Wireless Keyboard Security May Be a Mirage

Marc Newlin of security firm Bastille Research has sounded the alarm regarding what he has dubbed KeySniffer.

Newlin described this episode of wireless keyboard security gone bad as “a set of security vulnerabilities affecting non-Bluetooth wireless keyboards from eight vendors.” Those eight manufacturers are Anker, EagleTec, General Electric, Hewlett-Packard, Insignia, Kensington, Radio Shack and Toshiba.

No Such Thing as Wireless Keyboard Security

The root problem is that all of these wireless keyboards and devices use unencrypted radio communication. An attacker can access a victim’s keyboarded communications by simply using a USB dongle similar to that used with the keyboard.

Bastille said this can be done “from several hundred feet away.” The firm did not address whether this is an open, straight distance or if it can be done through barriers such as walls.

The dongle needed to implement the attack, called a Crazyradio Dongle, costs less than $100 — well within most cybercriminals’ budgets.

Mysterious Hardware

Newlin told Threatpost that the actual hardware used in the keyboards was a bit of a mystery and had not been previously documented. Keyboards manufactured by Hewlett-Packard, Anker, Kensington, RadioShack, Insignia and EagleTec, he said, use transceivers from MOSART Semiconductor, while keyboards manufactured by Toshiba use Signia Technologies transceivers. The keyboard from General Electric used an “entirely unknown” transceiver.

The keyboards affected by this KeySniffer vulnerability operate in the 2.4 GHz ISM band using GFSK modulation, which resembles the modulation scheme used by Bluetooth and other wireless keyboards, according to Bastille.

No Mitigation

In an ideal world, these keyboards would use another kind of file transmission system since the actual transceivers already do pretty standard GFSK modulation. Unfortunately they can’t, and there is no way to upgrade the chips.

According to Bastille, there is no mitigation for this issue. The affected transceivers are inherently insecure because they lack encryption. Users should use Bluetooth or wired keyboards instead to prevent keystroke sniffing and injection attacks.

Larry Loeb

Principal, PBC Enterprises

Larry Loeb has written for many of the last century's major "dead tree" computer magazines, having been, among other...