KeySniffer: Hackers can snag wireless keyboard keystrokes from 250 feet away
Some keyboard manufacturers opted to save money by skipping over Bluetooth and instead having their wireless keyboards connect to computers using generic, undocumented transceiver alternatives. Those cheap transceivers wirelessly transmit keystrokes to the USB dongle without any encryption.
Bastille’s chief research officer Ivan O’Sullivan told Wired, “We were stunned. We had no expectation that in 2016 these companies would be selling keyboards with no encryption.”
Bastille is the same security firm that previously warned people about the MouseJack vulnerability, which could allow attackers to inject keystrokes in millions of wireless mouse and keyboard models from a distance of up to 328 feet. But the newest KeySniffer attack goes beyond MouseJack since victims would not know they were being hacked; users wouldn’t even have to be using their computer as attackers could inject keystrokes while the keyboard is idle.
The keyboards vulnerable to KeySniffer use USB dongles which continuously transmit radio packets at regular intervals, enabling an attacker to quickly survey an environment such as a room, building or public space for vulnerable devices regardless of the victim’s presence. This means an attacker can find a vulnerable keyboard whether a user is at the keyboard and typing or not, and set up to capture information when the user starts typing.
In addition to eavesdropping on the victim’s keystrokes, an attacker can inject their own malicious keystroke commands into the victim’s computer. This can be used to install malware, exfiltrate data, or any other malicious act that a hacker could perform with physical access to the victim’s computer.
Newlin previously presented (pdf) the techniques he used to reverse engineer the shoddy transceivers at the Hack in the Box security conference in Amsterdam. An attacker could do the same with equipment that costs less than $100.
The KeySniffer attack works from “several hundred” feet away, the researchers say; Network World reported, “While this attack works at 250 feet line-of-sight it does work at greater distances, but they cite 250 feet because at that distance it works with 100% accuracy all the time.”
Wireless keyboards vulnerable to KeySniffer
The list of KeySniffer-affected devices only includes the keyboard models the research team tested, meaning there could be more. For now, the researchers are sure that keyboards manufactured by the following eight vendors are vulnerable: HP, Toshiba, Kensington, Insignia, General Electric, EagleTec, Radio Shack and Anker.
There is no way for the firmware to be updated in order to patch the vulnerability. If you own one of the flawed devices, then researchers advised tossing it out and going with a wired keyboard. If you use a Bluetooth keyboard, then don’t sweat it. If you want to stay wireless, then Bluetooth is the way to go.