Wireless Keylogger Masquerades as USB Phone Charger

msm1267 writes: Hardware hacker and security researcher Samy Kamkar has released a slick new device that masquerades as a typical USB wall charger but in fact houses a keylogger capable of recording keystrokes from nearby wireless keyboards. The device is known as KeySweeper, and Kamkar has released the source code and instructions for building one of your own. The components are inexpensive and easily available, and include an Arduino microcontroller, the charger itself, and a handful of other bits. When it's plugged into a wall socket, the KeySweeper will connect to a nearby Microsoft wireless keyboard and passively sniff, decrypt and record all of the keystrokes and send them back to the operator over the Web.

And this is good why?

[Iniamyen]

I am not a security expert, but what non-nefarious purpose does this product serve?

Re:And this is good why?

[AK+Marc]

What if you want to sniff your own keyboard?

Re:And this is good why?

[fightinfilipino]

What if you want to sniff your own keyboard?

when i do this i just end up snorting cookie and chip crumbs.

Re:And this is good why?

[slacktide]

It's purpose is clearly to force wireless device manufacturers to use secure data transmission protocols.

Re:And this is good why?

people could be secretly using this technology already, could have been for the past 10 years or more, to spy on you.

by making it easy and publicizing it, this teaches you today about the risks you have already been facing which is good because perhaps now you will take steps and do something about it.

Re:And this is good why?

It raises awareness to just how insecure wireless keyboards are, so that hopefully people will stop using them for anything important.

Re:And this is good why?

[Opportunist]

This is good because he told us instead of handing us a USB charger.

"But if he wouldn't develop it, it would be better!"

Nope. Because there is no such thing as security by apathy. Nobody has the monopoly on ideas, and this is hardly the first hack of this kind. Hiding microelectronics in inconspicuous everyday items is as old as, well, the Thing. Think the US would have been spied upon if they themselves knew such a device can be developed?

And do you think you can be spied upon with such an item now?

Re:And this is good why?

All I want to say to any would-be hacker that wants to know what's going on in, on, or around my computer is: sniff my dump.

The relevant excerpt:

"Simon," the Boss begins, "we have a formal complaint about you from one of the new system programmers. He claims that you are being unnecessarily offensive to him."

"I'm afraid I haven't the faintest idea what you're talking about."

"He claims that you told him to do something with your faeces."

"I beg your pardon?" I reply, shocked. "There must be some mistake. The last time I spoke to him I told him that I had a system crash core that I'd like him to examine. I cannot possibly be held responsible for the strange way in which he interpreted that."

"You were leaving the toilet at the time."

"Purely coincidental. I simply mentioned it when the opportunity arose."

"Mentioned? It was more of a shout wasn't it? I believe I heard it myself from in here."

"I concede that it may have been slightly more than a whisper, but that was only because of the deference that I feel for his wealth of professional knowledge..." (Well, it was worth a shot).

"The words 'sniff my dump' do not engender in MY mind a feeling of professional respect."

Re:And this is good why?

[fustakrakich]

The nefarious against the nefarious is non-nefarious..?

Re:And this is good why?

[Drewdad]

It's good, because it reveals a security flaw that could be exploited. By providing plans, it allows people to verify the finding.

If someone, like myself, is security conscious, then it helps to identify another threat vector.

Re:And this is good why?

[Archangel+Michael]

In Spy vs Spy, which spy did you root for?

Re:And this is good why?

[gstoddart]

And do you think you can be spied upon with such an item now?

Of course you bloody well can.

Are you going to run around unplugging every USB wall charger in your vicinity on the presumption it's bugged? Think you'll be in the airport and force everyone to unplug their USB chargers? Think that won't get you a beating?

Unless you have control over every single thing which is plugged in, you absolutely can still be spied on like this.

The form factor is trivially altered -- so then you're policing anything with a plug -- but the attack vector is unchanged, because apparently it's utterly trivial to spy on wireless keyboards.

You are no more or less secure with the knowledge this can be done, unless you stop using wireless keyboards. Because you simply can't police every electrical plug in your vicinity.

Consumer electronics aren't built for security. They're built for convenience, and we see time after time that security is either non-existent, or so completely trivial as to effectively be non-existent.

Re:And this is good why?

[Opportunist]

Well, then I guess the lesson is to not use wireless keyboards.

In the end, you have learned something. Information you have can never be harmful to yourself. At least not by itself.

Re:And this is good why?

[Imagix]

Spy.

Re:And this is good why?

[gweihir]

It is a demonstration what can be done. As such it servers to improve risk-management by potentially affected people.

Re:And this is good why?

[blueg3]

Demonstrating that people should be using wireless keyboard protocols that don't suck.

Re:And this is good why?

[houghi]

So you are going to unplug it and think you are safe? Watch the video. It is also battery driven, so unplugging it won't work.

Further: This is just a design idea. You could easily put it into e.g. a USB device or anything else or just tape it with a battery under a desk.

And I understand that they are not build for security, but they are used for it. People doing their bank business. They use it to log into email accounts. They are used to order things online where they enter credit card numbers.

Re:And this is good why?

[Impy+the+Impiuos+Imp]

Smells like Doritos and shame.

Re:And this is good why?

[alen]

say my monitor is broken and i want to know what i'm typing?

Re:And this is good why?

[Firethorn]

Unless you have control over every single thing which is plugged in, you absolutely can still be spied on like this.

You'd also have to flip the breakers as well, not to mention wait until any integrated batteries have time to die.

I've seen this sort of stuff connected within the wall box the socket is in. They're already illegal, so you don't have to use 18 gauge wire or whatever while worrying about fire code - just tack on some whisker-thin wires (28 gauge?) for power. Heck, see if you can shove it OUT of the box.

Re:And this is good why?

[g0bshiTe]

Illustrates why you should use a wired keyboard.

Re:And this is good why?

[rthille]

If you're in the airport and you're using a wireless keyboard, you're a wanker...

Re:And this is good why?

[Lumpy]

Don't buy cheap keyboards and mice and use bluetooth.

Problem solved.

Re:And this is good why?

[CaptainDork]

You can test that with a magnet.

Re:And this is good why?

[sumdumass]

That does sort of raise the question of if you can sniff it, can you replay it?

If so, with a few keyboard shortcuts and control tans, you could have your neighbor sending penis to every email address he knows.

Re:And this is good why?

[sumdumass]

Ever hear of acustic cryto analizing?

Basically, with varying degress of success, a microphpne recording you typing and some software can decode your keystrokes on a wired keyboad. I'm waiting on someone to perfect the van eck effect/phreaking.. although i think that was limited to CTR monitors. Its been a while since i looked at either.

Re:And this is good why?

[BronsCon]

None. But it's good to know about.

Re:And this is good why?

[BronsCon]

Those use Bluetooth and, while probably not perfectly secure, are much more difficult to attack (unless they use a hardcoded passcode like 0000 or 1234)

Re:And this is good why?

[al0ha]

Dang this is NOT A STORY and the claim that this can work against all Microsoft Wireless Keyboards is 100% BS, and has been since 2007, when the issue was first uncovered; covered in depth by Schneier, and remedied in all versions of the Microsoft Wireless Keyboard created since then, which use at minimum 128-bit AES; NOT XOR.

Re:And this is good why?

[Ol+Olsoc]

It's purpose is clearly to force wireless device manufacturers to use secure data transmission protocols.

I wonder if he teaches his kids about gravity by throwing one of them off a cliff?

Re:And this is good why?

[davester666]

then I wake up with my pants around my ankles, feeling like something bad just happened....

Re:And this is good why?

[hankwang]

"the claim that this can work against all Microsoft Wireless Keyboards is 100% BS, and has been since 2007, when the issue was first uncovered; covered in depth by Schneier, and remedied in all versions of the Microsoft Wireless Keyboard created since then, which use at minimum 128-bit AES; NOT XOR."

The only meaningful hits on 'schneier microsoft wireless keyboard' is just a few broken links to a Dreamlab study: http://www.google.com/search?q...,

Those were using a 27 MHz transmitter (near field, i suppose) and an association process that at least uses a different xor key each time. TFA claims that the newer 2.4 GHz keyboards always use the same xor key, 0xCD. TFA mentions at least two recent keyboard models that use this protocol. (Maybe I overlooked other ones)

It seems that there is only the MS "2000 AES for business" keyboard that is explicitly marketed as using AES. http://www.microsoft.com/hardw...

Re:And this is good why?

[tehcyder]

What if you want to sniff your own keyboard?

I can only imagine you'd want to do this to see what your wife/kids/cat was using it for.

Re:And this is good why?

[tehcyder]

It's purpose is clearly to force wireless device manufacturers to use secure data transmission protocols.

I genuinely can't tell whether or not you're joking. Excellent.

Re: And this is good why?

[iluvcapra]

Don't BT keyboards do a key exchange? They just use the passcode for initial identification, but the actual event stream is encrypted with a session public key.

Re: And this is good why?

[BronsCon]

The key is derived from the passcode, if I recall correctly.

Re:And this is good why?

[sentiblue]

Disagreed.... Every keylogger is built with some sort of "stealing" intention in mind.... I dont for a second believe that things like this are made to encourage better security.

If this dude is lucky enough... he can actually steal usernames/passwords and URLs and lots of other things... but then again at public places to steal like airports and hotels... people don't normally use MS wireless keyboards... they simply use tablets/laptops... that's why I used the term "lucky".

One more reason to use a wired keyboard

[Jeremi]

As if having to replace keyboard-batteries every 6 months wasn't reason enough. Is there really any benefit to having a keyboard be wireless, outside of a living room TV/PC scenario?

Re:One more reason to use a wired keyboard

[Drethon]

That was my thought. Why broadcast any data unencrypted ever? Maybe wireless mouse data as I can't see that being particularly useful...

Re:One more reason to use a wired keyboard

[Firethorn]

Why broadcast any data unencrypted ever?

Because broadcast to everyone is the purpose.

Otherwise the problem with wireless keyboards isn't 'just' that they're unencrypted, because some boast that they are encrypted, and they technically are. It's just that an 8 bit key is worth about as much as ROT-13.

Re:One more reason to use a wired keyboard

[Falos]

> wireless mouse data
Kind of sounds like an interesting challenge. Countless points of failure, though, even with a predetermined OS, web browser, etc.

Re:One more reason to use a wired keyboard

[gurps_npc]

Yes. You are not actually sitting at a desk. I routinely double screen - my monitor is on my living room coffe table, I type on the keyboard while sitting on my couch. In the back ground is the News on my regular TV.

Re:One more reason to use a wired keyboard

[OzPeter]

As if having to replace keyboard-batteries every 6 months wasn't reason enough.

The batteries thing was one reason why I like my Logitech wireless keyboard as it is powered by solar cells - no battery changing at all.

But now .. hmm .. I totally didn't think about sniffing the keyboard.

Re:One more reason to use a wired keyboard

[PRMan]

I have arcade joysticks and driving wheels which I also hook up to my PC. It's a lot easier to move the keyboard when it's not attached. Other than that, nothing really.

Re:One more reason to use a wired keyboard

[sinij]

A device that broadcast over sufficiently large range random flood of mouse clicks would be a very effective DoS tool in a corporate settings.

Re:One more reason to use a wired keyboard

[ArcadeMan]

A real arcade gamer would mod his computer desktop to have a rotating control panel and put the keyboard on one of the three sides!

Re:One more reason to use a wired keyboard

[jeffmeden]

As if having to replace keyboard-batteries every 6 months wasn't reason enough.

The batteries thing was one reason why I like my Logitech wireless keyboard as it is powered by solar cells - no battery changing at all.

But now .. hmm .. I totally didn't think about sniffing the keyboard.

Logitech is actually out in front when it comes to encryption. Their 2.4ghz wireless keyboards going back almost 10 years have used 128 bit AES. Unless someone has leaked the pre-generated key algorithm, your chat history is safe and sound.

Re:One more reason to use a wired keyboard

[Nkwe]

A device that broadcast over sufficiently large range random flood of mouse clicks would be a very effective DoS tool in a corporate settings.

Or a device that broadcast a very specific non-random set of keystrokes. For example you could send the keystrokes to open up a command window followed by the keystrokes to download and execute malware. You could even send the keystrokes to type in the source code and compile the malware or a malware bootstrap process.

Re:One more reason to use a wired keyboard

[OhPlz]

Fewer cables. It's also nice if you want to make room for a book or pile of papers or something temporarily, there's no cord to argue with.

Re:One more reason to use a wired keyboard

[Blaskowicz]

Time to get the "telephone cord" style of cord back on keyboards. It was invented so you can move the cord more easily.

Re:One more reason to use a wired keyboard

[Barny]

I run two PCs with three displays. I typically use Synergy to mouse/keyboard share between them but, in case the network has issues, I keep a wireless controller hooked up to the second PC and the mouse/keyboard are in a drawer in the desk.

Re:One more reason to use a wired keyboard

[Smerta]

Serious question (in case it sounds like I'm being antagonistic):

Since AES is a block cipher, and an AES block is 16 bytes, and since keypresses appear to be transmitted "instantaneously", does that mean for each keypress, a 16-byte block is formed, and encrypted? And what about the encryption mode? (Otherwise doesn't it basically become ECB?)

Seems like a stream cipher would make more sense, although you'd need a protocol on top of that to stay synchronized, since packets can become lost/corrupted.

I could only find a very non-technical PDF on the topic. Interestingly, the wording seemed to imply something like a DH key exchange (one time, during pairing).

Re:One more reason to use a wired keyboard

[Fnord666]

Since AES is a block cipher, and an AES block is 16 bytes, and since keypresses appear to be transmitted "instantaneously", does that mean for each keypress, a 16-byte block is formed, and encrypted? And what about the encryption mode? (Otherwise doesn't it basically become ECB?)

You use the block cipher to generate what is essentially a random stream, then XOR it with the input stream as needed, turning your block cipher into a stream cipher.

Re:One more reason to use a wired keyboard

[houghi]

On a desk? At home I often lean back with my feet on the desk. Not having a cable makes that easier. A second and very important thing (perhaps not for you) is that it looks so much nicer.

Not everything needs to be functional.

Re:One more reason to use a wired keyboard

[AmiMoJo]

It's not that bad. This particular issue was found back in 2007 and Microsoft fixed it with proper encryption, that so far has remained uncracked (at least as far as we know). The batteries in my wireless keyboards last years. It's the mice that chew through them every six months.

Re:One more reason to use a wired keyboard

[sparkMonkey]

I've found a notable difference in battery life (both overall longevity and each session length) based on whether I plug the device into the PC for charging via USB or I take out the batteries and use a purpose-built charger. With the mouse, which uses up battery life fastest, it is fairly simple, and it means I always have one ready to go, so I can crank up report speeds without worrying about making it to the end of a gaming session. Unfortunately, it is a PITA on my keyboard, so I usually just charge via USB, and only pull those batteries for a proper charge on occasion.

Immature industry

Remember when we added networks to Windows 3.1? Remember how well that worked out? Remember how not having multi-user support totally didn't result in massive piles of insecure bug-ridden software full of viruses? Remember how antivirus software wasn't ever a thing?

Well, it seems we didn't learn here. Taking something that's not designed with security in mind and suddenly hitching it up to a network doesn't seem to be working well for anything really. What we've learned is that the market will quite happily replace everything we have with timebombs if it means they make a few bucks.

Re:Immature industry

[Sowelu]

I'm pretty sure I've heard of acoustic keyloggers. Yeah they probably have tough restrictions on where they need to be placed to be effective, but you might luck out. Bet you could put one of those into this thing and remove the "wireless keyboard" requirement.

Dewhat?

[TheCarp]

This is why I hate large swaths of consumer products.

If the keyboard is encrypting keystrokes and sending them to the system....and a third party device sitting in the corner with no configuration involving dumping and loading keys....then the data is NOT encrypted.

If you use the same static key, or one of a few easily derivable keys, I don't care how solid the encryption alcogrythem you use is.... I do not consider it encrypted, because the use case took "strong encryption" and turned it into "weak obfuscation".

So unless there is some esoteric trick they are using to exploit the system and get their hands on a key that should otherwise be secure.... then its a disservice to the public to even call it encryption, because unless that is the case and they were genuinely compromised from a use case that should have otherwise been secure.... then all they did was use a fancy obfuscator.

Re:Dewhat?

[Firethorn]

So unless there is some esoteric trick they are using to exploit the system and get their hands on a key that should otherwise be secure.... then its a disservice to the public to even call it encryption, because unless that is the case and they were genuinely compromised from a use case that should have otherwise been secure.... then all they did was use a fancy obfuscator.

When I was in the USAF I had great fun telling users that they could have a wireless keyboard & mouse just as soon as they found FIPS 140-2 compliant ones. I then told them that not only do none exist to our knowledge, but none are planned. The main problem being once you put serious encryption in there(as 140-2 requires), you're looking at a keyboard/mouse that are closer to smartphones than keyboards. IE a AA won't last a few months, you'll need to charge it like you do your smartphone. AES encryption also isn't intended for 8-16 bits at a time, so it's not really efficient there.

Re:Dewhat?

[sinij]

I work in InfoSec, and insecure implementation is widespread and the norm. This is unlikely to change, not until consumers start demand product certification.

In my experience, common implementation flaws are 1) hard coded keys, 2) leaking of secrets 3) weak randomization leading to predictable keys, 4) use of weak cryptography.

Re:Dewhat?

[Opportunist]

It's not even weak obfuscation. The "key" is the mac address of the device... which is sent along with every single packet.

Re:Dewhat?

[OzPeter]

This is unlikely to change, not until consumers start demand product certification.

But certification costs money. And I demand my cheap keyboard.

That and how the hell do you educate users that their keyboard has a security vulnerability (and does that mean having to keep an eye out for security patches for your keyboard?!?!? )

Re:Dewhat?

[The+New+Guy+2.0]

This is why you need Bluetooth in order to be sure there's enough processor in the keyboard to encrypt. Microsoft's proprietary system for this now has to be considered hacked.

Re:Dewhat?

[KingMotley]

When I was in the USAF I had great fun telling users that they could have a wireless keyboard & mouse just as soon as they found FIPS 140-2 compliant ones. I then told them that not only do none exist to our knowledge, but none are planned. The main problem being once you put serious encryption in there(as 140-2 requires), you're looking at a keyboard/mouse that are closer to smartphones than keyboards. IE a AA won't last a few months, you'll need to charge it like you do your smartphone. AES encryption also isn't intended for 8-16 bits at a time, so it's not really efficient there.

That's easy to solve. Since the keyboard and mouse are very likely near a PC, just run a charging cable to one of it's USB ports and never disconnect it. Then you can get rid of the battery completely. Problem solved. Then you've got a nice battery-less, always charged wireless keyboard and mouse. Tada!

Re:Dewhat?

[sinij]

Well, I advocate and practice usage separation. Have a secure device dedicated for "important" tasks like banking. This way you can have usability in most cases, and security in cases that requires it.

As to how do you educate users that their keyboard, smart TV, smart thermostat, router, in-car infotainment system, child monitoring system, fitness band, implanted defibrillator all require security patches? You can't. Unless they are Dick Cheney, who has a very well deserved reason to be paranoid.

Re:Dewhat?

[Archangel+Michael]

Most users don't care. Most users wouldn't care that their keyboard COULD be logged, even if they were told. MOST users are using wireless keyboards to type twitter and facebook posts.

Re:Dewhat?

[Dagger2]

And the "key" is xored with the plaintext to get the "encrypted" text, and the typed character is in a single byte. So you only actually need a single byte of the MAC address.

And it happens to be the first byte, which for these Microsoft keyboards is always 0xCD. So you don't even need to bother figuring out what the MAC address is.

Re:Dewhat?

[mlts]

This raises a question:

Why do we have these non-standard wireless keyboard protocols that have unknown (if not nonexistant) levels of security, when BlueTooth is a widely accepted standard, and has proven itself quite robust to attack (it isn't perfect, but BT 4.2 is pretty darn secure.)

Why doesn't MS and other keyboard makers bundle a BT dongle ($10 on Amazon), and go with a tried/true standard? If the keyboard supports USB for charging, then pairing is definitely not an issue. If not, it can come pre-paired (similar to how Apple pairs USB mice and keyboards when they are shipped with iMacs), or one can use one of many pairing methods.

Going with BT not just means that there is actual guarenteed security in place, but there are facilities for running at low power levels and not having to maintain a constant radio connection.

Re:Dewhat?

[TheCarp]

I would say this is pretty close to how I look at it now. I got a cheap wireless keyboard sure....but anyone sniffing the traffic is going to be bored to tears as I don't ever type anything the least bit confidential on it. Best you are getting is a bunch of youtube URLs and a whole bunch of wwwwwwwwwwwwwaaaaaaaaaaaaaaaasssssssssssssssddddddddddddddddddddddddfff

Re:Dewhat?

[Impy+the+Impiuos+Imp]

Adding noise is good, but It adds to the pollution slowing down that band.

Re:Dewhat?

[TheCarp]

The thing is, the cipher doesn't do the job alone, once you have a good cipher, you then need good key generation/negotiation, which pretty much requires some sort of authenticated pairing step which requires user interaction to complete.

Still pretty reasonable but, everyone wants "plug and play" and thats hard to reconcile with "safer play"

Re:Dewhat?

[Jeremi]

Most users don't care. Most users wouldn't care that their keyboard COULD be logged, even if they were told. MOST users are using wireless keyboards to type twitter and facebook posts.

They also use those same keyboards to log in to their bank accounts, so they'll care after the first time their checking account gets drained. (And for those that don't use on-line banking, they'll care after the first time their Facebook account starts posting goatse pics for their mom to see)

Re:Dewhat?

[John+Bokma]

alcogrythem

I like it, sounds like a good title for a steampunk book: "The Alcogrythem" by Neal Stephenson.

Re:Dewhat?

[goombah99]

the presentation was confusing. It seems that you still need the mac address to be able to listen at all. but you can brute force scanning for all of them. you just don't neeed it for the decrypt.

Re:Dewhat?

[Firethorn]

The thing is, the cipher doesn't do the job alone, once you have a good cipher, you then need good key generation/negotiation, which pretty much requires some sort of authenticated pairing step which requires user interaction to complete.

Which means you end up with, at least, a tiny LCD screen to show the pairing code. Which means you need enough logic to run the LCD screen and the pairing stuff.

I exaggerated a bit, with a cellphone battery the keyboard could probably last weeks. But a dumb keyboard is also in incredibly simple device, thus my statement 'closer to'. I also remember reading that for truly secure operation the keyboard would have to communicate with the computer a lot more, and more transmissions equates to shorter battery life.

Don't forget that while AES is a standard within FIPS 140-2, it's also far from the only requirement. Certifying your wireless keyboard would probably cost more than designing it in the first place, and the DoD won't let you use it unless it's certified(and maybe even not then). So you're looking at a LOT of expense for what would work out to a limited audience. Not that you wouldn't sell a few even if they were $10k apiece, but it's still a limited market.

Re:Dewhat?

[Dagger2]

Needing to know the MAC address is just a limitation of the nRF24L01+ chip he was using. Conveniently though, the chip has an undocumented feature (or bug) that lets you trick it into giving the full packet, including the MAC address header. The only brute force scanning he ends up doing is to scan through all the different frequencies.

Re:Dewhat?

[Blaskowicz]

That sounds good if you simply want keypresses to not land accidentally in another computer's receiver.

Re:Dewhat?

[TheCarp]

DoD are not the only people who require FIPS 140-2. I have worked at shops with various mixes of FERPA, HPAA, and PCI requirements for various parts of their operation, and I have run into it a couple of times; though I can't tell you (because I don't know) whether any of them have been strictly due to a regulatory requirement or a place where local policy simply adopted the recommendations from it.

In short, if such a device existed, it might actually end up on several companies prefered purchasing lists for their employees, or even cause other competing products to get disqualified as just the existence of one could call the others into question.

Re:Dewhat?

[TheCarp]

In the future keyboard designers should make the protocol more configurable so that on casual observation it is not so easy to determine what packets are data

Thats a very common misconception, but the fact is that is pretty exactly what they should NOT do.

Specifically that is, they should not even attempt to design their own method of securing the data. They should use fairly standard, well tested, modules produced by professional cryptographers. Full stop. These are solved problems, and there are several very well researched and well designed techniques for solving these issues.

There is always room for more such techniques but, to think that some engineer working on a keyboard is going to design one that is even as good as what we have as just....a submodule of his project is just not realistic.

Choose a solution for authentication/key negotiation....choose a cipher. Go back to designing the keyboard itself. That really is the best part.... since its a solved problem.... it really isn't a huge level of effort to fix correctly.

Plus its a keyboard...a "pairing" could be as simple as flipping a switch into pairing mode, then typing some text that shows on the screen of the device pairing with it. Its not like its some headset with only 2 buttons.

Re:Dewhat?

[TheCarp]

> Which means you end up with, at least, a tiny LCD screen to show the pairing code. Which means
> you need enough logic to run the LCD screen and the pairing stuff.

oooh I have been thinking about this.... I think it can be done even easier and cheaper.

Wireless keyboards generally require a wireless dongle. Put a usb port on the kb, used for emergency power obviously.... but... easy pairing. Just plug the dongle into the device, and press a button, they can do a key negotiation over their local USB connection. No LCD needed, maybe.... an LED and a button.

That should put an easy end to easy sniffing. Course if someone is coming into your house and plugging shit into the wall, maybe they can just replace your whole keyboard too.... fake the dongle and keyboard into each pairing with his device and MiTM you? or wholesale replace yours with his lookalike.... but, its certainly not casual sniffing at that point.

Re:Dewhat?

[steelfood]

What's scary is that it sounds like something you could actually sell, for a premium over the kind that uses a battery, to a government agency.

Re:Dewhat?

[TheCarp]

Which is all the more reason why system designers really should consider themselves as having a duty to care for them. The vast majority of users are not experts and any risks they expose themselves to in using the product really are things they can't be expected to understand. So products intended for non-professional markets especially; should really be designs to not expose inexpert users to risks as much as possible.

Re:Dewhat?

[Firethorn]

Wireless keyboards generally require a wireless dongle. Put a usb port on the kb, used for emergency power obviously.... but... easy pairing.

For such a keyboard I'd go with 'charging' and have it act like a normal keyboard while plugged into the computer. Something like 'up to 2 days of fairly heavy usage per 2 hours charging'. Easy pairing, perhaps, but I think you'd need to write some software to do that, not that you aren't anyways.

Course if someone is coming into your house and plugging shit into the wall, maybe they can just replace your whole keyboard too....

Already a concern, would actually be less of a one with the secure keyboard - because the computer won't talk to a replacement.

Re:Dewhat?

[Firethorn]

DoD are not the only people who require FIPS 140-2.

Point. It's a federal regulation, after all, and thus all departments with security concerns(such as the DoE) use it. Plus, lots of states follow federal rules due to the ease, and for private concerns it can also be a shortcut.

That being said, I once investigated the reason because even to me it seemed like a license to print money if you came out with one. I guess 'illegal' installations were easier and cheaper, too much competition with the expense and risk of trying to create one.

I wouldn't be surprised if they ended up costing around a grand for a keyboard/mouse combo.

Re:Dewhat?

[BronsCon]

Or, you put a USB port on the keyboard and design it so that, when the receiver dongle is plugged into the keyboard, the two exchange keys. Allow only one receiver pairing per device and only one device pairing per receiver, per type of device.

Even better, disable the radio when the receiver dongle is plugged into the keyboard for pairing, no data is transmitted wirelessly, require a password for the key exchange, require that the password be changed with every exchange, generate the key from a passphrase typed by the user, salted with the password (such that the same passphrase will generate a different key if reused), and optionally allow the key itself to be encrypted with a passphrase in the keyboard's storage.

The key exchange process would go something like this:
1) Plug dongle into keyboard; "Ready" light illuminates
2) Type current password and press ENTER; password is encrypted with current private key and sent to dongle, dongle decrypts password and replies with the password plaintext re-encrypted with public key, keyboard decrypts reply with private key and compares result with known plaintext (just typed); on success (e.g. plaintexts match), "Password" light illuminates
3) Type new password and press ENTER; password is stored temporarily in keyboard's RAM; on success "Exchange" light illuminates
4) Type passphrase to be used for new key (suggest random keystrokes) and press ENTER; all lights illuminate, "Exchange" light blinks
5) Keyboard begins generating an RSA keypair; and sends the public key, encrypted with the current private key, to the dongle, which then decrypts the key and replies with the plaintext key; on success, all lights illuminate, "Ready" light blinks
6) Keyboard encrypts the new public key with the new private key and sends to dongle, dongle decrypts using the new public key and compares the result; on success (e.g. both keys match) it discards the old key and records the new key before encrypting the plaintext password from step 2 and sending the result to the keyboard for verification; dongle then discards plaintext password
7) Keyboard decrypts password and compares with original plaintext; on success (e.g. passwords match), keyboard discards old key and password, encrypts new password with private key, then stores the result, all lights illuminate, "Password" light blinks
8) Type key passphrase and press ENTER, or simply press ENTER; if passphrase is entered, generate a hash of the passphrase, having the same length as the private key, and XOR the key against the result; if no passphrase is entered, key remains plaintext; on success, keyboard records the resulting key, all lights blink
9) Remove dongle from keyboard
10) Insert dongle into computer

If a the private key is encrypted with a passphrase, require the passphrase every time the keyboard is powered on; generate a key-length hash (which will be identical to the hash used in step 8 if the passphrase is correct) and XOR the stored key against that hash; this is the key the keyboard encrypts its transmissions with.

This whole post is long enough without going into detail about why certain steps are necessary; perhaps I'll do a full writeup sometime. If I do, I'll reply to this post with a link. Of course, this solution is also imperfect, as an attacker could disassemble the dongle and read the public key directly from the dongle's flash; it would have to be designed in such a way that the dongle could not be opened to that degree without damaging the flash beyond readability. Layering several different kinds of epoxy over it should do the trick in most circumstances.

Re:Dewhat?

[dave420]

If your bank account can be drained by using only intercepted keyboard data, you are with the wrong bank.

Re:Dewhat?

[Archangel+Michael]

LastPass makes me immune to THIS kind of attack.

Re:Dewhat?

[TheCarp]

I know I am a little late to the reply but...

> I prefer a wireless keyboard with a USB dongle that acts as a standard keyboard, thank you.

which is exactly what I prefer too but, which is why I say, ditch the driver. The driver is just one more place your scheme can be compromised, clearly the solution is to have the dongle capable of pairing without PC participation beyond, (possibly) providing power.

Re:Gee, thanks...

[Opportunist]

I've read the specs and seen the required skills to build one. If you can build one, you could come up with the relevant ideas yourself. If anything, he just saved people who want to build such a thing some time.

OTOH, he taught us not to accept strange gifts or use chargers we find lying around. Which is heaps easier than building one of those things.

Re:Gee, thanks...

[boristdog]

And you know, to not use wireless keyboards in any environment that could be compromised.

Come on, MS Keyboards are secure.

[140Mandak262Jamuna]

I am sure the Microsoft keyboards are well engineered and will not allow a random listener within earshot to snoop in on communications. Microsoft has a well earned reputation for placing security above everything else. It would not compromise the security for some trivial thing like ease-of-use for dimwitted user. The keyboard will be using encrypted communication between the wireless keyboard and the host PC. In almost all the conference rooms in our office we routinely use wireless keyboard to log in to the conf-room PC, then remote desktop to login to our workstations to make presentations. We would not do it, if someone is using a compromised USB charger in the conference room.

I have very good experience walking past grave yards whistling.

Re:Come on, MS Keyboards are secure.

[The+New+Guy+2.0]

Was this a joke? Nobody's laughing...

Re:Come on, MS Keyboards are secure.

[93+Escort+Wagon]

It would not compromise the security for some trivial thing like ease-of-use for dimwitted user.

No one who's used a Microsoft product would believe "ease of use" was given any significant amount of consideration by the design team.

Re:Come on, MS Keyboards are secure.

[Drewdad]

Is it a joke? Dunno. Do you define satire that way?

Re:Come on, MS Keyboards are secure.

[The+New+Guy+2.0]

Well, it's "flip"... it's a comment that states the opposite of the summary at the top.

Re:Come on, MS Keyboards are secure.

[desdinova+216]

wooosh

Re:I don't get it.

[Opportunist]

Come out of your basement, get into a corporate environment and you'll immediately spot a use case. In case that's not obvious enough, three words: Open Plan Office.

Or how about the fact that the average office building has walls that are, at best, not see-through... hmmm, I wonder if that office next to that law firm is available... what? Me spying on lawyers? Of course not officer, please come in, look around, as you can see I barely moved in yet, all I have is my laptop and my cellphone. Yeah, these new phones suck, the battery's always drained, it's almost like going back to threaded, ha, ha...

Yawn

[Old+Bitsmasher]

Oh, come on, people have been putting bugs in wall warts since there have been wall warts. Boris: Look, Natasha, nice little box, has constant power supply, wire for antenna. Natasha: Da. But not wood. Boris: Is now Nineteen-Sixties. Did you not see movie? Answer is "Plastic."

so you can see what you are typing in the password

[swschrad]

obviously, this will be big among executive offices, saves time trying every password they have used in the past 20 years to watch videos during phone conferences.

8 years late to the party

[al0ha]

Dang this is NOT A STORY and the claim that this can work against all Microsoft Wireless Keyboards is 100% BS, and has been since 2007, when the issue was first uncovered; covered in depth by Schneier, and remedied in all versions of the Microsoft Wireless Keyboard created since then, which use at minimum 128-bit AES; NOT XOR.

It's 2015, not 2007 people...

Another use

[Russ1642]

Can I use one of these as a replacement for the original wireless keyboard receiver? If I get more than five feet from the original receiver the keyboard doesn't work. This device is probably much better.

Re:I don't get it.

[aaronb1138]

I work in corporate environments. You're still well within the range of physical proximity attacks. Acoustic keyboard analysis works on both wired and wireless keyboards. Wired keyboards are still subject to, and perhaps even easier to listen into their EMR characteristics.

A younger generation would be better served by a general understanding of EMR, more specifically the fundamental physics of electricity, inductance, and RF. Understanding the general underlying principals from the science side, then the security side, and one needs no introduction to such attack vectors. They are natural results of knowledge.

Another reason

[Trogre]

Another reason to avoid wireless keyboards unless absolutely necessary and security is of no concern.

Not too worried about this

[Quarters]

The receiver for my Microsoft wireless keyboard has to be 1' away from the keyboard or else I drop keystrokes pretty regularly. So unless this thing is laid right across the home-key row I'm not worried that it will pick anything useful up.

And this is good why?

[aaronb1138]

Mostly helping the hack job security companies have yet another dumb toy to trot out during demos and pentesting.

Re:I don't get it.

[CaptainDork]

The current generation would do well to fix this shit.

Re:Its good to put the threat in context

[PPH]

Back when WiFi was a New Thing, Boeing banned them on their intranet. Many people wanted to wander around with untethered laptops, so they'd bring a WiFi hub and plug it into their office Ethernet port.

The IT people called the electronics lab for help. One day, a couple of guys were pushing an HP spectrum analyzer attached to a microwave horn antenna/converter on a cart around the office, looking for hubs. By the end of the day, they had located every microwave oven on the premises.

Hwo does it connect to the internet?

[nikkipolya]

Fine, it's harvesting keystrokes. But how does it connect to the Internet to "send them back to the operator over the Web"?

Arduino Microcontroller?

[dohzer]

Arduino Microcontroller? Is that kind of like an Atmel one? Or one of the clones?

Playing dumb

[T.E.D.]

Is there any way I can play dumb, and get some of these from a hacker? I never ever buy wireless keyboards (just what I don't need- a less reliable human input device), but I could really use some free USB chargers.