There are vulnerabilities in low-cost wireless keyboards where an attacker could gather passwords, security questions, sensitive personal, bank account and payment card information.
At issue is the vulnerable keyboards don’t encrypt keystroke data before they transmit it wirelessly to the USB dongle, and that’s because their manufacturers opted to use unencrypted radio communication protocols, said Bastille Networks Researcher Marc Newlin, who discovered the flaws.
The keyboards susceptible to the KeySniffer vulnerabilities used undocumented transceivers, which forced the Bastille Research Team to reverse engineer the physical layer and radio frequency packet formats before the data could be examined.
“Wireless keyboards commonly communicate using proprietary protocols operating in the 2.4GHz ISM band. In contrast to Bluetooth, there is no industry standard to follow, leaving each vendor to implement their own security scheme,” Newlin said in a paper.
Aside from eavesdropping on the victim’s keystrokes, an attacker can also inject malicious keystroke commands into the computer, allowing him to perform actions like installing malware or exfiltrating data.
To perform the KeySniffer attack, an attacker can be several hundred feet away from the targeted device using equipment that costs less than $100.
“The keyboards vulnerable to KeySniffer use USB dongles which continuously transmit radio packets at regular intervals, enabling an attacker to quickly survey an environment such as a room, building or public space for vulnerable devices regardless of the victim’s presence,” Newlin said. “This means an attacker can find a vulnerable keyboard whether a user is at the keyboard and typing or not, and set up to capture information when the user starts typing.”
Keyboards and associated USB dongles vulnerable to KeySniffer attacks are:
• Anker Ultra Slim 2.4GHz Wireless Compact Keyboard
• EagleTec K104 / KS04 2.4 GHz Wireless Combo keyboard
• General Electric’s GE 98614 wireless keyboard
• Hewlett-Packard’s HP Wireless Classic Desktop wireless keyboard
• Insignia’s Wireless Keyboard NS-PNC5011
• Kensington ProFit Wireless Keyboard
• RadioShack Slim 2.4GHz Wireless Keyboard
• Toshiba PA3871U-1ETB wireless keyboard
Other keyboards may also be vulnerable to the attack, but have not undergone testing. Bluetooth keyboards and higher-end wireless keyboards from Logitech, Dell, and Lenovo are not susceptible to KeySniffer.
Newlin advises users to switch to Bluetooth or wired keyboards in order to protect themselves from keystroke sniffing and injection attacks. Higher-end wireless keyboards are also an option.