Big-name wireless keyboards vulnerable to keystroke 'sniffing'

Manufacturers producing vulnerable devices seven years after first research highlighting security flaws

Wireless keyboards and mice from big-name manufacturers remain insecure almost a decade after research uncovered glaring security vulnerabilities.

According to new research from security company Bastille, the wireless input devices are transmitting keystrokes and mouse movements either unencrypted or poorly encrypted, enabling them to be sniffed from up to 100 metres away.

Tens of millions of wireless keyboards and mice are in use worldwide, but a hacking tool called KeySniffer can 'sniff' the keystrokes of wireless keyboards from at least eight companies. The security flaws could enable a determined attacker to sniff passwords and other sensitive information from the devices.

The tool was used to test devices from 12 manufacturers, finding insecurities in products from eight of them. The affected brands include Anker, EagleTec, General Electric, HP Inc, Insignia, Kensington and Radio Shack. Significantly, devices from Logitech and Microsoft appear to be secure.

"Vulnerable keyboards are easy for hackers to detect as they are always transmitting, whether or not the user is typing. Consequently, a hacker can scan a room, building, or public area for vulnerable devices at any time," warned Bastille in an advisory.

Part of the problem, claimed the company, is that wireless keyboards typically transmit in the 2.4GHz band using proprietary protocols and, unlike Bluetooth, there is no security standard that all manufacturers can adopt.

"In order to prevent eavesdropping, high-end keyboards encrypt the keystroke data before it is transmitted wirelessly to the USB dongle. The dongle knows the encryption key being used by the keyboard, so it is able to decrypt the data and see which key was pressed...

"[But] many of today's inexpensive wireless keyboards do not encrypt the keystroke data before it is transmitted wirelessly to the USB dongle. This makes it possible for an attacker to both eavesdrop on everything a victim types, as well as transmit their own malicious keystrokes, which allows them to type directly on the victim's computer."

Only two of the eight vendors have responded to the research. "We have taken all necessary measures to close any security gaps and ensure the privacy of users. Kensington has released a firmware update that includes AES encryption... Products with the new firmware will be updated with a new part number, K72324USA," claimed Kensington.

It's not the first time that wireless keyboards and mice have been the subject of hacking teams' attention. When the first research into the security of wireless devices was conducted back in 2009, scarcely any security had been put in place, and that remained the case until the development of KeyKeriki. This device was designed to be small so that it could be used surreptitiously in the target environment, where it would log keystrokes for later download and analysis.

"Consider this scenario. You are in your home office and logging into your bank account using your computer that has a wireless keyboard. Someone is outside your window (or has dropped the device there) and is logging your credentials. Or you are making a purchase and typing in your credit card and CVV number. Someone is getting all this information," wrote security specialist Siva Ram at the time.

He continued: "Another scenario is if someone slips this device into their laptop bag and brings it to work. They can potentially log all the keystrokes from all the people in neighbouring cubicles."

Since then, a number of manufacturers have improved the security of their wireless keyboards and mice - most notably Logitech - but many manufacturers, including some big names, still don't appear to have caught up.

In 2010, the KeyKeriki team exposed weaknesses in the XOR encryption used in a number of wireless keyboards from Microsoft, while in 2015 an exploit called KeySweeper was developed to take advantage of the vulnerability.