The wireless keyboard on your desk might look harmless, but looks can be deceiving. It could potentially lead to your personal information being stolen or your computer being infected with malware, according to cybersecurity researchers at Bastille Networks.
The researchers discovered that some wireless keyboards do not encrypt keystroke data before transmitting it to the computer. To demonstrate this security vulnerability, which they dubbed KeySniffer, the researchers built a device that enabled them to see everything that a wireless keyboard user typed — including passwords, credit card numbers, and other personal information — in plain text. The researchers were also able to inject commands into the user’s computer with the device.
Even though there are no known cases of cybercriminals exploiting the KeySniffer vulnerability in the real world, it still poses a threat. Now that information about this security vulnerability has been released to the public, professional and wannabe hackers will likely try to build their own device to exploit it. The device is simple and relatively inexpensive (less than $100) to create using components that are readily available in stores.
Once the device is built, hackers can use it to quickly determine whether your wireless keyboard is vulnerable, since all wireless keyboards constantly transmit data, even when they are sitting idle. Once they identify you as a target, they just need to eavesdrop. They do not even have to be close to you; they can be up to 250 feet away. Worse yet, the device can sniff through walls and windows, so you will not even know that you are under attack.
The KeySniffer vulnerability is found in some wireless keyboards but not all. Bluetooth keyboards and higher-end wireless keyboards from vendors such as Logitech, Dell, and Lenovo are not susceptible, according to the Bastille researchers. The keyboards in which the vulnerability has been discovered include lower-end models from HP, Toshiba, RadioShack, Anker, Kensington, and other vendors. The KeySniffer Affected Devices web page lists the specific keyboards in which the researchers have found the security vulnerability.
The KeySniffer Affected Devices web page also includes vendors’ responses to the problem. For example, Anker is offering to replace the affected keyboard with another model that encrypts keystrokes, while Kensington has released a firmware update that adds Advanced Encryption Standard (AES) encryption capabilities to its wireless keyboard.
If your wireless keyboard is on the list but there is no vendor response, you should check with the company to see how it is handling the problem. In the meantime, you might want to swap your wireless keyboard for a wired one. If you do not have an old one packed away in a storage area, you can purchase one cheaply.