Keysweeper: creepy keystroke logger camouflaged as USB charger


2 Likes

Wired keyboards are still where it’s at, folks.

4 Likes

How long until Van Eck is small enough to fit in something like that?

2 Likes

I use a Kinesis, so I’m like “whateva”, right? Microsoft is for n00bs, innit?

… I’M JOKING, I’M JOKING.

’Tis the future of computing, folks. Sensors and loggers so small and so pervasive, you probably won’t even know that you’re being recorded and pwned by the brand new coffee machine you bought last week.

3 Likes

Your coffee machine will be too busy mining bitcoins. You will be pwned by a keyfob in your pocket, that you didn’t even know has a processor/radio in it.

7 Likes

Get some SoC chip that can run linux fast enough. Strip the RTL2832U chip from a TV dongle, together with its companion tuner chip (or use the entire dongle as a bare board, for some added space penalty). And voila, you’re there. Possibly could be made even from off-the-shelf modules without having to handle SMD chips.

I’d suggest using something like a mains power strip there, though. You have more space there, and you can use a longer antenna.

1 Like

For small-sized pen testing devices, I think Iā€™ve fallen in love with the latest Pwnie Express

2 Likes

Are all wireless keyboards vulnerable? I use an Apple keyboard with my Mac, and I thought it said something during the Bluetooth pairing process about it being secure, but I don’t really recall. That’s an absurdly huge security hole, if so. Forget using FireSheep in a cafe, every other person I see is using an iPad with a Bluetooth keyboard.

What advantages does it have in comparison with Raspberry Pi, Banana Pi, BeagleBone Black, or similar board, with USB peripherals for the wireless, and running the appropriate pentesting distro, to justify the $1000 cost?

Well that’s… evil.

1 Like

Microsoft’s mistake is they attempt to roll their own encryption, which is a huge mistake. The far majority of their keyboards (except newer, specific ones) do not use Bluetooth or support bluetooth because Windows has historically had such piss-poor bluetooth support BT was almost unusable. There are multiple Bluetooth stacks in Windows and the Microsoft developed one doesn’t support many features and didn’t even support secure pairing until Windows 7.

Bluetooth itself is much, much, much more secure when implemented properly.

2 Likes

Duh. The name.

What sounds better on the evening news…

“…and the network security was circumvented using a tiny computer marketed to hackers…”

“…the network security was eviscerated by rogue hackers using a device known as ‘The Pwnie Express’, for more discussion, let’s turn to our panel…”

I rest my case.

2 Likes

Unfortunately, wired is a mixed blessing:

The developers of wireless peripherals have done a shamefully poor job in securing them (in the really cheap seats, you can’t always be assured that multiple units from the same vendor won’t start scribbling over one another, I ran into this one personally); but consumer wired standards are developed and implemented with effectively zero consideration for Tempest attacks (aside from the bare minimum that FCC compliance forces them to do, or at least pretend to do when authorities are watching).

Given the state of the market, I suspect that wireless is worse, since it’s explicitly designed to be easy and cheap to receive, and security is a pitiful afterthought; but wired gives zero thought to security, and every wire with a moderately high speed digital signal is an antenna just lacking formal recognition. Best case, ‘wireless’ at least causes people to think about security, while ‘wired’ just makes them think “Oh, intrinsically secure unless somebody gets a vampire tap or a MiTM there!”, which isn’t actually true.

Give me the future where my Model M has to be securely keyfilled and initiate an encrypted channel after mutual asymmetric key challenge/response! Also, get those damn kids off my lawn.

1 Like

Probably -5 years, at least, if you are one of the cool kids who gets to shop out of the NSA TAO catalog…

I don’t even have WiFi in my house: all of the computers in my house are hardwired just ’cuz I’m a little paranoid.
And I don’t do any commerce or visit sites that need passwords when I’m using my laptop away from home. :unlock:

2 Likes

That would make sense. Because for the difference in cost you could get a small 3d printer or a cheap laser cutter to make a posh case, so the case alone couldn’t be The Difference too.

The form factor is also somewhat unsuitable for covert infiltration. Bare boards, small, in a set connected with short cables that allow flexibility in arrangement to facilitate easier concealment in existing enclosures (e.g. a power strip, a bigger power supply, a stereo, any object that does not stand out in the target environment and if possible is power-connected), would make more sense for actual field deployment.

The advent of cheap, affordable thermal imagers (FLIR One, for example) will make discovery of such toys easier. When active, they heat up even if slightly, and shine in the 8-12 micrometer band.

We are so used to economies of scale today. Even really smart people forget that not everything has R&D costs spread over millions of units.

Good comment. However this can be addressed mostly by replacing the cable with a high-quality shielded one, or with a length of optical fiber. The more painful problem here is the large antenna array known as the keyboard scanning matrix. Shielding that out will be a pain. (Though, for the keyboards with matrix made from three layers of foil (spacer between silkscreened silver-ink matrix), you could sandwich the foil stack with aluminium or copper foil. But these are crap touch-wise.)

Edit: What we need is a suite of cheap TEMPEST testing tools. We can take advantage of having full control of the target, so we can compensate for low sensitivity of the receivers with injecting known signals and making the wires inside intentionally noisy and sweep through the frequencies in a way synced with the receiver (which is tuned to the fundamental or a harmonic of the test frequency sweep). Use a way-worse-than-worst-case signal to test the shielding.
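The coherent-detection idea in the edit above, as an added simulation that is not part of the poster's comment: a known pseudorandom test sequence stands in for the synced frequency sweep, the "receiver" knows the exact waveform and timing, and correlation recovers a leak that a plain power measurement cannot see. All signal levels, the -20 dB leakage figure and the 5-sigma threshold are constructed assumptions.

```python
import math
import random

# Constructed simulation, not a measurement: a known test signal is driven
# onto a wire inside a shielded enclosure and a receiver outside records a
# heavily attenuated copy buried in noise.  Because the receiver knows the
# exact waveform and timing, it can correlate instead of just measuring
# power, gaining roughly 10*log10(N) dB of sensitivity over N synced samples.

N_SAMPLES = 20000
NOISE_STD = 1.0           # receiver noise floor, arbitrary units
INJECTED_AMPLITUDE = 1.0  # amplitude of the test signal on the wire


def reference_sequence(seed=1):
    """Known +/-1 pseudorandom chips shared by injector and receiver."""
    rng = random.Random(seed)
    return [rng.choice((-1.0, 1.0)) for _ in range(N_SAMPLES)]


def capture(ref, leak_gain, seed=2):
    """Simulate what the receiver sees: ref scaled by the enclosure's
    leakage gain (e.g. 0.1 == -20 dB of shielding) plus Gaussian noise."""
    rng = random.Random(seed)
    return [leak_gain * INJECTED_AMPLITUDE * x + rng.gauss(0.0, NOISE_STD)
            for x in ref]


def analyse(ref, rx, sigmas=5.0):
    """Compare a naive power detector with coherent correlation.

    Returns (detected, estimated_attenuation_db, power_excess_db)."""
    n = len(rx)
    # Naive: does captured power exceed the noise floor?  For a weak leak
    # it barely moves, so this detector is effectively blind.
    power = sum(v * v for v in rx) / n
    power_excess_db = 10 * math.log10(power / NOISE_STD ** 2)
    # Coherent: project the capture onto the known sequence.  Noise averages
    # toward zero while the synchronised leak adds up linearly.
    a_hat = sum(r * v for r, v in zip(ref, rx)) / n
    rx_std = math.sqrt(power)  # nearly pure noise, fine as a noise estimate
    threshold = sigmas * rx_std / math.sqrt(n)
    detected = abs(a_hat) > threshold
    attenuation_db = (20 * math.log10(abs(a_hat) / INJECTED_AMPLITUDE)
                      if a_hat else float("-inf"))
    return detected, attenuation_db, power_excess_db


if __name__ == "__main__":
    ref = reference_sequence()
    for gain in (0.1, 0.0):   # -20 dB leak, and a perfectly sealed box
        print(gain, analyse(ref, capture(ref, gain)))
```

The raw power reading moves by a few hundredths of a dB in both cases, while the correlator reports the leaky box at about -20 dB with a clear margin and stays quiet on the sealed one.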

Depends on how much R&D went into this one. Looks to me, and the cellphone too, like pretty much a bog-standard Kali Linux or other pentesting distro on stock hardware. I may be wrong, though, so I am asking if I am.

That’s far outside my expertise, but I have worked in places where these things are concerns (or at least, I assume that was the motivation requiring 1 m separation between certain types of data cables and allowing only right angle cable crossings). Obviously we used only wired keyboards, but they were only regular off the shelf keyboards. Are tempest attacks on modern hardware a realistic concern?

That said, there were other security measures in place.

I’ve not had to consider the matter in detail; but people who have tried say that it is doable. (Plus fingerprinting of individual target keyboards, and nontrivial range…)

1 Like