Wall Charger can Hack Wireless Keyboard

Friday, January 16, 2015 @ 01:01 PM gHale

A wall charger modified to intercept, decrypt and store all keystrokes from a Microsoft keyboard nearby, regardless of the operating system, can also send the purloined information over the web to a remote machine.

The device, which workers use anywhere, ends up packed with different hardware pieces that help it sniff and deliver the data captured from the target device.

Tool Automates Phishing Attacks
Mobile Spy Program Target: Oil Industry
Surveillance Malware Hides as Legit Software
Details Emerge on Espionage Campaign

Computer hacker and security researcher Samy Kamkar developed a device featuring an Arduino Pro Mini micro-controller he called KeySweeper, which integrates an nRF24L01+ RF chip that can communicate over the same frequency as the keyboard.

Determining the communication frequency of the Microsoft device was the easy part, as searching for the product’s Federal Communications Commission (FCC) ID reveals this information.

Making it capture the data delivered by the keyboard via a proprietary signal (2.4 in this case) was more difficult, not just because of the required technical knowledge, but also because it needed components that would fit inside the spying wall charger.

Kamkar found Travis Goodspeed, who created the GoodFET project, had already discovered a way to sniff the packets it sent.

One of the first steps Kamkar did was to port GoodFET to C in order to load it on a micro-controller. Then is was able to refine the frequency scan by setting a smaller range; another consisted in specifying details about the MAC addresses that should come into play.

With all changes, Kamkar succeeded in reducing the scan speed from about 85 minutes to only 40 seconds for a full sweep.

Decrypting the keystrokes was one thing, as XOR cipher ended up used in ECB mode, which is one of the simplest ways of encryption.

Kamkar extended the capabilities of his KeySweeper to sending the data over the Internet using a FONA board that supports 2G SIM cards with SMS support, and also fitted an SPI Serial Flash Chip to store the information locally in order to extract it at a later time.

Apart from these boards, the hacker kept the original charger circuit board and also found room for a rechargeable battery, whose purpose is to keep the device running if someone decides to unplug it from the wall socket.

The LED light signaling the charger’s connection to a power source will turn off when unplugged, and the battery will kick in automatically.

The simplest setup involves an Arduino micro-controller and the nRF24L01+ RF chip, but Kamkar’s full version is self-sufficient, and the attacker does not even have to be in the same room as the victim.

It is possible for the FONA board to send short text messages when specific trigger words end up intercepted, so a sequence of characters automatically sends to the operator of KeySweeper when the defined string types out on the target keyboard.

Leave a Reply

You must be logged in to post a comment.