Beware Of Keystroke Loggers Disguised As USB Phone Chargers, FBI Warns

An anonymous reader cites an article on Ars Technica: FBI officials are warning private industry partners to be on the lookout for highly stealthy keystroke loggers that surreptitiously sniff passwords and other input typed into wireless keyboards. The FBI's Private Industry Notification (PDF) comes more than 15 months after whitehat hacker Samy Kamkar released a KeySweeper, a proof-of-concept attack platform that covertly logged and decrypted keystrokes from many Microsoft-branded wireless keyboards and transmitted the data over cellular networks. To lower the chances that the sniffing device might be discovered by a target, Kamkar designed it to look almost identical to USB phone chargers that are nearly ubiquitous in homes and offices."If placed strategically in an office or other location where individuals might use wireless devices, a malicious cyber actor could potentially harvest personally identifiable information, intellectual property, trade secrets, passwords, or other sensitive information," FBI officials wrote in last month's advisory. "Since the data is intercepted prior to reaching the CPU, security managers may not have insight into how sensitive information is being stolen."

Clever attack on a very old vulnerability

[dgatwood]

Most of us have known for almost a decade that many of Microsoft's wireless mice and keyboards use an insecure protocol. So although this is a clever piece of hardware, it's really sad if anybody is still using vulnerable hardware.

This is just another reason why every time I review a wireless keyboard or mouse or trackball or trackpad, if it isn't Bluetooth, that's usually the first complaint in my review. We have standards for a reason, and those standards are at least moderately robust against this type of attack. Unfortunately, too many keyboard/mouse manufacturers try to cut corners by using whatever cheap custom hardware they've been using for a decade, and they wonder why they get lousy range (not to mention lousy security).

Re:Clever attack on a very old vulnerability

[jaymemaurice]

I bought the Microsoft Cordless Bluetooth Elite desktop package when it first came out. It was twice the price of the non-Bluetooth version... a considerable premium most "I just want a wireless keyboard" people wouldn't pay. Cool thing is the included Bluetooth receiver actually stored the keys and operated in HID mode even before the operating system booted.

Problem is time and time again consumers will buy the cheaper option... cheaper keyboard, cheaper cell phone charger etc.

Re:Use a USB Condom

[bluefoxlucid]

The problem is you can conceal a radio in that little pink piece of shit, and then when you plug it into USB it powers up the radio and listens for your bluetooth and RF keyboards, logs keys, and then connects to whatever wifi it can find and e-mails all your passwords to some asshole in Beijing.

Once again the perils of wireless show their heads

Wireless is insecure. It's that simple. Do not trust anything that transmits your data without a physical wire because, no matter what protocol, passwords or encryption are used it will always, without a shadow of a doubt, be broken.

Trust copper wire not omnidirectional transmitters.

Re:Use a USB Condom

[operagost]

In other words, it's like a USB cable from the Dollar Tree.

You'd be limited to slow charging, since it can't negotiate rate, and some devices like Blackberrys will refuse to charge at all.

Re:Once again the perils of wireless show their he

[dgatwood]

Wireless is insecure. It's that simple. Do not trust anything that transmits your data without a physical wire because, no matter what protocol, passwords or encryption are used it will always, without a shadow of a doubt, be broken.

If you know where the keyboard is located physically and have a sensitive enough array of directional antennas, you could theoretically detect the voltage spikes from each individual keyswitch closing. And you could probably do some sort of advanced Van Eck phreaking to sniff the USB data lines as well.

Besides, physical security is a minimum requirement for electronic security. By the time you let someone plant unknown hardware inside your building, you've already lost, because they could just as easily replace your USB keyboard with a modified version that retransmits the signal or stores the keystrokes.

Re:Use a USB Condom

[Rei]

There might come a day. ;)

A friend of mine was joking the other day about his coffee machine. It's always warm, even when it's not on, and far larger than is needed to make coffee, which he finds suspicious - maybe it's actually a clever ploy to mine bitcoin on stolen electricity, he suggested. The more I think about it, the more I think that's genius, a perfect scheme for a nefarious manufacturer in China ;) The cost of a sim card dongle won't add much to the cost of the mining hardware the cost of the electricity is over half the total cost of mining, and people would actually pay to acquire the hardware and host it in their own climate-controlled "data center" (home). They could make them, then sell them on ebay for cut-rate prices. So long as it actually makes coffee and doesn't break in that regard, I really doubt many people would notice. And of those who noticed, who would think to break it open to see if there's any bitcoin-mining hardware inside, rather than just defective wiring?