FBI Mum on Real-World KeySweeper Attacks

The FBI warned its business partners of the risks associated with KeySweeper, a device hidden in a USB wall charger that sniffs keystrokes from Microsoft wireless keyboards.

A private industry notification sent by the FBI in late April to its business partners warns of the risks associated with KeySweeper, a tool released in January 2015 by noted hardware hacker and researcher Samy Kamkar.

keysweeper charger

Sixteen months ago, Kamkar released the source code and instructions on how to build the device, which looks like a commodity USB wall charger (right), but is in fact a keylogger that sniffs keystrokes sent from any nearby wireless Microsoft keyboard.

The FBI advisory is dated April 29; the bureau would not comment on whether any real-world attacks had been carried out using KeySweeper.

“Unfortunately I cannot comment on the alert specifically, but in furtherance of public-private partnerships, the FBI routinely advises private industry of various cyber threat indicators observed during the course of our investigations,” an FBI spokesperson told Threatpost. “This data is provided in order to help systems administrators guard against the actions of persistent cyber criminals.”

A request for comment from Kamkar was not returned in time for publication. Kamkar said he was in the dark as to why the alert was released now.

“I don’t know of any real world attacks but I wouldn’t be surprised at all if it’s being used,” he told Threatpost.

The FBI advisory warns system administrators that since KeySweeper is an Arduino device, it’s modular and programmable and can used against a number of communication protocols used by wireless equipment.

“If placed strategically in an office or other location where individuals might use wireless devices, a malicious cyber actor could potentially harvest personally identifiable information, intellectual property, trade secrets, passwords, or other sensitive information,” the advisory says. “Since the data is intercepted prior to reaching the CPU, security managers may not have insight into how sensitive information is being stolen.”

Given its size, KeySweeper fits inside a working USB wall charger. The device can sniff, decrypt and log keystrokes, sending them to an attacker over GSM.

“All keystrokes are logged online and locally. SMS alerts are sent upon trigger words, usernames or URLs, exposing passwords,” reads a description of KeySweeper on its homepage. “If unplugged, KeySweeper continues to operate using its internal battery and auto-recharges upon repowering. A web based tool allows live keystroke monitoring.”

The device is relatively inexpensive to make (between $10 and $80 USD). According to the FBI advisory, there are enough resources available online that would enable an attacker to reprogram KeySweeper to sniff beyond just Microsoft wireless keyboards (some Microsoft keyboards that use AES encryption to secure communication between the keyboard and computer are immune to KeySweeper).

“A KeySweeper-like device could be used to harvest data from wireless devices other than wireless keyboards, to potentially include data from Bluetooth, Wi-Fi, or SMS traffic, depending on the difficulty of cracking a protocol’s chosen encryption method,” the advisory says. “Though the data could be collected, decryption depends on the configuration and protocol.”

The FBI suggests enterprises steer clear of wireless keyboards as a primary defense against KeySweeper sniffing, otherwise ensure that the keyboard uses AES to encrypt transmissions. Bluetooth keyboards are also reportedly safe given KeySweeper listens on a different channel than the one on which Bluetooth transmits, the FBI said. The FBI also advises organizations be vigilant about the use and integrity of wall chargers.

“The interesting thing to note is that when I released KeySweeper, only 1 out of 11 of their wireless keyboards had AES encryption. I’m looking now, and I believe all but *one* now have AES encryption,” Kamkar said.

KeySweeper isn’t the only hardware hack of its kind to target wireless keystrokes and mouse commands. The Mousejack attacks discovered by researchers at Bastille Networks allow an attacker from more than 200 meters away to abuse a vulnerability in the wireless dongle used by keyboards and primarily wireless mice. An attacker can take advantage of weak or non-existent encryption between a wireless mouse and the dongle and send commands from a relatively close distance that will be accepted by the host computer. The attacker can, therefore, transmit malicious packets that generate keystrokes rather than mouse clicks, so long as the victim’s computer is turned on.

This article was updated May 25 with comments from Samy Kamkar.

Suggested articles