How a $10 USB Charger Can Record Your Keystrokes Over the Air

Hardware hacker and security researcher Samy Kamkar has released a slick new device that masquerades as a typical USB wall charger but in fact houses a keylogger capable of recording keystrokes from nearby wireless keyboards.

The device is known as KeySweeper and Kamkar has released the source code and instructions for building one of your own. The components are inexpensive and easily available, and include an Arduino microcontroller, the charger itself and a handful of other bits. When it’s plugged into a wall socket, the KeySweeper will connect to a nearby Microsoft wireless keyboard and passively sniff, decrypt and record all of the keystrokes and send them back to the operator over the Web.

“KeySweeper has the capability to send SMS alerts upon certain keystrokes being typed, e.g. “www.bank.com”. If KeySweeper is removed from AC power, it appears to shut off, however it continues to operate covertly using an internal battery that is automatically recharged upon reconnecting to AC power,” Kamkar said in a post explaining the new device.

Wireless keyboards have become a popular option for users wanting to connect to a laptop. Kamkar said he picked Microsoft’s keyboards after going into Best Buy and seeing which models seemed to be the most prevalent. The effective range of the KeySweeper device is likely about the typical range of a Bluetooth device, he said, but that could be extended using a low-noise amplifier. The KeySweeper project builds on previous work from Travis Goodspeed and Thorsten Schröder and Max Moser.

Kamkar spells out the process for determining which chip the keyboard uses, and the frequency and protocol it uses to communicate with the USB dongle. With that done, he set about figuring out how to decrypt the keystrokes, which are encrypted in transit from the keyboard to the dongle.

Video: https://www.youtube.com/watch?v=WqkmGG0biXc

“Thorsten and Max discovered the keystrokes are simply encrypted (xor’d) with the MAC address in ECB mode, which we are able to sniff after using Travis’ method of abusing the nRF24L01+ to both sniff and reveal MAC addresses. This “encryption” is the equivalent of taking a deck of cards, cutting it once, and calling it shuffled,” Kamkar said.

“After further investigation, I found that since we now know all Microsoft keyboards begin with 0xCD as the MAC address, the actual keystroke (in orange below) happens to be aligned with the first byte of the MAC address (0xCD). This means even if we do not know the MAC address, we can decrypt the keystroke, as the alignment will never change, and 0xCD is always the first byte of the MAC.”
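The two quotes above describe a cryptographic failure rather than a radio trick, and it is worth seeing why in code. The following Python is an added illustration, not Kamkar's code and not part of the KeySweeper source: it models "encrypt by XOR with the MAC address" as a deterministic XOR with a repeating key whose first byte is a publicly known constant (0xCD, as stated on the page). The 5-byte key length and the toy frame layout (keystroke in byte 0, filler after it) are constructed assumptions, not the real protocol. It shows two defender-relevant lessons: the byte aligned with a known key byte has no confidentiality at all, however secret the rest of the key is, and a scheme with no nonce or IV leaks every repetition of plaintext even at positions where the key is unknown.

```python
import os

# Stated on the page: the first byte of every affected keyboard's MAC is 0xCD.
KNOWN_FIRST_MAC_BYTE = 0xCD

# Constructed assumption for this toy model: a 5-byte MAC (1 known + 4 secret bytes).
MAC_LEN = 5


def xor_with_repeating_key(data: bytes, key: bytes) -> bytes:
    """XOR each byte of `data` with the key, cycling the key.

    This is deterministic: there is no nonce or IV, so equal inputs always
    produce equal outputs. That is the 'ECB' property the article criticises.
    """
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def toy_encrypt(frame: bytes, mac: bytes) -> bytes:
    """Toy model of 'encrypt the frame by XORing it with the MAC address'.

    Constructed frame layout: byte 0 is the keystroke, so it lines up with the
    first key byte. Not the real Microsoft radio protocol.
    """
    return xor_with_repeating_key(frame, mac)


def recover_aligned_keystroke(ciphertext: bytes) -> int:
    """Recover the keystroke byte using only the public constant 0xCD.

    None of the secret MAC bytes are needed for this position: XOR with a
    known key byte is a fixed, invertible substitution, not encryption.
    """
    return ciphertext[0] ^ KNOWN_FIRST_MAC_BYTE


def random_mac_with_known_prefix() -> bytes:
    """Constructed MAC: fixed 0xCD prefix followed by random secret bytes."""
    return bytes([KNOWN_FIRST_MAC_BYTE]) + os.urandom(MAC_LEN - 1)


def known_prefix_leaks_keystroke(trials: int = 500) -> bool:
    """Across many independent secret MACs, the aligned byte is recovered
    every single time. Returns True if no trial failed."""
    for _ in range(trials):
        mac = random_mac_with_known_prefix()
        keystroke = os.urandom(1)[0]
        frame = bytes([keystroke]) + os.urandom(MAC_LEN - 1)  # constructed filler
        if recover_aligned_keystroke(toy_encrypt(frame, mac)) != keystroke:
            return False
    return True


def distinct_ciphertexts(frames: list, mac: bytes) -> int:
    """Second lesson: with a fixed key and no nonce, the number of distinct
    ciphertexts equals the number of distinct plaintexts, so an observer
    sees exactly which keystrokes repeat even at positions where no key
    byte is known. A nonce-based mode would make every message distinct."""
    return len({toy_encrypt(f, mac) for f in frames})


if __name__ == "__main__":
    secret_mac = random_mac_with_known_prefix()
    # Constructed sample: the same key pressed twice among three frames.
    sample = [b"\x61\x00\x00\x00\x00", b"\x62\x00\x00\x00\x00", b"\x61\x00\x00\x00\x00"]
    print("aligned byte recovered in all trials:", known_prefix_leaks_keystroke())
    print("distinct plaintexts:", len(set(sample)),
          "distinct ciphertexts:", distinct_ciphertexts(sample, secret_mac))
```

The takeaway for anyone specifying or reviewing a link-layer cipher is that a key containing a fixed, vendor-wide constant is partly public, and that any mode without a per-message nonce turns the ciphertext into a faithful map of plaintext repetition; an authenticated mode with a unique nonce per frame avoids both problems.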

The hardware portion of KeySweeper is designed to be as inconspicuous as possible, and Kamkar said it can be built with or without the GSM motherboard. He warns that the device can be dangerous because it doesn’t necessarily meet normal electrical standards and users without a good electrical background shouldn’t try to build one.

“KeySweeper uses extremely low-power and low profile hardware to remain as covert as possible. KeySweeper can be operated from a battery, or from ~3-20V DC power. Because we wish to keep KeySweeper powered at all times, we stealthily install it inside of an innocent wall USB charger which we expect to be always plugged in,” he said.

“In the case that the USB charger is unplugged, KeySweeper stealthily continues its operation using its (optional) internal battery. The moment KeySweeper is plugged back in, it switches back over to using AC power, and simultaneously recharges the battery.”

Kamkar, who has released a number of other hardware-based attack tools such as SkyJack and USBdriveby, said via email that there’s not a practical way to detect the KeySweeper attack.

“No, there is no way to detect the attack unfortunately (or fortunately, depending on which side of the table you’re sitting),” he said. 

Image from Flickr photos of ISTCE-IUL

Discussion

  • Reggie on

    I would probably say that this particular hack is only good on the cheaper Microsoft keyboards that use ECB and not their business keyboards that use AES encryption. In looking at the video, he chose a very common Microsoft unit (Keyboard 800) as opposed to a more common Microsoft business keyboard (Keyboard 2000). While the Keyboard 2000 is $10-15 more, the HUGE difference between the two is one uses AES whereas the cheaper does not. Still, it goes to show how a simple hack can do some real damage if you use wireless keyboards.
    • Blicky on

      @Reggie: ECB (Electronic Code Book) is just one mode of using AES. ECB transforms a block encryption algorithm (like AES, Twofish, or Blowfish) into a stream encryption algorithm (such as AES-ECB, AES-CBC, AES-CTR, or AES-GCM). This really emphasizes why it's so important for (non-security) folks not to attempt to reinvent cryptography primitives. In practical terms, ECB should almost never be used. GCM is preferable.
      • Reggie on

        @Blicky: Yes, I understand that. The point of me posting it that way is that those older Microsoft keyboards didn't, to my knowledge, use AES at all. While it is using ECB, I'm not sure as to what the actual encryption for those were/are. That particular hack has been out for 8 years now so it isn't necessarily new, but I haven't done much research into those keyboards in particular because I don't use them. The newer keyboards, which employ 128-bit AES encryption (I believe they are AES-CBC and not GCM, but I could be wrong) are much stronger and much harder to sniff.
  • Robert.Walter on

    Is this hack applicable to Apple's Bluetooth wireless keyboards as well? If not, why?
    • Reggie on

      No, this particular hack isn't applicable to Bluetooth keyboards from any vendor as that is a different wireless spec than what is being demonstrated here. This is breaking into the 27 MHz/2.4 GHz (non-Bluetooth) wireless keyboards that use wireless dongles and, in particular, cheaper Microsoft keyboards based on ECB that have been hackable for the last 8 years. That isn't to say that it is impossible to break into a Bluetooth keyboard because those are pretty easy to do too, especially if the encryption isn't implemented properly or if simple PINs are used (0000, 1234, etc.). Not completely sure about Apple's implementation, but I do know that the Microsoft Bluetooth keyboards are fairly difficult to break.