Security researcher Samy Kamkar has recently taken the wraps off KeySweeper, a wireless keyboard sniffer that is disguised as a standard USB wall charger, and it’s already gotten quite a bit of attention in the media. Not that making headlines on tech sites is a new feat to Kamkar, who readers may remember from his autonomous hacking drone project SkyJack. While the media has a tendency to exaggerate things a bit, KeySweeper is perhaps the exception to the rule.
We’ve talked about rogue devices hiding in everyday objects before, but there haven’t been many verifiable real-world examples. Only a month ago we covered a story in which many people doubted the very existence of the device in question. KeySweeper presents a rare opportunity to get inside one of these devices and see just what’s possible in such a small package.
Theory of Operation
The development of KeySweeper started by cracking open a wireless keyboard made by Microsoft to see what sort of wireless technology it used. Determining that the keyboard used hardware by Nordic Semiconductor, Kamkar was able to find a compatible radio module for less than $1 on eBay. But looking through the Nordic chip’s datasheet showed that it didn’t appear to have any official sniffing functionality, which would seem to rule out the ability to use it for anything but its intended function.
A bit of research showed that Travis Goodspeed had already done some work in sniffing Microsoft keyboards using the Nordic chipset, coming up with a way of tricking the chip into receiving data in promiscuous mode. Goodspeed’s method was exactly what Kamkar was looking for, but it required a computer and additional hardware. Kamkar ported over some of Goodspeed’s original Python code to C so it could run on a microcontroller, and made some improvements to speed up scanning.
Once Kamkar had a small device capable of receiving packets from Microsoft keyboards, he still needed to decrypt them. As it turns out, researchers Thorsten Schröder and Max Moser had already done a lot of the decryption work in their KeyKeriki project. Some additional discoveries and work by Kamkar got the entire decryption routine down to just a couple of lines of C, suitable for running on even the most basic of processors:
void decrypt(uint8_t* pkt)
for (int i = 4; i < 15; i++)
pkt[i] ^= mac >> (((i - 4) % 5) * 8) & 0xFF;
Inside the KeySweeper
With the software worked out, the next step was getting the hardware as cheaply and small as possible.
In its most basic configuration, the KeySweeper is made up of an Arduino Pro Mini and NRF24L01+ radio, which can both be had for just a few dollars. With these two devices alone it’s possible to capture and decode wireless keyboards, but a few other optional components make the KeySweeper even more powerful. An SPI flash chip can be used to store large numbers of keystrokes, and a GSM module can send the keystrokes out over the Internet or via SMS messages. There’s even a rechargable battery which can be used to provide the KeySweeper with power.
While this sounds like a lot of hardware, it can all be made to fit inside the casing of a standard USB wall charger, even with the charger electronics inside. The KeySweeper really is perfectly disguised, short of weighing a bit more than the victim may expect, there is nothing that would tip them off to their USB charger actually being a sophisticated espionage tool.
Room for Improvement
Critics will say that the KeySweeper is too focused on one target (Microsoft keyboards using the NRF24L01 radio) to really be a threat, and of course that’s true. As it is now, the KeySweeper is just a proof of concept. What’s really interesting is how future devices will take this concept to the next level.
The proprietary NRF24L01 module could easily be swapped out for similarly sized Bluetooth or WiFi modules for only a few dollars more. This year saw the release of the ESP8266 chip, a $5 module that can be connected up to a microcontroller and offer a full TCP/IP stack and WiFi connectivity. A KeySweeper-derived device with a ESP8266 chip onboard could potentially map a victim’s entire network and send it to a central server, while still being cheap enough that it would be disposable.
Tiny development boards like the Arduino don’t have nearly the processing power required to crack serious encryption or manipulate live data on the network…yet. As embedded computers become smaller and more powerful, it won’t be long before low cost boards the size of the Arduino have as much power as our smartphones do now.
The KeySweeper is undeniably impressive, but what may be making its reveal an even bigger story is the fact that Kamkar has documented the entire build process (even providing links to where he purchased the individual components) and released all of the source code for both the KeySweeper itself and the server side data collection tools on GitHub.
Instead of trying to sell this product as a kit, or attempting to crowdsource it as a finished product, Kamkar has cracked his project wide open for anyone who doubted that these kind of devices could be out in the wild. While some will still question if the USB charger you got with your knock-off MP3 player is something you need to be suspicious of, there is no longer any question that not only is the hardware to build such a device readily available, nearly anyone can buy it and put one together.
Anyone who looks at the KeySweeper and doesn’t think that the security industry is changing forever is kidding themselves. Devices like this will go from being a newsworthy oddity to a day-to-day threat, and the best way to protect yourself is to understand them as much as possible. With luck, the release of the Samy Kamkar’s KeySweeper will serve more to inform people on how to best protect themselves from devices like this in the future than it will give blueprints to those who would build one for their own nefarious purposes.
It could go either way, it just depends who’s listening harder.