A number of popular manufacturers of wireless keyboards have been betraying their owners, broadcasting their keystrokes for savvy hackers to intercept from hundreds of meters away.
According to research published yesterday by Bastille, a cyber security firm, eight wireless keyboards manufactured by major electronics corporations transmit info in a manner that makes it possible for a hacker to snoop on each letter, password, sentence, credit card number, and secret typed on them.
Wireless keyboards generally shield their customers by encrypting the info that they send back to the computer systems they’re paired with. That way, even if data sniffers attempt to eavesdrop on the data stream, they will get nothing but an undecipherable mess. Sometimes, however, the encryption isn’t properly executed: Last year, a prolific security researcher found a flaw in the encryption utilized by certain Microsoft keyboards, and built a small gadget to intercept and decode what’s being typed on them.
That’s the type of vulnerability that Marc Newlin, a researcher at Bastille, was in search of when he set out to hack 12 popular models of wireless keyboards from manufacturers like Hewlett-Packard, Radio Shack, Toshiba, and General Electric. What he discovered, though, was much more surprising than a poorly secured data connection: Some keyboards weren’t encrypting the keystrokes being tapped out on them at all.
Newlin started out by reverse-engineering the transceivers—the little USB dongles that come with wireless keyboards—to try to determine how they communicate. “I thought this was going to be just the first part of the process,” Newlin stated. “It turned out after completing that step that, lo and behold, all of the keystroke data was simply being transmitted in cleartext, with no encryption whatsoever.”
That oversight makes it simple for a hacker to spy on everything being typed on one of the vulnerable keyboards—from as far away as 250 feet (76 meters). That means an attacker in the next hotel room or office suite could listen in on a keyboard for an extended period of time without the keyboard’s user ever finding out about it. And if the hacker wished, she or he could send fake signals to the victim’s PC, tricking it into typing something that was never really tapped out on the keyboard itself. Bastille dubbed the hacking tool “KeySniffer.”
The hardware Newlin needed to mount the attack is inexpensive: He used a radio transponder meant for controlling drones, which is available on Amazon for $39, and a $50 antenna to boost the range to about 250 feet. With that setup, it is also straightforward for any hacker to find new keyboards to exploit. As long as a susceptible USB dongle is plugged into a PC that’s running, Newlin said, it continuously transmits a signal that tips attackers off to its presence.
The keyboards vulnerable to KeySniffer are all low-end, cheap models. A list of them is available on Bastille’s website, but there may well be more out there that haven’t been examined yet. Keyboards that connect via Bluetooth, a widely used technology for communicating wirelessly with nearby gadgets, can’t be hacked with the KeySniffer methodology, because Bluetooth encrypts information streams in a much more secure manner. Wired keyboards are safe, too, because they don’t broadcast a signal at all. Or are they?
Bastille’s experts say there is no way to patch the security hole in the affected keyboards. If you’ve bought one, the only recourse is to throw it out and replace it with a more secure Bluetooth or wired keyboard.
Tuesday marks the 90th day since Bastille’s researchers informed the keyboard manufacturers about KeySniffer. The 3-month lag before publicly releasing the information is designed to allow the firms to fix the issue, in this case likely by recalling the affected hardware. However, very little appears to have happened during that time. “Frankly, we were disappointed with the response we received from the manufacturers,” said Ivan O’Sullivan, Bastille’s chief revenue officer. “Most of the response was no response.”
We reached out to the manufacturers of the eight keyboards found to be vulnerable, and heard back from only three.
A spokesperson for Anker, a company that makes batteries, chargers, and small electronic gadgets, said Bastille’s e-mail got caught in a spam filter. The company will review the researchers’ claims, the spokesperson stated.
The problematic keyboard sold under the General Electric name is in fact manufactured by Jasco, a company that’s licensed to use the GE trademark. In a statement, a spokesperson for Jasco said that the company is aware of the problems with its wireless keyboard, and that although it hasn’t been able to replicate the issue, it plans to notify consumers of the issue on its website. The spokesperson stated Jasco will “address any customer concerns” if they call its tech support.
A statement from Insignia, Best Buy’s in-house electronics brand, was less conciliatory. “Insignia Wi-fi Keyboard & Mouse products incorporate encrypted communication,” a spokesperson stated, adding that the corporation will take “immediate action if necessary.” (Newlin said that it’s possible that some of the firm’s merchandise uses encryption, but that the specific model he examined doesn’t.)
O’Sullivan noted that Microsoft, which manufactured the wireless keyboards that were hacked earlier, didn’t make the list of keyboards susceptible to KeySniffer this time. “Microsoft listened,” he said. “That is one of the things we are looking for here.”
Though Bastille is going public with its findings, it’s stopping short of releasing the KeySniffer code into the wild. But that doesn’t mean similar software isn’t already out there.
“Marc’s a super smart guy,” O’Sullivan said of the researcher who developed KeySniffer. “However, is he the only guy who could have written this? No. Is it out there? We don’t know. When there’s been one smart man doing it, who knows who else has already done this?”