Keystrokes from millions of wireless keyboards stolen by radio hack
Millions of low-priced wireless keyboards are susceptible to a vulnerability that can let hackers take over your keyboard and secretly record what you type. The problem is that the keyboards communicate with their linked PCs without encryption, so it is just a matter of reverse engineering the signals to find out how to read which keys are being hit.
“Quite simply, it was a shock to find that unencrypted wireless keyboards are still being sold in 2016”, Bastille Research Team Member Marc Newlin told SCMagazine.com via email. Or alternatively, “just get a wired keyboard”.
“We’re in the business of scanning the enterprise airspace to look for vulnerabilities in IoT, mobile, and other wireless devices”, said Ivan O’Sullivan, CRO at Santa Cruz, Calif.-based Bastille Networks Inc.
It’s called KeySniffer, and it spells death for millions of wireless, radio-based keyboards. Attackers can inject their own rogue keystroke commands inside the data stream established between a vulnerable wireless keyboard and its dongle, enabling them to install malware, grab sensitive data, or perform other malicious acts as if they had actual physical access to the desktop or laptop.
“When we purchase a wireless keyboard we reasonably expect that the manufacturer has designed and built security into the core of the product”, Marc Newlin, the Bastille researcher who discovered the vulnerability, said in a news release. This means someone within a radius of several hundred yards with a $30 to $40 radio dongle could secretly see everything you type, including passwords, credit card numbers, and much more.
The technique, which the Bastille researchers are planning to show at the Defcon hacker conference in two weeks, allows any hacker with a $12 radio device to interrupt the connection between any of eight wireless keyboards and a computer from 250 feet away. It also gives the hacker the ability to both type keystrokes on the victim’s machine and silently record the target’s typing.
The keyboard manufacturers affected by KeySniffer include: Hewlett-Packard, Toshiba, Kensington, Insignia, Radio Shack, Anker, General Electric, and EagleTec.
The KeySniffer discovery is different in that it discloses that manufacturers are essentially producing and selling wireless keyboards with no encryption at all. In 2010, the KeyKeriki team exposed weak XOR encryption in certain Microsoft wireless keyboards. Last year, Samy Kamkar’s KeySweeper looked like a USB wall charger but scanned a room for Microsoft wireless keyboards and then recorded all of their keystrokes.
Many operating systems are designed to offer keyboard-based controls in case the mouse physically fails. Therefore, having control over a user’s keyboard is like having control over their entire computer.
The attacker doesn’t even have to be physically within the targeted building, O’Sullivan said.
The research on wireless keyboards complements work Bastille did earlier in 2016 on wireless mice. Bluetooth keyboards and higher-end wireless keyboards from manufacturers including Logitech, Dell, and Lenovo are not vulnerable to KeySniffer. Most of the companies didn’t respond to WIRED’s request for comment.
However, Bastille says that since the wireless devices don’t have a mechanism to push out a patch, there’s no simple fix for the vulnerabilities it has found. Bastille suggested that connecting keyboards to a computer using Bluetooth, rather than radio, could solve the problem.
According to Bastille, the problem does not affect Bluetooth keyboards because they are subject to industry standards that require stronger security measures. “They’re demonstrating that a lot more suppliers are not doing this ideally, and this is the most critical input device we have on a computer,” Kamkar says. “If they can sniff and inject, it’s game over.”