Hackers can pick off, inject wireless keyboard keystrokes from 8 vendors, maybe more
The problem is that the keyboards transmit to their associated PCs without encryption, and it’s just a matter of reverse engineering the signals to figure out how to read what keys are being hit, say Bastille researchers. An attacker could inject keystrokes while the keyboard is idle and the machine is logged in, they say, using a dongle that can be fashioned for less than $100.
The keyboards involved were chosen because they were readily available to the researchers, and the problem may exist in other brands, says Marc Newlin, a Bastille research-team member. The keyboards in which Bastille found the vulnerability contain transceivers that don't encrypt the wireless signals and don't support firmware updates that could correct the problem.
The keyboards examined are made by Hewlett-Packard, Anker, Kensington, RadioShack, Insignia, Toshiba, GE/Jasco and EagleTec. They use transceivers from MOSART Semiconductor except for Toshiba, which uses one from Signia Technologies, and GE/Jasco, which uses an unknown transceiver. Jasco licenses the GE brand name for the keyboards it makes. The exact models exploited by Bastille are listed here.
All the transceivers operate in the 2.4GHz ISM radio band, which has no standard for how to secure the traffic being transmitted, so each vendor devises its own scheme, or none at all, Bastille says. The problem could exist in other keyboards, but Bastille Research only checked about a dozen.
To take advantage of the weakness, the researchers created a wireless dongle that fit in the attacker’s laptop. It was made by writing new firmware and software for an existing dongle called Crazyradio that is used to control an inexpensive toy quadcopter drone called Crazyflie.
Because the keyboards send out packets on a regular basis whether anyone is typing or not, attackers can scan and lock in on the keyboards and be ready to start capturing keystrokes when someone starts using them. That means attackers could capture passwords, credit card information and other sensitive data. They could also generate their own keystrokes to install malware, the researchers say.
The attack works at 250 feet line-of-sight and can work at greater distances, but the researchers cite 250 feet because at that range it works with 100% accuracy every time, Newlin says.
The researchers recommend customers with these devices switch to Bluetooth or wired keyboards.
A Jasco spokesperson said in an email that customers with the affected keyboards can call 1-800-654-8483 for help. Vendors of the other keyboards did not respond to emails.
The attack, which Bastille calls KeySniffer, is similar to a weakness and exploit Bastille discovered earlier in wireless keyboards and mice, which it called MouseJack. Those attacks could be carried out from greater distances and through walls and glass windows.