Sunday, June 12, 2016

Be On The Lookout For Keystroke-logging USB Chargers

USB devices resembling phone chargers might actually be keystroke loggers stealing data. Learn more about this threat and how to protect against it.

By Scott Matteson | June 8, 2016, 9:08 AM PS



The risk of malware from infected USB flash drives is nothing new; this threat has loomed over users since at least the early 2000s. Coincidentally (or not), this was when these USB devices came into mainstream use, showing that malware continuously evolves with the times.

Unfortunately, this evolution keeps marching steadily along, and the latest news on the USB malware front is that the FBI is warning that "highly stealthy keystroke loggers" are disguising themselves as USB phone chargers to log and decrypt keystrokes typed into wireless keyboards then transmit the data to the bad guys over cellular networks. While the warning referenced Microsoft keyboards, the threat can occur with keyboards built by other manufacturers.

This isn't a theoretical "someone might build this" warning, either - a device called KeySweeper can actually pull it off. While the link referenced doesn't provide the option to buy the device, it does provide information on how it can be built, at a cost between $10 and $80. It is specifically designed to look nearly the same as a typical USB phone charger to help prevent detection.

"If placed strategically in an office or other location where individuals might use wireless devices, a malicious cyber actor could potentially harvest personally identifiable information, intellectual property, trade secrets, passwords, or other sensitive information," FBI officials wrote in last month's advisory. "Since the data is intercepted prior to reaching the CPU, security managers may not have insight into how sensitive information is being stolen."

In addition, "Microsoft officials have pointed out that sniffing attacks work against any wireless device that doesn't use strong cryptography to encrypt the data transmitted between a keyboard and the computer it's connected to. The officials have said that company-branded keyboards manufactured after 2011 are protected because they use the Advanced Encryption Standard. Bluetooth-enabled wireless keyboards are also protected. Anyone using a wireless keyboard from Microsoft or any other maker should ensure it's using strong cryptography to prevent nearby devices from eavesdropping on the radio signal and logging keystrokes."

According to Lane Thames, security research and software development engineer for cyber security firm Tripwire:

"The Internet of Things (IoT) is exploding with many types of devices. Unfortunately, we don't always know what a particular device is capable of doing.