A new security report shows wireless keyboards from several major vendors use no encryption when sending wireless communication data to their USB dongles.
This could allow hackers to intercept and collect the data, stealing information like passwords. It could even allow hackers to send their own data to the wireless keyboard dongle, issuing commands to take over a targeted computer.
The attack method is called KeySniffer. It was discovered by researchers at PC security company Bastille (which actually looks at security issues for all different types of Internet of Things devices).
Bastille analyzed non-Bluetooth wireless keyboards from 12 manufacturers and determined 8 of those keyboards were vulnerable to KeySniffer attacks.
Bastille went on to explain that the affected products were inexpensive wireless keyboards sold by HP, Toshiba, General Electric, Anker, EagleTec, Kensington, Insignia, and Radio Shack. Since only 12 manufacturers’ keyboards were tested, it’s possible other companies’ keyboards are also vulnerable to KeySniffer attacks.
You can view the list of affected devices here, including the specific model numbers tested.
How Do KeySniffer Attacks Work?
KeySniffer attacks take advantage of a vulnerability where some keyboard manufacturers communicate with their wireless USB dongles through unencrypted radio communications protocols.
In testing, attackers have been able to perform KeySniffer attacks from up to 250 feet away using basic electronics equipment available for less than $100 from general electronics retailers.
The keyboards made by the manufacturers listed above send data in clear text. That means attackers can use a long-range USB radio dongle (something widely available in stores) to intercept your communications.
Making things worse, attackers can easily scan a building or open space for potential targets. Your wireless keyboard is constantly sending data packets to the computer, even when you’re not typing. So all an attacker has to do is find an unprotected keyboard, then sit back and wait for you to enter a password, payment card information, or other sensitive data.
KeySniffer Can Be Used to Inject An Attacker’s Own Keystrokes
Spying on someone’s passwords and payment information is one problem. But KeySniffer can also be used to inject an attacker’s own keystrokes into the computer.
This could allow them to run commands that install malware, for example, or perform any other activity on a target device.
Wireless Keyboards Don’t Support Firmware Updates
The scariest part of this vulnerability is that it won’t be fixed anytime soon. Bastille alerted the above wireless keyboard manufacturers about the problem, but they’re unlikely to do anything. Wireless keyboards don’t typically support firmware updates, which means you’re stuck with this vulnerability for as long as you own the wireless keyboard.
This isn’t the first time Bastille has pointed out vulnerabilities in wireless technology. Earlier in 2016, the company warned the internet that popular wireless mice and keyboards were vulnerable to “MouseJack” attacks, which involved attackers sending malicious data to wireless USB receivers.
Update: Kensington was the first keyboard manufacturer to respond to the KeySniffer vulnerability. They have since released a firmware update that includes AES encryption.