KeySniffer vulnerability enables eavesdropping on wireless keyboards

The KeySniffer wireless vulnerability goes beyond the similar MouseJack flaw in exposing users of inexpensive wireless keyboards to sniffing, injection attacks.

Inexpensive wireless keyboards that don't encrypt keystrokes can be vulnerable to the new KeySniffer flaw, which allows an attacker to sniff keystrokes or carry out keystroke injection attacks, according to Bastille Networks.

The cybersecurity firm discovered that transmissions from eight of 12 wireless keyboards it tested were unencrypted and could be intercepted by an eavesdropper. The keyboards tested by researchers use proprietary protocols to communicate on the 2.4 GHz radio band, similar to mice and keyboards that Bastille reported earlier this year were vulnerable to the MouseJack branded vulnerability. Bluetooth devices are not subject to the flaw.

"Each of the vulnerable keyboards is susceptible to both keystroke sniffing and keystroke injection attacks. Keystroke sniffing enables an attacker to eavesdrop on every keystroke a victim types on their computer from several hundred feet away," wrote Marc Newlin, the Bastille research team member responsible for both the KeySniffer and MouseJack discoveries. "In addition to eavesdropping on the victim's keystrokes, an attacker can inject their own malicious keystroke commands into the victim's computer."

At first glance, KeySniffer and MouseJack seem similar. Both depend on an attacker taking advantage of an unencrypted stream of data between the wireless device and the USB dongle through which the devices communicate with the victim's computer. However, there are differences, according to experts.

"MouseJack is about injecting keystrokes into wireless mice, whereas KeySniffer is about sniffing keystrokes such as credit card numbers, social security numbers, passwords and security challenge answers," said Alexander Polyakov, CTO and co-founder at SAP security firm ERPScan. "Sniffing is usually easier than injecting."

The bigger difference may be that devices vulnerable to KeySniffer are easier for an attacker to identify.

"The keyboards vulnerable to KeySniffer use USB dongles which continuously transmit radio packets at regular intervals, enabling an attacker to quickly survey an environment such as a room, building or public space for vulnerable devices regardless of the victim's presence," Newlin wrote. "This means an attacker can find a vulnerable keyboard whether a user is at the keyboard and typing or not, and set up to capture information when the user starts typing."

MouseJack, the subject of a CERT vulnerability note earlier this year, received a Common Vulnerability Scoring System (CVSS) base rating of 2.9, making it relatively low-impact.

"I expect [KeySniffer] to get a higher base CVSS score than MouseJack just because being able to type remotely is way more devastating than being able to move a mouse remotely," said Jacob Williams, founder of consulting firm Rendition InfoSec LLC, in Augusta, Ga. "How much do you really care if someone intercepts your mouse clicks without other context? It probably wouldn't impact you much if they did. But your keystrokes contain usernames, passwords and other sensitive data that should not be eavesdropped on."

"I would be more worried about capturing wireless keyboard strokes because that would potentially give you passwords or sensitive information, like credit card numbers," said John Bambenek, threat systems manager at Fidelis Cybersecurity. "That said, barring range extending technology, the attacker would have to be fairly close. In the general attack scenario -- a coffee shop -- it is rare for a user to bring out a wireless keyboard while they are sipping their latte; it is more likely they'd have a mouse. In the real world, it is hard to see how a large scale weaponization of this vulnerability would even be feasible."

Concern over KeySniffer "is a function of our own risk aversion," said Lane Thames, security researcher at the Tripwire Vulnerability and Exposures Research Team (VERT). "Those who are concerned should go out and purchase a new keyboard and mouse -- but do the research and buy a qualified device. There are much bigger risks that consumers take on a daily basis: How often does one connect to an open Wi-Fi hotspot? Open Wi-Fi has no encryption, but users from all walks of life readily connect to open Wi-Fi when they need to."

"Whether or not it's an important vulnerability depends primarily upon who you talk to," Williams said. "If you are using these devices in your network, it's an important vulnerability. If you don't use the impacted devices you probably don't care. It's worth noting that impacted devices are generally low-end and therefore probably less likely to be used in enterprise environments."

"For anyone attending Black Hat or Def Con this year who plans to bring their wireless mouse or keyboard: be concerned," Thames said. "Better yet, don't do it."
