A vulnerability in inexpensive wireless keyboards lets hackers steal private data, Bastille reported this week.
The vulnerability lets hackers use a new attack the firm dubbed “KeySniffer” to eavesdrop on and capture every keystroke typed from up to 250 feet away.
The stolen data is rendered in clear text. It lets hackers search for victims’ credit card information, bank account usernames and passwords, answers to security questions, network access passwords, and any data typed into a document or email.
“Almost all access credentials have value to hackers,” noted Tom Clare, vice president of marketing at Gurucul.
“Hijacked or compromised access credentials to the corporate cloud “are the keys to the kingdom,” he said.
“KeySniffer demonstrates that as many as two thirds of the lower-cost wireless keyboards currently on the market implement no encryption whatsoever, leaving them vulnerable to passive keystroke sniffing and injection,” observed Bastille’s Marc Newlin.
Affected keyboards are made by eight companies: HP, Toshiba, Kensington, Insignia, Radio Shack, Anker, General Electric and EagleTec.
The vulnerable keyboards are detected easily, as the USB dongles they use are always transmitting synchronization packets to let the keyboard find them, whether or not they’re in use. That lets a hacker home in on them quickly.
The sync packets contain the unique identifier for the keyboard or dongle.
Once a vulnerable keyboard is identified, the hacker uses the identifier to filter wireless transmissions for the keystrokes sent by the target keyboard.
Hackers not only can steal data, but also can inject keystrokes to type remotely on a vulnerable computer, installing malware or stealing data, Newlin said.
Wireless keyboard sniffers are not new. Researchers at Remote Exploit in 2009 developed KeyKeriki, an open source hardware/software project that let users decode Microsoft wireless keyboards.
Hacker Samy Kamkar two years ago developed KeySweeper, a proof-of-concept hardware/software keystroke logger disguised as a USB wall charger, which attacked any nearby Microsoft wireless keyboard.
The FBI this spring issued a warning about KeySweeper-like devices.
Keyboards vulnerable to the KeyKeriki and KeySweeper attacks exclusively use Nordic Semiconductor nRF 241 transceivers, which employ a well-documented physical layer protocol. They transmit radio packets only when in use.
The keyboards vulnerable to KeySniffer “use three distinct transceivers not made by Nordic Semiconductor,” Newlin pointed out.
Higher-end keyboards aren’t vulnerable because they “frequently use transceivers from Nordic Semiconductor which have built-in support for 128-bit AES encryption,” Newlin remarked. “Whether or not the encryption is used is up to each vendor, but in general, [it is].”
Bluetooth keyboards aren’t susceptible because Bluetooth encrypts all data transmitted over the air, Newlin noted.
“If security is a concern, make sure the keyboard you buy uses an encrypted connection,” said Michael Jude, a program manager at Stratecast/Frost & Sullivan.
For most applications, however, “cheap will work,” he said, but care must be taken as to where the keyboard is placed. “In front of a major thoroughfare-facing window might not be good.”
“To the best of our knowledge, none of the affected keyboards can be patched, and the safest option is to switch out to a Bluetooth keyboard — or better yet, a wired keyboard,” Newlin said.
“First, don’t use the same password on multiple accounts,” Gurucul’s Clare advised. “Second, enable multifactor authentication, such as a passcode to your smartphone, or extra questions with answers only you would know. Third, look for reporting or account profile information that shows your access and activity so you can review it for anomalous events.”
1,447 total views, 1 views today