
Security news

Teenager linked to Xbox Live and PlayStation DDoS arrested in Liverpool, Member of Lizard Squad?


Lizard Squad member arrested? 18-year-old linked to the Christmas Xbox Live and PlayStation outage held in Liverpool

A Southport teenager has been arrested in a joint British and FBI-led operation following cyber attacks on Sony PlayStation and Xbox systems last year.

The South East Regional Organised Crime Unit (SEROCU), which led the arrest, said an 18-year-old man was held today on suspicion of unauthorised access to computer material. He was also detained for alleged unauthorised access with intent to commit further offences, and for threats to kill.

SEROCU is the lead agency, working alongside the National Cyber Crime Unit (NCCU) and the Federal Bureau of Investigation (FBI), on an operation focused on the Distributed Denial of Service (DDoS) attack that crippled Sony's PlayStation Network and Microsoft's Xbox Live worldwide on Christmas Day. SEROCU is also looking into 'swatting', in which individuals make false emergency reports online to US law enforcement agencies so that an armed response is sent to a target's address.

SEROCU said that it had seized many electronic and digital devices from the house of this unnamed teenager who was arrested in Boundary Street.

Deputy Chief Constable Peter Goodman, the national policing lead for cyber security at the Association of Chief Police Officers (ACPO), said it was a "significant" arrest.

He said: “This arrest demonstrates that we will pursue those who commit crime with the false perception they are protected within their own homes or hiding behind anonymous online personas.

“As we continue to build capability and develop skills across wider policing, we still need industry, communities and individuals to protect themselves by implementing basic security measures whilst taking full advantage and enjoyment of the opportunities the world wide web provides.”

Member of Lizard Squad?

Although the authorities have given no indication that the arrested teenager is linked to Lizard Squad, that group claimed responsibility for taking down the PlayStation Network and Xbox Live, so it is possible that he is a member.

Lizard Squad’s official Twitter account is silent on the issue.

Lizard Squad had threatened in the first week of December 2014 to take down both gaming networks over the Christmas holidays, and it succeeded in crippling both Sony's and Microsoft's networks for more than three days into the holiday. The group apparently used the attack as a marketing stunt for its DDoS-for-hire service, Lizard Stresser.

Source: SEROCU statement.


EZTV ditches .IT for .CH domain, faces problems


Top TV Torrent Website Has Ditched Italian .IT Domain for Swiss .CH Domain But Still Facing Problems

The leading TV-show torrent provider, EZTV, has switched domains after facing heat from the Italian authorities over copyright infringement.

Founded in 2005, EZTV has served TV torrents for nearly a decade and has grown into one of the most popular torrent websites in its niche.

EZTV was earlier blocked by the British courts and has been under increasing pressure over copyright violations since the Pirate Bay domain went offline on 9 December 2014, but it had managed to stay online despite that pressure. It recently ran into trouble with the Italian registry, NIC.IT, over paperwork and faced possible seizure of the EZTV.IT domain name. The EZTV admin used the occasion to move to a fresh Swiss domain, EZTV.CH.

“NIC.it hasn’t been very cooperative in trying to find a solution. While they haven’t admitted it on the record, it wouldn’t surprise me if they were pressured by copyright holders,” EZTV’s NovaKing told TorrentFreak.

However, the switch does not seem to have been clean: the new EZTV.CH domain has been returning a 'No Response' error since this morning.

Comcast in a class action lawsuit over conducting unauthorized credit checks

A class-action lawsuit filed on Tuesday in U.S. District Court in Northern Illinois by Keith Santangelo of Chicago asserts that Comcast Corp. pulled his credit report without authorization, even after he had specifically paid the cable giant a $50 deposit to waive the inquiry.

The events took place when Mr. Santangelo set up new Internet service with Comcast late last year. During a chat session with a Comcast representative, he was told the company would have to run a credit inquiry to establish the new service. He opted instead to pay the $50 deposit and expressly refused to authorize Comcast to pull his report; the complaint says Comcast pulled it anyway.

Santangelo is not alone. The class-action lawsuit alleges that Comcast routinely performs unauthorized credit checks and cites "numerous reports of customers experiencing a credit inquiry from Comcast after deposit to avoid said inquiry." The federal Fair Credit Reporting Act prohibits companies from obtaining consumer reports without authorization.

The complaint itself links to several Comcast customer forums in which users complain of having their credit reports pulled even after paying a deposit. Customers accuse Comcast of initiating "hard" credit pulls, which can lower credit scores and remain on a person's credit report for two years.

The suit also claims Comcast benefits from the practice by skimming customer deposits.

Since the lawsuit was filed as a class action, other similarly situated Comcast customers could potentially join it.

 


A Verizon zombie cookie you may have is taking a Turn for the worse

An online advertising company called Turn is using tracking cookies that come back to life after deletion, by keying them to a hidden, undeletable number that Verizon injects into its customers' web traffic to monitor their habits. Turn uses that number to respawn its tracking cookie even after a Verizon customer deletes it.

Max Ochoa, Turn’s chief privacy officer admitted “We are trying to use the most persistent identifier that we can in order to do what we do.”

This form of tracking by the telecom industry has drawn attention before; it has been deployed to shadow mobile phone and tablet users. Both Verizon and AT&T customers noticed that their carriers were inserting these tracking numbers into all the web traffic leaving their phones, regardless of whether they had tried to opt out.

Users complained that any website they visited from their phone could use the number to track their behaviour (which sites they went to, which apps they used).

AT&T discontinued the practice in November. Verizon did not, assuring users that "it is unlikely that sites and ad entities will attempt to build customer profiles" using its numbers as identifiers.

Turn’s actions were originally identified by Stanford researcher Jonathan Mayer.

Turn and Verizon also have a separate marketing partnership under which Verizon shares anonymized information about its mobile customers with Turn. Turn is also a major back-end processor of ads on websites.

The mechanism works like this:

When a user visits a website that contains Turn tracking code, the company holds an auction within milliseconds for advertisers to target that user.

The highest bidder’s ad instantly appears on the user’s screen as the web page loads. Turn says it receives 2 million requests for online advertising placements per second.

For its auctions to work, Turn needs to identify web users by cookies, which are small text files that are stored on their computers. The cookies allow Turn to identify a user’s web browsing habits, such as an interest in sports or shopping, which it uses to lure advertisers to the auction.

Turn executives say the only way users can opt out is to install a Turn opt-out cookie on their machine. That cookie does not stop Turn from collecting data about the user; it only stops Turn from showing that user targeted ads. In other words, the data is still collected.

To make matters worse, even Verizon users who installed the Turn opt-out cookie continued to receive the Turn tracking cookie.

Users can independently test whether Turn's claims hold. I would not trust anything Turn's chief privacy officer says if these tests don't match your results.

None of the fixes Turn has made addresses the respawning of deleted cookies, because Turn says it does not consider deleting a cookie an expression of user intent.
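To make the respawn concrete, here is a small Python model of a tracking endpoint of the kind described above. It is an added example, not Turn's or Verizon's code. It assumes the carrier-injected value arrives as an HTTP request header (the header name X-UIDH comes from public reporting on Verizon's program, not from this page) and that the tracker keys a server-side identity table on it; the cookie names, tokens and requests are constructed for the demo.

```python
"""Model of header-keyed cookie respawning (added example, not Turn's or Verizon's code).

Assumptions: the carrier-injected identifier arrives as the request header
X-UIDH (the header name comes from public reporting on Verizon's program, not
from this page); the tracker's cookie is named `uid` and its opt-out cookie
`optout`; all tokens and requests below are constructed for the demo.
"""

CARRIER_HEADER = "X-UIDH"    # assumed name of the injected header
TRACKING_COOKIE = "uid"
OPTOUT_COOKIE = "optout"


def tracker_endpoint(headers, cookies, identity_db):
    """Model one hit on a tracking pixel/script.

    identity_db maps carrier token -> tracker uid. Because the carrier token
    rides on every plaintext HTTP request, a deleted cookie can be recreated
    ("respawned") from it. Returns the uid used, the Set-Cookie emitted (or
    None) and whether the response would carry targeted ads.
    """
    token = headers.get(CARRIER_HEADER)
    uid = cookies.get(TRACKING_COOKIE)
    set_cookie = None

    if uid is None and token is not None:
        # No cookie (never set, or deleted) but the header is present:
        # look the user up by carrier token, minting a uid on first sight.
        uid = identity_db.setdefault(token, "uid-%d" % (len(identity_db) + 1))
        set_cookie = "%s=%s" % (TRACKING_COOKIE, uid)
    elif uid is not None and token is not None:
        # Both present: remember the pairing so later respawns return this uid.
        identity_db.setdefault(token, uid)

    # The opt-out cookie only suppresses targeting; the identity record
    # above has already been written or refreshed.
    targeted = uid is not None and OPTOUT_COOKIE not in cookies
    return {"uid": uid, "set_cookie": set_cookie, "targeted": targeted}


def strip_carrier_header(headers):
    """Effect of TLS or a header-stripping proxy: the injected header never
    reaches the tracker, so there is nothing to respawn from."""
    return {k: v for k, v in headers.items() if k.lower() != CARRIER_HEADER.lower()}


def demo():
    """Four requests from the same subscriber; returns the tracker's view of each."""
    db = {}
    hdrs = {CARRIER_HEADER: "tok-A1B2", "User-Agent": "demo"}   # constructed token
    first = tracker_endpoint(hdrs, {}, db)                       # cookie issued
    deleted = tracker_endpoint(hdrs, {}, db)                     # user cleared cookies
    optout = tracker_endpoint(hdrs, {OPTOUT_COOKIE: "1"}, db)    # opt-out cookie only
    https = tracker_endpoint(strip_carrier_header(hdrs), {}, db) # header never arrives
    return first, deleted, optout, https


if __name__ == "__main__":
    for label, result in zip(("first", "deleted", "optout", "https"), demo()):
        print(label, result)
```

Deleting the `uid` cookie changes nothing: the next plaintext request carries the same carrier token, and the tracker re-issues the same uid. The opt-out cookie only flips `targeted`; the identity record is still written. The only request that yields nothing is the one where the header is absent, which is what HTTPS (a carrier cannot insert headers into a TLS stream) or a header-stripping proxy gives you.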


Google AdSense used for malvertising campaign using fakes of reputable websites

Google AdSense ads redirected users to scam websites impersonating reputable magazines and blogs in order to sell shady health products

Researchers have discovered at least two AdWords campaigns that appear to have been hijacked by cybercriminals, who modified the legitimate ads to redirect visitors to websites selling shady health products.

Denis Sinegubko of Sucuri reported that the scammers altered the ads so that they automatically redirected visitors to the scam sites as soon as they were displayed; no click was required.

The malicious redirect worked even in the Ad Review Center of the Google AdSense dashboard on google.com, where webmasters can review the ads Google displays on their sites. The problem had existed for about a month, since the second half of December 2014, but became widespread last Friday (9 January 2015). Sinegubko added that Google had stopped both AdWords campaigns by the weekend.

Top websites cloned

https://blog.sucuri.net/wp-content/uploads/2015/01/fake-sites-small.jpg
(Image Credits: Sucuri)

 

The scammers used the lemode-mgz .com domain and its subdomains to spoof well-known sites such as Forbes, Good Housekeeping and Fit Mom Daily; in some cases consumernews247 .com was used instead. Researchers noted that the symptoms were the same in every case: some users were randomly redirected when they clicked links or loaded new pages, and all reported that the new page would appear for a second or two before redirecting them to one of the fake magazine sites.

Sucuri blog notes, “The redirects were platform and browser-agnostic – Windows, Mac, Linux, mobile browsers – they all got redirected. However, while some visitors regularly saw those redirects and even complained that the websites were barely usable because of them, other visitors have never been redirected.”

Almost all spoofed pages showed fake articles which promoted skin care and anti-aging merchandise, IQ and brain enhancers, as well as weight-loss products.

In all, Sucuri observed the following domains being used in this malvertising campaign:

  • lemode-mgz .com — Created on 2014-12-14
  • securevoluum .com — Created on 2014-12-15
  • wan-tracker .com — Created on 2014-12-14
  • consumernews247 .com — Created on 2013-09-02 Updated on 2014-12-24 (there are no references before December 2014)
  • track .securevoluum .com is an alias for hfrov .voluumtrk .com and voluumtrk.com was created on 2014-08-06.

Sucuri noted that the fake pages were dressed up with supposed celebrity endorsements and clickbait headlines about scientific research, and padded with fake comments about how well the products had worked for someone.

As per the timeline provided by Sucuri Blog, the entire malvertising campaign lasted for about a month. The ad account from which the AdWords campaign originated belonged to an anonymous advertiser and Blackburn ART with ads pointing to rgeoffreyblackburn .com site.
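As an added example (not Sucuri's code), the Python below sweeps proxy logs for the domains Sucuri listed, matching by DNS suffix so that hosts such as track.securevoluum.com are caught while look-alikes such as notlemode-mgz.com are not. The log format and the log lines are constructed for the demo; voluumtrk.com is included because Sucuri reported it as the CNAME target of track.securevoluum.com.

```python
"""Sweep proxy logs for the malvertising indicators listed above.

Added example, not Sucuri's code. The indicator list comes from the article
(written there with spaces for defanging); the log lines are constructed for
the demo in a minimal "timestamp client method url status" format.
"""
import re

# Domains named in the article, plus the CNAME target of track.securevoluum.com.
IOC_DOMAINS = {
    "lemode-mgz.com",
    "securevoluum.com",
    "wan-tracker.com",
    "consumernews247.com",
    "voluumtrk.com",
}

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$"
)
HOST_RE = re.compile(r"^[a-z][a-z0-9+.-]*://([^/?#:]+)", re.I)


def host_of(url):
    """Extract the host from a URL; None if it does not look like one."""
    m = HOST_RE.match(url)
    return m.group(1).lower().rstrip(".") if m else None


def matching_ioc(host, iocs=IOC_DOMAINS):
    """Return the indicator that `host` equals or is a subdomain of, else None.

    Suffix matching is done label by label so that 'track.securevoluum.com'
    hits 'securevoluum.com' while 'notlemode-mgz.com' does not hit 'lemode-mgz.com'.
    """
    if not host:
        return None
    labels = host.split(".")
    for i in range(len(labels) - 1):          # never test the bare TLD
        candidate = ".".join(labels[i:])
        if candidate in iocs:
            return candidate
    return None


def sweep(log_lines, iocs=IOC_DOMAINS):
    """Return (client, host, matched_ioc, status) for every line touching an IOC."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue                           # skip malformed lines rather than crash
        host = host_of(m.group("url"))
        ioc = matching_ioc(host, iocs)
        if ioc:
            hits.append((m.group("client"), host, ioc, m.group("status")))
    return hits


def affected_clients(hits):
    """Distinct client addresses that were redirected, for follow-up."""
    return sorted({h[0] for h in hits})


# Constructed sample: two clients get the no-click redirect, one visits a look-alike.
SAMPLE_LOG = """\
1420800001.123 10.0.0.5 GET http://www.example-publisher.com/article 200
1420800002.456 10.0.0.5 GET http://lemode-mgz.com/forbes/skin-care 302
1420800003.789 10.0.0.7 GET http://track.securevoluum.com/click?cid=1 302
1420800004.012 10.0.0.9 GET http://notlemode-mgz.com/ 200
1420800005.345 10.0.0.7 GET http://hfrov.voluumtrk.com/land 200
garbage line that does not parse
"""

if __name__ == "__main__":
    found = sweep(SAMPLE_LOG.splitlines())
    for hit in found:
        print(hit)
    print("clients to follow up:", affected_clients(found))
```

Because the redirect fires on display rather than on a click, the tell-tale pattern is an ordinary publisher request followed within a second or two by a request to one of these domains from the same client; `affected_clients` gives the list to chase.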


Open source Gitrob tool scans GitHub repositories for sensitive information

Open source tool Gitrob trawls GitHub repositories for sensitive data

Michael Henriksen, a security researcher on SoundCloud's security team, has developed an open-source command-line tool that crawls the GitHub repositories of an organization and its members and reports back any sensitive information it finds.

Henriksen was tasked by SoundCloud with creating a system that would continuously check the company's GitHub organizations (i.e. its repositories) for unintentionally leaked sensitive information, and did just that.

The result is an open-source command-line tool that can be used for occasional checks of the same nature, both by companies' security personnel and by penetration testers looking for an easy way into a target organization's network.

Developers like to share their code, and many do so by open-sourcing it on GitHub, a social code hosting and collaboration service. Many companies also use GitHub as a convenient place to host both private and public repositories, creating GitHub organizations to which their employees are added.

Sometimes employees publish things that should not be public: credentials, private keys, secret tokens and the like. Whether this happens by accident or because the employee does not appreciate the sensitivity of the information, such material can be harvested by criminals and used directly to compromise the systems of the company that owns the repository.

Henriksen’s tool Gitrob makes it easy to search all the public repositories of a company’s GitHub organization, as well as all the public repositories of the organization’s members (the company’s employees).

How it works

Gitrob first starts collecting all public repositories of the organization itself. It then goes on to collect all the organization members and their public repositories, in order to compile a list of repositories that might be related or have relevance to the organization.

When the list of repositories has been compiled, it proceeds to gather all the filenames in each repository and runs them through a series of observers that will flag the files, if they match any patterns of known sensitive files. This step might take a while if the organization is big or if the members have a lot of public repositories.

All of the members, repositories and files will be saved to a PostgreSQL database. When everything has been sifted through, it will start a Sinatra web server locally on the machine, which will serve a simple web application to present the collected data for analysis.
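To show what the observer stage does, here is a Python sketch of it as an added example; it is not Gitrob's code (Gitrob is a Ruby tool with its own signature file), and its signatures, the repository listing and the `org`/`member` labels are this example's assumptions. A real run would feed it file paths pulled from the GitHub API for the organization, its members and their repositories.

```python
"""Filename observers in the style Gitrob applies to an organization's repositories.

Added example, not Gitrob's code (Gitrob itself is a Ruby tool with its own
signature list). The signatures below are this example's own assumptions about
what counts as sensitive; the repository listing is constructed. A real run would
fetch the org's repositories, its members and their repositories from the GitHub
API and feed every file path through `observe`.
"""
import re

# (part of the path to test, compiled pattern, description): example signatures
SIGNATURES = [
    ("filename",  re.compile(r"^id_(rsa|dsa|ecdsa|ed25519)$"),            "Private SSH key"),
    ("extension", re.compile(r"^(pem|key|p12|pfx|jks|ppk)$"),              "Private key or keystore"),
    ("filename",  re.compile(r"^\.env$"),                                   "Environment file, often holds credentials"),
    ("filename",  re.compile(r"^\.(npmrc|pypirc|netrc|git-credentials)$"), "Tool credentials file"),
    ("path",      re.compile(r"(^|/)\.aws/credentials$"),                   "AWS credentials"),
    ("path",      re.compile(r"(^|/)\.ssh/"),                               "SSH configuration directory"),
    ("filename",  re.compile(r"_history$"),                                 "Shell history, may contain typed secrets"),
    ("filename",  re.compile(r"^(database|settings)\.ya?ml$"),              "Framework config that may embed passwords"),
]


def parts_of(path):
    """Split 'a/b/c.ext' into the path, filename and extension the observers test."""
    filename = path.rsplit("/", 1)[-1]
    # A leading dot (".env", ".bash_history") is not an extension separator.
    extension = filename.rsplit(".", 1)[-1] if "." in filename[1:] else ""
    return {"path": path, "filename": filename, "extension": extension}


def observe(path, signatures=SIGNATURES):
    """Return the descriptions of every signature the file path matches."""
    parts = parts_of(path)
    return [desc for part, pattern, desc in signatures if pattern.search(parts[part])]


def scan(repositories, signatures=SIGNATURES):
    """repositories: {"owner/name": {"source": "org" | "member", "files": [...]}}

    Returns (repo, source, path, description) tuples. Member repositories are
    included because Gitrob also collects them as potentially related to the org.
    """
    findings = []
    for repo, info in repositories.items():
        for path in info["files"]:
            for desc in observe(path, signatures):
                findings.append((repo, info["source"], path, desc))
    return findings


# Constructed listing standing in for what the GitHub API would return.
REPOSITORIES = {
    "exampleorg/api": {"source": "org",
                       "files": ["README.md", "config/.env", "deploy/id_rsa", "src/main.py"]},
    "exampleorg/web": {"source": "org",
                       "files": ["certs/server.pem", "docs/keys.md", "config/database.yml"]},
    "alice/dotfiles": {"source": "member",
                       "files": [".bash_history", ".ssh/config", ".aws/credentials", ".vimrc"]},
}

if __name__ == "__main__":
    for finding in scan(REPOSITORIES):
        print(*finding, sep="\t")
```

Only filenames are inspected here, as in the stage the article describes; a finding such as `certs/server.pem` still has to be opened to confirm it is a private key rather than a public certificate, which is the kind of triage Gitrob's web UI exists for.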

Henriksen tested the tool against a number of GitHub organizations belonging to firms large and small, with surprising results. "The tool found several interesting things ranging from low-level, to bad and all the way to company-destroying kind of information disclosure," he noted, adding that he notified the companies in question so that they could remove the material.

Gitrob can be downloaded from its GitHub repository, which also carries installation and usage instructions.


Microsoft ends free support for ageing yet popular Windows 7 operating system

Microsoft will no longer offer free help and support for the ageing but still popular Windows 7

If you disliked the tile-based UI of Windows 8.1 and decided to stick with your favourite Windows 7 on the desktop, this is sad news: Microsoft has officially ended free help and support for Windows 7.

This means that if you are using Windows 7, Microsoft will no longer provide free help with the problems you face, nor release any new features for it.

Windows 7, introduced in 2009, quickly gained popularity thanks to its comfortable UI and user-friendly options. It sold over 100 million copies in six months and remains hugely popular: it was more stable than its predecessor Windows Vista and added rich features for users. Microsoft's successor, Windows 8, and its subsequent updates made a radical change to the user interface, and because of that change Windows 8 has never found the widespread acceptance of Windows 7. It is estimated that half of the world's PCs run Windows 7 today.

As Microsoft looks to push through the next incarnation of its operating system, Windows 10, Windows 7 moves from mainstream to extended support. Support incidents and non-security hotfixes are now chargeable; extended support itself ends on 14 January 2020.


Microsoft will, however, continue to issue security fixes for vulnerabilities reported by security researchers throughout the extended-support period. It is often observed that once Microsoft withdraws support for a product, criminal interest in it slowly wanes, and exploitation of Windows XP or Windows 98 flaws is rare today. That is no reassurance, though: an unsupported system stays exploitable indefinitely for every flaw found after its last patch, so the 2020 date is the one to plan migrations around.

It is not known why Microsoft skipped Windows 9 and went directly to Windows 10. The Technical Preview of Windows 10 was released to developers, security researchers and enthusiasts in October 2014, and the final version is expected in the second half of this year.

Microsoft is set to make a major announcement about Windows 10 on 21 January 2015, and it is hoped it will return to the familiar Windows 7 style of UI rather than the radical Windows 8 one.

Windows 8.1's mainstream support ends on 9 January 2018 and its extended support on 10 January 2023.

You can read more on Microsoft's Windows lifecycle page.


KL-Remote ‘virtual mugging’ bank fraud toolkit bypasses 2-Factor Authentication and Device Identification


Criminal friendly KL-Remote ‘virtual mugging’ tool with attractive UI and ‘Start Phishing’ button now available

Brazilian cybercriminals have a very user-friendly tool for mugging and phishing their victims. Called KL-Remote, the 'virtual mugging' application has a (criminal-)user-friendly interface that includes a "Start phishing" button.

The added advantage for the criminals is that it effectively circumvents both two-factor authentication and device identification protections.

IBM Security Trusteer, which coined the 'virtual mugging' label, analysed the tool and has released a report on it. The report says that, unlike banking Trojans, KL-Remote is less automated and requires manual intervention from the criminal at various stages of the fraud.

KL-Remote is distributed by embedding it with other malware and comes preloaded with a list of targeted banking URLs.

When the infected victim visits one of those sites, the malware operator gets an alert and can then decide whether or not to proceed with an attack.

As the screenshot of the interface in IBM's report shows, it offers one-click phishing buttons.

To engage a victim, KL-Remote takes a snapshot of the legitimate website the victim is viewing and displays it as a static image on the infected computer's screen. From that point on the victim cannot interact with the real banking site (cannot close it or proceed with a normal login); whatever appears on screen is now under the criminal's control rather than the bank's.

By pushing the “Start phishing” button, the criminal causes a message to appear on the victim’s screen. The tool contains separate messages for each of the targeted banks. Each message is customized to the bank’s website login/authentication process and copies its look and feel.


Believing the overlay to be the genuine banking site, the victim clicks the 'update' button and is presented with a new screen asking for their banking PIN.

Once the victim enters the four- or six-digit PIN, they are locked out of the site and the criminal has full control of the victim's banking session.

The KL-Remote toolkit’s approach of directly performing the attack from the victim’s computer is able to bypass traditional protection methods. IBM Trusteer’s analysis has shown that the toolkit is able to circumvent or compromise the following security measures:

  • Username/Password: The toolkit lets the criminal present the victim with a pop-up requesting his or her username and password.
  • Two-Factor Authentication: The toolkit lets the criminal present the victim with a pop-up asking for two-factor authentication (2FA), such as tokens or one-time passwords received out-of-band. Some types of 2FA require a physical element such as a USB authentication key. Since the attack is carried out from the victim’s computer while the victim is browsing the legitimate banking website, the victim is likely to have the USB key plugged in at the time of the attack.
  • Device Identification: Due to the attack being conducted directly from the victim’s PC, any type of detection method based on the assumption that a known device is a safe device will be circumvented.

Though at present the KL-Remote is being used exclusively by cyber criminals based in Brazil and primarily targeting the Brazilian users with Portuguese language interface, IBM Security Trusteer analysis shows that it can be adapted to other languages, territories and industries.

IBM recommends users and financial institutions take the following steps to protect themselves:

  • Avoid opening phishing emails. Never open attachments or click on links from suspicious emails or emails from unknown sources.
  • Protect computers with dedicated financial malware endpoint protections such as IBM Trusteer Rapport.
  • Deploy server-side protections that can detect evidence of malware infections and remote-controlled access of banking websites.

Cloned BBC Website Questioning the Authenticity of Charlie Hebdo Footage


Fake BBC site with a bogus story on Charlie Hebdo terrorist attack alleging US and Israeli plot

A website that cloned the BBC news site, on a similar-looking domain, was discovered serving a bogus story about the Charlie Hebdo attack. Hosted at bbc-news[.]co[.]uk, it was an exact replica of the BBC site and ran a story questioning the authenticity of footage of the fatal shooting of a Muslim police officer, filmed shortly after the gunmen had killed 12 people at the Charlie Hebdo office in Paris.

The site, which OpenDNS analysed because of an unusual spike in visitors, was found to be serving a bogus story questioning the authenticity of the video footage.

Ahmed Merabet

40 year old Ahmed Merabet was one of two police officers killed in the Jan. 7 terrorist attack on the satirical magazine Charlie Hebdo. Merabet spotted suspected attackers Said and Cherif Kouachi fleeing the scene and pursued them. He was taken down by gunfire and then shot point blank on the street. Officer Franck Brinsolaro had already been killed inside the magazine’s office.

Conspiracy Theory

The fake site's story questioned the authenticity of the footage of the police officer's shooting, claiming the Merabet video was filmed in two takes as part of a plot by U.S. or Israeli intelligence agencies to incite hatred of Islam.

The website was taken offline on Monday afternoon after having been live since around 28 December, said Andrew Hay, senior security research lead and evangelist at OpenDNS. The URL now redirects to a YouTube video by the user 108morris108, who is seen apologizing for misleading viewers about a hoax video; it is not known whether he is referring to the same footage.

Hay adds that the site creators had earlier made two attempts to pull in traffic to their site, both apparently false.

The first concerned a 'U.K. YouTuber' supposedly arrested in the Middle East on terror charges; the second promised readers new clues for the Internet cryptographic puzzle Cicada 3301.


But the site's real moment came with the conspiracy story. It drew as many as 3,600 views an hour after posting its article on 12 January questioning aspects of the Charlie Hebdo attacks, Hay said. He added that the cloned site hosted no malware and did not redirect to malware sites.

The site may have been getting many of its visitors from Reddit, where the owner or an accomplice had posted a thread questioning the authenticity of the Charlie Hebdo footage.


A cached copy of the cloned website is still viewable.

KeySweeper a $10 spy tool disguised as Wall Charger which can read data from any wireless Microsoft Keyboard


Researcher builds $10 USB wall charger which can read data from any Microsoft wireless keyboard

A security researcher has developed a USB wall charger which he claims can read data from any wireless keyboard manufactured by Microsoft. He has named the device as KeySweeper and has also released a do it yourself tutorial on GitHub.

Bugs Exploited

The device masquerades as a working USB wall charger but secretly monitors any Microsoft wireless keyboard within range and "passively sniffs, decrypts, logs and reports back" everything typed on it, its creator says.

"KeySweeper is a stealthy Arduino-based device camouflaged as a wall charger that wirelessly sniffs, decrypts, logs and reports-back all keystrokes from any Microsoft wireless keyboard in the vicinity," Kamkar said.

The flaw in Microsoft's wireless keyboard transmitters was exploited by KeySweeper's creator, Samy Kamkar, a security researcher and entrepreneur who has previously flagged issues in Parrot drones, illicit smartphone tracking and the PHP language. KeySweeper reports back over GSM, which makes the device very hard to locate from the victim's network.

All keystrokes are logged online and locally. SMS alerts are sent upon trigger words, usernames or URLs, exposing passwords. If unplugged, KeySweeper continues to operate using its internal battery and auto-recharges upon repowering. A web based tool allows live keystroke monitoring.


According to Samy, KeySweeper can be built for as little as $10, with optional extras such as SMS alerts when chosen keywords are typed and an internal rechargeable battery, meaning the device keeps logging keystrokes even when unplugged. Microsoft's keyboards do encrypt data before transmitting it.

Samy says he found multiple weaknesses in that encryption that let him decrypt the transmitted data. KeySweeper stores the captured keystrokes both online and locally, and sends them to its operator over the Internet via an optional GSM chip.

“Even if we do not know the MAC address, we can decrypt the keystroke. Using a few-dollar Arduino and a US$1 Nordic RF chip we can decrypt these packets and see any keystroke of any keyboard in the vicinity that’s using the Microsoft wireless keyboard protocol and it doesn’t matter what OS is used.”

The cost breakdown for building the device is as follows:
  • $3 – $30: An Arduino or Teensy microcontroller can be used.
  • $1: nRF24L01+ 2.4GHz RF Chip which communicates using GFSK over 2.4GHz.
  • $6: AC USB Charger for converting AC power to 5v DC.
  • $2 (Optional): An optional SPI Serial Flash chip can be used to store keystrokes on.
  • $45 (Optional): Adafruit has created a board called the FONA which allows you to use a 2G SIM card to send/receive SMS, phone calls, and use the Internet directly from the device.
  • $3 (Optional if using FONA): The FONA requires a mini-SIM card (not a micro-SIM).
  • $5 (Optional, only if using FONA): The FONA provides on-board LiPo/LiOn battery recharging, and while KeySweeper is connected to AC power, the battery will be kept charged, but is required nonetheless.


A Microsoft spokesperson told VentureBeat that they “are aware of reports about a ‘KeySweeper’ device and are investigating.”

The exploit

The weakness in Microsoft's scheme is that it is a simple XOR of the packet with the keyboard's MAC address, used as the key. Since the nRF24L01+ chip can read that address over the air, this provides little protection against a moderately determined attacker. Worse, every Microsoft keyboard's MAC address begins with 0xCD, so even an attacker who does not know the rest of the address can decrypt the keystroke: the alignment of the keystroke byte never changes, and 0xCD is always the first byte of the address.

The flaw is not new; white hats including Travis Goodspeed, Thorsten Schröder and Max Moser have brought it to light several times. Those attacks, however, needed much larger and more powerful hardware, which is what makes a device the size of KeySweeper notable. The keyboard Kamkar tested was a brand-new model bought two weeks earlier from a Best Buy store, so there is ample evidence the attack works against at least some Microsoft keyboards. That said, an Ars Technica reader pointed to a 2011 article reporting the release of a Microsoft keyboard with 128-bit AES encryption; Microsoft's website lists only a single keyboard model offering that protection.
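The following Python model illustrates why the 0xCD property matters. It is an added example, not KeySweeper's code (which is Arduino C): the frame layout, the keycode offset and the sample address are assumptions chosen so that the keystroke byte lines up with the first address byte, as the article describes; real Microsoft 2.4GHz frames differ in detail.

```python
"""Model of the XOR-with-address weakness KeySweeper exploits.

Added example, not KeySweeper's code (which is Arduino C). The frame layout is
this example's assumption: a fixed-length frame XORed with the keyboard's
5-byte address repeated across it, with the HID keycode at a fixed offset that
lines up with the first address byte. Real Microsoft 2.4GHz frames differ in
detail; what is modelled is the property the article describes, that the
keystroke byte is always XORed with a byte that is 0xCD on every Microsoft keyboard.
"""

ADDR_LEN = 5          # nRF24L01+ style 5-byte address
MS_FIRST_BYTE = 0xCD  # first address byte on Microsoft keyboards (from the article)
KEY_OFFSET = 5        # assumed frame offset of the keycode; 5 % ADDR_LEN == 0, so it
                      # always lines up with address byte 0

# Subset of the USB HID usage table: a-z, 1-9, 0, Enter, space.
HID_TO_CHAR = {0x04 + i: chr(ord("a") + i) for i in range(26)}
HID_TO_CHAR.update({0x1E + i: str(i + 1) for i in range(9)})
HID_TO_CHAR.update({0x27: "0", 0x28: "\n", 0x2C: " "})
CHAR_TO_HID = {c: k for k, c in HID_TO_CHAR.items()}


def xor_with_address(frame, addr):
    """The 'encryption': XOR each frame byte with the address byte at the same position mod 5."""
    return bytes(b ^ addr[i % ADDR_LEN] for i, b in enumerate(frame))


def keyboard_encrypt(keycode, addr, frame_len=10):
    """What the (modelled) keyboard transmits for one key press."""
    frame = bytearray(frame_len)
    frame[0] = 0x0A              # assumed header byte
    frame[KEY_OFFSET] = keycode
    return xor_with_address(bytes(frame), addr)


def sniffer_decrypt_with_address(frame, addr):
    """Full decryption once the address has been sniffed (XOR is its own inverse)."""
    return xor_with_address(frame, addr)


def recover_keycode_blind(frame):
    """Recover the keycode WITHOUT knowing the address: offset KEY_OFFSET meets
    address byte 0, which is 0xCD on every Microsoft keyboard, so one XOR suffices."""
    return frame[KEY_OFFSET] ^ MS_FIRST_BYTE


def decode_stream(frames):
    """Turn a run of sniffed frames into text using only the 0xCD assumption."""
    return "".join(HID_TO_CHAR.get(recover_keycode_blind(f), "?") for f in frames)


def demo(text="hunter2\n"):
    """Encrypt `text` under a constructed Microsoft-style address, then recover it blind."""
    addr = bytes([0xCD, 0x12, 0x34, 0x56, 0x78])   # constructed keyboard address
    frames = [keyboard_encrypt(CHAR_TO_HID[c], addr) for c in text]
    return decode_stream(frames)


if __name__ == "__main__":
    print(repr(demo()))
```

With an address whose first byte is not 0xCD the blind recovery returns garbage, which is exactly the point: the only secret in the scheme is a byte that is public for a whole product line. The keyboards Microsoft cites as protected replace this XOR with AES, so knowing the address no longer yields the keystroke.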

Microsoft has released an official statement regarding this successful hack and it is as follows:

“Keyboards from multiple manufacturers are affected by this device. Where Microsoft keyboards are concerned, customers using our Bluetooth-enabled keyboards are protected from this type of attack. In addition, users of our 2.4GHz wireless keyboard designs from July 2011 onwards are also protected because these keyboards use Advanced Encryption Standard (AES) technology.”