Universities often need to have a number of computers in classrooms ready for faculty and staff to use for presentations and Internet access, which can be a security challenge. Carleton University is the latest to find that out when a regular inspection discovered USB keylogging devices had been plugged into six classroom PCs.

The computers themselves can’t store data, said Beth Gorham, Carleton’s manager of public affairs, so there was no risk of university data being captured. However, the PCs are connected to the campus network so keyloggers would be able to capture login information. As a result all staff, faculty, contract instructors and teaching assistants have been ordered to change their passwords. In addition, the university has recommended all students do the same “out of an abundance of caution.”

“We have no indication that any personal information has been obtained,” she said.

Discovery of the devices was made a week ago during a regular inspection of classroom devices by the instructional media services staff, Gorham said. Until now because presenters use USB memory sticks for presentations the USB ports of the computers hadn’t been locked, Gorham said.

However, she said, since the discovery “those computers and other were secured [with locks] so this can’t happen again.” And as a result of the incident classroom inspections have been stepped up.

The university has some 3,200 Windows-based workstations in offices and classrooms.

USB keyloggers are a difficult physical security problem. They look exactly like an ordinary USB memory stick. Usually they will be plugged into the cord from a PC or Mac keyboard, which then plugs into a USB port at the back of a computer. If the device is the same colour as the keyboard cord it wouldn’t be easily seen — especially if plugged into the back of a PC. There are also reports of wireless keyloggers that look like USB chargers but pick up and relay keystrokes.

Unlike software-based keyloggers that come in malware, hardware-based keyloggers can’t be detected by anti-virus software. They are easily purchased on the Internet, where manufacturers and distributors boast of capabilities like encryption.

This isn’t the first time Carleton has had to deal with a keylogging attack. In 2008 a university student was charged with mischief to data and unauthorized use of a computer after he used keylogger software and magnetic stripe card reader software used at the time for security to access the campus network, then sent a report to the university on how he did it. He explained his goal was to prove the network wasn’t secure. The charges were later dropped.

Last November the university was hit by a ransomware attack that infected over 3,000 PCs.