Vulnerabilities in unencrypted wireless keyboards let hackers see keystrokes, inject malware

midian182

Wireless keyboards are quite popular in offices and with those who operate their living room PC from the couch, but researchers at cybersecurity company Bastille have discovered a vulnerability they call “Keysniffer” that allows an attacker to record keystrokes from 250 feet away.

The issue is with wireless keyboards that transmit to a PC using an unencrypted, radio-based communications protocol rather than a Bluetooth connection. These cheaper transceiver chips (and other non-Bluetooth chips), which operate in the 2.4GHz ISM radio band, don't receive Bluetooth's security updates that could fix the problem.

The unencrypted transmissions mean that anyone within a 250-foot line-of-sight radius could grab your passwords, credit card details, and any other personal information you type using a cheap dongle bought online. Researchers say attackers could also inject their own keystrokes to install malware or perform other malicious acts on a victim’s PC.

Bastille tested budget wireless keyboards from twelve different manufacturers and found eight of them sold products vulnerable to Keysniffer, including ones from Hewlett-Packard, Toshiba, and General Electric/Jasco. You can see the list of affected models here. The security firm noted that it only tested keyboards it had at hand, and other brands/models were likely to be vulnerable.

There is no way to add security features that would plug the vulnerabilities found in these keyboards. Bastille recommends that anyone who owns an affected device switch to a Bluetooth or wired keyboard.

A Jasco spokesperson said it “will work directly with its customers of this product to address any issues or concerns.” Other manufacturers have yet to comment.


 
It would be awesome if they did some more testing with other types of keyboards. I'm guessing this is not widely being used though, but still, great information and will pass it on to those who could be affected.
 
Any word for Logitech wireless keyboards?
They work on exactly the same principle and use exactly the same frequency as all other makes. I doubt the Logitech name makes them bulletproof but don't worry about it, the chances of you getting zapped are about as good as me winning the national lottery when the payout reaches $100 mil. It's only tech geeks like us that read these kinds of articles and makes us press the panic button.
If you're still paranoid, switch to Bluetooth then, but I'm sure there'll be vulnerabilities there too which we don't know about yet.
 
They work on exactly the same principle and use exactly the same frequency as all other makes. I doubt the Logitech name makes them bulletproof but don't worry about it, the chances of you getting zapped are about as good as me winning the national lottery when the payout reaches $100 mil. It's only tech geeks like us that read these kinds of articles and makes us press the panic button.
If you're still paranoid, switch to Bluetooth then, but I'm sure there'll be vulnerabilities there too which we don't know about yet.

Well, if you work in a well-respected company, all of the things that go inside are trade secrets and you have all the right to be paranoid. If someone could hack a manager's, director's, VP's, CFO's or CEO's keyboard, that means bad bad bad news. Yeah, if you are worried that your house keyboard might get hacked, trust me they won't go there, unless you are the CEO or VP or a high position in an important company then yes, you should be worried because of this.
 
Any word for Logitech wireless keyboards?
I believe that at least on Windows, all Logitech's wireless keyboards are encrypted. Here is a whitepaper from 2008 that states that it is part of the pairing process - and yes, even when it is not Bluetooth, you do have to go through a pairing process. http://www.logitech.com/images/pdf/roem/Logitech_Adv_24_Ghz_Whitepaper_BPG2009.pdf

A long time ago, you used to have to specifically enable an encrypted connection, however, I think that an encrypted connection is now the default.
 
Well, if you work in a well-respected company, all of the things that go inside are trade secrets and you have all the right to be paranoid. If someone could hack a manager's, director's, VP's, CFO's or CEO's keyboard, that means bad bad bad news. Yeah, if you are worried that your house keyboard might get hacked, trust me they won't go there, unless you are the CEO or VP or a high position in an important company then yes, you should be worried because of this.
Then use a wired keyboard. There was a time when there were no such things as wireless peripherals and I don't remember people complaining about it. If you could use them then, why can't you use them now? Sure, I fully agree wireless peripherals do add convenience but if you're more concerned about security...
If the mechanized vehicle had never been envisaged I'm sure we'd all still be comfortable using horse-drawn transport because we wouldn't have known any better. Do you know of or have heard of anyone from the distant past complaining that the car hadn't been invented yet?
 