Researcher builds $10 USB wall charger which can read data from any Microsoft wireless keyboard

A security researcher has developed a USB wall charger which he claims can read data from any wireless keyboard manufactured by Microsoft. He has named the device as KeySweeper and has also released a do it yourself tutorial on GitHub.

Bugs Exploited

The device, masquerades as a working USB wall charger. However, it secretly monitors any Microsoft wireless keyboards within range and “passively sniffs, decrypts, logs and reports back” everything typed on them, its creator claims. It can be used to log every input a user keys in, onto his machine.

“KeySweeper is a stealthy Ardunio-based device camouflaged as a wall charger that wirelessly sniffs, decrypts, logs and reports-back all keystrokes from any Microsoft wireless keyboard in the vicinity,” Kamkar said.

The apparent flaw in the Microsoft’s wireless keyboard transmitters has been exploited by the KeySweeper’s creator Samy Kamkar. Samy is a security researcher and entrepreneur who has previously flagged up issues with Parrot drones, illicit smartphone tracking and the PHP programming language. The KeySweeper uses GSM protocol to report back to the handlers thus making it very difficult to locate.

All keystrokes are logged online and locally. SMS alerts are sent upon trigger words, usernames or URLs, exposing passwords. If unplugged, KeySweeper continues to operate using its internal battery and auto-recharges upon repowering. A web based tool allows live keystroke monitoring.

According to Samy, KeySweeper can be constructed by investing as little as $10 with optional features including sending SMS alerts when keywords are entered, and an internal rechargeable battery – meaning the device can keep logging keystrokes even when unplugged. Microsoft keyboards are known to use encrytpion mechanisms before transmitting data.

Samy alleges to have found multiple bugs in the encryption which allowed him to decrypt the data being transfered. Keysweeper stores the captured keystrokes both online and locally, and then send it back to the KeySweeper operator over the Internet via an optional GSM chip.

“Even if we do not know the MAC address, we can decrypt the keystroke. Using a few-dollar Arduino and a US$1 Nordic RF chip we can decrypt these packets and see any keystroke of any keyboard in the vicinity that’s using the Microsoft wireless keyboard protocol and it doesn’t matter what OS is used.”

The breakdown of cost for building this spy tool is given below :

$3 – $30 : An Arduino or Teensy microcontroller can be used.

: An Arduino or Teensy microcontroller can be used. $1 : nRF24L01+ 2.4GHz RF Chip which communicates using GFSK over 2.4GHz.

: nRF24L01+ 2.4GHz RF Chip which communicates using GFSK over 2.4GHz. $6 : AC USB Charger for converting AC power to 5v DC.

: AC USB Charger for converting AC power to 5v DC. $2 (Optional) : An optional SPI Serial Flash chip can be used to store keystrokes on.

: An optional SPI Serial Flash chip can be used to store keystrokes on. $45 (Optional) : Adafruit has created a board called the FONA which allows you to use a 2G SIM card to send/receive SMS, phone calls, and use the Internet directly from the device.

: Adafruit has created a board called the FONA which allows you to use a 2G SIM card to send/receive SMS, phone calls, and use the Internet directly from the device. $3 (Optional if using FONA) : The FONA requires a mini-SIM card (not a micro-SIM).

: The FONA requires a mini-SIM card (not a micro-SIM). $5 (Optional, only if using FONA): The FONA provides on-board LiPo/LiOn battery recharging, and while KeySweeper is connected to AC power, the battery will be kept charged, but is required nonetheless.

A Microsoft spokesperson told VentureBeat that they “are aware of reports about a ‘KeySweeper’ device and are investigating.”

The exploit

The weakness of the encryption algorithm used by Microsoft lies in the fact that it uses a simple XOR operation with the computers MAC address as the key value. Since the nRF24L01+ chip can read the MAC address, the measure provides little security against moderately determined hackers. To make things even easier on attackers, all Microsoft keyboards begin with 0xCD as the MAC. As a result, even if an attacker doesn’t know the MAC address, we can decrypt a keystroke, as the alignment will never change, and 0xCD is always the first byte of the MAC.

This flaw isn’t a newly discovered one, many white hats like Travis Goodspeed, Thorsten Schröder, and Max Moser having brought this flaw to the surface multiple times. However, those attacks needed much larger & powerful computer systems to work. In comparison, a device like KeySweeper is revolutionary. The keyboard Kamkar tested for his research was a brand new model purchased two weeks ago from a Best Buy store, so there’s ample evidence the attack works against at least some Microsoft keyboards. That said, an Ars reader has pointed this this 2011 article reporting the release of a Microsoft keyboard with 128-bit AES encryption. Microsoft’s website lists only a single model of keyboard that offers that protection.

Microsoft has released an official statement regarding this successful hack and it is as follows: