Follow Slashdot blog updates by subscribing to our blog RSS feed

 



Forgot your password?
typodupeerror
×
Security

Beware Of Keystroke Loggers Disguised As USB Phone Chargers, FBI Warns (arstechnica.com) 49

An anonymous reader cites an article on Ars Technica: FBI officials are warning private industry partners to be on the lookout for highly stealthy keystroke loggers that surreptitiously sniff passwords and other input typed into wireless keyboards. The FBI's Private Industry Notification (PDF) comes more than 15 months after whitehat hacker Samy Kamkar released a KeySweeper, a proof-of-concept attack platform that covertly logged and decrypted keystrokes from many Microsoft-branded wireless keyboards and transmitted the data over cellular networks. To lower the chances that the sniffing device might be discovered by a target, Kamkar designed it to look almost identical to USB phone chargers that are nearly ubiquitous in homes and offices."If placed strategically in an office or other location where individuals might use wireless devices, a malicious cyber actor could potentially harvest personally identifiable information, intellectual property, trade secrets, passwords, or other sensitive information," FBI officials wrote in last month's advisory. "Since the data is intercepted prior to reaching the CPU, security managers may not have insight into how sensitive information is being stolen."
This discussion has been archived. No new comments can be posted.

Beware Of Keystroke Loggers Disguised As USB Phone Chargers, FBI Warns

Comments Filter:
  • I got a couple of these [amzn.to] last year. The data lines aren't connected (YMMV on the other claims). Use adapters as needed.

    Practice safe charging, /..

    • Re:Use a USB Condom (Score:4, Informative)

      by bluefoxlucid ( 723572 ) on Tuesday May 24, 2016 @02:30PM (#52173549) Homepage Journal

      The problem is you can conceal a radio in that little pink piece of shit, and then when you plug it into USB it powers up the radio and listens for your bluetooth and RF keyboards, logs keys, and then connects to whatever wifi it can find and e-mails all your passwords to some asshole in Beijing.

      • The good news is that even if the FBI & Feinstein & Company get their anti-strong-encryption law passed, these unsecure Microsoft keyboards will still be legal to use, whereas anything that uses strong encryption and isn't susceptible to hacks like this would be illegal... because encryption is obviously bad for America. You know, terrorism, blah, blah, blah.

    • In other words, it's like a USB cable from the Dollar Tree.

      You'd be limited to slow charging, since it can't negotiate rate, and some devices like Blackberrys will refuse to charge at all.

  • Most of us have known for almost a decade [hackaday.com] that many of Microsoft's wireless mice and keyboards use an insecure protocol. So although this is a clever piece of hardware, it's really sad if anybody is still using vulnerable hardware.

    This is just another reason why every time I review a wireless keyboard or mouse or trackball or trackpad, if it isn't Bluetooth, that's usually the first complaint in my review. We have standards for a reason, and those standards are at least moderately robust against this type of attack. Unfortunately, too many keyboard/mouse manufacturers try to cut corners by using whatever cheap custom hardware they've been using for a decade, and they wonder why they get lousy range (not to mention lousy security).

    • I bought the Microsoft Cordless Bluetooth Elite desktop package when it first came out. It was twice the price of the non-Bluetooth version... a considerable premium most "I just want a wireless keyboard" people wouldn't pay. Cool thing is the included Bluetooth receiver actually stored the keys and operated in HID mode even before the operating system booted.

      Problem is time and time again consumers will buy the cheaper option... cheaper keyboard, cheaper cell phone charger etc.

      • by Anonymous Coward

        I never knew my laptop had bluetooth, still can't find it listed in devices. Yet, once in a while (Win10), it will magically 'appear' in my notifications tray. I used task manager to "disable" it, yet it still appears at random times. I've/my laptop has been owned/pwned, methinks.

    • Logitech discontinued their Bluetooth desktop keyboards and mice too, All their desktop keyboards and mice now use the Unity dongle, who knows about the encryption on those. They still sell a couple of tablet oriented bluetooth keyboards but those are chicklet key and flat.

      My MX 5500 Revolution is now dying and there is no decent and affordable bluetooth replacement. Someone on Amazon is asking $700 for a new in the box MX 5500, not sure if they have sold any for that amount.

  • by Anonymous Coward on Tuesday May 24, 2016 @02:41PM (#52173681)

    Wireless is insecure. It's that simple. Do not trust anything that transmits your data without a physical wire because, no matter what protocol, passwords or encryption are used it will always, without a shadow of a doubt, be broken.

    Trust copper wire not omnidirectional transmitters.

    • by dgatwood ( 11270 )

      Wireless is insecure. It's that simple. Do not trust anything that transmits your data without a physical wire because, no matter what protocol, passwords or encryption are used it will always, without a shadow of a doubt, be broken.

      If you know where the keyboard is located physically and have a sensitive enough array of directional antennas, you could theoretically detect the voltage spikes from each individual keyswitch closing. And you could probably do some sort of advanced Van Eck phreaking to sniff th

    • by rch7 ( 4086979 )

      No copper is going to save you if somebody targets you specifically. Big or not so big brother can just install hardware or software bug inside your computer and you will never know.

  • Beware? There is nothing you could do about this attack other than not using wireless keyboard with insecure data transmission protocol (i.e. all of them).
    • The only thing I ever use wireless keyboards for is for HTPC and similar functions. Only as a remote control and NOT for anything work or security related. This is as much for reliability as security, as back in the day wireless keyboards (and especialy mice) were flaky and ate batteries at an unholy rate.

      The ONLY reason I use a wireless keyboard for certain things with my HTPC (and now my Nvidia shield) is that the security of a wire is unnecessary, and incredibly inconvenient while sitting on my couch

  • that using random USB devices on your phone may be a bad idea...
  • It looks just like your computers, apparatus, cellular, and peripheral electronic devices. Microsoft even brands apparatus that is completely indistinguishable from authentic input devices resembling the form and function of "actual" keyboards, mice, game consoles, and even smart phones and mp3 players. Holy crap, next thing we'll find out is they manufacture it all in China, like traditional American corporate profitability. Its way cheaper to have it built by a highly skilled low cost labor force subsi

If all the world's economists were laid end to end, we wouldn't reach a conclusion. -- William Baumol

Working...