Wireless keyboards from eight manufacturers do not encrypt their communications, allowing attackers to easily snoop passwords, credit-card numbers and other valuable information, according to a report published July 26 by security firm Bastille Networks.
The attack, which Bastille called KeySniffer, only affects keyboards whose manufacturers used non-standard communications technology to create the wireless pair between the devices and a USB dongle. Keyboards that use Bluetooth are unaffected.
Bastille researcher Marc Newlin discovered the issue after reverse-engineering popular wireless keyboards that did not use the Bluetooth communications protocol. He originally analyzed 12 keyboards and found eight that failed to encrypt their data.
“These eight keyboards were transmitting the keystrokes completely in clear text, so no encryption whatsoever,” he said. “And at that point, it became apparent that the attacker could sniff keystrokes from these devices and inject keystrokes into the communications stream because it’s unencrypted.”
In an increasingly popular move among security companies, Bastille branded the vulnerability, complete with a cool name and a bespoke website. Affected wireless keyboards include those from HP, Toshiba, Kensington, Insignia, Radio Shack, Anker, General Electric and EagleTec, Bastille said.
Remote keysniffing attacks have a long history. In 2005, researchers at the University of California at Berkeley found that a $10 microphone could discern 90 percent of the words typed during a 10-minute recording. Five years later, another group of researchers released a device that could snoop on the connection between peripherals using Nordic Semiconductor’s wireless chips.
In the last half decade, researchers have focused more on the connections between a keyboard and a computer. In 2010, a team of researchers known as the KeyKeriki group found that certain Microsoft keyboards used a weak XOR encryption scheme to obfuscate the content of traffic between the keyboard and a connected device. Last year, Samy Kamkar—perhaps best known for creating the “Samy” Facebook worm—created another attack, known as KeySweeper, which exploited Microsoft’s vulnerability.
This is Bastille’s second major find. The company found another issue, dubbed MouseJack, that could allow an attacker to hijack the connection between wireless keyboards or mice and the device with which they are paired.
Reverse-engineering the keyboards was the most difficult part of the process. Hacking the peripherals is quite easy, and only requires a transceiver and an antenna—$80 online—and some custom software, Newlin said. In addition, the way the USB dongles keep the connection with a keyboard alive makes it easy to detect a vulnerable device, he said.
“A kind of interesting point on this is that the dongles on these keyboards are constantly transmitting packets to make it easy for the keyboard to find the dongle,” Newlin said. “And that means an attacker can very, very quickly survey an environment for all the keyboards vulnerable to the type of attack.”
Bastille notified the keyboard vendors of the issues, but most are not able to be firmware-upgraded and so cannot be patched, the company said. The firm recommended that users upgrade to a wired keyboard or a Bluetooth device.