[Cryptography] $10 USB charger steals MS keyboard strokes

Henry Baker hbaker1 at pipeline.com
Tue Jan 13 23:34:16 EST 2015

FYI -- Of course, given a keylogger, you get all sorts of other passwords...

Meet KeySweeper, the $10 USB charger that steals MS keyboard strokes

Always-on sniffer remotely uploads all input typed into Microsoft Wireless keyboards.


The weakness that makes exploits like KeySweeper possible is encryption routines built into Microsoft wireless keyboards that can fairly be described as lackadaisical.  Keystrokes are encoded with the XOR algorithm using the keyboard MAC address as the key.  Since the nRF24L01+ chip can read the MAC address, the measure provides little security against moderately determined hackers.  To make things even easier on attackers, all Microsoft keyboards begin with 0xCD as the MAC.  As a result, even if an attacker doesn't know the MAC address, we can decrypt a keystroke, as the alignment will never change, and 0xCD is always the first byte of the MAC (see the section subtitled "Decrypting Keystrokes" for more on this).


Thorsten Schröder and Max Moser presented a great device, the KeyKeriki, capable of sniffing Microsoft keyboards, and have fully reverse engineered the decryption process and produced a device for doing so.  However, Travis points out that their device requires two radios and a high-end microcontroller to capture and parse packets at the 2Mbps speed the keyboards communicate at.  Travis' project is great as well; however, it requires a host computer and will be too large for our covert implementation.  We improve upon these designs in this scenario by requiring only an inexpensive radio and microcontroller, both low power and very small, no computer or fancy radios required.

Thorsten and Max discovered the keystrokes are simply encrypted (xor'd) with the MAC address in ECB mode, which we are able to sniff after using Travis' method of abusing the nRF24L01+ to both sniff and reveal MAC addresses.  This "encryption" is the equivalent of taking a deck of cards, cutting it once, and calling it shuffled.

After further investigation, I found that since we now know all Microsoft keyboards begin with 0xCD as the MAC address, the actual keystroke (in orange below) happens to be aligned with the first byte of the MAC address (0xCD).  This means even if we do not know the MAC address, we can decrypt the keystroke, as the alignment will never change, and 0xCD is always the first byte of the MAC.

An additional discovery is that since the length of the encryption portion of the packet is 11 bytes, the MAC is 5 bytes, and the CRC is each byte xor'd with another (before encryption), something interesting happens.  Since the MAC is xor'd twice, we can also calculate the checksum without knowing the MAC address.  This is because the MAC address is in there in full twice, and xoring any number by itself (or xor the MAC with the MAC) cancels itself out.  The 11th byte is the first byte of the MAC again, which we always know is 0xCD.  This allows us to perform other attacks, such as altering the keystroke and CRC, again without knowing the MAC address.  I will present this and some other fun demonstrations in a future project.
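To make the cancellation argument above concrete, here is an added toy model of the construction (not KeySweeper's or KeyKeriki's code, and not the real packet layout, which this message does not give): an 11-byte block XORed with the 5-byte MAC repeated, with the keystroke assumed at byte 0 and a one-byte XOR checksum assumed at the end. It shows why the byte aligned with the public 0xCD and the checksum are both readable without the four secret MAC bytes.

```python
import os

MAC_FIRST_BYTE = 0xCD   # per the text: every Microsoft keyboard MAC starts with 0xCD
MAC_LEN = 5
BLOCK_LEN = 11          # encrypted portion per the text; the byte layout below is assumed


def xor_fold(data: bytes) -> int:
    """XOR all bytes together (the 'each byte xor'd with another' checksum)."""
    acc = 0
    for b in data:
        acc ^= b
    return acc


def toy_encrypt(plain: bytes, mac: bytes) -> bytes:
    """Repeating-key XOR with the MAC: positions 0-4 and 5-9 get the full MAC,
    position 10 gets MAC[0] again, exactly the alignment the text describes."""
    assert len(plain) == BLOCK_LEN and len(mac) == MAC_LEN
    keystream = (mac * 3)[:BLOCK_LEN]
    return bytes(p ^ k for p, k in zip(plain, keystream))


def toy_packet(keystroke: int, filler: bytes, mac: bytes) -> bytes:
    """Assumed plaintext layout (constructed for illustration): keystroke at
    byte 0, nine filler bytes, then an XOR checksum of those first 10 bytes."""
    body = bytes([keystroke]) + filler
    assert len(body) == BLOCK_LEN - 1
    return toy_encrypt(body + bytes([xor_fold(body)]), mac)


def observer_view(cipher: bytes) -> dict:
    """What someone who knows only 0xCD (not the MAC) can read off the ciphertext."""
    return {
        # byte 0 is masked by MAC[0] alone, and MAC[0] is public
        "keystroke": cipher[0] ^ MAC_FIRST_BYTE,
        # MAC ^ MAC over bytes 0-9 cancels, so the plaintext checksum is in the clear
        "checksum": xor_fold(cipher[:BLOCK_LEN - 1]),
        # folding all 11 bytes leaves only the lone MAC[0]: a MAC-free integrity check
        "integrity_ok": xor_fold(cipher) == MAC_FIRST_BYTE,
    }


def mac_does_not_matter(keystroke: int, filler: bytes, trials: int = 8) -> bool:
    """Vary the four secret MAC bytes at random; the observer's view never changes."""
    views = set()
    for _ in range(trials):
        mac = bytes([MAC_FIRST_BYTE]) + os.urandom(MAC_LEN - 1)
        v = observer_view(toy_packet(keystroke, filler, mac))
        views.add((v["keystroke"], v["checksum"], v["integrity_ok"]))
    return len(views) == 1
```

The lesson is the one the text draws: a repeating key whose first byte is fixed and which appears an even number of times over the checksummed region contributes nothing to the confidentiality of the aligned byte or to the integrity of the packet.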
