U.S. Markets closed

Newly discovered ‘key sniffing’ hack could compromise keyboards from up to 250 feet away

Kevin Parrish
Security researcher Brian Krebs discovered that W-2 tax forms for 2016 are currently up for purchase on the dark web for $20 or less. The forms stem from a "potential hacking" of a firm that handles payrolls for other companies.

Just months after uncovering MouseJack, Atlanta-based cybersecurity company Bastille recently exposed vulnerabilities that could leave consumers open to attack when using a low-cost wireless keyboard. Hackers are reportedly utilizing a set of security vulnerabilities the company calls “KeySniffer,” which can enable them to remotely capture all keystrokes from up to 250 feet away. Affected wireless keyboard manufacturers include HP, Toshiba, Kensington, Insignia, Radio Shack, Anker, General Electric, and EagleTec (all models listed here).

“When we purchase a wireless keyboard we reasonably expect that the manufacturer has designed and built security into the core of the product,” said Bastille Research Team member Marc Newlin, responsible for the KeySniffer discovery. “Unfortunately, we tested keyboards from 12 manufacturers and were disappointed to find that eight manufacturers (two-thirds) were susceptible to the KeySniffer hack.”

Related: Microsoft unleashes a MouseJack patch that may or may not actually work

The problem here is that attackers could potentially hack victims in numerous ways thanks to what their prey actually types. That includes credit card numbers and their CVV codes, usernames and passwords to bank accounts, passwords to networks, answers to security questions, company trade secrets, machine login credentials, and so much more.

But the hack doesn’t stop there. Attackers can inject their own malicious keystroke commands too, enabling them to install malware, grab sensitive data, or perform other malicious acts as if they had actual physical access to the desktop or laptop.

The problem resides with wireless keyboards that operate in the 2.4GHz ISM band using GFSK modulation (generally, in the form of a USB dongle), and not models relying on Bluetooth. These units are using unencrypted radio communication protocols to transmit keystrokes to the paired USB dongle plugged into a desktop or laptop. In turn, these keystrokes can be accessed using equipment and software costing less than $100.

In a video demonstration here, Newlin is able to scan the office for a vulnerable keyboard, and grab everything his associate enters when booking a hotel reservation.

“Previously demonstrated vulnerabilities affecting wireless keyboards required the attacker to first observe radio packets transmitted when the victim typed on their keyboard,” the firm said in a list of technical details. “The keyboards vulnerable to KeySniffer use USB dongles which continuously transmit radio packets at regular intervals, enabling an attacker to quickly survey an environment such as a room, building, or public space for vulnerable devices regardless of the victim’s presence. This means an attacker can find a vulnerable keyboard whether a user is at the keyboard and typing or not, and set up to capture information when the user starts typing.”

As the product list linked above points out, not all wireless keyboards suffer the KeySniffer vulnerabilities. Many high-end units encrypt keystroke data before sending the information to the USB dongle. In turn, that dongle has the encryption key, securing the user’s keystrokes as they pass from the peripheral to the computing device. Hackers can’t get that information unless they obtain the encryption key.

In light of the KeySniffer exposure, General Electric supplied a response, saying that Jasco Products Company actually builds the keyboards suffering the KeySniffer problem, and merely slaps on the GE logo. The company is aware of the problem and will work directly with customers. Meanwhile, Kensington supplied a response as well, reporting that it released a firmware update that includes AES encryption to close any security holes.