Anti-Surveillance Keyboard Protection in Linux
Introduction
Previously, we discussed Xorg and its issues with keyboard data interception. Today, we’ll expand on that topic and talk about keystroke biometrics and how to avoid them.
The Threat
Keystroke tracking algorithms have long been able to fingerprint users based on indirect biometric indicators. The U.S. Army Research Laboratory wrote about this many years ago. This poses a privacy risk, as masking spatial information—such as changing your IP address via Tor—is not enough for true anonymity.
Users can be identified by the following factors:
- Typing speed
- Exact timing of each key press and release, and the interval between keys
- Duration of pauses while typing
- Number and types of errors made
- Error correction style (not the errors themselves, but how you fix them)
- Type of local keyboard used
- Whether the user is right- or left-handed
- Fast letter sequences indicating likely native language
- Keyboard layout, since key placement affects search time and error rates
However, this technique isn’t perfect: typing style can change throughout the day or depending on mood and energy. But nothing stops adversaries from building multiple profiles for the same user.
For safety, let’s assume adversaries already have samples of your keystroke fingerprints to compare with your “anonymous” Tor samples.
Mitigating the Threat
Typing on the most popular keyboard layout, en-US, can help reduce risk. Also, avoid typing directly in browsers with JavaScript enabled, as this opens up a deanonymization vector. The most reliable method is:
- Write your text in an offline (not connected to the internet) text editor.
- Copy and paste the finished, edited text into the web interface.
But accidents happen. You might be in a hurry and forget to follow this process. To protect yourself, you need automatic protection.
Kloak
After reading the U.S. Army Research Laboratory report, some smart folks created Kloak (Keystroke-Level Online Anonymization Kernel).
The program has two main goals:
- Make it harder for adversaries to identify the user
- Make it harder for attackers to mimic the user’s typing behavior
The first goal could theoretically be achieved if all users typed at the same speed and rhythm, but since everyone types differently, this isn’t practical. Instead, pseudo-anonymity is achieved by masking the user’s typing rhythm, making it harder for attackers to re-identify someone.
The second goal is to make it difficult to fake typing behavior and impersonate a user, possibly bypassing two-factor authentication that uses keystroke biometrics. This is done by making the time between keystrokes unpredictable.
An additional benefit of Kloak is that it helps prevent attacks that try to identify search queries in encrypted network traffic using information leaked through search engine autocomplete.
How It Works
Kloak captures the input device and writes delayed events to the output device. Capturing the device prevents any other application from reading its events. Events are scheduled for release in a separate thread, where a random delay is added before they are output.
This partially solves the problem discussed in the previous article—now, not every application can observe your input (abstract sniffing is disabled). If you run Kloak and then xinput test id, the second program won’t be able to read the input device.
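The delayed release described above can be modelled in a few lines. This is an added example, not Kloak's own code: the rule that bounds each delay so events stay in order is an assumption of the model, and the perfectly regular 120 ms typist is constructed sample data.

```python
import random
import statistics

def schedule_releases(arrival_ms, max_delay_ms, seed=1):
    """Model of delayed release: every event waits a random time of at most
    max_delay_ms, bounded below so it never overtakes the previous event."""
    rng = random.Random(seed)
    releases, prev_release = [], 0
    for t in arrival_ms:
        # Smallest delay that still keeps this event behind the previous one.
        lower = min(max(prev_release - t, 0), max_delay_ms)
        prev_release = t + rng.randint(lower, max_delay_ms)
        releases.append(prev_release)
    return releases

def intervals(times):
    """Inter-key intervals, the raw feature a timing profile is built from."""
    return [b - a for a, b in zip(times, times[1:])]

def interval_spread(arrival_ms, max_delay_ms, seed=1):
    """Standard deviation of the intervals an observer sees after masking."""
    return statistics.pstdev(intervals(schedule_releases(arrival_ms, max_delay_ms, seed)))

# Constructed sample: 200 key events typed at an exact 120 ms rhythm.
SAMPLE_ARRIVALS = [i * 120 for i in range(200)]

if __name__ == "__main__":
    for d in (0, 10, 100, 200):
        spread = interval_spread(SAMPLE_ARRIVALS, d)
        print(f"max delay {d:3d} ms -> observed interval std dev {spread:6.1f} ms")
```

With a small maximum delay the observed intervals stay close to the original rhythm, which is the first limitation listed in the next section.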
Limitations
Kloak does not protect against all forms of keystroke biometrics that could be used for identification. In particular:
- If the delay is too small, it’s ineffective
- Repeated key presses are not masked
- If your system is set to repeat held keys at a unique rate, this can leak information
- Your writing style is still vulnerable to authorship analysis (stylometry)
- Higher-level cognitive behaviors, like editing and app usage, are still visible. These low-frequency actions are less studied but could potentially reveal your identity.
How to Use Kloak
On Arch Linux, you can install Kloak from the AUR. After installation, you need to find out which device number your keyboard is assigned. For this, use the xinput program:
xinput list
The command will display a list of input devices. Remember the id in the line that says “Virtual core keyboard” on the left and “master keyboard” on the right. In our example, this is id=3.
Now, run Kloak as administrator:
sudo kloak
If you lose control of your keyboard after starting the program, press right Shift + left Shift + Esc to exit. You can set a custom rescue key combination with the -k option.
To make sure Kloak is running, start it in verbose mode:
sudo kloak -v
If you just run it as is, it will listen to all input devices, which may disable Wi-Fi or reset keyboard settings. To specify which device to listen to and replace, use:
sudo kloak -r /dev/input/event3
Replace “event3” with your actual id value.
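An added check, not part of the original article or of Kloak: the N in /dev/input/eventN is assigned by the kernel, so it can be confirmed against /proc/bus/input/devices before it is passed to -r. The parser below runs on a constructed sample of that file; the function name and the keyboard heuristic (kbd handler plus key and auto-repeat event bits) are assumptions of this example.

```python
import re

# Event-type bits from the kernel's input-event-codes.h
EV_KEY = 1 << 0x01
EV_REP = 1 << 0x14

def keyboard_event_nodes(proc_text):
    """Return [(device name, '/dev/input/eventN')] for keyboard-like devices."""
    found = []
    for block in proc_text.strip().split("\n\n"):
        name = re.search(r'^N: Name="(.*)"', block, re.M)
        handlers = re.search(r'^H: Handlers=(.*)$', block, re.M)
        ev = re.search(r'^B: EV=([0-9a-fA-F]+)', block, re.M)
        if not (name and handlers and ev):
            continue
        hs = handlers.group(1).split()
        event = next((h for h in hs if h.startswith("event")), None)
        bits = int(ev.group(1), 16)
        # Power and lid buttons also carry a kbd handler but lack auto-repeat.
        if "kbd" in hs and event and bits & EV_KEY and bits & EV_REP:
            found.append((name.group(1), "/dev/input/" + event))
    return found

# Constructed sample in the format of /proc/bus/input/devices
SAMPLE_DEVICES = """\
I: Bus=0019 Vendor=0000 Product=0001 Version=0000
N: Name="Power Button"
H: Handlers=kbd event0
B: EV=3

I: Bus=0011 Vendor=0001 Product=0001 Version=ab41
N: Name="AT Translated Set 2 keyboard"
H: Handlers=sysrq kbd event4 leds
B: EV=120013

I: Bus=0003 Vendor=0000 Product=0000 Version=0111
N: Name="Constructed USB Mouse"
H: Handlers=mouse0 event5
B: EV=17
"""

if __name__ == "__main__":
    # On a real system: keyboard_event_nodes(open("/proc/bus/input/devices").read())
    for name, node in keyboard_event_nodes(SAMPLE_DEVICES):
        print(f"{node}  {name}")
```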
With the -d flag, you can set the maximum delay (in milliseconds) that may occur between physical key events and the writing of those events to the user-level input device. A comfortable average delay is 100 ms. This reduces identification accuracy by about 20-30% and doesn’t create too much lag between you and the application.
sudo kloak -r /dev/input/event3 -d 100
Increasing the maximum delay improves masking effectiveness but reduces application responsiveness. This is a trade-off between usability and privacy. If you type quickly and notice a lag between keypress and character appearance, try lowering the delay. If you type slowly, you may be able to increase the delay without noticing much difference.
You can also obfuscate the mouse, not just the keyboard. To do this, simply enter:
sudo kloak -d 100
Now all input devices, including the mouse, will be obfuscated. This may be inconvenient, but it makes it much harder for any website to identify you by mouse movement.
Conclusion
Install Kloak on both your host and virtual machine, but use different delay values to protect yourself in case the VM is compromised. Experiment with different values up to 200 ms and choose what’s comfortable for you. Also, remember the publishing algorithm: write your text in an offline editor → then send it online.