Private industry players have been warned by the FBI through its Private Industry Notification to keep an eye on those keystroke loggers that have been disguised as USB device chargers. This notification is dated April 29.
FBI officials wrote (Pdf) in their notification that: “If placed strategically in an office or other location where individuals might use wireless devices, a malicious cyber actor could potentially harvest personally identifiable information, intellectual property, trade secrets, passwords, or other sensitive information. Since the data is intercepted prior to reaching the CPU, security managers may not have insight into how sensitive information is being stolen.”
Keystroke Loggers are software that can store passwords and all kinds of keystrokes that are typed into wireless keyboards by the users.
It must be noted that this notification from the FBI comes exactly 15 months after Samy Kamkar, white hat hacker, launched a proof-of-concept attack platform dubbed as KeySweeper. This software could discreetly log and decrypt keystrokes from wireless keyboard manufactured by Microsoft.
The data was transferred through cellular networks and the developer designed it in a way that it resembled everyday use Universal Serial Bus (USB) device chargers so as to evade detection.
KeySweeper contains hardware that can log keystrokes from wireless keyboards and if these are strategically placed inside workplaces or board rooms and several other important locations where people use wireless devices, it could be of great use for malicious actors.
If this happens, threat actors can harvest personally identifiable information, trade secrets, intellectual property such as ideas of upcoming marketing campaigns, passwords, and similar sensitive data. The data can be intercepted before it reaches the CPU, due to which security experts cannot identify that sensitive information is being stolen.
This 3 inches long, Arduino-based device that comes in the shape of a USB phone charger can detect and decrypt radio frequency signals from Microsoft wireless keyboards only because these keyboards transmit these signals to the linked dongle that is plugged into the computer.
It also contains a Subscriber Identity Module or SIM card, which utilizes a cellular connection to transmit data to a linked Web server and allows the device to send out text messages to any connected mobile device.
In a nutshell, KeySweeper is pretty intelligent and quite damning. However, what is driving us crazy is the confusion that why the FBI waited for such a long time to inform and alert private industry partners of the KeySweeper threat.
As per the Microsoft, only those wireless devices that don’t utilize strong and reliable cryptography are vulnerable to such sniffer software like KeySweeper. It is so because cryptography is responsible for data encryption and its safe transmission between a keyboard and the computer with which it is connected to.
However, anyone using the wireless keyboard must make sure that it uses strong cryptography to prevent devices from eavesdropping or storing keystrokes. Moreover, this device can be used to steal keystrokes from other wireless devices apart from keyboards and now it isn’t entirely restricted to Microsoft-branded keyboards. Nonetheless, keyboards using AES encryption or Bluetooth are somewhat safe from this device.
[src src=”Source” url=”https://www.americanbar.org/content/dam/aba/administrative/cyberalert/keysweeper.authcheckdam.pdf”]American Bar/FBI (Pdf)[/src]