KeySweeper – FBI warns about fake USB chargers

The FBI has issued an official advisory notification to its private industry partners. In it, the FBI warns about KeySweeper – a fake USB charger that can target wireless Microsoft keyboards,

KeySweeper is a covert device that resembles a functional Universal Serial Bus (USB) enabled device charger which conceals hardware capable of harvesting keystrokes from certain wireless keyboards.

The device is designed to be placed “strategically in an office or other location where individuals might use wireless devices.” The fake USB charger works by detecting radio frequency (rf) signals sent between a wireless keyboard and its associated dongle. It can then decrypt this information, presenting a major security risk.

Keysweeper is effectively an Arduino device hidden inside the shell of a fake USB charger. The device collects all keystrokes made on the keyboard. It then stores this data either online or locally.

keysweeper usb open

It can even send hackers SMS alerts based on “trigger words” typed on the keyboard. This includes usernames or URLs, so that passwords are sent in real-time.

Keysweeper is a hacking tool developed by privacy and security researcher Samy Kamkar. Kamar provides the open source code that operates this device, and his website provides detailed instruction on how to build one.

It exploits a careless flaw built into the encryption used by Microsoft to protect its wireless keyboards from precisely this kind of attack. Keystrokes are protected by the XOR algorithm using the MAC address of the keyboard as the key.

I found that since we now know all Microsoft keyboards begin with 0xCD as the MAC address, the actual keystroke (in orange below) happens to be aligned with the first byte of the MAC address (0xCD). This means even if we do not know the MAC address, we can decrypt the keystroke, as the alignment will never change, and 0xCD is always the first byte of the MAC.

Keysweeper decrypt

So which keyboards are affected by KeySweeper?

This attack should work against many WiFi based Microsoft (and possibly other manufacturers’) keyboards. Bluetooth keyboards are not vulnerable, and keyboards that do not use XOR encryption should also be immune to the attack. A good example of this is the Wireless Desktop 2000. Despite being released back in 2011, it employs AES-128 encryption instead.

If you are worried, the best advice is to test your keyboard using the exploit outlined by Kamer. Or just not use a Microsoft keyboard, although Microsoft responded with the following statement,

Keyboards from multiple manufacturers are affected by this device. Where Microsoft keyboards are concerned, customers using our Bluetooth-enabled keyboards are protected from this type of attack. In addition, users of our 2.4GHz wireless keyboard designs from July 2011 onwards are also protected because these keyboards use Advance Encryption Standard (AES) technology.

Keysweeper spy software

The FBI suggests simply to not use a wireless keyboard at all!

The primary method of defense is for corporations to restrict the use of wireless keyboards. Since the KeySweeper requires over-the-air transmission, a wired keyboard will be safe from this type of attack.

Additional practices suggested are to limit the number of available charging outlets, to learn which charges are being used in an office, and to immediately remove any unknown chargers.

I will leave you with Kamar’s slightly sick joke,

My friend Dana lent me her doll soldering iron. I don’t quite understand what she uses it for, but it’s a soldering iron with an attachable razor. This is great for cutting through plastic, and dolls, I presume. She took the iron back as soon as I explained what the device would do. Apparently she does not support this, though I’m not sure why. I’m sure I’ll find out after I sniff more keystrokes from her keyboard.”

Douglas Crawford I am a freelance writer, technology enthusiast, and lover of life who enjoys spinning words and sharing knowledge for a living. Find me on Google+

Related Coverage


Leave a Reply

Your email address will not be published. Required fields are marked *