Researchers at Bastille have discovered wireless keyboard vulnerabilities that can be exploited to inject keystrokes into targeted PCs, but worse still, armed with a $12 radio device hackers could record the keystrokes from wireless keyboards. Furthermore, close proximity to the keyboard is not necessary. Attackers could conceivably pick up keystrokes or inject them from as far away as 250 feet.
Previously the same researchers uncovered serious vulnerabilities with the dongles used to receive signals from wireless mice and keyboards. The attack methods they developed have now been applied to hundreds more devices.
The researchers published their findings of their study of wireless keyboard vulnerabilities this Tuesday. They will be presenting their research at the upcoming Defcon hacker conference in Las Vegas in two weeks.
Wireless Keyboard Vulnerabilities Found in a Wide Range of Popular Products
According to Bastille’s chief research officer Ivan O’Sullivan the problem stems from the fact that wireless keyboard manufacturers do not use encryption to protect the data that is sent from the keyboard to the computer. This came as a surprise to the researchers. Hackers are using increasingly sophisticated methods to obtain login credentials and gain access to corporate networks, yet this technique is as simple as it gets.
Since data can be intercepted, credit card numbers, bank account information, network logins and passwords, Social Security numbers, dates of birth, and security questions could be obtained. Confidential company data could be stolen and the contents of typed email messages could easily be read.
The exploit they used, named keysniffer, is detailed on a new website of the same name. The researchers are trying to raise awareness of the vulnerability which could pose a significant security risk to businesses.
The researchers have tested a number of wireless keyboard and have discovered wireless keyboard vulnerabilities in products from 8 different manufacturers. They include many big names and highly popular wireless keyboards.
Exploitable wireless keyboard vulnerabilities were found in the following products:
|Anker||Anker Ultra Slim 2.4GHz Wireless Compact Keyboard
Anker USB dongle (USB ID 062a:4101)
|EagleTec||EagleTec K104 / KS04 2.4 GHz Wireless Combo keyboard
EagleTec USB dongle (USB ID 062a:4101)
|General Electric||GE 98614 wireless keyboard
GE 98614 USB dongle (USB ID 05b8:3245)
|Hewlett-Packard||HP Wireless Classic Desktop wireless keyboard
HP Wireless Classic USB dongle (USB ID 3938:1032)
|Insignia||Wireless Keyboard NS-PNC5011
USB dongle (USB ID 3938:1032)
|Kensington||Kensington ProFit Wireless Keyboard
Kensington USB dongle (USB ID 062a:4101)
|Radio Shack||RadioShack Slim 2.4GHz Wireless Keyboard
RadioShack USB dongle (USB ID 062a:4101)
|Toshiba||Toshiba PA3871U-1ETB wireless keyboard
Toshiba PA3844D USB dongle (USB ID 0458:00ce)
The researchers point out that this list is far from exhaustive. It just contains the specific products that have been tested and found to be hackable using keysniffer. The researchers tested 12 keyboards and two thirds were susceptible to a keysniffer attack. The problem affects keyboards that communicate using radio communication protocols rather than Bluetooth.
Marc Newlin, a researcher at Bastille that was involved in the project, said he was able to recognize and reproduce any keystroke sent by the affected keyboards based only on their radio signals.
Earlier this year researchers used the same techniques to conduct Mousejack attacks, exploiting vulnerabilities in wireless mice and dongles. Those vulnerabilities could allow key press packets to computers via USB dongles.