Biz & IT —

Meet KeySweeper, the $10 USB charger that steals MS keyboard strokes

Always-on sniffer remotely uploads all input typed into Microsoft Wireless keyboards.

Meet KeySweeper, the $10 USB charger that steals MS keyboard strokes

It sounds like the stuff of a James Bond flick or something described in documents leaked by former NSA subcontractor Edward Snowden. In fact, the highly stealthy keystroke logger can be built by someone with only slightly above-average technical skills for as little as $10. Called KeySweeper, it's a device disguised as a functioning USB wall charger that sniffs, decrypts, logs, and transmits all input typed into a Microsoft wireless keyboard.

KeySweeper is the brainchild of Samy Kamkar, a hacker who has a track record of devising clever exploits that are off the beaten path. The namesake of the Samy worm that inadvertently knocked MySpace out of commission in 2005, Kamkar has concocted drones that seek out and hack other drones and devised exploits that use Google Streetview and Google Wi-Fi location data to stalk targets. His hacks underscore the darker side of the connected world that makes it possible for bad guys to monitor our most private communications and everyday comings and goings.

KeySweeper follows the same path. Unveiled on Monday, it provides the software and hardware specifications for building a highly stealthy sniffing device that plucks out every keystroke inputted to a Microsoft wireless keyboard. The device can either log the input on a chip for physical retrieval later, or it can use an optional GSM chip to transmit the keystrokes wirelessly to the attacker. For maximum efficiency, it can be programmed to send the operator SMS messages whenever certain keywords—think "bankofamerica.com," "confidential," or "password"—are entered. The entire sniffing device can be stashed inside an AC USB charger that powers the device. It recharges when plugged in and runs off of battery when not connected to a power source. To people being spied on, it looks like just another USB charger plugged into a wall socket.

KeySweeper - covert Microsoft wireless keyboard sniffer using Arduino and nRF24L01+

The guts of the hardware is an Arduino or Teensy microcontroller and an nRF24L01+ radio frequency chip. While the chips are designed to communicate only over proprietary protocols, Kamkar figured out how to modify them to promiscuously sniff Microsoft keyboards by borrowing from previous sniffing attacks. Other optional hardware components include an SPI Serial Flash chip for storing keystrokes, an Adafruit FONA board, A SIM card, and a 3.7V Lithium-Ion battery. Most of the available software runs on the microcontroller, but Kamkar also provides web-based backend apps that remotely log keystrokes and provide a Web interface for live monitoring of targeted keyboards.

Key stashed under the door mat

The weakness that makes exploits like KeySweeper possible is encryption routines built into Microsoft wireless keyboards that can fairly be described as lackadaisical. Keystrokes are encoded with the XOR algorithm using the keyboard MAC address as the key. Since the nRF24L01+ chip can read the MAC address, the measure provides little security against moderately determined hackers. To make things even easier on attackers, all Microsoft keyboards begin with 0xCD as the MAC. As a result, even if an attacker doesn't know the MAC address, we can decrypt a keystroke, as the alignment will never change, and 0xCD is always the first byte of the MAC (see the section subtitled "Decrypting Keystrokes" for more on this).

A slide from a presentation on an earlier Microsoft wireless keyboard exploit called KeyKeriki showing part of the decryption process.
A slide from a presentation on an earlier Microsoft wireless keyboard exploit called KeyKeriki showing part of the decryption process.

The inadequate XOR encryption baked into Microsoft wireless keyboards isn't new. The weakness was brought to light a few years ago by previous white hats Travis GoodspeedThorsten Schröder, and Max Moser. Those earlier exploits, however, required much larger computers that consumed much more power, making an inexpensive, highly stealthy, and always-on device like KeySweeper infeasible. Kamkar's contribution is applying the previous work to build a sniffer that a janitor, co-worker, or other person can surreptitiously plant within range of a targeted keyboard and then walk away. KeySweeper makes the perfect companion to CreepyDOL, a low-cost DIY tool for stalking mobile Wi-Fi users.

Readers who want to protect themselves against KeySweeper-style attacks should permanently eschew the use of Microsoft wireless keyboards, update: or at least test their Microsoft wireless keyboard against KeySweeper-style exploits to ensure it's not vulnerable. The keyboard Kamkar tested for his research was a brand new model purchased two weeks ago from a Best Buy store, so there's ample evidence the attack works against at least some Microsoft keyboards. That said, an Ars reader has pointed this this 2011 article reporting the release of a Microsoft keyboard with 128-bit AES encryption. Microsoft's website lists only a single model of keyboard that offers that protection.

Wired keyboards and wireless keyboards based on Bluetooth are immune to this class of attack. That's not to say this latter category of keyboards aren't susceptible to sniffing hacks that monitor electromagnetic radiation and vibrational patterns, but those types of attacks are much more theoretical and much harder to carry out in practice. KeySweeper, by contrast, is ready now. As Kamkar joked in his writeup:

My friend Dana lent me her doll soldering iron. I don't quite understand what she uses it for, but it's a soldering iron with an attachable razor. This is great for cutting through plastic, and dolls, I presume. She took the iron back as soon as I explained what the device would do. Apparently she does not support this, though I'm not sure why. I'm sure I'll find out after I sniff more keystrokes from her keyboard.

Update: Microsoft has issued the following statement:

Keyboards from multiple manufacturers are affected by this device. Where Microsoft keyboards are concerned, customers using our Bluetooth-enabled keyboards are protected from this type of attack. In addition, users of our 2.4GHz wireless keyboard designs from July 2011 onwards are also protected because these keyboards use Advance Encryption Standard (AES) technology.

Listing image by Samy Kamkar

Channel Ars Technica