Wireless keyboards are quite popular in offices and with those who operate their living room PC from the couch, but researchers at cybersecurity company Bastille have discovered a vulnerability they call “Keysniffer” that allows an attacker to record keystrokes from 250 feet away.
The issue is with those wireless keyboards that transmit to a PC using an unencrypted, radio-based communications protocol rather than a Bluetooth connection. These cheaper transceiver chips (and other non-Bluetooth chips), which operate in the 2.4GHz ISM radio band, don't receive Bluetooth's security updates that could fix the problem.
The unencrypted transmissions mean that anyone within a 250-foot line-of-sight radius, using a cheap dongle bought online, could grab your passwords, credit card details, and any other personal information you type. Researchers say attackers could also inject their own keystrokes to install malware or perform other malicious acts on a victim’s PC.
Bastille tested budget wireless keyboards from twelve different manufacturers and found eight of them sold products vulnerable to Keysniffer, including ones from Hewlett-Packard, Toshiba, and General Electric/Jasco. You can see the list of affected models here. The security firm noted that it only tested keyboards it had at hand, and other brands/models were likely to be vulnerable.
There is no way to add security features that would plug the vulnerabilities found in these keyboards. Bastille recommends that anyone who owns an affected device switch to a Bluetooth or wired keyboard.
A Jasco spokesperson said it “will work directly with its customers of this product to address any issues or concerns.” Other manufacturers have yet to comment.