USB devices resembling phone chargers might actually be keystroke loggers stealing data. Learn more about this threat and how to protect against it.
The risk of malware from infected USB flash drives is nothing new; this threat has loomed over users since at least the early 2000s. Not coincidentally, that was when USB flash drives came into mainstream use, a reminder that malware evolves with whatever technology users adopt.
Unfortunately, that evolution keeps marching along. The latest news on the USB front is an FBI warning that "highly stealthy keystroke loggers" disguised as USB phone chargers can capture and decrypt keystrokes typed on wireless keyboards and then transmit the data to the attackers over cellular networks. The warning referenced Microsoft keyboards, but the threat applies to wireless keyboards from any manufacturer whose radio link is not protected by strong cryptography.
This isn't a theoretical "someone might build this" warning, either: a device called KeySweeper actually does it. The project page doesn't sell the device, but it documents how to build one for between $10 and $80. It is designed to look nearly identical to a typical USB phone charger so that it goes unnoticed, and because it sniffs the keyboard's 2.4 GHz radio traffic rather than tapping the computer, it only needs power from a USB port or wall outlet; it never has to be connected to the victim's machine.
"If placed strategically in an office or other location where individuals might use wireless devices, a malicious cyber actor could potentially harvest personally identifiable information, intellectual property, trade secrets, passwords, or other sensitive information," FBI officials wrote in last month's advisory. "Since the data is intercepted prior to reaching the CPU, security managers may not have insight into how sensitive information is being stolen."
In addition, "Microsoft officials have pointed out that sniffing attacks work against any wireless device that doesn't use strong cryptography to encrypt the data transmitted between a keyboard and the computer it's connected to. The officials have said that company-branded keyboards manufactured after 2011 are protected because they use the Advanced Encryption Standard. Bluetooth-enabled wireless keyboards are also protected. Anyone using a wireless keyboard from Microsoft or any other maker should ensure it's using strong cryptography to prevent nearby devices from eavesdropping on the radio signal and logging keystrokes."
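The point Microsoft makes above is worth seeing in code. The following is an added example, not code from the article, the FBI advisory or the KeySweeper project. It models two wireless keyboard links and runs a passive sniffer over both: a weak link whose frames are merely obfuscated by XORing each keystroke with a value the frame itself broadcasts in the clear (a stand-in for the kind of obfuscation older keyboards used; the page does not describe the real protocol), and a strong link whose frames are encrypted with a keystream derived from a secret pairing key that never goes over the air. The frame layout, radio address and pairing key are assumptions for illustration, and HMAC-SHA256 stands in for the AES mode the newer keyboards use so the block runs with the standard library only.

```python
"""Passive sniffing of a wireless keyboard link: weak obfuscation vs. real encryption.

Added example, not code from the article or the KeySweeper project. Frame
layout, obfuscation scheme, radio address and pairing key are assumed for
illustration; HMAC-SHA256 stands in for AES so only the standard library is needed.
"""
import hashlib
import hmac
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Frame:
    """One over-the-air frame exactly as a sniffer would capture it."""
    addr: bytes      # radio address of the keyboard, always sent in the clear
    counter: int     # frame sequence number, also sent in the clear
    payload: bytes   # one obfuscated or encrypted keystroke byte


# Constructed values; any 5-byte address and 16-byte key would do.
KEYBOARD_ADDR = bytes.fromhex("a1b2c3d45e")
PAIRING_KEY = bytes(range(16))
SECRET_TYPED = "hunter2"


# --- weak link: XOR with a value the frame itself reveals ------------------
def weak_encode(text: str, addr: bytes = KEYBOARD_ADDR) -> List[Frame]:
    # The "key" is the low byte of the radio address. Every frame carries the
    # address in plaintext, so the receiver and any sniffer both have it.
    return [Frame(addr, i, bytes([ord(c) ^ addr[-1]])) for i, c in enumerate(text)]


def sniff_weak(frames: List[Frame]) -> str:
    # No secret needed: undo the XOR with the address byte taken from each frame.
    return "".join(chr(f.payload[0] ^ f.addr[-1]) for f in frames)


# --- strong link: keystream from a pairing key that never goes on the air ---
def _keystream_byte(key: bytes, addr: bytes, counter: int) -> int:
    # Bound to address and counter so the same keystroke encrypts differently
    # in every frame and the sniffer cannot even spot repeated characters.
    msg = addr + counter.to_bytes(4, "big")
    return hmac.new(key, msg, hashlib.sha256).digest()[0]


def strong_encode(text: str, key: bytes = PAIRING_KEY,
                  addr: bytes = KEYBOARD_ADDR) -> List[Frame]:
    return [Frame(addr, i, bytes([ord(c) ^ _keystream_byte(key, addr, i)]))
            for i, c in enumerate(text)]


def strong_decode(frames: List[Frame], key: bytes) -> str:
    # Only the paired receiver, which holds the key, can do this.
    return "".join(chr(f.payload[0] ^ _keystream_byte(key, f.addr, f.counter))
                   for f in frames)


def sniff_strong(frames: List[Frame]) -> str:
    # Without the key the sniffer can only read the raw bytes as text, which
    # yields noise; '?' marks non-printable bytes.
    return "".join(chr(b) if 32 <= b < 127 else "?"
                   for b in (f.payload[0] for f in frames))


def demo(text: str = SECRET_TYPED) -> dict:
    """Run both links past a passive sniffer and return what each party sees."""
    weak = weak_encode(text)
    strong = strong_encode(text)
    return {
        "weak_sniffer_sees": sniff_weak(weak),
        "strong_sniffer_sees": sniff_strong(strong),
        "strong_receiver_sees": strong_decode(strong, PAIRING_KEY),
    }


if __name__ == "__main__":
    for who, seen in demo().items():
        print(f"{who:22s} {seen!r}")
```

Running it prints the typed text recovered verbatim from the weak link, noise from the strong link, and the typed text again from the paired receiver. The weak link also leaks structure: two identical keystrokes produce two identical payload bytes, which is how a sniffer starts guessing even before it knows the obfuscation.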
According to Lane Thames, security researcher and software development engineer at the cyber security firm Tripwire:
"The Internet of Things (IoT) is exploding with many types of devices. Unfortunately, we don't always know what a particular device is capable of doing. In this regard, physical security will need to evolve. Organizations that work with sensitive information should consider implementing a physical security policy. This policy will need to consider how to both vet and monitor devices that enter proximities where sensitive information is interacted with. There is a countless number of ways for miniature computing devices to enter our digital work zones, along with a vast array of techniques these embedded systems can use to exfiltrate data within their sensory proximity. Looking for wireless signals is obviously a first choice, but other techniques that make use of other sources, such as thermal and acoustic signals, exist too. As this portion of the industry evolves, industry standards for good physical security practices within the world of IoT will likely become common for even the smallest of organizations."
I spoke further with Thames regarding this threat to get his input on the concrete details behind it.
SM: "Where have these threats been seen/occurred?"
LT: "I am not aware of any reports of this occurring in a malicious context. Pentesters and Red Teams have definitely added this to their tool boxes. At this point in time, it is highly unlikely that any malicious use of a KeySweeper type of device would have been caught, as it is a very stealthy tool."
SM: "Microsoft says 'anyone using a wireless keyboard from Microsoft or any other maker should ensure it's using strong cryptography to prevent nearby devices from eavesdropping on the radio signal and logging keystrokes.' How best to do that?"
LT: "This would be a function of the wireless keyboard system. Generally speaking for the most common keyboards, the encryption will take place using special chips inside the keyboard (and receiver). The user will have to research the product to ensure that the keyboard is manufactured with encryption support."
SM: "Do you recommend a policy to disable all unknown USB devices to help mitigate this?"
LT: "Organizations should build security policies based on factors such as risk and cost. General practices can be followed for various things, but a policy such as this is not general and requires careful analysis by administrators. Disabling all USB devices via hardware or software configurations can be very costly for large organizations because a policy such as this would require significant IT support. For example, anytime an employee needs to insert a USB device, he or she would need to open a support ticket. However, an organization might have devices that need such a policy because it is involved with highly critical operations or data. I actually worked for a company in the past that had such a policy. It was very hard to get work done efficiently, but at the same time, I was dealing with highly sensitive data."
SM: "What else should users/admins be on the lookout for?"
LT: "With the explosion of IoT devices, any electronic gadget is a potential risk to organizations. This could be because the device contains vulnerabilities or because the device was built for malicious purposes. Organizations should create policies that clearly indicate the types of devices that are allowed to be brought into the workplace. The latest, greatest, and most innocuous little WiFi-based gadget could provide an adjacent avenue for attackers to break into your networks. The level of paranoia used to monitor for gadgets in the workplace should be related to the organization's risk tolerance."
SM: "Any insight into how the keylogger manages to transmit data via cellular networks?"
LT: "Thanks to advances in computing technology, we have many inexpensive tools and platforms available to create and develop all types of interesting gadgets. Nowadays, it is inexpensive and only requires a small bit of technical skill to connect an embedded computing device (such as the keylogger) to a cellular network. The KeySweeper proof of concept uses the Adafruit FONA to connect to 2G GSM networks. The FONA only needs a pre-purchased SIM card (from a provider that supports 2G, like T-Mobile) and a few minor pieces of supporting hardware in order to send or receive calls, SMS, or GPRS data."
SM: "Is KeySweeper truly a 'proof of concept' being used to demonstrate how the bad guys can pull this kind of thing off, or is it actually being used by said bad guys?"
LT: "KeySweeper is indeed a proof of concept. Its creator, Samy Kamkar, is a very smart guy who creates all types of interesting and clever things using computers, software, electronics, and many types of hardware. We are fortunate to have people like Samy who have the ability to conceive of these types of technologies such as KeySweeper. Studying the foundations of such technologies and then releasing the ideas, code, and designs actually helps the industry. Bad guys don't release the details of their evil schemes to the world; they use them for nefarious purposes."
Obviously the best tip I can offer is to routinely inspect for unknown devices, and not just on the USB ports of your systems (particularly desktops tucked under a desk or in some other out-of-the-way spot) but also in the wall outlets, power strips and USB hubs around the places where wireless keyboards are used. KeySweeper sniffs the keyboard's radio traffic, so it never has to touch the victim's computer; it only needs power, and a spare charger sitting in a wall socket is exactly what it is built to look like. Advise your users to do the same, and where a keyboard's encryption can't be confirmed, switching to a wired keyboard removes the exposure entirely. It's especially important to keep critical production systems under lock and key, but that's part of data center best practices and should already be a habit.
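The inspection of the host's own USB ports can be partly automated on Linux. The following is an added example, not code from the article: it parses `lsusb` output, compares the devices present against an approved baseline of vendor:product IDs, and reports anything that is not on the list. The sample output and the baseline are constructed for the example, not captured from a real machine. One caveat belongs up front: a KeySweeper-style sniffer draws power from any outlet and never enumerates on the victim's USB bus, so a check like this catches things plugged into the host itself (hardware keyloggers, unexpected wireless receivers, stray serial adapters) and complements, rather than replaces, looking around the room.

```python
"""Baseline-and-diff check for unknown USB devices on a Linux host.

Added example, not code from the article. Parses `lsusb` output, compares the
devices present against an approved set of vendor:product IDs and reports the
rest. SAMPLE_LSUSB and APPROVED are constructed for the example.
"""
import re
import shutil
import subprocess
from typing import Dict, List, Set

LSUSB_LINE = re.compile(
    r"^Bus (?P<bus>\d{3}) Device (?P<dev>\d{3}): "
    r"ID (?P<vid>[0-9a-fA-F]{4}):(?P<pid>[0-9a-fA-F]{4})\s*(?P<desc>.*)$"
)

# Root hubs belong to the host itself; skip them so they never show as "unknown".
ROOT_HUB_VENDOR = "1d6b"  # Linux Foundation

# Constructed sample: a desktop whose Microsoft receiver was approved, now also
# showing a second wireless receiver and a USB-serial converter nobody requested.
SAMPLE_LSUSB = """\
Bus 002 Device 001: ID 1d6b:0003 Linux Foundation 3.0 root hub
Bus 001 Device 003: ID 045e:0745 Microsoft Corp. Nano Transceiver v1.0
Bus 001 Device 004: ID 046d:c52b Logitech, Inc. Unifying Receiver
Bus 001 Device 005: ID 1a86:7523 QinHeng Electronics CH340 serial converter
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
"""

APPROVED: Set[str] = {"045e:0745"}  # constructed baseline for this host


def parse_lsusb(output: str) -> List[Dict[str, str]]:
    """Turn lsusb text into device dicts; lines that do not match are ignored."""
    devices = []
    for line in output.splitlines():
        m = LSUSB_LINE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        d["vid"] = d["vid"].lower()
        d["pid"] = d["pid"].lower()
        d["id"] = f"{d['vid']}:{d['pid']}"
        devices.append(d)
    return devices


def unknown_devices(devices: List[Dict[str, str]],
                    approved: Set[str]) -> List[Dict[str, str]]:
    """Devices not in the baseline, excluding the host's own root hubs."""
    return [d for d in devices
            if d["vid"] != ROOT_HUB_VENDOR and d["id"] not in approved]


def read_lsusb() -> str:
    """Run lsusb if it is installed; otherwise return an empty string."""
    if shutil.which("lsusb") is None:
        return ""
    return subprocess.run(["lsusb"], capture_output=True, text=True,
                          check=False).stdout


def report(output: str, approved: Set[str]) -> List[str]:
    """One human-readable line per unknown device."""
    return [f"UNKNOWN {d['id']} on bus {d['bus']} dev {d['dev']}: "
            f"{d['desc'] or '(no description)'}"
            for d in unknown_devices(parse_lsusb(output), approved)]


if __name__ == "__main__":
    live = read_lsusb()
    lines = report(live if live else SAMPLE_LSUSB, APPROVED)
    print("\n".join(lines) if lines else "no unknown USB devices")
```

Run it from a cron job or a login script and forward the output to whoever owns the asset; the first run on a clean machine is the moment to record its IDs as the approved baseline. Matching on vendor:product alone is deliberately simple, so a device that spoofs an approved ID will slip past it, which is one more reason the physical walk-around stays in the routine.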
The age-old song and dance of discovering, publicizing and defending against threats is never-ending, of course, and reports of data breaches caused by KeySweeper or a knock-off clone may well follow. Now that you know what to look for, however, hopefully you and the systems and users you support won't be on the casualty list.