Keyloggers Posing as Chargers Steal Wireless Data
Wireless keyboards and mice are the new way in to your data for hackers and scammers. A few months ago, researchers found that more than one billion mice and keyboards were vulnerable to hacking through their wireless transmitters. And, the latest trend: devices designed to look like USB phone chargers that sniff passwords and text that you type into wireless keyboards.
Last month, the FBI sent out a warning to businesses about the vulnerability of wireless devices in offices. The culprit is a harmless-looking device known as the KeySweeper, a $10 device that masquerades as a USB phone charger but actually logs and decrypts keystrokes from older wireless Microsoft keyboards and devices.
Imagine if a device like the KeySweeper were plugged into an outlet in Starbucks or smuggled into your office and plugged in near the workstations. Anyone using a wireless device would be wide open for data harvesting — passwords, personally identifiable information, trade secrets, intellectual property, sensitive information or anything typed into a wireless keyboard. Because the theft happens over the air long before your keystrokes reach your computer, “security managers may not have insight into how sensitive information is being stolen,” warned the FBI advisory.
The KeySweeper can intercept radio frequency signals from some Microsoft wireless keyboards made before 2011. Many of these are still available in stores. Microsoft maintains that KeySweeper can’t attack its Bluetooth-enabled keyboards. And its 2.4-gigahertz wireless keyboards released after 2011 are immune because they use Advanced Encryption Standard (AES) encryption technology.
Hiding behind hardware from another company might not be the safety net you'd hoped for. The FBI advisory suggests that similar devices could be programmed to exploit non-Microsoft wireless keyboards and devices.
The KeySweeper uses a Subscriber Identity Module (SIM) to send harvested data to web servers over a cellular connection. It can forward text containing flagged keywords such as URLs to a mobile device via SMS. The device even includes a flash memory module to store data in case SMS functionality is unavailable and a rechargeable battery for backup power.
The best way to avoid this hardware vulnerability is to avoid using wireless input devices in offices and other places accessible by many people. Instead, use wired devices, or use newer devices with AES encryption or Bluetooth with encryption and a strong PIN. The FBI recommends restricting the use of mobile chargers that look like the KeySweeper in offices.
Replace your old keyboard and mouse
When you're using a wireless keyboard and mouse on the go, you'll want the best combination of usability and portability. Here are our picks to replace your data-leaking devices.
For a keyboard, we like the Logitech K480 Multi-Device Bluetooth Keyboard. Not only does it work with Windows tablets (and Macs), it also can pair with your Android and iOS devices, Apple TV (2nd and 3rd generation) and any other device that supports Bluetooth keyboards. And it can be paired with up to three devices at a time. When you move between devices, just turn the device dial to switch. The K480 is a full-size keyboard and has nicely spaced chiclet-style keys for easy typing. It comes in black or white and features a handy slot to hold your tablet.
If you're looking for a new mouse, we like the Logitech MX Anywhere 2 mouse ($59.99 on Amazon). In addition to Bluetooth, the MX Anywhere 2 comes with a tiny RF receiver that you can plug into your PC or Mac laptop. The mouse can pair with up to three devices, and switching between them is a simple matter of touching a button. The mouse uses Logitech's Dark Field Laser sensor, which offers great tracking on any surface, even high-gloss surfaces. The mouse's rechargeable battery lasts up to two months between charges.
[Image credit: FBI Cyber Division, Logitech]