
Wireless Keylogger Masquerades as USB Phone Charger

msm1267 writes: Hardware hacker and security researcher Samy Kamkar has released a slick new device that masquerades as a typical USB wall charger but in fact houses a keylogger capable of recording keystrokes from nearby wireless keyboards. The device is known as KeySweeper, and Kamkar has released the source code and instructions for building one of your own. The components are inexpensive and easily available, and include an Arduino microcontroller, the charger itself, and a handful of other bits. When it's plugged into a wall socket, the KeySweeper will connect to a nearby Microsoft wireless keyboard and passively sniff, decrypt and record all of the keystrokes and send them back to the operator over the Web.
  • by Iniamyen ( 2440798 ) on Tuesday January 13, 2015 @04:05PM (#48805671)
    I am not a security expert, but what non-nefarious purpose does this product serve?
    • by AK Marc ( 707885 )
      What if you want to sniff your own keyboard?
    • by slacktide ( 796664 ) on Tuesday January 13, 2015 @04:15PM (#48805767)
      Its purpose is clearly to force wireless device manufacturers to use secure data transmission protocols.
      • by Lumpy ( 12016 )

        Don't buy cheap keyboards and mice and use bluetooth.

        Problem solved.

      • Re: (Score:2, Informative)

        by al0ha ( 1262684 )
        Dang this is NOT A STORY and the claim that this can work against all Microsoft Wireless Keyboards is 100% BS, and has been since 2007, when the issue was first uncovered; covered in depth by Schneier, and remedied in all versions of the Microsoft Wireless Keyboard created since then, which use at minimum 128-bit AES; NOT XOR.
        • "the claim that this can work against all Microsoft Wireless Keyboards is 100% BS, and has been since 2007, when the issue was first uncovered; covered in depth by Schneier, and remedied in all versions of the Microsoft Wireless Keyboard created since then, which use at minimum 128-bit AES; NOT XOR."

          The only meaningful hits on 'schneier microsoft wireless keyboard' is just a few broken links to a Dreamlab study: http://www.google.com/search?q... [google.com],

          Those were using a 27 MHz transmitter (near field, i suppose)

      • Its purpose is clearly to force wireless device manufacturers to use secure data transmission protocols.

        I wonder if he teaches his kids about gravity by throwing one of them off a cliff?

      • Its purpose is clearly to force wireless device manufacturers to use secure data transmission protocols.

        I genuinely can't tell whether or not you're joking. Excellent.

    • by Anonymous Coward on Tuesday January 13, 2015 @04:17PM (#48805785)

      people could be secretly using this technology already, could have been for the past 10 years or more, to spy on you.

      by making it easy and publicizing it, this teaches you today about the risks you have already been facing which is good because perhaps now you will take steps and do something about it.

    • Re: (Score:2, Informative)

      by Anonymous Coward

      It raises awareness to just how insecure wireless keyboards are, so that hopefully people will stop using them for anything important.

    • by Opportunist ( 166417 ) on Tuesday January 13, 2015 @04:23PM (#48805851)

      This is good because he told us instead of handing us a USB charger.

      "But if he wouldn't develop it, it would be better!"

      Nope. Because there is no such thing as security by apathy. Nobody has the monopoly on ideas, and this is hardly the first hack of this kind. Hiding microelectronics in inconspicuous everyday items is as old as, well, the Thing [wikipedia.org]. Think the US would have been spied upon if they themselves knew such a device can be developed?

      And do you think you can be spied upon with such an item now?

      • And do you think you can be spied upon with such an item now?

        Of course you bloody well can.

        Are you going to run around unplugging every USB wall charger in your vicinity on the presumption it's bugged? Think you'll be in the airport and force everyone to unplug their USB chargers? Think that won't get you a beating?

        Unless you have control over every single thing which is plugged in, you absolutely can still be spied on like this.

        The form factor is trivially altered -- so then you're policing anything with

        • Well, then I guess the lesson is to not use wireless keyboards.

          In the end, you have learned something. Information you have can never be harmful to yourself. At least not by itself.

        • by houghi ( 78078 )

          So you are going to unplug it and think you are safe? Watch the video. It is also battery driven, so unplugging it won't work.

          Further: This is just a design idea. You could easily put it into e.g. a USB device or anything else or just tape it with a battery under a desk.

          And I understand that they are not built for security, but they are used for it. People doing their bank business. They use it to log into email accounts. They are used to order things online where they enter credit card numbers.

        • Unless you have control over every single thing which is plugged in, you absolutely can still be spied on like this.

          You'd also have to flip the breakers as well, not to mention wait until any integrated batteries have time to die.

          I've seen this sort of stuff connected within the wall box the socket is in. They're already illegal, so you don't have to use 18 gauge wire or whatever while worrying about fire code - just tack on some whisker-thin wires (28 gauge?) for power. Heck, see if you can shove it OUT of the box.

        • by rthille ( 8526 )

          If you're in the airport and you're using a wireless keyboard, you're a wanker...

    • It's good, because it reveals a security flaw that could be exploited. By providing plans, it allows people to verify the finding.

      If someone, like myself, is security conscious, then it helps to identify another threat vector.

    • by gweihir ( 88907 )

      It is a demonstration of what can be done. As such it serves to improve risk management by potentially affected people.

    • obviously, this will be big among executive offices, saves time trying every password they have used in the past 20 years to watch videos during phone conferences.

    • by blueg3 ( 192743 )

      Demonstrating that people should be using wireless keyboard protocols that don't suck.

    • by alen ( 225700 )

      say my monitor is broken and i want to know what i'm typing?

    • Illustrates why you should use a wired keyboard.
      • Ever hear of acoustic cryptanalysis?

        Basically, with varying degrees of success, a microphone recording you typing and some software can decode your keystrokes on a wired keyboard. I'm waiting on someone to perfect the Van Eck effect/phreaking... although I think that was limited to CRT monitors. It's been a while since I looked at either.

    • Mostly helping the hack job security companies have yet another dumb toy to trot out during demos and pentesting.
    • None. But it's good to know about.
  • by Jeremi ( 14640 ) on Tuesday January 13, 2015 @04:06PM (#48805681) Homepage

    As if having to replace keyboard-batteries every 6 months wasn't reason enough. Is there really any benefit to having a keyboard be wireless, outside of a living room TV/PC scenario?

    • That was my thought. Why broadcast any data unencrypted ever? Maybe wireless mouse data as I can't see that being particularly useful...
      • Why broadcast any data unencrypted ever?

        Because broadcast to everyone is the purpose.

        Otherwise the problem with wireless keyboards isn't 'just' that they're unencrypted, because some boast that they are encrypted, and they technically are. It's just that an 8 bit key is worth about as much as ROT-13.

    • Yes. You are not actually sitting at a desk. I routinely double screen - my monitor is on my living room coffee table, I type on the keyboard while sitting on my couch. In the background is the News on my regular TV.
    • by OzPeter ( 195038 )

      As if having to replace keyboard-batteries every 6 months wasn't reason enough.

      The batteries thing was one reason why I like my Logitech wireless keyboard as it is powered by solar cells - no battery changing at all.

      But now .. hmm .. I totally didn't think about sniffing the keyboard.

      • As if having to replace keyboard-batteries every 6 months wasn't reason enough.

        The batteries thing was one reason why I like my Logitech wireless keyboard as it is powered by solar cells - no battery changing at all.

        But now .. hmm .. I totally didn't think about sniffing the keyboard.

        Logitech is actually out in front when it comes to encryption. Their 2.4 GHz wireless keyboards going back almost 10 years have used 128-bit AES. Unless someone has leaked the pre-generated key algorithm, your chat history is safe and sound.

        • by Smerta ( 1855348 )

          Serious question (in case it sounds like I'm being antagonistic):

          Since AES is a block cipher, and an AES block is 16 bytes, and since keypresses appear to be transmitted "instantaneously", does that mean for each keypress, a 16-byte block is formed, and encrypted? And what about the encryption mode? (Otherwise doesn't it basically become ECB?)

          Seems like a stream cipher would make more sense, although you'd need a protocol on top of that to stay synchronized, since packets can become lost/corrupted

          • Since AES is a block cipher, and an AES block is 16 bytes, and since keypresses appear to be transmitted "instantaneously", does that mean for each keypress, a 16-byte block is formed, and encrypted? And what about the encryption mode? (Otherwise doesn't it basically become ECB?)

            You use the block cipher to generate what is essentially a random stream, then XOR it with the input stream as needed, turning your block cipher into a stream cipher.

    • by PRMan ( 959735 )
      I have arcade joysticks and driving wheels which I also hook up to my PC. It's a lot easier to move the keyboard when it's not attached. Other than that, nothing really.
      • A real arcade gamer would mod his computer desktop to have a rotating control panel and put the keyboard on one of the three sides!

    • by OhPlz ( 168413 )

      Fewer cables. It's also nice if you want to make room for a book or pile of papers or something temporarily, there's no cord to argue with.

      • Time to get the "telephone cord" style of cord back on keyboards. It was invented so you can move the cord more easily.

    • by Barny ( 103770 )

      I run two PCs with three displays. I typically use Synergy to mouse/keyboard share between them but, in case the network has issues, I keep a wireless controller hooked up to the second PC and the mouse/keyboard are in a drawer in the desk.

    • by houghi ( 78078 )

      On a desk? At home I often lean back with my feet on the desk. Not having a cable makes that easier. A second and very important thing (perhaps not for you) is that it looks so much nicer.

      Not everything needs to be functional.

    • by AmiMoJo ( 196126 ) *

      It's not that bad. This particular issue was found back in 2007 and Microsoft fixed it with proper encryption, that so far has remained uncracked (at least as far as we know). The batteries in my wireless keyboards last years. It's the mice that chew through them every six months.

  • by Anonymous Coward

    Remember when we added networks to Windows 3.1? Remember how well that worked out? Remember how not having multi-user support totally didn't result in massive piles of insecure bug-ridden software full of viruses? Remember how antivirus software wasn't ever a thing?

    Well, it seems we didn't learn here. Taking something that's not designed with security in mind and suddenly hitching it up to a network doesn't seem to be working well for anything really. What we've learned is that the market will quite happily

    • by Sowelu ( 713889 )

      I'm pretty sure I've heard of acoustic keyloggers. Yeah they probably have tough restrictions on where they need to be placed to be effective, but you might luck out. Bet you could put one of those into this thing and remove the "wireless keyboard" requirement.

  • Dewhat? (Score:5, Interesting)

    by TheCarp ( 96830 ) <sjcNO@SPAMcarpanet.net> on Tuesday January 13, 2015 @04:08PM (#48805711) Homepage

    This is why I hate large swaths of consumer products.

    If the keyboard is encrypting keystrokes and sending them to the system....and a third party device sitting in the corner with no configuration involving dumping and loading keys....then the data is NOT encrypted.

    If you use the same static key, or one of a few easily derivable keys, I don't care how solid the encryption alcogrythem you use is.... I do not consider it encrypted, because the use case took "strong encryption" and turned it into "weak obfuscation".

    So unless there is some esoteric trick they are using to exploit the system and get their hands on a key that should otherwise be secure.... then its a disservice to the public to even call it encryption, because unless that is the case and they were genuinely compromised from a use case that should have otherwise been secure.... then all they did was use a fancy obfuscator.

    • Re:Dewhat? (Score:5, Interesting)

      by Firethorn ( 177587 ) on Tuesday January 13, 2015 @04:20PM (#48805807) Homepage Journal

      So unless there is some esoteric trick they are using to exploit the system and get their hands on a key that should otherwise be secure.... then its a disservice to the public to even call it encryption, because unless that is the case and they were genuinely compromised from a use case that should have otherwise been secure.... then all they did was use a fancy obfuscator.

      When I was in the USAF I had great fun telling users that they could have a wireless keyboard & mouse just as soon as they found FIPS 140-2 compliant ones. I then told them that not only do none exist to our knowledge, but none are planned. The main problem being once you put serious encryption in there (as 140-2 requires), you're looking at a keyboard/mouse that are closer to smartphones than keyboards. I.e. an AA won't last a few months, you'll need to charge it like you do your smartphone. AES encryption also isn't intended for 8-16 bits at a time, so it's not really efficient there.

      • Re:Dewhat? (Score:5, Funny)

        by KingMotley ( 944240 ) on Tuesday January 13, 2015 @04:44PM (#48806047) Journal

        When I was in the USAF I had great fun telling users that they could have a wireless keyboard & mouse just as soon as they found FIPS 140-2 compliant ones. I then told them that not only do none exist to our knowledge, but none are planned. The main problem being once you put serious encryption in there (as 140-2 requires), you're looking at a keyboard/mouse that are closer to smartphones than keyboards. I.e. an AA won't last a few months, you'll need to charge it like you do your smartphone. AES encryption also isn't intended for 8-16 bits at a time, so it's not really efficient there.

        That's easy to solve. Since the keyboard and mouse are very likely near a PC, just run a charging cable to one of its USB ports and never disconnect it. Then you can get rid of the battery completely. Problem solved. Then you've got a nice battery-less, always charged wireless keyboard and mouse. Tada!

        • What's scary is that it sounds like something you could actually sell, for a premium over the kind that uses a battery, to a government agency.

    • by sinij ( 911942 )
      I work in InfoSec, and insecure implementation is widespread and the norm. This is unlikely to change, not until consumers start demanding product certification.

      In my experience, common implementation flaws are 1) hard coded keys, 2) leaking of secrets 3) weak randomization leading to predictable keys, 4) use of weak cryptography.
      • by OzPeter ( 195038 )

        This is unlikely to change, not until consumers start demanding product certification.

        But certification costs money. And I demand my cheap keyboard.

        That and how the hell do you educate users that their keyboard has a security vulnerability (and does that mean having to keep an eye out for security patches for your keyboard?!?!? )

        • by sinij ( 911942 )
          Well, I advocate and practice usage separation. Have a secure device dedicated for "important" tasks like banking. This way you can have usability in most cases, and security in cases that require it.

          As to how do you educate users that their keyboard, smart TV, smart thermostat, router, in-car infotainment system, child monitoring system, fitness band, implanted defibrillator all require security patches? You can't. Unless they are Dick Cheney, who has a very well deserved reason to be paranoid.
          • by TheCarp ( 96830 )

            I would say this is pretty close to how I look at it now. I got a cheap wireless keyboard sure....but anyone sniffing the traffic is going to be bored to tears as I don't ever type anything the least bit confidential on it. Best you are getting is a bunch of youtube URLs and a whole bunch of wwwwwwwwwwwwwaaaaaaaaaaaaaaaasssssssssssssssddddddddddddddddddddddddfff

        • Most users don't care. Most users wouldn't care that their keyboard COULD be logged, even if they were told. MOST users are using wireless keyboards to type twitter and facebook posts.

          • by Jeremi ( 14640 )

            Most users don't care. Most users wouldn't care that their keyboard COULD be logged, even if they were told. MOST users are using wireless keyboards to type twitter and facebook posts.

            They also use those same keyboards to log in to their bank accounts, so they'll care after the first time their checking account gets drained. (And for those that don't use on-line banking, they'll care after the first time their Facebook account starts posting goatse pics for their mom to see)

          • by TheCarp ( 96830 )

            Which is all the more reason why system designers really should consider themselves as having a duty to care for them. The vast majority of users are not experts and any risks they expose themselves to in using the product really are things they can't be expected to understand. So products intended for non-professional markets especially should really be designed to not expose inexpert users to risks as much as possible.

    • Re:Dewhat? (Score:5, Informative)

      by Opportunist ( 166417 ) on Tuesday January 13, 2015 @04:31PM (#48805907)

      It's not even weak obfuscation. The "key" is the mac address of the device... which is sent along with every single packet.

      • Re:Dewhat? (Score:5, Informative)

        by Dagger2 ( 1177377 ) on Tuesday January 13, 2015 @05:04PM (#48806251)

        And the "key" is xored with the plaintext to get the "encrypted" text, and the typed character is in a single byte. So you only actually need a single byte of the MAC address.

        And it happens to be the first byte, which for these Microsoft keyboards is always 0xCD. So you don't even need to bother figuring out what the MAC address is.

        • The presentation was confusing. It seems that you still need the MAC address to be able to listen at all, but you can brute force scanning for all of them. You just don't need it for the decrypt.

          • Needing to know the MAC address is just a limitation of the nRF24L01+ chip he was using. Conveniently though, the chip has an undocumented feature (or bug) that lets you trick it into giving the full packet, including the MAC address header. The only brute force scanning he ends up doing is to scan through all the different frequencies.

      • That sounds good if you simply want keypresses to not land accidentally in another computer's receiver.
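The two "encryption" designs discussed in this thread, as an added example that is not part of the discussion or of KeySweeper: the first part models the scheme Opportunist and Dagger2 describe (one byte of the receiver's MAC address XORed with the single-byte keystroke, with the claim from the thread that the byte is always 0xCD on the affected Microsoft keyboards), and the second part shows the block-cipher-as-stream-cipher construction from the reply to Smerta (counter mode), including how the in-clear counter handles lost packets. The 0xCD value, the "MAC" bytes, the typed string and the key are constructed from the comments or made up for the demo; HMAC-SHA256 stands in for AES because the Python standard library has no AES, and the protocol framing is hypothetical, not the real radio format.

```python
import hmac
import hashlib

# --- Part 1: the scheme as the commenters describe it -------------------------
# Model built from the comments above, not a verified reproduction of the
# keyboard protocol or of KeySweeper's code: keystroke XOR mac[0], with the
# thread's claim that mac[0] is always 0xCD on the affected keyboards.
CLAIMED_FIRST_MAC_BYTE = 0xCD


def weak_encrypt(keystrokes: bytes, mac: bytes) -> bytes:
    """Keyboard side of the described scheme: each keystroke byte XOR mac[0]."""
    return bytes(k ^ mac[0] for k in keystrokes)


def weak_eavesdrop(ciphertext: bytes) -> bytes:
    """Sniffer side: no pairing and no key material, just the constant byte."""
    return bytes(c ^ CLAIMED_FIRST_MAC_BYTE for c in ciphertext)


def weak_recover_key_byte(ciphertext: bytes, known_plaintext_byte: int) -> int:
    """Even if the constant were unknown, one keystroke the attacker can guess
    leaks the entire 'key' (the scheme is equivalent to a fixed substitution)."""
    return ciphertext[0] ^ known_plaintext_byte


# --- Part 2: block cipher used as a stream cipher (counter mode) ---------------
# A block cipher need not encrypt 16-byte blocks of keystrokes: in counter mode
# it encrypts a counter to make keystream, and the keystroke bytes are XORed
# with that. HMAC-SHA256 is a stand-in for AES here (stdlib has no AES); the
# construction is the same.
COUNTER_LEN = 8  # hypothetical framing: 8-byte counter header, then body


def keystream(key: bytes, counter: int) -> bytes:
    return hmac.new(key, counter.to_bytes(COUNTER_LEN, "big"), hashlib.sha256).digest()


def ctr_encrypt_packet(key: bytes, counter: int, keystrokes: bytes) -> bytes:
    """The per-packet counter travels in the clear so a receiver that missed
    packets can resynchronise; a fresh counter per packet also means identical
    keystrokes never produce identical ciphertext."""
    ks = keystream(key, counter)
    if len(keystrokes) > len(ks):
        raise ValueError("packet too long for one keystream block")
    body = bytes(p ^ k for p, k in zip(keystrokes, ks))
    return counter.to_bytes(COUNTER_LEN, "big") + body


def ctr_decrypt_packet(key: bytes, packet: bytes, last_counter: int):
    """Returns (keystrokes, new_last_counter); rejects replayed or reordered
    counters. There is no authentication tag here, so this resists eavesdropping
    but not bit-flipping by an active attacker; a real design adds a MAC/AEAD."""
    counter = int.from_bytes(packet[:COUNTER_LEN], "big")
    if counter <= last_counter:
        return None, last_counter
    ks = keystream(key, counter)
    return bytes(c ^ k for c, k in zip(packet[COUNTER_LEN:], ks)), counter


def demo() -> dict:
    # Constructed sample data: a "MAC" starting with the claimed byte, a typed
    # string, and a fixed pairing key for the counter-mode version.
    mac = bytes([0xCD, 0x12, 0x34, 0x56, 0x78])
    typed = b"hunter2\n"
    weak_ct = weak_encrypt(typed, mac)
    key = bytes.fromhex("000102030405060708090a0b0c0d0e0f")
    packets = [ctr_encrypt_packet(key, n, bytes([b])) for n, b in enumerate(typed, start=1)]
    # Receiver misses packet 3 and later sees packet 2 replayed by an attacker.
    delivered = packets[:2] + packets[3:] + [packets[1]]
    last, received = 0, []
    for pkt in delivered:
        pt, last = ctr_decrypt_packet(key, pkt, last)
        if pt is not None:
            received.append(pt)
    return {
        "weak_ciphertext_hex": weak_ct.hex(),
        "weak_recovered": weak_eavesdrop(weak_ct),
        "ctr_bodies_differ": len({p[COUNTER_LEN:] for p in packets}) == len(packets),
        "ctr_received": b"".join(received),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

In the weak scheme the sniffer recovers every keystroke without ever learning the address, which is why the comments call it obfuscation rather than encryption. In the counter-mode version the receiver decodes everything after the dropped packet because the counter is in the header, and the replayed packet is discarded; the missing piece a shipping design would still need is an authentication tag, since XOR keystream is malleable.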

    • This is why you need Bluetooth in order to be sure there's enough processor in the keyboard to encrypt. Microsoft's proprietary system for this now has to be considered hacked.

      • by mlts ( 1038732 )

        This raises a question:

        Why do we have these non-standard wireless keyboard protocols that have unknown (if not nonexistent) levels of security, when Bluetooth is a widely accepted standard, and has proven itself quite robust to attack (it isn't perfect, but BT 4.2 is pretty darn secure)?

        Why don't MS and other keyboard makers bundle a BT dongle ($10 on Amazon), and go with a tried/true standard? If the keyboard supports USB for charging, then pairing is definitely not an issue. If not, it can come pre-pa

    • alcogrythem

      I like it, sounds like a good title for a steampunk book: "The Alcogrythem" by Neal Stephenson.

  • by 140Mandak262Jamuna ( 970587 ) on Tuesday January 13, 2015 @04:30PM (#48805897) Journal
    I am sure the Microsoft keyboards are well engineered and will not allow a random listener within earshot to snoop in on communications. Microsoft has a well earned reputation for placing security above everything else. It would not compromise the security for some trivial thing like ease-of-use for dimwitted user. The keyboard will be using encrypted communication between the wireless keyboard and the host PC. In almost all the conference rooms in our office we routinely use wireless keyboard to log in to the conf-room PC, then remote desktop to login to our workstations to make presentations. We would not do it, if someone is using a compromised USB charger in the conference room.

    I have very good experience walking past grave yards whistling.

  • Dang this is NOT A STORY and the claim that this can work against all Microsoft Wireless Keyboards is 100% BS, and has been since 2007, when the issue was first uncovered; covered in depth by Schneier, and remedied in all versions of the Microsoft Wireless Keyboard created since then, which use at minimum 128-bit AES; NOT XOR.

    It's 2015, not 2007 people...
  • Can I use one of these as a replacement for the original wireless keyboard receiver? If I get more than five feet from the original receiver the keyboard doesn't work. This device is probably much better.

  • Another reason to avoid wireless keyboards unless absolutely necessary and security is of no concern.

  • The receiver for my Microsoft wireless keyboard has to be 1' away from the keyboard or else I drop keystrokes pretty regularly. So unless this thing is laid right across the home-key row I'm not worried that it will pick anything useful up.

  • Is there any way I can play dumb, and get some of these from a hacker? I never ever buy wireless keyboards (just what I don't need- a less reliable human input device), but I could really use some free USB chargers.
