Researcher builds $10 USB wall charger which can read data from any Microsoft wireless keyboardBugs ExploitedThe exploit
Bugs Exploited
The device, masquerades as a working USB wall charger. However, it secretly monitors any Microsoft wireless keyboards within range and “passively sniffs, decrypts, logs and reports back” everything typed on them, its creator claims. It can be used to log every input a user keys in, onto his machine. The apparent flaw in the Microsoft’s wireless keyboard transmitters has been exploited by the KeySweeper’s creator Samy Kamkar. Samy is a security researcher and entrepreneur who has previously flagged up issues with Parrot drones, illicit smartphone tracking and the PHP programming language. The KeySweeper uses GSM protocol to report back to the handlers thus making it very difficult to locate. According to Samy, KeySweeper can be constructed by investing as little as $10 with optional features including sending SMS alerts when keywords are entered, and an internal rechargeable battery – meaning the device can keep logging keystrokes even when unplugged. Microsoft keyboards are known to use encrytpion mechanisms before transmitting data.
Samy alleges to have found multiple bugs in the encryption which allowed him to decrypt the data being transfered. Keysweeper stores the captured keystrokes both online and locally, and then send it back to the KeySweeper operator over the Internet via an optional GSM chip.
$3 – $30: An Arduino or Teensy microcontroller can be used. $1: nRF24L01+ 2.4GHz RF Chip which communicates using GFSK over 2.4GHz. $6: AC USB Charger for converting AC power to 5v DC. $2 (Optional): An optional SPI Serial Flash chip can be used to store keystrokes on. $45 (Optional): Adafruit has created a board called the FONA which allows you to use a 2G SIM card to send/receive SMS, phone calls, and use the Internet directly from the device. $3 (Optional if using FONA): The FONA requires a mini-SIM card (not a micro-SIM). $5 (Optional, only if using FONA): The FONA provides on-board LiPo/LiOn battery recharging, and while KeySweeper is connected to AC power, the battery will be kept charged, but is required nonetheless.
A Microsoft spokesperson told VentureBeat that they “are aware of reports about a ‘KeySweeper’ device and are investigating.”
The exploit
The weakness of the encryption algorithm used by Microsoft lies in the fact that it uses a simple XOR operation with the computers MAC address as the key value. Since the nRF24L01+ chip can read the MAC address, the measure provides little security against moderately determined hackers. To make things even easier on attackers, all Microsoft keyboards begin with 0xCD as the MAC. As a result, even if an attacker doesn’t know the MAC address, we can decrypt a keystroke, as the alignment will never change, and 0xCD is always the first byte of the MAC. This flaw isn’t a newly discovered one, many white hats like Travis Goodspeed, Thorsten Schröder, and Max Moser having brought this flaw to the surface multiple times. However, those attacks needed much larger & powerful computer systems to work. In comparison, a device like KeySweeper is revolutionary. The keyboard Kamkar tested for his research was a brand new model purchased two weeks ago from a Best Buy store, so there’s ample evidence the attack works against at least some Microsoft keyboards. That said, an Ars reader has pointed this this 2011 article reporting the release of a Microsoft keyboard with 128-bit AES encryption. Microsoft’s website lists only a single model of keyboard that offers that protection. Microsoft has released an official statement regarding this successful hack and it is as follows: