The FBI’s Cyber Division is just now getting around to warning the private industry about a fake USB device charger that can log the keystrokes of certain wireless keyboards. The government is talking about KeySweeper, which was first revealed as a proof-of-concept attack platform by Samy Kamkar 15 months before the FBI’s current notification. Kamkar used a USB-based phone charger in his demonstration to show how this platform could reside anywhere and steal/decrypt keystrokes from any Microsoft-branded wireless keyboard in the vicinity.
“If placed strategically in an office or other location where individuals might use wireless devices, a malicious cyber actor could potentially harvest personally identifiable information, intellectual property, trade secrets, passwords, or other sensitive information,” the FBI warns. “Since the data is intercepted prior to reaching the CPU, security managers may not have insight into how sensitive information is being stolen.”
According to Kamkar, the fake wireless device charger can use an internal battery, allowing it to sniff and log Microsoft wireless keyboard transmissions even when its unplugged from the wall and seemingly shut off. Collected data can be stored locally on a flash-based chip too, or sent over a GSM-based cellular network like AT&T and T-Mobile. Two KeySweeper devices can even exchange information wirelessly, and there’s a web-based tool for live keystroke monitoring as well.
The sneaky KeySweeper device created by Kamkar featured a 3.3v Arduino Pro Mini microcontroller, a nRF24L01+ RF chip that communicated using GFSK over the 2.4GHz band, and an AC USB charger for converting AC power to 5v DC. Optional components include an SPI Serial Flash chip for storing keystrokes, the Adafruit FONA board for using a 2G SIM card, and a 3.7v LiPo or LiOn battery for power when disconnected from a wall outlet.
KeySweeper’s primary code resides on the microcontroller while live monitoring of wireless keyboards is enabled by way of a web-based backend. This backend provides a web interface and uses PHP and JQuery to log all keystrokes. He also modified the Adafruit FONA library that enables the FONA to detect a new text message, and created a JQuery Terminal plugin that makes keyboard monitoring easier.
Microsoft wireless keyboards use a proprietary 2.4GHz RF protocol. To figure out the actual wireless language, Kamkar ripped apart a Microsoft wireless keyboard and examined the chip responsible for its wireless connectivity. He bought the exact same chip off eBay, and later began to build the actual USB charger device, as shown in a step-by-step tutorial here. Essentially, just about anyone can build this device on the cheap.
In his proof-of-concept, Kamkar reveals that his invention will send SMS alerts when the target wireless keyboard broadcasts specific keystrokes, such as the URL to a bank. He also acknowledges that KeySweeper is actually an extension of work previously done by Travis Goodspeed, and work by Thorsten Schroder and Max Moser.
Why the FBI has waited until now to warn the private industry about KeySweeper is unknown. However, the agency points out that the Microsoft wireless keyboards subject to keystroke sniffing are manufactured before 2011, but are still currently on the market to purchase. Kamkar claims that his device can sniff out any Microsoft wireless keyboard transmission, so private companies should keep an eye out for suspicious wireless chargers lounging around no matter what year the Microsoft keyboard was made.
