KeySniffer: Hackers can snag wireless keyboard keystrokes from 250 feet away

From hundreds of feet away, attackers can see everything that is being typed as well as type directly on a PC due to flawed wireless keyboards from at least eight vendors.


You might want to check if your wireless keyboard is on a list of vulnerable devices, since researchers warned that hackers can read your keystrokes from at least 250 feet away. In other words, a hacker could snag your passwords, credit card numbers and any other private information in clear text.

The Bastille Research Team discovered that flawed and inexpensive keyboards do not use any encryption when wirelessly sending keystrokes to the USB dongle. Researcher Marc Newlin warned, “This makes it possible for an attacker to both eavesdrop on everything a victim types, as well as transmit their own malicious keystrokes, which allows them to type directly on the victim’s computer.”

Some keyboard manufacturers opted to save money by skipping over Bluetooth and instead have their wireless keyboards connect to computers using generic and undocumented transceiver alternatives. Those cheap transceivers wirelessly transmit keystrokes to the USB dongle without any encryption.

Bastille’s chief research officer Ivan O’Sullivan told Wired, “We were stunned. We had no expectation that in 2016 these companies would be selling keyboards with no encryption.”

Bastille is the same security firm that previously warned people about the MouseJack vulnerability, which could allow attackers to inject keystrokes into millions of wireless mouse and keyboard models from a distance of up to 328 feet. But the newest KeySniffer attack goes beyond MouseJack since victims would not know they were being hacked; users wouldn’t even have to be using their computer as attackers could inject keystrokes while the keyboard is idle.

Newlin explained:

The keyboards vulnerable to KeySniffer use USB dongles which continuously transmit radio packets at regular intervals, enabling an attacker to quickly survey an environment such as a room, building or public space for vulnerable devices regardless of the victim’s presence. This means an attacker can find a vulnerable keyboard whether a user is at the keyboard and typing or not, and set up to capture information when the user starts typing.

In addition to eavesdropping on the victim’s keystrokes, an attacker can inject their own malicious keystroke commands into the victim’s computer. This can be used to install malware, exfiltrate data, or any other malicious act that a hacker could perform with physical access to the victim’s computer.

Newlin previously presented the techniques he used to reverse engineer the shoddy transceivers at the Hack in the Box security conference in Amsterdam. An attacker could do the same with equipment that costs less than $100.

The KeySniffer attack works from “several hundred” feet away, the researchers say; Network World reported, “While this attack works at 250 feet line-of-sight it does work at greater distances, but they cite 250 feet because at that distance it works with 100% accuracy all the time.”

Wireless keyboards vulnerable to KeySniffer

The list of KeySniffer-affected devices only includes the keyboard models the research team tested, meaning there could be more. For now, the researchers are sure that keyboards manufactured by the following eight vendors are vulnerable: HP, Toshiba, Kensington, Insignia, General Electric, EagleTec, Radio Shack and Anker.

There is no way for the firmware to be updated in order to patch the vulnerability. If you own one of the flawed devices, then researchers advised tossing it out and going with a wired keyboard. If you use a Bluetooth keyboard, then don’t sweat it. If you want to stay wireless, then Bluetooth is the way to go.


Copyright © 2016 IDG Communications, Inc.
