The Channel logo

News

By | John Leyden 26th July 2016 15:58

It's 2016 and your passwords can still be sniffed from wireless keyboards

KeySniffer – does what it says on the tin

Millions of low-cost wireless keyboards are susceptible to a vulnerability that reveals private data to hackers in clear text.

The vulnerability – dubbed KeySniffer – creates a means for hackers to remotely “sniff” all the keystrokes of wireless keyboards from eight manufacturers from distances up to 100 metres away.

“When we purchase a wireless keyboard we reasonably expect that the manufacturer has designed and built security into the core of the product,” said Bastille Research Team member Marc Newlin, responsible for the KeySniffer discovery. “Unfortunately, we tested keyboards from 12 manufacturers and were disappointed to find that eight manufacturers (two thirds) were susceptible to the KeySniffer hack.”

The keyboard manufacturers affected by KeySniffer include: Hewlett-Packard, Toshiba, Kensington, Insignia, Radio Shack, Anker, General Electric, and EagleTec. Vulnerable keyboards are always transmitting, whether or not the user is typing. Consequently, a hacker can scan for vulnerable devices at any time. A complete list of affected devices can be found here.

Wireless keyboards have been the focus of security concerns before. In 2010, the KeyKeriki team exposed weak XOR encryption in certain Microsoft wireless keyboards. Last year Samy Kamkar’s KeySweeper exploited Microsoft’s vulnerabilities. Both of those took advantage of shortcomings in Microsoft’s encryption.

The KeySniffer discovery is different in that it reveals that manufacturers are actually producing and selling wireless keyboards with no encryption at all. Bluetooth keyboards and higher-end wireless keyboards from manufacturers including Logitech, Dell, and Lenovo are not susceptible to KeySniffer.

Bastille notified affected vendors to provide them the opportunity to address the KeySniffer vulnerability prior to going public on Tuesday. Most, if not all, existing keyboards impacted by KeySniffer cannot be upgraded and will need to be replaced, it warns.

Bastille’s discovery of KeySniffer follows month after its discovery of MouseJack, a vulnerability affecting millions of wireless mice. ®

comment icon Read 31 comments on this article or post a comment alert Send corrections

Opinion

Baby looks taken aback/shocked/affronted. Photo by Shutterstock

Kat Hall

Plans for 2 million FTTP connections in next four years 'not enough'
Microsoft CEO Satya Nadella
Stranded_ships

Chris Mellor

Thousands of layoffs announced as spinning rust enters its death spiral

Features

STRASBOURG, JUNE 29, 2016: The seat of the European Parliament. by Marco Aprile for shutterstock. EDITORIAL USE ONLY
Plan b, image via Shutterstock
EU workers, new markets: post-Brexit pressure on May & Co
Tough question, pic via Shutterstock
Honest mistake with your licensing? Audit police look at it on a 'case by case basis'