[.ronin] built an all-in-one WiFi and Bluetooth sniffer. He used a Nerf rifle as a base and added two Pringles cantennas, a tablet PC, and other various bits to tie it all together. Now he wanders the streets, explaining the device to bewildered passersby. After showing the device at CarolinaCon 2010 (here’s a PDF of his presentation) he stopped by the mall nibbled about 250 Bluetooth devices using SpoofTooph. The software is running on a Fujitsu u810 tablet and he’s making good use of Backtrack 4 during his wireless adventures.
Remote-Exploit.org is releasing Keykeriki, a wireless keyboard sniffer. The project is both open source hardware and software. you can download the files on their site. Right now you can’t get a pre made board, but they plan on releasing one soon. The system can be upgraded with “backpacks” or add on modules. One of these is going to be an LCD that displays the keystrokes of the keyboard you are sniffing. Another is supposed to serve as an interface to your iPhone. Right now it has the ability to decode Microsoft wireless keyboards, but the Logitech pieces should be added soon.
Researchers from Inverse Path showed a couple interesting techniques for sniffing keystrokes at CanSecWest. For their first experiments they used a laser pointed at the shiny back of a laptop. The keystrokes would cause the laptop to vibrate which they could detect just like they would with any laser listening device. They’ve done it successfully from anywhere between 50 to 100 feet away. They used techniques similar to those in speech recognition to determine what sentences were being typed.
In a different attack, they sniffed characters from a PS/2 keyboard by monitoring the ground line in an outlet 50 feet away. They haven’t yet been able to collect more than just single strokes, but expect to get full words and sentences soon. This leakage via power line is discussed in the 1972 Tempest document we posted about earlier. The team said it wasn’t possible with USB or laptop keyboards.
[Robert] sent in this tutorial on how to set up USB sniffing in linux. Useful for seeing exactly what is being communicated to and from your USB devices, this ability is built into linux. [Bert], the author, shows us the steps involved and how to filter it to get the data we desire. You can specify exactly which device to capture data from. His example, shown above, is a session with an Arduino.
[Travis Goodspeed] posted a preview of what he’s working on for this Summer’s conferences. Last weekend he gave a quick demo of sniffing AES128 keys on Zigbee hardware at SOURCE Boston. The CC2420 radio module is used in many Zigbee/802.15.4 sensor networks and the keys have to be transferred over an SPI bus to the module. [Travis] used two syringe probes to monitor the clock line and the data on a TelosB mote, which uses the CC2420. Now that he has the capture, he’s planning on creating a script to automate finding the key.
[Martin Beck] and [Erik Tews] have just released a paper covering an improved attack against WEP and a brand new attack against WPA(PDF). For the WEP half, they offer a nice overview of attacks up to this point and the optimizations they made to reduce the number of packets needed to approximately 25K. The only serious threat to WPA so far has been the coWPAtty dictionary attack. This new attack lets you decrypt the last 12 bytes of a WPA packet’s plaintext and then generate arbitrary packets to send to the client. While it doesn’t recover the WPA key, the attacker is still able to send packets directly to the machine they’re attacking and could potentially read back the response via an outbound connection to the internet.
Every time you press a key on your keyboard, a small burst of electromagnetic radiation is let out. This radiation can be captured and decoded. Though it only affects some models, this is pretty serious. They tested 11 different keyboards and they were all vulnerable to at least one of the four methods of attack. Tests have shown that the data can be read through walls and up to 65 feet away. That is pretty scary stuff. Someone could be setting up in the apartment or office right next to yours to listen to every keystroke you type. Check out the second video after the break.
Continue reading “Eavesdrop on keyboards wirelessly”