Earlier this year, security researchers at Bastille Networks found a MouseJack security vulnerability that allows hackers to inject keystrokes into your computer through cheap wireless keyboards and mice from hundreds of feet away. Now, the research team has found a new vulnerability affecting most wireless keyboards that allows malicious actors to read your keystrokes and secretly record exactly what you are typing as well.
This dangerous vulnerability opens up a user to a wide range of potential attacks based on the information they type out, including user names, passwords, credit card numbers, CVV codes, bank account information, network passwords and trade secrets.
Using a technique dubbed the KeySniffer attack, hackers can remotely snoop on the keystrokes of vulnerable wireless keyboards from eight different manufacturers from up to 250 feet away, researchers found. Some of the manufacturers listed include Toshiba, HP, Kensington, Radio Shack, General Electric, Insignia, Anker and EagleTec.
However, the team does note that this is not an exhaustive list of all vulnerable keyboards.
"When we purchase a wireless keyboard we reasonably expect that the manufacturer has designed and built security into the core of the product," Marc Newlin, one of the Bastille research team members, said in a statement. "Unfortunately, we tested keyboards from 12 manufacturers and were disappointed to find that eight manufacturers (two-thirds) were susceptible to the KeySniffer hack."
According to researchers, the KeySniffer vulnerability affects wireless keyboards that use unencrypted radio communication protocols to send data from the keyboard to your computer. Over this unencrypted connection, a hacker can easily eavesdrop on every keystroke a victim types out from hundreds of feet away using equipment and software that costs less than $100.
"Previously demonstrated vulnerabilities affecting wireless keyboards required the attacker to first observe radio packets transmitted when the victim typed on their keyboard," the firm writes. "The keyboards vulnerable to KeySniffer use USB dongles which continuously transmit radio packets at regular intervals, enabling an attacker to quickly survey an environment such as a room, building, or public space for vulnerable devices regardless of the victim's presence."
"This means an attacker can find a vulnerable keyboard whether a user is at the keyboard and typing or not, and set up to capture information when the user starts typing."
However, the firm does note that not all wireless keyboards are susceptible to the newly discovered attack.
Since Bluetooth transmissions are encrypted, a wireless keyboard that connects via Bluetooth is not susceptible to the KeySniffer attack. The firm also found that higher-end wireless keyboards from manufacturers such as Logitech, Lenovo and Dell are not susceptible either.
The team adds that they have notified vendors as well so that they can address the issue. However, most of the vulnerable keyboards cannot be upgraded and will need to be swapped out altogether for a more secure option.
To protect your digital privacy and information, researchers recommend you swap out your keyboard for a more secure one with Bluetooth or "just get a wired keyboard".