Attack Can Steal Keystrokes From Hundreds of Feet Away

Wireless keyboards from several top manufacturers, including HP, Kensington, and Toshiba, are susceptible to an attack that allows anyone within range to eavesdrop and record every keystroke made on the devices.

The vulnerability is a result of the manufacturers failing to implement encryption between the keyboard and the computer, and it allows an attacker to intercept the signal between the devices and get access to any information the user types. Researchers at Bastille, who discovered the problem, say an attacker also could send his own keystrokes to the victim’s computer, impersonating the wireless keyboard and allowing him to take malicious actions on the machine. The attacker would need only a laptop and a USB dongle with an antenna to run the attack.

Wireless keyboards use radio signals to communicate with a nearby computer, which typically has a USB receiver. High-end keyboards usually employ encryption to secure that signal, making it useless for an attacker to intercept the communication. But the lower-end keyboards Bastille tested don’t use encryption, so all of the keystrokes users type are sent in the clear to the computer, making it simple for an attacker to intercept and read the keystrokes.

And an attacker doesn’t need to be very close to a victim to execute this attack, which the researchers refer to as KeySniffer.

“Each of the vulnerable keyboards is susceptible to both keystroke sniffing and keystroke injection attacks. Keystroke sniffing enables an attacker to eavesdrop on every keystroke a victim types on their computer from several hundred feet away. The attacker can recover email addresses, usernames, passwords, credit card information, mailing addresses, and other sensitive information,” the researchers said in their report, released Tuesday.

Bastille found that keyboards from Anker, EagleTec, General Electric, HP, Insignia, Kensington, Radio Shack, and Toshiba are vulnerable to the attack. There is no mechanism for updating the firmware on the keyboards, so guarding against the KeySniffer attack would require replacing the device. Bluetooth keyboards aren’t vulnerable to this attack. Another factor that amplifies the problem is that the vulnerable keyboards broadcast their signals continuously, even if the user isn’t typing, which allows an attacker to identify vulnerable devices quite easily.

“Previously demonstrated vulnerabilities affecting wireless keyboards required the attacker to first observe radio packets transmitted when the victim typed on their keyboard. The keyboards vulnerable to KeySniffer use USB dongles which continuously transmit radio packets at regular intervals, enabling an attacker to quickly survey an environment such as a room, building or public space for vulnerable devices regardless of the victim’s presence. This means an attacker can find a vulnerable keyboard whether a user is at the keyboard and typing or not, and set up to capture information when the user starts typing,” the researchers said.

Security researchers have known for some time that wireless keyboards and mice can be susceptible to eavesdropping, but the use of encryption typically prevents compromise of the information being sent. However, there have been some previous successful attacks on wireless keyboards, namely Microsoft’s, which used weak encryption. Researcher Samy Kamkar last year released a device called KeySweeper that looked like a USB wall charger but scanned a room for Microsoft wireless keyboards and then recorded all of their keystrokes.
