Will Using an On-Screen Keyboard Stop Keyloggers?

Will using the on-screen keyboard in Windows stop keyloggers?

The short answer is very simple: no.

I get a surprising amount of push-back on this, but the truth remains: while it might stop some, it’s nothing you can count on to be 100% effective.

Keyloggers are a form of malware that record your keystrokes to capture things like your login usernames and passwords so hackers can get into your accounts. Let’s look at the path of keystrokes from your finger to your computer to see the various ways your keystrokes can be intercepted and logged.

The keyboard connection

Typically, when you type a key, a microprocessor within the keyboard sends signals via the cable connecting it to your computer.

Here we encounter the first point of vulnerability. No, not the microprocessor in the keyboard (technically possible, but exceptionally unlikely) — but the cable, or rather, what the cable plugs into.

Particularly lucrative targets are public computers, where someone comes along and installs a physical device between the computer and keyboard: a device that intercepts and logs every keystroke entered. Sometime later they come back, remove the device, and take with it all the information users of that computer entered.

As it turns out, wireless keyboards can be worse. Wireless keyboards actually broadcast the keystrokes you’re typing. Any receiver within range can “listen in”. Wireless keyboards do encrypt their data, so in theory, the information should be safe, but the quality of the encryption can vary based on the age of the keyboard and the vendor. In addition, the concept of “in range” turns out to be much further than most people think, particularly for a thief with equipment dedicated and tuned to this purpose.

The good news is that your on-screen keyboard does protect you against these two specific types of keyboard-related threats. By using an on-screen keyboard, you’re bypassing those components of the keyboard hardware that could be compromised.

The bad news is that hardware-based keyloggers are rare. Much more common are software-based threats.

The keyboard software

Once your keystrokes arrive at the computer from the keyboard, they are processed by a keyboard device driver which (to oversimplify) handles the translation of the keyboard “scan codes”, as they’re called, to the letters, numbers, and symbols Windows applications expect.

Keyloggers typically insert themselves into the receiving end of this process: they get the keystrokes from the keyboard as they are passed on to Windows.

This is where the on-screen keyboard scenario gets interesting.

The on-screen keyboard application is a “virtual” keyboard. It has its own device driver, which, to Windows, “looks like” a real keyboard.

As a result, the keystrokes it sends to Windows can quite easily be captured by the same key-logging software capturing keystrokes from the real keyboard, if that key logger has been installed in the proper place.

But it gets worse. Much worse, actually.

A keylogger is just malware

Perhaps the most important concept to remember here is that keyloggers are just another form of malware.

And malware can do anything; keyloggers can capture much more than just keystrokes.

You use the onscreen keyboard by using your mouse to point and click at the image of a key on the keyboard. A keylogger could, then, for every mouse click:

  • Capture the location of the mouse on the screen.
  • Capture a screenshot image of the screen, or just the area “around” the mouse pointer.

The keylogger has captured a series of images showing exactly where you clicked and in what order. In other words, it’s captured your virtual keystrokes.

Note that this approach to keylogging also bypasses one of the more common so-called security techniques of randomizing the keyboard layout on the screen. You still have to be able to see where to click, and the logger simply logs what you see and where you click, regardless of how the keyboard is laid out.

Keyloggers as threats

How big a threat is all this?

It depends on whom you ask. In my opinion, “normal” keyloggers — those that record only keystrokes — are a fairly common threat, and are one reason why anti-malware protection, general internet safety, and the use of common sense is so important. So yes, they’re out there.

The real question is, how pervasive are the more sophisticated keyloggers, which do more than capture keyboard keystrokes, but use other techniques to effectively achieve the same result?

It’s hard to say, but I have to say it again: keyloggers are “just” malware. If they’re on your machine at all, you have a problem, and that problem may not be limited to logging what you type. Like any malware, you might not even realize it’s there until it’s too late. As a result, focusing on solutions targeted only at thwarting keyloggers is not only fundamentally misguided; it diverts your attention from a much bigger problem. If you have a keylogger, you have malware.

Focus on avoiding or removing malware of all sorts, and you’ll be avoiding or removing keyloggers as a side effect.

And I would never rely on a virtual keyboard of any sort as a security measure.

Originally published as Will Using an On-Screen Keyboard Stop Keyloggers? on Ask Leo!