This is a beautifully done hack.

Using a legitimate USB charger.
The GSM radio for 2G internet broadcast.
The built-in battery for short-term unplugged continued sniffing.
Trigger word SMS messages.
Live streaming web portal.

That is very, very cool. This is the kind of stealth monitoring device people would just never think to check, and it could easily be replaced without the user being any the wiser.

This is a beautiful example of a real hack superbly executed. Bravo.

Edit: Just realised this is the guy (or team?) behind Evercookie. Looking at the list of projects also done (by going to the root of the URL) is quite impressive.
http://samy.pl/
Does this apply to all Bluetooth keyboards?

Sounds like some public-key crypto could make it safe: embed some unique keys at manufacturing time and use some small crypto library (like TweetNaCl) to communicate and have mutual authentication. For the paranoid there could be a way to update the keys so that not even the vendor can sniff the keystrokes.

Isn't there an RFC for something similar?
Off topic, but this is a great talk that Samy gave at Black Hat in 2010, "How I Met Your Girlfriend": https://www.youtube.com/watch?v=O5xRRF5GfQs
The added electronics just rest against the adapter's boards: http://samy.pl/keysweeper/testingsize.jpg. This looks quite unsafe because of reduced clearances. It has a chance of either exposing HV on the LV (USB power) side or shorting the various boards, potentially starting a fire.

It's a pretty cool proof-of-concept, but I wouldn't connect anything to the USB port. These issues could be solved for deployment by potting or by using a custom smaller PCB integrating the various boards.
I'm assuming it was intentional, but I love how the page is structured somewhat like a page from the NSA ANT catalog [0][1]. The device itself seems like it would fit right into that list.

0. https://www.eff.org/files/2014/01/06/20131230-appelbaum-nsa_ant_catalog.pdf

1. https://en.wikipedia.org/wiki/NSA_ANT_catalog
Are there any good resources for learning more about wireless communication? It's something I have been wanting to learn for a while, but compared to resources for programming, resources for learning about wireless communication are scarce. I am especially referring to embedded wireless; I would love to know how the nRF24 works.
So since the protocol contains basically no authentication other than the MAC address of the keyboard, which the attacker can easily figure out, why isn't there already a key injection portion of this exploit à la a wireless USBdriveby? I can totally see this being extended to wireless keyboard and mouse combos, which would give you a great way to know if the user was at the computer and when it would be safe to compromise it without someone noticing.
The most frustrating thing when reading about keyboard vendors implementing such insecure protocols is knowing that the nRF24LE1 chip Microsoft uses has all it needs for security: *hardware accelerated support for AES*, as well as a *hardware random number generator* [1]. Some comments here suggest using public/private crypto as a fix, but it would not even be necessary. During manufacturing they could simply generate a unique secret AES key for each keyboard/dongle pair, store it in the 1536-byte non-volatile area of the chips, have the hardware RNG on the keyboard generate the IV when a wireless session begins, and use AES in CTR mode. Heck, you could even afford to reserve a few bytes in each packet to store the counter in plaintext for automatic resynchronization when packets are lost, since the nRF24 radios support big enough packets (32 bytes). There are absolutely zero technical reasons not to implement security. It does *not* significantly increase power consumption. It does *not* bloat the code that much.

(I know all this because I have done a lot of work with the nRF24LE1. It is cheap: $4 for a fully assembled module on eBay [2]. It "supports" Bluetooth by bit-banging it [3]. And code for the built-in 8051 core can be compiled by the open source compiler sdcc. These are reasons why I selected this chip for my DIY home automation system.)

In fact the nRF24 radios are so popular that the vast majority of non-Bluetooth wireless keyboards use them. And I guarantee you that even though they use different protocols, they are almost certainly just as insecure as these Microsoft keyboards. The only reason vendors do not implement secure protocols is because customers do not know or care about security. The very few vendors who do, such as [4], sell keyboards for hundreds of dollars... there are again zero reasons why it would cost that much given that it could be done with a standard nRF24LE1 :-(

[1] http://www.keil.com/dd/docs/datashts/nordic/nrf24le1_ds_v1_1.pdf

[2] The $1 chip Samy is talking about is another variant: the nRF24L01, which is just the bare radio without the 8051 core

[3] http://dmitry.gr/index.php?r=05.Projects&proj=11.%20Bluetooth%20LE%20fakery

[4] http://matias.ca/securepro/pc/ ($170!)

Edit #1: a colleague of mine opened up the Matias Secure Pro keyboard and confirmed it uses an nRF24LE1.

Edit #2: @cortesoft: The way I would support this "one dongle many devices" feature is by doing the key generation during pairing (sometimes done by pressing a small switch under the keyboard) instead of during manufacturing. The only window of attack would be if an active attacker was present during pairing and pretended to be the dongle. It would still be significantly more secure than current keyboard protocols.
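The scheme sketched in the comment above (a per-pair AES key burned in at manufacturing, a session IV drawn from the keyboard's hardware RNG, AES-CTR on each report, and the block counter carried in plaintext so the dongle can resynchronise after lost packets) as a runnable model. This is an added example, not code from Samy, the commenter, or any keyboard vendor. The packet layout (4-byte big-endian counter followed by up to 16 bytes of ciphertext, fitting inside a 32-byte nRF24 payload), the 12-byte nonce, and the 16-byte key are all assumptions made for the example; a real firmware would drive the chip's AES and RNG peripherals instead of Go's standard library.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Constructed packet layout for a 32-byte nRF24 payload (an assumption of this
// example, not any vendor's format):
//   [0:4]  block counter, big-endian, sent in the clear for resynchronisation
//   [4:20] up to 16 bytes of AES-CTR ciphertext (one keystream block per packet)
const (
	counterLen = 4
	nonceLen   = 12 // 12-byte session nonce + 4-byte counter = one 16-byte CTR input block
	maxReport  = aes.BlockSize
)

// keystream returns the CTR keystream block for (nonce, counter).
func keystream(b cipher.Block, nonce []byte, counter uint32) []byte {
	var in, out [aes.BlockSize]byte
	copy(in[:nonceLen], nonce)
	binary.BigEndian.PutUint32(in[nonceLen:], counter)
	b.Encrypt(out[:], in[:])
	return out[:]
}

// Keyboard holds the per-pair key, the per-session nonce and the next counter.
type Keyboard struct {
	block   cipher.Block
	nonce   [nonceLen]byte
	counter uint32 // 0 means "no session yet" (or counter exhausted)
}

func NewKeyboard(key []byte) (*Keyboard, error) {
	b, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return &Keyboard{block: b}, nil
}

// StartSession draws a fresh nonce (the hardware RNG on the real chip), resets
// the counter, and returns the nonce to be sent to the dongle in the clear.
func (k *Keyboard) StartSession() ([]byte, error) {
	if _, err := rand.Read(k.nonce[:]); err != nil {
		return nil, err
	}
	k.counter = 1
	return append([]byte(nil), k.nonce[:]...), nil
}

// Encrypt turns one HID report into a packet: plaintext counter || ciphertext.
func (k *Keyboard) Encrypt(report []byte) ([]byte, error) {
	if len(report) == 0 || len(report) > maxReport {
		return nil, errors.New("report length out of range")
	}
	if k.counter == 0 {
		return nil, errors.New("no session or counter exhausted; call StartSession")
	}
	ks := keystream(k.block, k.nonce[:], k.counter)
	pkt := make([]byte, counterLen+len(report))
	binary.BigEndian.PutUint32(pkt[:counterLen], k.counter)
	for i, b := range report {
		pkt[counterLen+i] = b ^ ks[i]
	}
	k.counter++ // wraps to 0 after 2^32-1 packets, which forces a new session
	return pkt, nil
}

// Dongle mirrors the keyboard state and enforces a strictly increasing counter.
type Dongle struct {
	block cipher.Block
	nonce []byte
	last  uint32 // highest counter accepted in this session (0 = none yet)
	lost  uint32 // packets skipped over while resynchronising
}

func NewDongle(key []byte) (*Dongle, error) {
	b, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return &Dongle{block: b}, nil
}

// AcceptSession installs the nonce received from the keyboard and resets state.
func (d *Dongle) AcceptSession(nonce []byte) error {
	if len(nonce) != nonceLen {
		return errors.New("bad nonce length")
	}
	d.nonce = append([]byte(nil), nonce...)
	d.last, d.lost = 0, 0
	return nil
}

// Decrypt recovers the report. A counter that does not advance is a replay or a
// reordered packet and is rejected; a gap means packets were lost over the air,
// and the keystream is simply recomputed from the counter that did arrive.
func (d *Dongle) Decrypt(pkt []byte) ([]byte, error) {
	if d.nonce == nil {
		return nil, errors.New("no session established")
	}
	if len(pkt) <= counterLen || len(pkt) > counterLen+maxReport {
		return nil, errors.New("bad packet length")
	}
	ctr := binary.BigEndian.Uint32(pkt[:counterLen])
	if ctr <= d.last {
		return nil, errors.New("replayed or out-of-order counter rejected")
	}
	d.lost += ctr - d.last - 1
	ks := keystream(d.block, d.nonce, ctr)
	report := make([]byte, len(pkt)-counterLen)
	for i := range report {
		report[i] = pkt[counterLen+i] ^ ks[i]
	}
	d.last = ctr
	return report, nil
}

// Lost reports how many packets the dongle skipped during resynchronisation.
func (d *Dongle) Lost() uint32 { return d.lost }

func main() {
	key := []byte("per-pair-key-16B") // constructed 128-bit key standing in for the factory-burned secret
	kb, _ := NewKeyboard(key)
	dg, _ := NewDongle(key)
	nonce, _ := kb.StartSession()
	_ = dg.AcceptSession(nonce)
	for _, s := range []string{"a", "b", "c"} {
		pkt, _ := kb.Encrypt([]byte(s))
		if s == "b" {
			continue // simulate a packet lost over the air; the dongle must resync on "c"
		}
		out, err := dg.Decrypt(pkt)
		fmt.Printf("packet %x -> %q err=%v lost=%d\n", pkt, out, err, dg.Lost())
	}
}
```

Two points worth noticing when reading it against the comment. First, the plaintext counter is not a weakness: the keystream depends on the secret key, so a sniffer seeing `00000003` learns only that two packets went missing. Second, the dongle rejecting any counter that does not increase is what turns "resynchronisation" into replay protection for free. What the comment's scheme (and this model) does not give is integrity: CTR mode alone lets anyone who can inject packets flip bits in a report without knowing the key, so a deployment would still want an authentication tag in the remaining payload bytes.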
Samy mentioned he would tell us how to prevent this, but he never did. I am guessing that since the Microsoft keyboard emits the CD at all times and is prone to this attack, for now I should stop using it.
Perhaps the team managing the CENTCOM Twitter account [1] should be checking their offices? :)

[1] http://therightscoop.com/breaking-centcom-twitter-youtube-accounts-hacked-by-isis-group/