How a $10 USB Charger Can Record Your Keystrokes Over the Air

Hardware hacker and security researcher Samy Kamkar has released a slick new device that masquerades as a typical USB wall charger but in fact houses a keylogger capable of recording keystrokes from nearby wireless keyboards.

Hardware hacker and security researcher Samy Kamkar has released a slick new device that masquerades as a typical USB wall charger but in fact houses a keylogger capable of recording keystrokes from nearby wireless keyboards.

The device is known as KeySweeper and Kamkar has released the source code and instructions for building one of your own. The components are inexpensive and easily available, and include an Arduino microcontroller, the charger itself and a handful of other bits. When it’s plugged into a wall socket, the KeySweeper will connect to a nearby Microsoft wireless keyboard and passively sniff, decrypt and record all of the keystrokes and send them back to the operator over the Web.

“KeySweeper has the capability to send SMS alerts upon certain keystrokes being typed, e.g. “www.bank.com”. If KeySweeper is removed from AC power, it appears to shut off, however it continues to operate covertly using an internal battery that is automatically recharged upon reconnecting to AC power,” Kamkar said in a post explaining the new device.

Wireless keyboards have become a popular option for users wanting to connect to a laptop. Kamkar said he picked Microsoft’s keyboards after going into Best Buy and seeing which models seemed to be the most prevalent. The effective range of the KeySweeper device is likely about the typical range of a Bluetooth device, he said, but that could be extended using a low-noise amplifier. The KeySweeper project builds on previous work from Travis Goodspeed and Thorsten Schröder and Max Moser.

Kamkar spells out the process for determining the kind of chip that the keyboard is using and the frequency and protocol it’s using to communicate with the USB dongle. With that done, he then set about figuring out how to decrypt the keystrokes, which are encrypted as they move from the keyboard to the dongle.

[youtube https://www.youtube.com/watch?v=WqkmGG0biXc?rel=0&w=560&h=315]

“Thorsten and Max discovered the keystrokes are simply encrypted (xor’d) with the MAC address in ECB mode, which we are able to sniff after using Travis’ method of abusing the nRF24L01+ to both sniff and reveal MAC addresses. This “encryption” is the equivalent of taking a deck of cards, cutting it once, and calling it shuffled,” Kamkar said.

“After further investigation, I found that since we now know all Microsoft keyboards begin with 0xCD as the MAC address, the actual keystroke (in orange below) happens to be aligned with the first byte of the MAC address (0xCD). This means even if we do not know the MAC address, we can decrypt the keystroke, as the alignment will never change, and 0xCD is always the first byte of the MAC.”

The hardware portion of KeySweeper is designed to be as inconspicuous as possible, and Kamkar said it can be built with or without the GSM motherboard. He warns that the device can be dangerous because it doesn’t necessarily meet normal electrical standards and users without a good electrical background shouldn’t try to build one.

“KeySweeper uses extremely low-power and low profile hardware to remain as covert as possible. KeySweeper can be operated from a battery, or from ~3-20V DC power. Because we wish to keep KeySweeper powered at all times, we stealthily install it inside of an innocent wall USB charger which we expect to be always plugged in,” he said.

“In the case that the USB charger is unplugged, KeySweeper stealthily continues its operation using its (optional) internal battery. The moment KeySweeper is plugged back in, it switches back over to using AC power, and simultaneously recharges the battery.”

Kamkar, who has released a number of other hardware-based attack tools such as SkyJack and USBdriveby, said via email that there’s not a practical way to detect the KeySweeper attack.

“No, there is no way to detect the attack unfortunately (or fortunately, depending on which side of the table you’re sitting),” he said. 

Image from Flickr photos of ISTCE-IUL

Suggested articles