Bastille Networks is at it again, searching for wireless vulnerabilities. This time the flaw is dubbed KeySniffer, and it is found in low-cost wireless keyboards. The company calls itself “the first cybersecurity company to detect and mitigate threats from the Internet of Things (IoT).” With KeySniffer, hackers can remotely sniff keystrokes on keyboards from eight different manufacturers from up to 250 feet away. Hackers can use KeySniffer to watch their target in real time and in clear text, giving them access to everything being typed on the target’s computer. This can give an attacker the ability to search for private data typed on the victim’s computer, including:
- Card numbers, expiration date, CVV code
- Bank account usernames and passwords
- Answers to security questions: name of your first pet, mother’s maiden name, etc.
- Network access passwords
- Any secrets, business or personal, typed into a document or email
“When we purchase a wireless keyboard we reasonably expect that the manufacturer has designed and built security into the core of the product,” said Bastille Research Team member Marc Newlin, responsible for the KeySniffer discovery. “Unfortunately, we tested keyboards from 12 manufacturers and were disappointed to find that eight manufacturers (two-thirds) were susceptible to the KeySniffer hack.”
The keyboard manufacturers affected by KeySniffer include: Hewlett-Packard, Toshiba, Kensington, Insignia, Radio Shack, Anker, General Electric, and EagleTec. Vulnerable keyboards are easy for hackers to detect as they are always transmitting, whether or not the user is typing. Consequently, a hacker can scan a room, building, or public area for vulnerable devices at any time.
As part of its disclosure policy, Bastille notified affected vendors to give them the opportunity to address the KeySniffer vulnerability. Most, if not all, existing keyboards impacted by KeySniffer cannot be upgraded and will need to be replaced. To be safe, Bastille advises the use of a wired or Bluetooth keyboard.
This isn’t great news for users, as many of the affected manufacturers are popular brands, including Anker and Kensington. For a complete list of affected devices, go to Bastille’s website.