Keysweeper: creepy keystroke logger camouflaged as USB charger

Not a keyboard, but we’ve had Apple trackpads pair to the wrong computer by mistake at work.

@shaddack is too dangerous to be allowed to live.

If we hire a hit via Craigslist, do we fund it with Kickstarter or GoFundMe?

3 Likes

This problem has already been researched. The article is short but there is more material in its sources.

2 Likes

$5 on January 23rd.

3 Likes

300 Quatloos that the object of the bet will prove to be un-locatable during the critical time-span.

4 Likes

No worries, we arfid-chipped him last week.

3 Likes

Seems like an incorrect Bluetooth pairing isn’t nearly as dangerous as this, because (if I understand correctly) the security involved will ensure it’s only connected to one single computer. It’s fine even for a keyboard to be mistakenly connected to the wrong computer, so long as it isn’t also connected to your own – you’re not going to be browsing the web and typing in passwords if your keyboard isn’t responding at all.

If you’re saying that the mouse was paired with both computers, then I’m mistaken about the Bluetooth pairing.

(Note: I’m sure you could carefully engineer a situation where someone is about to type in a password in the shell (where no characters show up when you’re typing in passwords) and then you switch pairings (perhaps while they’re conveniently called away from their computer), and then they’ll type in their password and you can log it. This would obviously require a lot more targeted planning.)

Okay, some prior mistakes to avoid (“Trial of accused Silk Road mastermind Ross Ulbricht begins. Here's why you should care”).

1 Like

See, this is exactly why I’ve gone with a French press.

I think I could design a rudimentary Peltier-powered bug…

I agree that wired are better. But feds and other spies also install keyloggers in those as well. Wireless only makes it easier.

1 Like

Wireless makes it WAY WAY easier, usually.
Then there is the poorly wired, which can be counted as sort-of wireless (aka TEMPEST).
Then there is the possibility of physical compromise, whether inserting a keylogger or, more insidious and deniable, e.g. compromising the shielding or other intentional increase of unintentional emanations.
And let’s not discount the chance of remote compromise of the software, which is typically way less risky than physical entry and tampering. Especially in the age of poorly written software that has more holes than an average colander.

2 Likes

I suspect that some implementations are bulletproof; but the thing that makes me nervous as hell about Bluetooth is that there are six different types of pairing defined in the standards, plus an option for unencrypted channels and an option for ‘out of band’ pairing (e.g. with NFC) that depends on the security of the out-of-band mechanism chosen for its strength. Bluetooth Low Energy has at least one pairing mode of its own, as well.

I have no reason to believe that all of those mechanisms are screwed, and I suspect that Apple is more likely to, say, just break all the ‘legacy’ pairing modes and tell you to buy new hardware or cry about it; but the situation makes it comparatively difficult to say anything useful about ‘a Bluetooth keyboard’ in use with ‘my phone’ without a bit of digging (possibly with a protocol analyser right on the RF, the UI quite likely won’t tell you).

At least with wifi, while there are known-dreadful implementations (WEP, WPS), basically all hardware that uses wifi allows you to determine what you are getting yourself into. Bluetooth, thanks to being about fifty-zillion ‘profiles’ long, and designed so that it doesn’t exclude devices with nearly no user interface at all, can be any number of things and isn’t always helpful about telling you which ones it is at a given time.

2 Likes
