

Wireless keyboards have become popular in recent years as prices have dropped and battery life has improved, but what if those same keyboards pose a serious security threat?
According to research from security firm Bastille Networks, Inc., many popular makes of wireless keyboards do pose a serious security threat because they use unencrypted radio communication protocols, which could allow an attacker to eavesdrop on typed keystrokes, and more.
The vulnerability has been dubbed KeySniffer, and has so far been found to affect wireless keyboards from vendors including Anker, EagleTec, General Electric, Hewlett-Packard, Insignia, Kensington, Radio Shack, and Toshiba.
KeySniffer works with wireless keyboards that operate on the 2.4GHz ISM band which, unlike Bluetooth, does not have an industry security standard. These keyboards work by transmitting radio frequency packets from the keyboard to a USB dongle plugged into a computer. If those packets are not encrypted, they can be intercepted using equipment that costs under $100 and is effective at a range of 250 yards, meaning a hacker would not even need to be in the building to intercept the data, which could include anything typed, including passwords and credit card data.
In addition to being susceptible to keystroke sniffing, the vulnerable keyboards are also open to keystroke injection, which allows an attacker to inject their own malicious keystroke commands into the victim’s computer. This includes the ability to install malware, exfiltrate data, or carry out any other malicious act that a hacker could perform with physical access to the victim’s computer.
“We’re in the business of scanning the enterprise airspace to look for vulnerabilities in IoT, mobile, and other wireless devices,” Bastille Networks’ Chief Research Officer Ivan O’Sullivan told CRO. “We look at all the wireless devices that we see broadcasting on many different protocols and look for data security vulnerabilities for our enterprise customers. So we buy all the toys and devices and hack them to find out if they’re secure.”
Whereas most vulnerabilities can be patched, the same is not true of KeySniffer: the affected keyboards are inherently insecure due to a lack of encryption, and they do not support firmware updates.
Bastille Networks recommends that users of vulnerable keyboards simply throw them out and replace them with cordless Bluetooth keyboards, which are encrypted as standard, or, as the ultimate solution, purchase a wired keyboard to protect themselves from keystroke sniffing and injection attacks.