Beware Of Keystroke Loggers Disguised As USB Phone Chargers, FBI Warns (arstechnica.com) 49
An anonymous reader cites an article on Ars Technica: FBI officials are warning private industry partners to be on the lookout for highly stealthy keystroke loggers that surreptitiously sniff passwords and other input typed into wireless keyboards. The FBI's Private Industry Notification (PDF) comes more than 15 months after whitehat hacker Samy Kamkar released a KeySweeper, a proof-of-concept attack platform that covertly logged and decrypted keystrokes from many Microsoft-branded wireless keyboards and transmitted the data over cellular networks. To lower the chances that the sniffing device might be discovered by a target, Kamkar designed it to look almost identical to USB phone chargers that are nearly ubiquitous in homes and offices."If placed strategically in an office or other location where individuals might use wireless devices, a malicious cyber actor could potentially harvest personally identifiable information, intellectual property, trade secrets, passwords, or other sensitive information," FBI officials wrote in last month's advisory. "Since the data is intercepted prior to reaching the CPU, security managers may not have insight into how sensitive information is being stolen."
Use a USB Condom (Score:2)
I got a couple of these [amzn.to] last year. The data lines aren't connected (YMMV on the other claims). Use adapters as needed.
Practice safe charging, /..
Re:Use a USB Condom (Score:4, Informative)
The problem is you can conceal a radio in that little pink piece of shit, and then when you plug it into USB it powers up the radio and listens for your bluetooth and RF keyboards, logs keys, and then connects to whatever wifi it can find and e-mails all your passwords to some asshole in Beijing.
At least they are anti-encryption law compliant (Score:2)
The good news is that even if the FBI & Feinstein & Company get their anti-strong-encryption law passed, these unsecure Microsoft keyboards will still be legal to use, whereas anything that uses strong encryption and isn't susceptible to hacks like this would be illegal... because encryption is obviously bad for America. You know, terrorism, blah, blah, blah.
Re:Use a USB Condom (Score:5, Interesting)
There might come a day. ;)
A friend of mine was joking the other day about his coffee machine. It's always warm, even when it's not on, and far larger than is needed to make coffee, which he finds suspicious - maybe it's actually a clever ploy to mine bitcoin on stolen electricity, he suggested. The more I think about it, the more I think that's genius, a perfect scheme for a nefarious manufacturer in China ;) The cost of a sim card dongle won't add much to the cost of the mining hardware the cost of the electricity is over half the total cost of mining, and people would actually pay to acquire the hardware and host it in their own climate-controlled "data center" (home). They could make them, then sell them on ebay for cut-rate prices. So long as it actually makes coffee and doesn't break in that regard, I really doubt many people would notice. And of those who noticed, who would think to break it open to see if there's any bitcoin-mining hardware inside, rather than just defective wiring?
Re: (Score:2)
In other words, it's like a USB cable from the Dollar Tree.
You'd be limited to slow charging, since it can't negotiate rate, and some devices like Blackberrys will refuse to charge at all.
Clever attack on a very old vulnerability (Score:3)
Most of us have known for almost a decade [hackaday.com] that many of Microsoft's wireless mice and keyboards use an insecure protocol. So although this is a clever piece of hardware, it's really sad if anybody is still using vulnerable hardware.
This is just another reason why every time I review a wireless keyboard or mouse or trackball or trackpad, if it isn't Bluetooth, that's usually the first complaint in my review. We have standards for a reason, and those standards are at least moderately robust against this type of attack. Unfortunately, too many keyboard/mouse manufacturers try to cut corners by using whatever cheap custom hardware they've been using for a decade, and they wonder why they get lousy range (not to mention lousy security).
Re: (Score:3)
I bought the Microsoft Cordless Bluetooth Elite desktop package when it first came out. It was twice the price of the non-Bluetooth version... a considerable premium most "I just want a wireless keyboard" people wouldn't pay. Cool thing is the included Bluetooth receiver actually stored the keys and operated in HID mode even before the operating system booted.
Problem is time and time again consumers will buy the cheaper option... cheaper keyboard, cheaper cell phone charger etc.
Re: (Score:1)
I never knew my laptop had bluetooth, still can't find it listed in devices. Yet, once in a while (Win10), it will magically 'appear' in my notifications tray. I used task manager to "disable" it, yet it still appears at random times. I've/my laptop has been owned/pwned, methinks.
Logitech=no bluetooth (Score:2)
Logitech discontinued their Bluetooth desktop keyboards and mice too, All their desktop keyboards and mice now use the Unity dongle, who knows about the encryption on those. They still sell a couple of tablet oriented bluetooth keyboards but those are chicklet key and flat.
My MX 5500 Revolution is now dying and there is no decent and affordable bluetooth replacement. Someone on Amazon is asking $700 for a new in the box MX 5500, not sure if they have sold any for that amount.
Re: (Score:2)
Anyone that actually supports any of the candidates on this election is dumb as a brick.
It's clearly a case of "choosing your own kind of hell" than anything else.
Re: (Score:2)
And NEVER EVER buy gear made in China. That is just asking Bill Cosby for three blue pills and wine.
VOTE TRUMP 2016
Better yet, never buy gear that has ANY components made in China! May as well go Amish.
Re: (Score:2)
I don't know about you, but I hand-craft all of my electronics myself from locally-sourced artisanal hardwood and kitchen twist-ties. It's the only way to be sure.
Once again the perils of wireless show their heads (Score:3, Insightful)
Wireless is insecure. It's that simple. Do not trust anything that transmits your data without a physical wire because, no matter what protocol, passwords or encryption are used it will always, without a shadow of a doubt, be broken.
Trust copper wire not omnidirectional transmitters.
Re: (Score:1)
Re: (Score:2)
Is buying it good enough?
Google: pc keyboard hardware keylogger
Re: (Score:3)
If you know where the keyboard is located physically and have a sensitive enough array of directional antennas, you could theoretically detect the voltage spikes from each individual keyswitch closing. And you could probably do some sort of advanced Van Eck phreaking to sniff th
Re: (Score:2)
Re: (Score:2)
No copper is going to save you if somebody targets you specifically. Big or not so big brother can just install hardware or software bug inside your computer and you will never know.
Re: (Score:2)
So, in other words, the FBI finally figured out how to solve that Apple iPhone problem.
Beware?! (Score:2)
Re: (Score:2)
The only thing I ever use wireless keyboards for is for HTPC and similar functions. Only as a remote control and NOT for anything work or security related. This is as much for reliability as security, as back in the day wireless keyboards (and especialy mice) were flaky and ate batteries at an unholy rate.
The ONLY reason I use a wireless keyboard for certain things with my HTPC (and now my Nvidia shield) is that the security of a wire is unnecessary, and incredibly inconvenient while sitting on my couch
I never would have guessed... (Score:1)
Re: (Score:2)
Re: (Score:2)
News flash: spying apparatus isn't disguised (Score:2)
It looks just like your computers, apparatus, cellular, and peripheral electronic devices. Microsoft even brands apparatus that is completely indistinguishable from authentic input devices resembling the form and function of "actual" keyboards, mice, game consoles, and even smart phones and mp3 players. Holy crap, next thing we'll find out is they manufacture it all in China, like traditional American corporate profitability. Its way cheaper to have it built by a highly skilled low cost labor force subsi