Comments

kronosJanuary 14, 2015 7:55 AM

As one of my friends who does lots of tech support says: "Bluetooth is of the devil!" You can use that same phrase for lots of technical things. Shocking to see such a device that can be used in many office settings that normal people would never give a second glance.

Clive RobinsonJanuary 14, 2015 8:12 AM

I very much doubt it can be built by individuals for the $10 El Reg indicates in it's title.

Whilst it would be possible in mass produced items in China and the like, are people going to pay for the required production run of around 100,000 units to get that pricing?

However we have seen some house hold white goods made in China having WiFi devices secreted in them. So yes it's possible that a State Level organisation could do something similar...

ThothJanuary 14, 2015 8:20 AM

Well, it definitely shows the weakness of RF devices when you could simply sniff and pick data up (especially keyboard and mouse over bluetooth).

Coyne TibbetsJanuary 14, 2015 9:03 AM

@ella

(Assuming a real clandestine sweeper.)

Break the charger open. If it has "too much" electronics in it, it's probably a sweeper.

Of course, if it turns out to be a real charger you probably can't put it back together to make it usable again. But that's the only way to be sure.

BrabenJanuary 14, 2015 10:01 AM

Precisely why I don't use wireless keyboards. Note, though, that Microsoft keyboards don't use Bluetooth, but a proprietary radio protocol. But that doesn't mean Bluetooth can't be decrypted as well.

Stewart McKennaJanuary 14, 2015 11:04 AM

Wasn't there a 'smart power strip' a few years ago that did the same thing?
anyone else remember this?

James BJanuary 14, 2015 3:16 PM

This seems like another ideal opportunity for covert infiltration. Just 'drop' one of these in the employee parking lot of your target and someone is bound to pick it up and take it into the building for you. The same tactic used to work for a thumbdrive with malware / keyloggers on it.

Dirk PraetJanuary 14, 2015 6:15 PM

Check out Samy Kamkar's other projects/experiments at samy.pl. Lots of neat stuff there. Definitely one of my favorite "security researchers".

CatMatJanuary 14, 2015 8:04 PM

Looking at the wireless keaboards implicated 2/17 advertise bluetooth and none the AES encryption that was supposed to take this vector out in 2011, XORing against a constant is not encryption.

FigureitoutJanuary 15, 2015 1:49 AM

Clive Robinson
it's possible that a State Level organization could do something similar...
--Lol, yeah I hope so, lest they be outdone by some random hackers on a fraction of a fraction of their budget...surely that's never happened before :p . This isn't even like that far out of the ballpark, it should be added to Michael Ossman's "NSA Playset", where he basically does a lot of the "sophisticated spygear" w/ normal pentesting tools available to most everyone. Still a great hack, w/ the features and getting it all in a nice form factor.

Stewart McKenna
--Yep: https://www.schneier.com/blog/archives/2012/07/hacking_tool_di.html

Wifi pineapple does most of that now anyway, $99. Every AP could have one now.

KneelB4ZodJanuary 15, 2015 2:34 AM

What fun we could have with this and a little mini-drone that hovers outside the office building.

NileJanuary 15, 2015 9:57 AM

The car-park trick might work, but access to the building is always better.

Leave the charger plugged in at a colleague's desk while he or she is on vacation, and some b**** is sure to nick it.

This trick would probably work at nearby coffee shops: 'forget' to unplug your charger often enough, and one of the devices will be taken into the target building.

I wonder what other commonplace devices could be 'in play'? I don't think that cheap headphones could host malware; but do, please, feel free to contradict me if you know more than I do.

The and mic-and-headphone hands-free Bluetooth headsets I see around me in the office are an obvious target, and I find it surprising that no-one's implemented a secure hardware ID and 'handshake' for these devices.

Random832January 16, 2015 8:24 AM

> This seems like another ideal opportunity for covert infiltration. Just 'drop' one of these in the employee parking lot of your target

Don't most hardware keyloggers have to be physically retrieved to get the data off them?

July2014January 21, 2015 4:24 AM

Random832: "Don't most hardware keyloggers have to be physically retrieved to get the data off them?"

Keysweeper, featured here by Bruce, has a SIM card slot, and texts back the data.

When unplugged, the LED goes off. But Keysweeper switches nonetheless to its internal battery.

@CatMat: "in 2011"

The targetted keyboard had "july 2014" in its serial number.

July2014January 21, 2015 4:27 AM

@ella: "How do you test a wall charger for the Key Sweeper?"

Xray it. At your next travel, look at the screen of the Xray machine.

SansJanuary 21, 2015 8:26 AM

Bruce, the third link of your post[1] decrypt some spaces into body scroll="no" onLoad="pwn()" oncontextmenu="return false", and the definition of pwn() (found in http://samy.pl/samy.js) contains the following peculiar comment:

//detectR('http://192.168.2.1/setup.cgi?next_file=wls_chan.html', "detected belkin router");

You might want to stop linking to that site.

[1]: at least the version served to my Lynx browser

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.