Radio-based wireless keyboards and mice that use a special USB dongle to communicate with your PC can expose all your secrets – your passwords, credit card numbers and everything you type.
Back in February, researchers from the Internet of things security firm Bastille Networks demonstrated how they could take control of wireless keyboards and mice from several top vendors using so-called MouseJack attacks.
The latest findings by the same security firm are even worse.
Researchers have discovered a new hacking technique that can allow hackers to take over your wireless keyboard and secretly record every key you press on it.
Dubbed KeySniffer, the hack is death for millions of wireless, radio-based keyboards.
The Cause: Lack of Encryption and Security Updates
The KeySniffer vulnerability affects wireless keyboards from eight different hardware manufacturers that use cheap transceiver chips (non-Bluetooth chips) – a less secure, radio-based communication protocol.
The issue with these chips is that they don’t receive Bluetooth’s frequent security updates.
Moreover, the affected keyboards use unencrypted radio transmission.
This means anyone within 100 meters range of your computer and around $15-$30 long-range radio dongle can intercept the communications between affected wireless keyboards and your computer.
Eventually, this allows the attacker to collect secretly everything you type, including your passwords, credit card numbers, personal messages and even weird porn searches.
The keyboards from a surprising range of vendors, including Anker, EagleTec, General Electric, Hewlett-Packard, Insignia, Kensington, Radio Shack, and Toshiba, are vulnerable to KeySniffer.
This isn’t the first time researchers have targeted wireless keyboards. In 2015, a white hat hacker developed a cheap Arduino-based device, dubbed KeySweeper, which covertly logs, decrypts and reports back all keystrokes from Microsoft wireless keyboards.
Although KeySweeper was due to the weak encryption used by Microsoft, the KeySniffer discovery is different as in this case; manufacturers are actually making and selling wireless keyboards with no encryption at all.
One of the affected hardware makers, Kensington responded to this matter, saying that only a single version of its keyboards was affected by KeySniffer flaw and that a firmware update with AES encryption has been released.
Since there are millions of people who do use one of the wireless keyboards identified by Bastille Networks, it has been advised to you to either go back to the wires or at least switch to Bluetooth.
The radio-based wireless keyboards and mice are a good target for hackers. Two months back, the FBI also issued warning for private industry partners to look out for highly stealthy keyloggers that quietly sniff passwords and other input data from wireless keyboards.