Microsoft Wireless Keyboards Allegedly Susceptible to Keylogger Disguised as USB Charger

Security researcher Samy Kamkar, well known for his prolific and creative work in exposing vulnerabilities on the Web and in various electronic products, has released details of a keylogger that can sniff keystrokes transmitted from several models of Microsoft wireless keyboards. The device is so tiny that it can be hidden inside common products. Kamkar has shown off a working device hidden inside a USB charger and, thus completely disguising it.

As noted by Ars Technica, the device, called KeySweeper, sounds like something right out of a spy movie. It works because Microsoft uses weak security to encrypt the proprietary connection between the wireless keyboards and their receivers. Making matters worse, each keyboard's wireless MAC address, which can easily be skipped, is used as the encryption key.

The hardware required is a tiny Arduino or Teensy board with a Nordic Semiconductor nRF24L01+ radio frequency transceiver. The design is customisable enough to allow for a battery, SIM card and integrated flash storage. Using these components, the KeySweeper could be hidden inside any ordinary-looking product and work even if it was lying on a table or in a drawer near the intended victim. An entire device can be assembled for less than $10 (approximately Rs. 620).

Kamkar has published details including schematics and source code on his website. He also warns anyone trying to replicate the device that it is potentially dangerous to modify chargers, which plug directly into AC outlets. The device can just as easily receive power from any other source.

KeySweeper could either store keystrokes locally or transmit them via cellular networks. Going beyond this, the device could even send SMS messages to grab an attacker's attention when specific keywords such as usernames, web addresses, etc are typed.

Kamkar claims he purchased a brand new Microsoft wireless keyboard from a retail chain in order to demonstrate the vulnerability. Microsoft, however, has issued a statement to Ars Technica which claims that only devices sold prior to July 2011 are affected, since the company started using better AES encryption at that time. Wireless keyboards using Blueooth rather than proprietary RF are not susceptible to KeySweeper.

The vulnerability in Microsoft's keyboards has been known for a while, but it was previously believed that much larger and more powerful equipment would be needed in order to sniff keystrokes. Those who regularly type sensitive information would of course be even more secure with an ordinary wired keyboard.

Kamkar is perhaps best known as the author of the Samy worm, which, in 2005, became known for being the first to exploit Web 2.0 cross-site scripting vulnerabilities and propagate itself. The Samy worm caused MySpace to go down for several days. Kamkar is a regular speaker at security conferences and has worked to identify weaknesses in RFID and wireless payments systems, expose persistent user tracking,circumvent Internet censorship, and shield users from governments that snoop on communications. In 2011, he published data proving that Apple, Microsoft and Google had been tracking smartphone users' locations en masse. Most recently, he developed a way to hijack unmanned drones and force them to accept his own commands.