Many of us are so much in love with
USB chargers. It has become the mobile industry standard chargers for virtually
all smartphones.
But what you are about to read might
break your heart. However, do not be afraid but take precaution.
Hackers now have innovated ways of
adding what is called a KeySweeper into the charging heads of USB chargers.
According to Hacker New, the device included a web-based tool for live
keystroke monitoring and was capable of sending SMS alerts for typed
keystrokes, usernames, or URLs, and work even after the nasty device is
unplugged because of its built-in rechargeable battery.
The gimmick was unveiled last year,
a white hat hacker developed a cheap Arduino-based device that looked and
functioned just like a generic USB mobile charger, but covertly logged,
decrypted and reported back all keystrokes from Microsoft wireless keyboards.
KeySweepers can be use to steal or
hijack:
- Intellectual property
- Trade secrets
- Personally identifiable information
- Passwords
- Other sensitive information
The US Federal Bureau of
Investigation has issued detailed warningsby providing what should be done by
individuals and organisations to prevent been hacked by a KeySweeper disguised
as a USB charger. FBI advised that:
The primary method of defense is for
corporations to restrict the use of wireless keyboards. Since the KeySweeper
requires over-the-air transmission, a wired keyboard will be safe from this
type of attack.
However, if the use of a wireless
keyboard cannot be prevented, then ensuring a strong encryption on the keyboard
is vital.
A keyboard using AES encryption
makes it more difficult to read keystrokes as there are currently no known
practical attacks to read AES encrypted data.
Keyboards using Bluetooth are also
safe from KeySweeper as it listens on a different channel than that which
Bluetooth transmits. However, Bluetooth keyboards must have encryption turned
on and a strong pairing PIN to protect it from a similar type of data-harvesting
attack. Additional best practices to prevent a compromise could include but are
not limited to office policies that address mobile device chargers:
- Limiting which outlets are available for device charging
- Knowing whose chargers are currently being used
- Immediate removal of an unknown charger from the office facility (although the optional backup battery can allow data theft even when unplugged)
The best precaution is to use
ordinary USB cables or ensure you use original USB chargers from the maker of
your phones.