The terrifying ‘phone charger’ that can steal your passwords

A hacker has created a rather terrifying smart box shaped just like a mobile phone charger, which can keep tabs on you and surreptitiously steal your data.

To many people, the word ‘hacker’ is synonymous with a lawless computer nerd who wishes to ruin someone’s day by stealing and causing harm. The good guys, who actually want to point out potential vulnerabilities in existing systems or create cool things, sadly seldom get a look in.

One guy who’s been on both sides of that particular divide is Samy Kamkar, a man who describes himself as a ‘privacy and security researcher, computer hacker, whistleblower and entrepreneur’. Of course, he’s most likely to be described by others as ‘the bloke that created the Samy worm, which hit Myspace and pissed off loads of people back in 2006’.

Samy has been keeping himself busy the past nine years, and his most recent creation is a device which looks like a simple phone charger but is actually much more terrifying. The device, dubbed ‘The KeySweeper’, sits innocently in a plug socket or a desk drawer, intercepting keystrokes from wireless keyboards and feeding them back to whoever planted the device in the first place.

The KeySweeper will sniff out keystrokes as they’re typed, as well as being able to home in on specific data – for instance, if you type in particular web addresses (such as PayPal.com), the KeySweeper knows that the next thing you type is likely to be a user name and password. The evil little bugger then earmarks the data for later analysis. The info can be stored on the KeySweeper itself and then extracted via USB, or even sent directly to the person spying via SMS.

Thankfully these devices aren’t capable of sniffing data from every wireless keyboard. The main types which are vulnerable are ones which still utilise 2.4GHz wireless rather than Bluetooth, such as Microsoft’s wireless keyboards.

While Microsoft claims that it hasn’t produced keyboards using this connection method since 2011, Kamkar released a statement suggesting that people may still not be protected from potential surveillance.

He said: “Just wanted to mention — while Microsoft states it only affects keyboards before 2011, the vulnerable keyboards are *still* being manufactured and sold today, even from Microsoft’s own web site and major retailers like Best Buy. I purchased the vulnerable keyboard brand new from Best Buy just last month, and the date next to the serial number says ‘07/2014’.”

As a blessed relief, Kamkar isn’t actually selling the nefarious sniffer devices, but he has released instructions online showing just how easily they can be made. The hope, of course, is that these blueprints will force Microsoft, and other manufacturers, to close what could be a potentially huge security hole.

Kamkar also advises people who don’t have a sound working knowledge of electrical gubbins to refrain from attempting to build their own KeySweeper, but we can’t see this being much of a deterrent to the criminal faction who’d happily steal data from random strangers.

For a full overview of the project, take a look here.
