The Rootshell team have discovered a security issue in KeyScrambler, an anti-keylogger owned by QFX Software, which could enable hackers to bypass the software’s encryption.

Keyloggers provide hackers with the means of stealing sensitive data by recording the information typed by users on a keyboard. KeyScrambler intends to protect users by encrypting keystrokes as they enter the Windows Operating System (OS), so that a keylogger would only see gibberish.

Like all software, KeyScrambler must be able to switch on and off when users restart their machines. The Rootshell team identified this as a potential source of weakness if a hacker were able to exploit it.

Since the product is software-based, the Rootshell team correctly assumed that it utilises a kernel driver running within the Windows OS. The team reverse engineered the kernel driver to reveal how the software’s shutdown functionality works, and therefore the steps needed to perform a shutdown.

The Rootshell team have built a simple proof-of-concept (PoC) that continuously switches the keyboard encryption off, as demonstrated below.

In the video, the latest version of KeyScrambler is installed (version 3.15 as of December 2020), with the PoC running in the background.

The keyboard is being logged throughout, which shows that keystrokes are encrypted prior to the execution of the PoC, and unencrypted while it is running. When the software is switched off, KeyScrambler informs the user that the product has experienced a ‘failure’.

The issue seemingly affects all versions of KeyScrambler. In line with our Bug Release Terms, we gave the vendor 90 days of notice before disclosing it. QFX Software consider the issue to be a denial-of-service attack, but as the purpose of the product is to defend against malicious keylogging, we believe this to be a security bypass.

At the time of writing, no patch or fix is available, so we won’t make any technical information about the vulnerability public. KeyScrambler customers should contact QFX Software if they have any enquiries.

Rootshell’s Head of Research and Development, Dr Neil Kettle, said: “We continue to be committed to identifying software vulnerabilities before they can be exploited by hackers. We hope this work encourages security software vendors to be vigilant so they can provide the best protection possible for their users”.

Read more of our bug releases:

Rootshell Discover a Denial of Service Flaw in Dekart Private Disk Encryption Software

Rootshell Discover Remote Heap Corruption Bug Within MiniDLNA And Develop Proof Of Concept Exploit