Privacy and security researcher Samy Kamkar has released a keylogger for Microsoft wireless keyboards cleverly hidden in what appears to be a rather large, but functioning USB wall charger. Called KeySweeper, the stealthy Arduino-based device can sniff, decrypt, log, and report back all keystrokes — saving them both locally and online.
This is no toy. KeySweeper includes a web-based tool for live keystroke monitoring, can send SMS alerts for trigger words, usernames, or URLs (in case you want to steal a PIN number or password), and even continues to work after it is unplugged thanks to a rechargeable internal battery. That’s an impressive list of features, especially given that Kamkar told VentureBeat the whole process “took a few days” including a few over Christmas break and this past weekend when he decided “to properly document it.”
This “spy tool” only affects Microsoft wireless keyboards, and it allegedly works with many, if not most, of them. As a result, we reached out to let the company know. “We are aware of reports about a ‘KeySweeper’ device and are investigating,” a Microsoft spokesperson told VentureBeat.
KeySweeper exploits multiple bugs, including the fact that all Microsoft keyboards use the same first byte in their MAC address. Along with a few other holes, it can thus allegedly decrypt any Microsoft keyboard nearby without having to specify its MAC address first.
Kamkar told VentureBeat that he tested KeySweeper “on a brand new keyboard I purchased only a few weeks ago from Best Buy.” Naturally he hasn’t tested it on all Microsoft keyboards — that’s a claim the company will undoubtedly have to verify itself.
In the meantime, Kamkar has put together a walkthrough video for a more in-depth look of KeySweeper:
Kamkar says the unit cost for KeySweeper ranges from $10 to $80, depending on which functions you require. The hardware breakdown is as follows:
- $3 – $30: An Arduino or Teensy microcontroller can be used.
- $1: nRF24L01+ 2.4GHz RF Chip which communicates using GFSK over 2.4GHz.
- $6: AC USB Charger for converting AC power to 5v DC.
- $2 (Optional): An optional SPI Serial Flash chip can be used to store keystrokes on.
- $45 (Optional): Adafruit has created a board called the FONA which allows you to use a 2G SIM card to send/receive SMS, phone calls, and use the Internet directly from the device.
- $3 (Optional if using FONA): The FONA requires a mini-SIM card (not a micro-SIM).
- $5 (Optional, only if using FONA): The FONA provides on-board LiPo/LiOn battery recharging, and while KeySweeper is connected to AC power, the battery will be kept charged, but is required nonetheless.
As for the software, the primary code is installed on the microcontroller, while the web-based backend uses jQuery and PHP. KeySweeper’s source code and schematic are available on GitHub.
KamKar hopes his project will do more than just give would-be spies a how-to guide. He told VentureBeat: “I hope this creates pressure to ensure that we have proper encryption in new wireless products that come out!”
Update: “Keyboards from multiple manufacturers are affected by this device. Where Microsoft keyboards are concerned, customers using our Bluetooth-enabled keyboards are protected from this type of attack,” a Microsoft spokesperson told VentureBeat. “In addition, users of our 2.4GHz wireless keyboard designs from July 2011 onwards are also protected because these keyboards use Advanced Encryption Standard (AES) technology.”
Kamkar is checking if the technique does indeed work on keyboards from other manufacturers. However, he did note that his keyboard was manufactured just last year:
So even though these are old designs, Microsoft is still selling wireless keyboards that are affected by this issue. The company wouldn’t comment on whether this is enough to push them towards replacing the old designs.