UPDATED 23:47 EDT / JULY 26 2016

Not good: Many wireless keyboards found to lack encryption, vulnerable to attack

Wireless keyboards have become popular in recent years as prices drop and battery life has improved, but what if those same keyboards pose a serious security threat?

According to research from security firm Bastille Networks, Inc., many popular makes of wireless keyboards do pose a serious security threat because they use unencrypted radio communication protocols, which could allow an attacker to eavesdrop on typed keystrokes, and more.

The vulnerability has been dubbed KeySniffer, and has so far been found to affect wireless keyboards from vendors including Anker, EagleTec, General Electric, Hewlett-Packard, Insignia, Kensington, Radio Shack, and Toshiba.

KeySniffer works with wireless keyboards that operate on the 2.4GHz ISM band which, unlike Bluetooth, does not have an industry security standard. These keyboards work by transmitting radio frequency packets from the keyboard to a USB dongle plugged into a computer. If the packets are not encrypted, they can be intercepted using equipment that costs under $100 and is effective at a range of 250 yards, meaning a hacker would not even need to be in the building to intercept the data, which could include anything typed, including passwords and credit card data.

In addition to being susceptible to keystroke sniffing, the vulnerability also opens the door to keystroke injection, allowing an attacker to inject their own malicious keystroke commands into the victim’s computer. This includes the ability to install malware, exfiltrate data, or perform any other malicious act that a hacker could perform with physical access to the victim’s computer.

“We’re in the business of scanning the enterprise airspace to look for vulnerabilities in IoT, mobile, and other wireless devices,” Bastille Networks’ Chief Research Officer Ivan O’Sullivan told CRO. “We look at all the wireless devices that we see broadcasting on many different protocols and look for data security vulnerabilities for our enterprise customers. So we buy all the toys and devices and hack them to find out if they’re secure.”

No fix

Whereas most vulnerabilities can be patched, the same is not true of KeySniffer: the affected wireless keyboards are inherently insecure due to a lack of encryption, and they do not support firmware updates.

Bastille Networks recommends that users of vulnerable keyboards simply throw them out and replace them with cordless Bluetooth keyboards, which are encrypted as standard, or, as the ultimate solution, purchase a wired keyboard to protect themselves from keystroke sniffing and injection attacks.
