Free Republic

This USB wall charger secretly logs keystrokes from Microsoft wireless keyboards nearby
venturebeat.com | January 12, 2015 | Emil Protalinski

Posted on 01/14/2015 11:50:55 AM PST by Second Amendment First

Privacy and security researcher Samy Kamkar has released a keylogger for Microsoft wireless keyboards cleverly hidden in what appears to be a rather large, but functioning USB wall charger. Called KeySweeper, the stealthy Arduino-based device can sniff, decrypt, log, and report back all keystrokes — saving them both locally and online.

This is no toy. KeySweeper includes a web-based tool for live keystroke monitoring, can send SMS alerts for trigger words, usernames, or URLs (in case you want to steal a PIN number or password), and even continues to work after it is unplugged thanks to a rechargeable internal battery. That’s an impressive list of features, especially given that Kamkar told VentureBeat the whole process “took a few days” including a few over Christmas break and this past weekend when he decided “to properly document it.”

This “spy tool” only affects Microsoft wireless keyboards, and it allegedly works with many, if not most, of them. As a result, we reached out to let the company know. “We are aware of reports about a ‘KeySweeper’ device and are investigating,” a Microsoft spokesperson told VentureBeat.

KeySweeper exploits multiple bugs, including the fact that all Microsoft keyboards use the same first byte in their MAC address. Along with a few other holes, it can thus allegedly decrypt any Microsoft keyboard nearby without having to specify its MAC address first.

Kamkar told VentureBeat that he tested KeySweeper “on a brand new keyboard I purchased only a few weeks ago from Best Buy.” Naturally he hasn’t tested it on all Microsoft keyboards — that’s a claim the company will undoubtedly have to verify itself.

In the meantime, Kamkar has put together a walkthrough video for a more in-depth look of KeySweeper:

Kamkar says the unit cost for KeySweeper ranges from $10 to $80, depending on which functions you require. The hardware breakdown is as follows:

$3 – $30: An Arduino or Teensy microcontroller can be used.
$1: nRF24L01+ 2.4GHz RF Chip which communicates using GFSK over 2.4GHz.
$6: AC USB Charger for converting AC power to 5v DC.
$2 (Optional): An optional SPI Serial Flash chip can be used to store keystrokes on.
$45 (Optional): Adafruit has created a board called the FONA which allows you to use a 2G SIM card to send/receive SMS, phone calls, and use the Internet directly from the device.
$3 (Optional if using FONA): The FONA requires a mini-SIM card (not a micro-SIM).
$5 (Optional, only if using FONA): The FONA provides on-board LiPo/LiOn battery recharging, and while KeySweeper is connected to AC power, the battery will be kept charged, but is required nonetheless.

As for the software, the primary code is installed on the microcontroller, while the web-based backend uses jQuery and PHP. KeySweeper’s source code and schematic are available on GitHub.

Kamkar hopes his project will do more than just give would-be spies a how-to guide. He told VentureBeat: “I hope this creates pressure to ensure that we have proper encryption in new wireless products that come out!”


TOPICS: News/Current Events
KEYWORDS:
keysweeper
1 posted on 01/14/2015 11:50:55 AM PST by Second Amendment First

To: Second Amendment First

How many people just leave a charger plugged in like that? The only time I plug in a charger is when I’m charging something.


2 posted on 01/14/2015 11:54:34 AM PST by Oshkalaboomboom

To: Second Amendment First; null and void

Now our wall warts are spying on us!...........................


3 posted on 01/14/2015 11:55:30 AM PST by Red Badger (If you compromise with evil, you just get more evil..........................)

To: Second Amendment First

The basics of computer security?

1. Never use wireless anything.


4 posted on 01/14/2015 12:00:29 PM PST by proxy_user

To: Oshkalaboomboom

“How many people just leave a charger plugged in like that? The only time I plug in a charger is when I’m charging something.”
****************************************************************************************************
Interesting bit from the article:

“...KeySweeper... even continues to work after it is unplugged thanks to a rechargeable internal battery....”


5 posted on 01/14/2015 12:10:03 PM PST by House Atreides

To: Oshkalaboomboom
How many people just leave a charger plugged in like that?

Quite a few. I was over at my mother's just the other day, and pulled out her iPad charger, telling her that it does draw power just plugged in alone, and reminded her that even each of the GFI outlets draw upwards of 50w/day.

6 posted on 01/14/2015 12:12:05 PM PST by Calvin Locke

To: proxy_user

I really don’t use much wireless except for a micro keyboard for stand alone thin clients.

Every paper shuffler I support either has one or wants one. They also want dual big monitors and their own printer.


7 posted on 01/14/2015 12:17:02 PM PST by wally_bert (There are no winners in a game of losers. I'm Tommy Joyce, welcome to the Oriental Lounge.)

To: Oshkalaboomboom

Leave mine in my office plugged in all the time.


8 posted on 01/14/2015 12:22:53 PM PST by Lee'sGhost ("Just look at the flowers, Lizzie. Just look at the flowers.")

To: Second Amendment First
My camera charger looks just like that.....

(switching to wired keyboard)

9 posted on 01/14/2015 12:42:03 PM PST by smokingfrog ( sleep with one eye open (<o> ---)

To: sneakers

bttt


10 posted on 01/14/2015 12:44:34 PM PST by sneakers

To: Second Amendment First

I’ve suspected that Arduino is the back door for many of these “Internet of Things”


11 posted on 01/14/2015 1:20:12 PM PST by Zathras

To: Calvin Locke
and reminded her that even each of the GFI outlets draw upwards of 50w/day

If she has a 50W lamp plugged in it and turned on, then yes. But no, the ground fault interrupt outlet does not draw anything on its own.

12 posted on 01/14/2015 1:24:08 PM PST by Monitor ("The urge to save humanity is almost always a false-front for the urge to rule it." - H. L. Mencken)

To: proxy_user

I have worked at one place where wireless devices were explicitly prohibited due to security reasons.


13 posted on 01/14/2015 1:39:48 PM PST by Fred Hayek (The Democratic Party is now the operational arm of the CPUSA)

To: Monitor

Last time I checked (probably a dozen years ago), there’s a National Semi part inside each one (doesn’t matter the brand), and when all is said and done, it draws 2w/hour just being connected.


14 posted on 01/14/2015 1:41:12 PM PST by Calvin Locke

To: Calvin Locke; Monitor

Here is a discussion on it.

http://www.garagejournal.com/forum/showthread.php?t=209624&showall=1


15 posted on 01/14/2015 2:33:29 PM PST by ansel12 (Civilization, Crusade against the Mohammedan Death Cult.)

To: Second Amendment First
When are these gadgets going to start talking to us and controlling our movements?
16 posted on 01/14/2015 4:24:34 PM PST by Cecily

To: Red Badger; COUNTrecount; Nowhere Man; FightThePower!; C. Edmund Wright; jacob allen; ...
Nut-job Conspiracy Theory Ping!

To get onto The Nut-job Conspiracy Theory Ping List you must threaten to report me to the Mods if I don't add you to the list...


17 posted on 01/14/2015 5:58:33 PM PST by null and void (The aggregate effect of competitive capitalism is indistinguishable from magic)

To: Second Amendment First

i figured everyone knew wireless keyboards were easily plucked from the air

this just allows joe-average to install it and receive the info over the net


18 posted on 01/14/2015 6:38:33 PM PST by sten (fighting tyranny never goes out of style)

To: Second Amendment First
Let's face it. Every single thing we do online is tracked and stored. There is a huge underground bunker of government officials who are, as I type this, monitoring the online activity of every single American. They are all giggling and making fun of us.

I just want to say hello to them and let them know that I know they are out there.

19 posted on 01/14/2015 6:42:31 PM PST by SamAdams76

To: proxy_user

You forgot 2: See 1. /snark


20 posted on 01/14/2015 9:28:31 PM PST by piytar (No government has ever wanted its people to be defenseless for any good reason.)

