-69-bit number. Distributed.net could probably brute-force it in a decade, tops, compared with the zillions of years that brute-force cracking real 128 bit encryption would take.

But distributed.net has literally tens of thousands of processors at its disposal; in straight CPU grunt, it makes the world's fastest supercomputers look sick. And you're still talking years and years of processor time to crack KeyGhost-level encryption, even after you take into account how much faster distributed.net would get, thanks to CPU speed increases, while you were working on the problem.

So it's safe to say that, failing any unexpected weaknesses in the KeyGhost's encryption algorithm or stunning advances in quantum computing, nobody who takes your logger away from you is likely to be able to find out what's been logged without employing time-honoured methods involving phone books, pick-axe handles and rubber hoses, to persuade you to divulge the password.

If you only pick an eight character password and they scan that keyspace first, they'll crack the code before they've touched more than one seven-millionth of the total possible keyspace. Pick a 12 character one, though, and you're safe.
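The keyspace arithmetic above, worked through as an added example (it is not part of the original review, and not KeyGhost's code). The alphabet and length range are the ones the review states; the guess rate in the demo is an assumed round figure, not a measurement of anything.

```python
import math
import string

ALPHABET_SIZE = len(string.ascii_letters)  # 52: upper and lower case letters only
MIN_LEN, MAX_LEN = 8, 12                   # password lengths the review says are allowed
NOMINAL_KEY_BITS = 128                     # advertised encryption strength
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def keyspace_by_length(alphabet=ALPHABET_SIZE, lo=MIN_LEN, hi=MAX_LEN):
    """Number of distinct passwords at each permitted length."""
    return {n: alphabet ** n for n in range(lo, hi + 1)}


def total_keyspace(**kw):
    return sum(keyspace_by_length(**kw).values())


def effective_bits(key_bits=NOMINAL_KEY_BITS, **kw):
    """A password-derived key is no stronger than the password space behind it."""
    return min(key_bits, math.log2(total_keyspace(**kw)))


def searched_up_to(length, **kw):
    """Passwords tried once every length up to `length` is exhausted, shortest first."""
    return sum(v for n, v in keyspace_by_length(**kw).items() if n <= length)


def share_of_total(length, **kw):
    """Fraction of the whole space that a shortest-first search has covered by `length`."""
    return searched_up_to(length, **kw) / total_keyspace(**kw)


def years_to_exhaust(length, guesses_per_second, **kw):
    return searched_up_to(length, **kw) / guesses_per_second / SECONDS_PER_YEAR


if __name__ == "__main__":
    ASSUMED_RATE = 1e9  # guesses per second; illustrative assumption only
    print(f"total passwords : {total_keyspace():,}")
    print(f"effective bits  : {effective_bits():.2f} of a nominal {NOMINAL_KEY_BITS}")
    for n in range(MIN_LEN, MAX_LEN + 1):
        print(f"len <= {n:2}: 1/{1 / share_of_total(n):,.0f} of the space, "
              f"{years_to_exhaust(n, ASSUMED_RATE):,.4f} years at the assumed rate")
```

The per-length table shows why the minimum length matters more than the advertised key size: each extra character multiplies the work by 52, so almost all of the 68-odd bits live in the 12-character passwords.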

If you forget the password, mind you, you're up a certain high-nitrogen waterway without any means by which to propel your barbed wire canoe.

Serial squirting

Another innovation in the newer KeyGhosts is enhanced download speed.

The PC keyboard interface is quite stunningly unsuitable for rapid data transfer. At the KeyGhost's maximum speed - which current computers are likely to be able to handle with no trouble - it can only deliver about 150 characters per second to the computer.

The notation differences and compression can change the total size of the delivered log, but you're still talking nearly an hour to download the whole memory contents of a KeyGhost Pro, and more than ten minutes even for the KeyGhost Standard.

Half a megabyte's not much data to deal with if you've got even a modestly speedy connection, though. Serial would do. A simple 56 kilobit serial connection will give you half a megabyte in about a minute.

Turbo Download adapter

So here's the Turbo Download Adapter. It plugs into the PC serial port. You download the (Windows-only, as yet) software from keyghost.com, you plug the adapter into the serial and the keyboard port on the computer, and you plug the KeyGhost and keyboard into the PS/2 socket on the adapter. Run the software, give it your password, tell it where to save the plain-text log file, and one 56 kilobit per second transfer later, you've got your data.

The price tag

The only thing stopping J. Random Script Kiddie from buying a crate of these things and polluting a whole office, school or what have you, is that they're rather expensive. The KeyGhost Pro, as reviewed, is $US249; the Turbo Download Adapter's another $US49. Even the plain KeyGhost Standard is $US139.

You're paying for the substantial development time that went into the product, of course, and by military-industrial-complex standards the things are cheap as chips. But as I write this, $US249 is more than $AU470. And that's without shipping from the makers, in New Zealand. You can get discounts for bulk purchases.

Overall

If the price isn't a problem for you - or you've got enough of a need for a KeyGhost that you'll just go ahead, sell a kidney and buy one anyway - then this is a device that performs pretty much exactly as advertised. With the serial adapter, you can easily extract a lot of data quickly.

And with the encryption in the Pro models, people with earpieces and shoulder holsters will be entirely satisfied - or deeply annoyed, as the case may be - with the level of data security the KeyGhosts offer.

As I said in the last review, the world might be a better place if these sorts of gizmoes could by some means be removed from existence. Oh, sure, key loggers have valid, or at least legal, uses - companies that want to monitor their employees' business-related activities, military-installation paranoids, people who want an incorruptible backup of their own last umpteen keystrokes, law enforcement people with a license to snoop.

But they're also a simple and elegant way to harvest sensitive information from any computer user to whose machine you have physical access.

Any security consultant will tell you that if someone malicious gets physical access to your computer, you've got a big problem. But with a KeyGhost, an attacker only needs ten seconds alone with your computer. It doesn't matter if the machine is turned off, unplugged and without a monitor. Plug it in, go away, come back later and retrieve it.

That's about the only limitation the KeyGhost currently has - you need physical access to the computer twice, because there's no way to remotely access the device. The manufacturers are aware of this little problem. Give them time.

What do I think of this thing? Well, let's put it this way.

If you want it, you'll have to pry it from my cold, dead fingers.


Review KeyGhost II Professional kindly provided by KeyGhost Ltd

The other one

KeyGhost Security Keyboard

Here's my review of the original KeyGhost Security Keyboard.


