Tag Archives: keylogger

A $10 USB charger can record your keystrokes wirelessly

A security researcher has developed a USB wall charger that can eavesdrop on nearly every Microsoft keyboard.
Although we shared this discreet hack from Samy Kamkar back in January, a recent tweet from Lifehacker triggered our memory and we just had to share it again! KeySweeper is an Arduino-based keylogger for Microsoft wireless keyboards (which use a proprietary 2.4GHz RF protocol), cleverly camouflaged as a functioning USB wall charger. The stealthy ATmega328-driven device can sniff, decrypt, log and report back all keystrokes — saving them both locally and online.

Keystrokes are then relayed back to the KeySweeper operator over the Internet via an optional GSM chip, or can be stored on a flash chip and delivered wirelessly when a secondary KeySweeper comes within range of the target KeySweeper. The well-known hardware hacker suggests that KeySweeper’s effective range is that of a typical Bluetooth device, but that it could be extended using a low-noise amplifier. A web-based tool enables live keystroke monitoring.

Users can set up SMS alerts that are triggered when certain keystrokes, in the form of words, usernames or URLs, are typed, e.g. “bank” or heck, even “www.atmel.com.” (*Shameless SEO plug.*) If KeySweeper is removed from AC power, it gives the impression of being shut off; however, the inconspicuous gadget continues to operate covertly on an internal battery that is automatically recharged once it is reconnected to AC power.

As you are well aware, wireless keyboards have become a popular option for users connecting to a laptop. Kamkar said he picked Microsoft’s keyboards after going into Best Buy and seeing which models seemed to be the most prevalent. Such units often encrypt their data before sending it wirelessly, but Kamkar claims to have discovered multiple bugs that make it easy to decrypt. While the researcher hasn’t tested the device on every Microsoft keyboard, he does believe that, given their similarities, they will all be affected.

The KeySweeper project builds on previous work from Travis Goodspeed, Thorsten Schröder and Max Moser around the megaAVR controlled KeyKeriki.

Kamkar says the cost for KeySweeper can range anywhere from $10 to $80, depending on the operation and its necessary functions. Aside from the Arduino Pro Mini that he selected for its size, other components include:

  • nRF24L01+ 2.4GHz RF chip, which communicates using GFSK over 2.4GHz
  • AC USB charger for converting AC power to 5V DC.
  • (Optional) An SPI serial flash chip to store keystrokes on.
  • (Optional) Adafruit FONA, which allows you to use a 2G SIM card to send/receive SMS, make phone calls, and use the Internet directly from the device.
  • (Optional, if using FONA) The FONA requires a mini-SIM card — not a micro-SIM.
  • (Optional, if using FONA) The FONA provides on-board LiPo/Li-ion battery recharging; while KeySweeper is connected to AC power the battery is kept charged, but a battery is required nonetheless.

It should be noted that the hacker does say a Teensy MCU can be used in place of the ‘duino. As for the software, the primary code runs on the microcontroller, while the web-based backend uses jQuery and PHP to log all keystrokes and provide an interface for live monitoring of target keyboards. KeySweeper’s source code and schematic are available on GitHub.

Intrigued? You can access the entire build on Kamkar’s official page.

Hardware security is the only real security

I just came across the epic hack that Wired’s Matt Honan had perpetrated on him. A hacker added a credit card number to his Amazon account. The next day they called Amazon and said they had lost the password. “What is the number of the credit card on the account?” asked the helpful Amazon employee. Once they were in the Amazon account they got into his Google accounts, all helpfully linked by Matt himself, and then the Apple accounts. The hacker was some sociopath kid. He was not interested in money; he just wanted to hurt someone, so he wiped out all the pictures and data on Honan’s phone, computer, and yes, the precious precious cloud. Yes, my precious, one cloud to rule them all.

Just like the Ring in The Lord of the Rings, the cloud can be your worst enemy in the hands of a bad person.

Now initially Honan lamented that he had lost all the pictures of his new baby and a bunch of other stuff. The next article showed how he got it all back in a couple of days. He says he believes in the cloud even more now. Beats me why he thinks that. If he had not inadvertently left his 1Password account password in his Dropbox on his wife’s computer, it might have been much more difficult to recover control of his accounts.

As to all the wiped data, well, it was lost forever on the precious cloud, but the nice folks at DriveSavers got the SSD (solid-state drive) in his Mac mostly recovered at a cost of $1,690. So since the whole thing gave him half a dozen popular articles to write up, you could argue getting hacked was the best thing that ever happened to his career. It reminds me of when King Louis XIV’s minister Colbert asked a bunch of writers, “What can France do for you?” One shouted back—“Throw us in prison.” It would give them something to write about and the time and solitude needed to write it.

DriveSavers have a full cleanroom to save hacked, damaged, or corrupted hard drives. They can also do forensic hardware analysis on solid state drives (SSDs) as in Matt Honan’s case.

What astonishes me is that this hack happened to a technically astute denizen of San Francisco. Maybe he should move to Silicon Valley; we know a lot about security here, and Atmel’s group in Colorado knows even more. Not only did Honan misplace his trust in online accounts and the precious cloud, he kept no secure data backup. He courageously accepts the blame, but also tries to deflect some blame onto Apple and Google. Sorry, your data is your responsibility. Apple and Google quickly closed the social-manipulation hacks the sociopath used, but it is not their job to accept responsibility for your data. That is your responsibility.

This is what we keep harping on here at Atmel. Security is a key pillar of the Internet of Things, and the best security, the only real security, is hardware security. You don’t want these malicious hackers changing your thermostat, or running up your electric bill, or stealing your security camera feeds. Atmel has inexpensive tiny chips you can use to secure these gizmos. Some of our chips use symmetric authentication. The security chip is programmed with your secret key, and you know the secret key. The microcontroller (and it doesn’t have to be an Atmel microcontroller; it can be anyone’s) sends a random number to the Atmel security chip. The Atmel chip does a mathematical operation on the random number using the secret key, and sends that result back to the microcontroller. The host microcontroller has a local Atmel security chip to do the same mathematical operation on the same random number, and then it compares the two results. If they don’t match, the code stops executing. That way no one can put in bogus code and take over your gizmo. It gives you secure boot and secure downloads and upgrades. You can also use Atmel security chips to verify a battery or accessory is genuine and not some knock-off product.

Atmel’s CryptoAuthentication™ system uses hardware and extreme security to protect your system.

Now since the microcontroller is connected to the Atmel security chips by way of a common SPI port, you might fear a hacker could snoop on the communication and learn the random number sent to the Atmel chip or the mathematical result sent from it back to the micro. That’s the beautiful part of this. The micro generates a new random number every time. If the host micro is too small and simple to generate a reliable random number, the tiny Atmel security chip has its own true random number generator (TRNG). So the micro can query the Atmel chip for the number, then query for the result, then do the same operation using the same secret key. Snooping on the serial port will only give you the last random number and the result. You will have no idea what the operation was that produced the result. It’s like snooping and seeing the number 12 transmitted, but you still don’t know if that was based on 2 times 6 or 3 times 4. Now imagine that problem with numbers hundreds of bits long, and you can see how secure this makes your system.
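The challenge-response exchange from the two paragraphs above, and why a snooped bus transcript does not help an attacker, as an added example (not Atmel’s code or the CryptoAuthentication API): a host with its own key-holding chip challenges an accessory with a fresh random number and compares the two results in constant time. HMAC-SHA256 stands in for the chip’s “mathematical operation” (an assumption; the page does not name it), and the key, the knock-off and the bus sniffer are constructed for the demonstration.

```python
import hmac
import hashlib
import secrets


class AuthChip:
    """Model of a security chip that holds a secret key it never reveals.
    The keyed operation is assumed to be HMAC-SHA256 (not stated on the page)."""

    def __init__(self, secret_key: bytes):
        self._key = secret_key          # programmed once, never read back over the bus

    def random(self) -> bytes:
        # Stand-in for the chip's true random number generator (TRNG)
        return secrets.token_bytes(32)

    def mac(self, challenge: bytes) -> bytes:
        # Keyed digest of the challenge; only a chip with the same key matches it
        return hmac.new(self._key, challenge, hashlib.sha256).digest()


class BusSniffer:
    """Passive observer of the SPI traffic: sees challenges and results, not the key."""

    def __init__(self):
        self.log = []                   # (challenge, response) pairs seen on the bus


def authenticate(host_chip: AuthChip, responder, sniffer: BusSniffer = None) -> bool:
    """Host challenges `responder` (anything with .mac()) and checks the answer
    against its own local chip. A fresh nonce is drawn on every attempt."""
    challenge = host_chip.random()
    response = responder.mac(challenge)
    if sniffer is not None:
        sniffer.log.append((challenge, response))
    expected = host_chip.mac(challenge)
    # Constant-time comparison so timing does not leak which byte mismatched
    return hmac.compare_digest(response, expected)


class ReplayAttacker:
    """Knock-off that answers any challenge with the last response it sniffed."""

    def __init__(self, sniffer: BusSniffer):
        self.sniffer = sniffer

    def mac(self, challenge: bytes) -> bytes:
        return self.sniffer.log[-1][1]  # stale result for an old random number


def demo() -> dict:
    key = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)  # constructed 256-bit key
    host, genuine, knockoff = AuthChip(key), AuthChip(key), AuthChip(b"wrong key")
    sniffer = BusSniffer()
    return {
        "genuine": authenticate(host, genuine, sniffer),    # same key -> True
        "knockoff": authenticate(host, knockoff),           # other key -> False
        "replay": authenticate(host, ReplayAttacker(sniffer)),  # old result -> False
    }
```

Only a device holding the same key passes; the recorded challenge and result from a previous round are useless against the next random number.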

This USB memory stick has a keypad to unlock it. You can store all your passwords or love letters on it and no one can get in without the code.

So it’s great to have services like 1Password, which is a browser extension combined with a remote server that generates and stores different passwords for all your needs. If, however, you need to use two computers, and who doesn’t, now you get to involve Dropbox so that you can store the master password there and get at your 1Password even if you are at a Kinkos computer. Thing is, I just feel better with hardware security. In this case, it would be using a USB stick with a hardware keypad or fingerprint sensor. Those are great since you don’t need a program on the computer or Surface Pro tablet to run it. You swipe your finger or type in a code, the stick unlocks, and you can cut-and-paste passwords as you need to. Thing is, there I worry about Windows saving some temporary file. I looked into this a few years ago, and sure enough, even a text file seemed to get cloned somewhere once you opened it off a stick. So the real hardware security is two-factor authentication like you get with an RSA dongle or a YubiKey. Once again, the essential element is a real physical piece of hardware that makes the system secure. I love the YubiKey since it emulates a keyboard, so unless someone has infected your computer with a keylogger, there is no record that you used it. And, like the RSA SecurID, even if they do keylog it, the same code never works twice. They are just like that Atmel security chip and just as uncrackable.

The YubiKey is a two-factor authentication system accepted by more and more sites for login. The Nano model is as small as the USB contact pins. Pressing a little button on the device makes it send the one-time log-on code as though it was a USB keyboard.