Slashdot Mirror
Beware Of Keystroke Loggers Disguised As USB Phone Chargers, FBI Warns (arstechnica.com)
An anonymous reader cites an article on Ars Technica: FBI officials are warning private industry partners to be on the lookout for highly stealthy keystroke loggers that surreptitiously sniff passwords and other input typed into wireless keyboards. The FBI's Private Industry Notification (PDF) comes more than 15 months after whitehat hacker Samy Kamkar released a KeySweeper, a proof-of-concept attack platform that covertly logged and decrypted keystrokes from many Microsoft-branded wireless keyboards and transmitted the data over cellular networks. To lower the chances that the sniffing device might be discovered by a target, Kamkar designed it to look almost identical to USB phone chargers that are nearly ubiquitous in homes and offices."If placed strategically in an office or other location where individuals might use wireless devices, a malicious cyber actor could potentially harvest personally identifiable information, intellectual property, trade secrets, passwords, or other sensitive information," FBI officials wrote in last month's advisory. "Since the data is intercepted prior to reaching the CPU, security managers may not have insight into how sensitive information is being stolen."
The F.B.I. are G-men you know.
I got a couple of these last year. The data lines aren't connected (YMMV on the other claims). Use adapters as needed.
Practice safe charging, /..
My God, it's Full of Source!
OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
Most of us have known for almost a decade that many of Microsoft's wireless mice and keyboards use an insecure protocol. So although this is a clever piece of hardware, it's really sad if anybody is still using vulnerable hardware.
This is just another reason why every time I review a wireless keyboard or mouse or trackball or trackpad, if it isn't Bluetooth, that's usually the first complaint in my review. We have standards for a reason, and those standards are at least moderately robust against this type of attack. Unfortunately, too many keyboard/mouse manufacturers try to cut corners by using whatever cheap custom hardware they've been using for a decade, and they wonder why they get lousy range (not to mention lousy security).
Check out my sci-fi/humor trilogy at PatriotsBooks.
Especially not used electronics.
"Hey! But I do it all the time with no problems!"
That's what you think.
Wireless is insecure. It's that simple. Do not trust anything that transmits your data without a physical wire because, no matter what protocol, passwords or encryption are used it will always, without a shadow of a doubt, be broken.
Trust copper wire not omnidirectional transmitters.
In a security issue. What a surprise.
Beware? There is nothing you could do about this attack other than not using wireless keyboard with insecure data transmission protocol (i.e. all of them).
DUH~~~
Assim, ó: Avisa pro filha da puta do teu pai, que o plano dele deu certo, e que eu odeio a merda da tua familia, e quando essa merdinha vier aqui vou dar um bom motivo pra ficar preso.
Logitech discontinued their Bluetooth desktop keyboards and mice too, All their desktop keyboards and mice now use the Unity dongle, who knows about the encryption on those. They still sell a couple of tablet oriented bluetooth keyboards but those are chicklet key and flat.
My MX 5500 Revolution is now dying and there is no decent and affordable bluetooth replacement. Someone on Amazon is asking $700 for a new in the box MX 5500, not sure if they have sold any for that amount.
If you know where the keyboard is located physically and have a sensitive enough array of directional antennas, you could theoretically detect the voltage spikes from each individual keyswitch closing. And you could probably do some sort of advanced Van Eck phreaking to sniff the USB data lines as well.
Besides, physical security is a minimum requirement for electronic security. By the time you let someone plant unknown hardware inside your building, you've already lost, because they could just as easily replace your USB keyboard with a modified version that retransmits the signal or stores the keystrokes.
Check out my sci-fi/humor trilogy at PatriotsBooks.
The cleaning crew is usually not supervised at all times. Or is it?
Ok, why don't you build something (on a $20 budget) that can inconspicuously tap my wired keyboard, then?
that using random USB devices on your phone may be a bad idea...
The good news is that even if the FBI & Feinstein & Company get their anti-strong-encryption law passed, these unsecure Microsoft keyboards will still be legal to use, whereas anything that uses strong encryption and isn't susceptible to hacks like this would be illegal... because encryption is obviously bad for America. You know, terrorism, blah, blah, blah.
Is buying it good enough?
Google: pc keyboard hardware keylogger
John McAfee 'It was like that time I hired that Bangkok prostitute; to do my taxes, while I fucked my accountant'
in 20+ years has this been such a piece of shit technology. A usb controller can have rock solid performance, and then suddenly be prone to "interference" from power condition, bad power supplies, "EMI" , hostile takeover or interference from other controllers
It looks just like your computers, apparatus, cellular, and peripheral electronic devices. Microsoft even brands apparatus that is completely indistinguishable from authentic input devices resembling the form and function of "actual" keyboards, mice, game consoles, and even smart phones and mp3 players. Holy crap, next thing we'll find out is they manufacture it all in China, like traditional American corporate profitability. Its way cheaper to have it built by a highly skilled low cost labor force subsidized by foreign interests financed by the very dollars sheltered from domestic labor costs (but never domestic spending) that remains offshore hidden in corporate shells and other tax havens that never disclose the extent of slush funds and laundered money operations that are the real backbone of economic prosperity, whatever secret hole it slithers away to hide inside, far, far, away from equality, accountability, fairness, honestly, transparency, or justice that we demand from everyone but ourselves.
You forgot to include the RF search tag.
If you have physical access, you don't need a keylogger.
There have been some papers using the 10$ RTL-SDR for this application. You need to be quite close to the keyboard for it to work (a few m at most). Keyboards with unshielded USB cables work better of course.
but trust them to keep you safe?
Dicks. dbt
This message from the US Board of Trade/US Government.
No copper is going to save you if somebody targets you specifically. Big or not so big brother can just install hardware or software bug inside your computer and you will never know.