Be on the lookout for keystroke-logging USB chargers – TechRepublic
USB devices resembling phone chargers might actually be keystroke loggers stealing data.
This isn’t a theoretical “someone might build this” warning, either – a device called Keysweeper can actually pull it off. While the link referenced doesn’t provide the option to buy the device, it does provide information on how it can be built, at a cost between $10 and $80. It is specifically designed to look nearly the same as a typical USB phone charger to help prevent detection.
“If placed strategically in an office or other location where individuals might use wireless devices, a malicious cyber actor could potentially harvest personally identifiable information, intellectual property, trade secrets, passwords, or other sensitive information,” FBI officials wrote in last month’s advisory. “Since the data is intercepted prior to reaching the CPU, security managers may not have insight into how sensitive information is being stolen.”
In addition, “Microsoft officials have pointed out that sniffing attacks work against any wireless device that doesn’t use strong cryptography to encrypt the data transmitted between a keyboard and the computer it’s connected to. The officials have said that company-branded keyboards manufactured after 2011 are protected because they use the Advanced Encryption Standard. Bluetooth-enabled wireless keyboards are also protected. Anyone using a wireless keyboard from Microsoft or any other maker should ensure it’s using strong cryptography to prevent nearby devices from eavesdropping on the radio signal and logging keystrokes.”
According to Lane Thames, security research and software development engineer for cyber security firm Tripwire:
“The Internet of Things (IoT) is exploding with many types of devices. Unfortunately, we don’t always know what a particular device is capable of doing. In this regard, physical security will need to evolve. Organizations that work with sensitive information should consider implementing a physical security policy. This policy will need to consider how to both vet and monitor devices that enter proximities where sensitive information is interacted with. There are a countless number of ways for miniature computing devices to enter our digital work zones along with a fast array of techniques these embedded systems can use to exfiltrate data within its sensory proximity. Looking for wireless signals is obviously a first choice, but other techniques that make use of other sources, such as thermal and acoustic signals, exist too. As this portion of the industry evolves, industry standards for good physical security practices within the world of IoT will likely become common for even the smallest of organizations.”