Wireless Keyboards – a Privacy Risk


The cybersecurity company Bastille has unveiled a massive vulnerability affecting the vast majority of low-cost wireless keyboards.

Using a new attack that Bastille has named “KeySniffer,” hackers can remotely “sniff” all the keystrokes of wireless keyboards from eight manufacturers from distances of up to 250 feet. In such an attack, hackers can eavesdrop on and capture every keystroke a victim types in 100% clear text and then search for credit card numbers, expiration dates, and CVV codes; they can also capture bank account usernames and passwords, answers to security questions, network access passwords, and any other business or personal information typed into a document or email.

Bastille, an Internet of Things (IoT) security company, announced that it had tested keyboards from 12 manufacturers and found that eight manufacturers were susceptible to the KeySniffer hack.

The keyboard manufacturers affected by KeySniffer include: Hewlett-Packard, Toshiba, Kensington, Insignia, Radio Shack, Anker, General Electric, and EagleTec.

Vulnerable keyboards are easy for hackers to detect as they are always transmitting, whether or not the user is typing. Consequently, a hacker can scan a room, building, or public area for vulnerable devices at any time.

The discovery reveals that manufacturers are actually producing and selling wireless keyboards with no encryption at all. Bluetooth keyboards and higher-end wireless keyboards from manufacturers including Logitech, Dell, and Lenovo are not susceptible to KeySniffer.

Bastille notified affected vendors to give them the opportunity to address the KeySniffer vulnerability. Most, if not all, existing keyboards impacted by KeySniffer cannot be upgraded and will need to be replaced. To be safe, Bastille advises the use of a wired or Bluetooth keyboard.