KeySniffer vulnerability enables eavesdropping on wireless keyboards

The KeySniffer wireless vulnerability goes beyond the similar MouseJack flaw in exposing users of inexpensive wireless keyboards to sniffing, injection attacks.

Inexpensive wireless keyboards that don't encrypt keystrokes can be vulnerable to the new KeySniffer flaw, which allows an attacker to sniff keystrokes or carry out keystroke injection attacks, according to Bastille Networks.

The cybersecurity firm discovered that transmissions from eight of 12 wireless keyboards it tested were unencrypted and could be intercepted by an eavesdropper. The keyboards tested by researchers use proprietary protocols to communicate on the 2.4 GHz radio band, similar to mice and keyboards that Bastille reported earlier this year were vulnerable to the MouseJack-branded vulnerability. Bluetooth devices are not subject to the flaw.

"Each of the vulnerable keyboards is susceptible to both keystroke sniffing and keystroke injection attacks. Keystroke sniffing enables an attacker to eavesdrop on every keystroke a victim types on their computer from several hundred feet away," wrote Marc Newlin, the Bastille research team member responsible for both the KeySniffer and MouseJack discoveries. "In addition to eavesdropping on the victim's keystrokes, an attacker can inject their own malicious keystroke commands into the victim's computer."

At first glance, KeySniffer and MouseJack seem similar. Both depend on an attacker taking advantage of an unencrypted stream of data between the wireless device and the USB dongle through which the devices communicate with the victim's computer. However, there are differences, according to experts.

"MouseJack is about injecting keystrokes into wireless mice, whereas KeySniffer is about sniffing keystrokes such as credit card numbers, social security numbers, passwords and security challenge answers," said Alexander Polyakov, CTO and co-founder at SAP security firm ERPScan. "Sniffing is usually easier than injecting."

The bigger difference may be that devices vulnerable to KeySniffer are easier to identify by an attacker.

"The keyboards vulnerable to KeySniffer use USB dongles which continuously transmit radio packets at regular intervals, enabling an attacker to quickly survey an environment such as a room, building or public space for vulnerable devices regardless of the victim's presence," Newlin wrote. "This means an attacker can find a vulnerable keyboard whether a user is at the keyboard and typing or not, and set up to capture information when the user starts typing."

MouseJack, the subject of a CERT vulnerability note earlier this year, received a Common Vulnerability Scoring System (CVSS) base rating of 2.9, making it relatively low-impact.

"I expect [KeySniffer] to get a higher base CVSS score than MouseJack just because being able to type remotely is way more devastating than being able to move a mouse remotely," said Jacob Williams, founder of consulting firm Rendition InfoSec LLC, in Augusta, Ga. "How much do you really care if someone intercepts your mouse clicks without other context? It probably wouldn't impact you much if they did. But your keystrokes contain usernames, passwords and other sensitive data that should not be eavesdropped on."

"I would be more worried about capturing wireless keyboard strokes because that would potentially give you passwords or sensitive information, like credit card numbers," said John Bambenek, threat systems manager at Fidelis Cybersecurity. "That said, barring range extending technology, the attacker would have to be fairly close. In the general attack scenario -- a coffee shop -- it is rare for a user to bring out a wireless keyboard while they are sipping their latte; it is more likely they'd have a mouse. In the real world, it is hard to see how a large scale weaponization of this vulnerability would even be feasible."

Concern over KeySniffer "is a function of our own risk aversion," said Lane Thames, security researcher at the Tripwire Vulnerability and Exposures Research Team (VERT). "Those who are concerned should go out and purchase a new keyboard and mouse -- but do the research and buy a qualified device. There are much bigger risks that consumers take on a daily basis: How often does one connect to an open Wi-Fi hotspot? Open Wi-Fi has no encryption, but users from all walks of life readily connect to open Wi-Fi when they need to."

"Whether or not it's an important vulnerability depends primarily upon who you talk to," Williams said. "If you are using these devices in your network, it's an important vulnerability. If you don't use the impacted devices you probably don't care. It's worth noting that impacted devices are generally low-end and therefore probably less likely to be used in enterprise environments."

"For anyone attending Black Hat or Def Con this year who plans to bring their wireless mouse or keyboard: be concerned," Thames said. "Better yet, don't do it."

Join the conversation

Does naming and promoting vulnerabilities like KeySniffer or MouseJack affect the way you respond to them? Why, or why not?

I have heard stories like this before. The only thing I have not seen is what is the max range in order for this to work? I know my wi-fi barely goes from one end of my house to the other without signal loss.

Wireless sniffing in one form or another has been an issue for a long time; here are slides from a talk, "Practical Exploitation of Modern Wireless Devices," about KeyKeriki, a method for exploiting wireless devices (like mice and keyboards, among others) which came out in 2010.

So, any time your system emits a wireless signal, there is the potential for others to listen in.

The MouseJack/KeySniffer folks stated that the max range is 100 meters/"several hundred feet" (100 meters = 328 feet, so, about the same).

100 meters?? Wow amazing stat. I would never have guessed that range. Guess I have to be careful anywhere I go nowadays. Free public wi-fi could be a great spot for those using this method on their victims.

The operative words on the range are "up to", I believe. I imagine that the max depends on having direct, unimpeded access; in a city, it might be considerably less due to all the structures/steel that would be in the way.

Even on the low end say 30 meters/100 ft that is still a scary thought in public places. Wireless key loggers. It might be funny to see someone's reaction if you took control of their mouse. Just thinking makes me want to carry my corded mouse/keyboard in my backpack.

Other than turning off every bit of wireless whatever, what's the solution? We've known that our wireless connections were highly vulnerable for a very long time. So what's being done about it? I'm sure there's someone working on something somewhere, but I haven't found it. And I probably need it, too.