And it also sends them over the Internet to a remote machine

Jan 13, 2015 14:30 GMT

A regular wall charger has been modified to intercept, decrypt and store all keystrokes from a Microsoft keyboard nearby, regardless of the OS it is connected to, as well as to send the information over the web to a remote machine.

The device looks inconspicuous, since wall chargers are a common sight in offices, but crammed inside are several hardware components that let it sniff and deliver the data captured from the target device.

FCC website proves to be helpful

Computer hacker and security researcher Samy Kamkar developed a gadget he called KeySweeper, built around an Arduino Pro Mini micro-controller and an nRF24L01+ RF chip that can communicate over the same frequency as the keyboard.

Determining the communication frequency of the Microsoft device was the easy part, as searching for the product’s Federal Communications Commission (FCC) ID reveals this information.

Making it capture the data delivered by the keyboard via a proprietary signal (2.4 GHz in this case) was a bit trickier, not just because technical knowledge is required and the hardware and software components are not easy to find, but also because it needed to be done with components that would fit inside the spying wall charger.

Huge improvement of previous method

However, Kamkar discovered that Travis Goodspeed, the creator of the GoodFET project, had already dabbled with the RF chip and discovered a way to sniff the packets it sent.

The best part for Kamkar’s project was that Goodspeed also used the chip to intercept data from a similar keyboard, so he had some footsteps he could follow.

From this, the hacker started to make some improvements regarding scan speed and portability. As such, he ported GoodFET to C in order to load it on a micro-controller.

One of the steps he took was to refine the frequency scan by setting a smaller range; another consisted in specifying details about the MAC addresses that should be considered.

With all improvements applied, Kamkar succeeded in reducing the scan time from about 85 minutes to only 40 seconds for a full sweep.

Keystroke interception can be sent over the web

Decrypting the keystrokes was probably the easiest task, as an XOR cipher was used in ECB mode, which is one of the simplest forms of encryption. This was one of the final nails in the coffin.
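Why the XOR-in-ECB scheme mentioned above gives no confidentiality, as an added Python example that is not from the original article or from Kamkar's project: every block is XORed with the same key, so repeated keystrokes produce repeated ciphertext and a single known block reveals the key. The 8-byte block size, the `KEY:` packet layout and all function names are constructed for illustration and do not reflect the keyboard's real protocol.

```python
import secrets

BLOCK = 8  # constructed block size for this toy; not the keyboard's real packet layout


def xor_ecb(data: bytes, key: bytes) -> bytes:
    """XOR each BLOCK-byte block with the same key. Encrypting and decrypting are identical."""
    if len(key) != BLOCK or len(data) % BLOCK:
        raise ValueError("key must be BLOCK bytes and data a whole number of blocks")
    return bytes(b ^ key[i % BLOCK] for i, b in enumerate(data))


def split_blocks(data: bytes) -> list[bytes]:
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def repeated_blocks(ciphertext: bytes) -> int:
    """Count ciphertext blocks that duplicate an earlier one (ECB leaks equality)."""
    found = split_blocks(ciphertext)
    return len(found) - len(set(found))


def key_from_known_block(cipher_block: bytes, plain_block: bytes) -> bytes:
    """c = p XOR k, so k = c XOR p: one known block yields the whole key."""
    return bytes(c ^ p for c, p in zip(cipher_block, plain_block))


def toy_packet(ch: str) -> bytes:
    """Constructed packet: fixed 4-byte header, one character, zero padding."""
    return b"KEY:" + ch.encode("ascii") + b"\x00\x00\x00"


def demo(text: str = "hello") -> dict:
    key = secrets.token_bytes(BLOCK)  # random key, unknown to the analysis below
    plaintext = b"".join(toy_packet(c) for c in text)
    ciphertext = xor_ecb(plaintext, key)
    # The first packet's content is predictable, which is all that is needed.
    recovered = key_from_known_block(split_blocks(ciphertext)[0], toy_packet(text[0]))
    return {
        "repeats": repeated_blocks(ciphertext),
        "key_recovered": recovered == key,
        "decrypted": xor_ecb(ciphertext, recovered),
        "plaintext": plaintext,
    }


if __name__ == "__main__":
    result = demo()
    print(result["repeats"], result["key_recovered"], result["decrypted"] == result["plaintext"])
```

A link that needs confidentiality should use an authenticated cipher with a per-packet nonce, so equal plaintexts never produce equal ciphertexts and a known packet reveals nothing about the key.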

However, Kamkar extended KeySweeper to send the data over the Internet using a FONA board that supports 2G SIM cards with SMS support, and also fitted an SPI Serial Flash chip to store the information locally so that it can be extracted at a later time.

Apart from these boards, the hacker kept the original charger circuit board and also found room for a rechargeable battery, whose purpose is to keep the device running if someone decides to unplug it from the wall socket.

The beautiful part is that the LED light signaling that the charger is connected to power will turn off when unplugged, and the battery will kick in automatically.

The full-options version is impressive

Basically, the simplest setup involves an Arduino micro-controller and the nRF24L01+ RF chip; but Kamkar’s full version is self-sufficient, and the attacker does not even have to be in the same room as the victim.

More than this, the FONA board can be programmed to send short text messages when specific trigger words are intercepted, so a sequence of characters is automatically sent to the operator of KeySweeper when the defined string is typed on the target keyboard.

The researcher explained every step of his project in a video.
