The author of the FBI advisory contacted Ars to say the point he wanted to convey is that threat stems not from KeySweeper itself, but from similar types of devices that could easily contain additional functionality. “Arduino being modular and programmable, a cyber actor could swap out parts or alter coding and change what is (frankly) a negligible threat into something actually problematic (e.g., swapping the nRF chip out for some form of Wi-fi sniffer),” the author wrote “It’s the fact this thing looks completely harmless, but can hide something capable of stealing data over the air.”
FBI officials are warning private industry partners to be on the lookout for highly stealthy keystroke loggers that surreptitiously sniff passwords and other input typed into wireless keyboards.
The FBI’s Private Industry Notification is dated April 29, more than 15 months after whitehat hacker Samy Kamkar released a KeySweeper, a proof-of-concept attack platform that covertly logged and decrypted keystrokes from many Microsoft-branded wireless keyboards and transmitted the data over cellular networks. To lower the chances that the sniffing device might be discovered by a target, Kamkar designed it to look almost identical to USB phone chargers that are nearly ubiquitous in homes and offices.
“If placed strategically in an office or other location where individuals might use wireless devices, a malicious cyber actor could potentially harvest personally identifiable information, intellectual property, trade secrets, passwords, or other sensitive information,” FBI officials wrote in last month’s advisory. “Since the data is intercepted prior to reaching the CPU, security managers may not have insight into how sensitive information is being stolen.”
It’s not clear why the FBI waited so long to warn private industry players of the KeySweeper threat. The notification, which says the information was obtained through an undescribed “investigation,” makes no mention of malicious sniffers being found in the wild. Kamkar told Ars that he hasn’t heard of any reports of real attacks using devices similar to KeySweeper but that he couldn’t rule out the possibility, either.
Microsoft officials have pointed out that sniffing attacks work against any wireless device that doesn’t use strong cryptography to encrypt the data transmitted between a keyboard and the computer it’s connected to. The officials have said that company-branded keyboards manufactured after 2011 are protected because they use the Advanced Encryption Standard. Bluetooth-enabled wireless keyboards are also protected. Anyone using a wireless keyboard from Microsoft or any other maker should ensure it’s using strong cryptography to prevent nearby devices from eavesdropping on the radio signal and logging keystrokes.