RISK ASSESSMENT RATING: 3.33
How often the rogue device is used in the wild to conduct real-world attacks, with 1 being the rarest, 10 being widely used.
The KeyGrabber can be considered “popular” in the sense that people are talking about it, but real-world attacks at this point in its development are unlikely and currently unreported.
The cost or “DIY burden” of the device, availability (ease of acquisition), and degree of skill necessary to deploy/operate the device, with 1 being expensive/difficult to build, not publicly available, and requiring deep technical expertise to operate, 10 being low-cost, available for purchase online, plug-and-play operation.
While the KeySweeper has impressive documentation, it is meant to be built from scratch and is still not a project for a beginner.
The potential damage caused by successful execution of the attack, with 1 being exposure of trivial information from the target, 10 being organization-wide superuser-level compromise or equivalent.
Like the KeyGrabber, the impact of the KeySweeper is dependent upon what is typed. Though much of the information would most likely be trivial, a long enough period of data (or certain login information) is of immense value to an attacker.
Unveiled in January 2015 by security researcher Samy Kamkar, KeySweeper is an open source sniffer for Microsoft wireless keyboards. Built into the case of a standard USB wall charger, the KeySweeper can easily be deployed and hidden without arousing suspicion. Depending on the optional hardware, an individual can construct their own KeySweeper for as little as $10 by following the detailed instructions on Kamkar’s site.
While all of the hardware to construct the KeySweeper is readily available, the skills required to assemble one are far from trivial. In addition, the fact that it targets only a single type of wireless keyboard gives it a rather narrow scope. Still, if taken as a proof of concept for what’s possible with hobby-grade electronics, the KeySweeper is a sobering wake-up call.
- CPU: Arduino or Teensy Microcontroller
- I/O: NRF24L01+ 2.4GHz
- Radio: Quad-Band GSM
- Storage: 1 MB SPI Flash (Optional)
- OS: Open Source, written in Wiring
The KeySweeper is undeniably one of the best-disguised rogue devices ever conceived, to the point that it’s essentially undetectable short of the victim opening it up to see what’s inside. It’s important to note that not only does the KeySweeper hardware fit perfectly inside the USB charger case, but the charger still works after the modification. While the KeySweeper device would be slightly heavier than a standard USB charger given the added hardware, the chances that a potential victim would notice this and become suspicious of the device are very slim.
Considerable thought was put into the KeySweeper’s design, including a number of optional contingency features. Kamkar details additional hardware such as an internal battery to power the electronics while the device is unplugged, and onboard storage to retain data in the event it cannot be retrieved wirelessly. These optional hardware and software features show just how much flexibility is possible with these types of devices and give a glimpse of what’s possible with more development.
While it was technically designed to only target Microsoft keyboards utilizing a specific wireless chipset, Kamkar mentions that other keyboards are likely using similar technology. With open source code and fully documented hardware, it’s possible the KeySweeper, or a device very much like it, will be updated in the future to support keyboards from more manufacturers.
Given its exceptionally narrow scope and very public unveiling, it’s best to consider the KeySweeper a proof of concept. Even if it were ready to be used as a practical rogue device, the skills required to construct one are not trivial, and Kamkar’s documentation isn’t quite detailed enough to allow a beginner to build one unaided.
While the KeySweeper itself may not be a practical threat for most organizations, the technology it demonstrates certainly is. The framework laid out in Kamkar’s documentation and code can be adapted to many other tasks which could benefit from the same covert properties that make the KeySweeper so impressive.