Previously, the author introduced how a maker (Samy Kamkar) from abroad used the Teensy development board disguised as a USB flash drive to tamper with MacOS X’s DNS settings, allowing users to fall into phishing websites. Now Samy has brought a new “thing”; this time, Arduino is disguised inside a USB charger. This device can automatically record and transmit the data entered by users of Microsoft wireless keyboards, and it costs as little as $10!
Editor Note: This article only introduces the implementation method and experiments from a technical perspective, but does not recommend the application of this work. Illegal monitoring may bring unnecessary trouble.
Automatically Steal and Wirelessly Transmit Data
The “thing” brought by Samy is called KeySweeper, a keyboard side-recording device based on Arduino that can intercept all data input from nearby Microsoft wireless keyboards, including usernames and passwords entered by users.
Since KeySweeper is housed inside a USB charger and the USB charger retains its charging function, this disguise is indeed covert! Even more frightening, KeySweeper has a built-in rechargeable lithium battery. When the charger is plugged into a socket, it is actually charging the lithium battery; when the charger is unplugged, KeySweeper can continue to operate for a period of time using the lithium battery. KeySweeper also has a built-in 2.4GHz NRF24L01 wireless transceiver module to steal data; it can also use a mobile communication module to transmit intercepted data via SMS through a 2G network. If a malicious person gives KeySweeper to a victim, the victim will not suspect anything, thus putting their data security at great risk.
KeySweeper looks no different from a regular USB charger, it is indeed hidden too deeply.
KeySweeper can charge like a normal USB charger, allowing the victim to let their guard down.
KeySweeper comes with a rechargeable lithium battery and can operate continuously for a period of time.
Breaking Keyboard Encryption Mechanisms
The main function of KeySweeper is to capture the 2.4GHz RF signals from Microsoft wireless keyboards, decrypt them, and store the data, or send it to users in real-time via a mobile communication module. Samy has also prepared a browser interface for operational backend, which can display the input status of the intercepted keyboard in real-time.
To save SMS costs, KeySweeper can be set to send subsequent related information after detecting keywords. For example, after KeySweeper detects that the victim has entered “www.band.com”, it will send the following text, which is likely to be the online banking account and password.
During the design process of KeySweeper, the most important part was the decryption process of keyboard signals. Previously, developers Thorsten Schröder and Max Mose had developed a tool called KeyKeriki. KeyKeriki used reverse engineering to crack the encryption process of Microsoft wireless keyboards, but its size was too large to be suitable for KeySweeper. However, Samy utilized this achievement and improved the program to operate through cheap and lightweight microcontrollers, allowing KeySweeper’s size to shrink to fit inside a USB charger.
KeySweeper has a monitoring interface that can display the data input from intercepted wireless keyboards in real-time.
KeySweeper can also transmit intercepted data via SMS.
Hardware Costs
Samy also shared his production costs. Depending on the hardware selected, it costs as little as $10 and will not exceed $100.
-
Arduino / Teensy Microcontroller: $3-30
-
2.4GHz NRF24L01 Wireless Transceiver Module: $1
-
USB Charger: $6
If you want to upgrade KeySweeper, you can add the following hardware; the SPI interface and Adafruit FONA have similar functions, just choose one.
-
SPI Interface: $2
-
Adafruit FONA: $45
-
SIM Card (used with Adafruit FONA): $3
-
Rechargeable Lithium Battery (used with Adafruit FONA): $5
The core component of KeySweeper is the Arduino Pro Mini.
The 2.4GHz nRF24L01 is used to capture data from wireless keyboards.
Adafruit FONA is a communication module used to transmit collected data.
In order to fit everything into the USB charger, Samy replaced the original charging module with a small charger module.
The USB charger has a larger space and is fixed with screws, so it won’t be damaged during disassembly and installation, making it suitable for modification.
This way, everything can be easily fit inside.
PS: Click to read the original text, and check the complete code at the end.
Submission: [email protected]
