A $10 USB charger with built-in wireless keylogger means more security headaches
by Adrian Kingsley-Hughes
Think that keeping hackers out of your digital fortress is already hard work, or that that BYOD is a security timebomb waiting to blow up in your face? Well, here's something new for you to worry about - a $10 USB charger that features a built-in wireless keylogger.
KeySweeper is the brainchild of hardware hacker and security researcher Samy Kamkar. On the outside it looks like a regular wall wart, but on the inside is an Arduino microcontroller that allows the KeySweeper to connect to nearby wireless keyboards - Kamkar uses Microsoft keyboards in the demonstration - and passively sniff, decrypt and log all of the keystrokes. These keystrokes are then be transmitted over the Internet using an optional GSM module, or stored on flash memory inside the device.
Unplugging KeySweeper doesn't make you any safer either because it also features an internal battery.
This device is possible because of the painfully weak security employed by wireless keyboards.
How can you defend against this? Here are some options:
- 1. Because the device is passive, detecting it is next to impossible without a thorough physical examination of ALL your hardware. Remember, while this example is housed inside a USB charger, in theory it could be concealed inside anything that can provide power or house a big enough battery). You could audit all your hardware, and use anti-tamper mechanisms to prevent the keylogger from being fitted after inspection.
- 2. Don't use wireless keyboards.
UPDATE: Statement from Microsoft:
"Keyboards from multiple manufacturers are affected by this device. Where Microsoft keyboards are concerned, customers using our Bluetooth-enabled keyboards are protected from this type of attack. In addition, users of our 2.4GHz wireless keyboard designs from July 2011 onwards are also protected because these keyboards use Advance Encryption Standard (AES) technology." - a Microsoft spokesperson