Are Wireless Keyboards Leaking Your Data?
Wireless keyboards transmit every keystroke to your computer via a low-power radio signal. Is it possible for a hacker to intercept that signal, to steal your passwords and other sensitive data? In some cases, yes. Should you panic? Maybe. Here's what you need to know...
Is Your Keyboard Secure?
Tech news is pretty slow during the dog days of summer, so it’s a perfect time to grab headlines by beating dead horses. That’s what happened at the end of July, when the tech media suddenly exploded with headlines like these:
“Flaws in wireless keyboards let hackers snoop on everything you type” … “Radio Hack Steals Keystrokes from Millions of Wireless Keyboards” … “It's Shockingly Easy to Hack Some Wireless Keyboards” … and “Hackers can pick off, inject wireless keyboard keystrokes from 8 vendors, maybe more”.
I suppose they needed to write about something besides the July 29 end of free Windows 10 upgrades, if only for a day.
The brief uproar originated from Atlanta-based Bastille Networks. Bastille specializes in “software and sensor technologies to detect and mitigate threats affecting the Internet of Things,” particularly wireless things such as keyboards, mice, security cameras, etc. Founded in March, 2014, Bastille is a startup struggling for name recognition. It found some in the flurry of FUD (fear, uncertainty, and doubt) that its latest report unleashed.
The gist of that report is that wireless keyboards from at least eight manufacturers either lack encryption entirely or implement it so badly that it does not stop hackers from injecting keystrokes into a user’s computer. Bad guys can take over your machine from a distance of up to 250 feet, Bastille claims, or record your login credentials and other sensitive information as you type it.
Nothing New Under the Sun
The thing is, this vulnerability of wireless input devices has been known for years; here is an article on the subject from 2007. Yet I have not seen a single example of any user who has been hacked via a wireless keyboard or mouse.
The eight manufacturers whose keyboards and/or mice Bastille tested include Hewlett-Packard, Anker, Kensington, RadioShack, Insignia, Toshiba, GE/Jasco and EagleTec. The exact models in which Bastille found vulnerabilities are listed here.
Only three vendors - Anker, GE, and Kensington - have responded to Bastille’s alarm about their products. All of them are dutifully grateful to Bastille for bringing this matter to their attention. Anker and Kensington also state that they have received no complaints involving the issue. Anker has withdrawn its vulnerable product from the market, and will exchange existing products for another (presumably secure) one -- if the original product is still under warranty.
Only Kensington states that it has released a new product with AES encryption, the Pro-Fit Wireless Desktop Set (http://goo.gl/rY0tS7), with a $29.95 list price. That’s not bad at all for a wireless keyboard and wireless mouse combo. I have seen rip-offs on Amazon that want $249 for similar encrypted wireless keyboards alone.
In the end, Bastille has done the world a service by forcing at least one major manufacturer to implement encryption on its wireless input devices. The vulnerability will probably continue to be ignored by most other vendors, and by users who value low price over high security.
Should You Replace Your Keyboard?
There is no evidence that hackers have been exploiting this vulnerability, despite it being well known for over ten years. But then again, identity theft is rampant, and the cause cannot always be determined with certainty. I was checking into a hotel last week, and I noticed that the desk clerk was using a wireless keyboard. Hopefully it was a secure model that didn't broadcast my home address, driver's license and credit card number to that sketchy guy hanging out in the lobby with a laptop.
If you're a home user with a wireless keyboard on the naughty list mentioned above, the chances that you'll be targeted by hackers within a 250-foot radius seem pretty slim to me. But if you work in a business where you deal with sensitive customer data, you should consider swapping out your vulnerable wireless keyboards for a wired model, or get one that implements the wireless feature securely.
Do you use a wireless keyboard? Your thoughts on this topic are welcome. Post your comment or question below...
This article was posted by Bob Rankin on 8 Aug 2016
Article information: AskBobRankin -- Are Wireless Keyboards Leaking Your Data? (Posted: 8 Aug 2016)
Source: https://askbobrankin.com/are_wireless_keyboards_leaking_your_data.html
Copyright © 2005 - Bob Rankin - All Rights Reserved
Most recent comments on "Are Wireless Keyboards Leaking Your Data?"
Posted by:
NB
08 Aug 2016
Thanks for the timely posting. I am looking to replace my Logitech wireless keyboard with one that uses mechanical switches, and those keyboards all use wired connections. Now I can rationalize the high price tag!
Don't think I am at too much risk though, since the Logitech keyboard's "low power" design routinely drops its connection from only 4 feet away!
Posted by:
Mike Rehmus
08 Aug 2016
The issue goes far beyond radio keyboards. That is why the military and the government have 'Tempest' qualified computers and frequently only use them in shielded rooms. This is because the entire computer is radiating information that the properly equipped person can tap and at quite a distance.
Posted by:
mike wax
08 Aug 2016
THANK GOD Bob for your integrity. It would be all too easy to be a typical journalist and pluck up new subscribers by playing chicken little and giving a hungry public one more red herring to be paranoid about. Your work is INVALUABLE!
Posted by:
AM
08 Aug 2016
In the late 1980's TEMPEST certification was a hot topic. The solution was a case for the computer. Think of a 6 foot table with a metal enclosure overtop of it. The door was lockable for added physical security. The problem was that using this shielded metal box was a severe lack of airflow. After multiple computer crashes it was determined the computers needed air to keep them cooled. The boxes went away and new computers were moved from outside walls and room dividers were placed around the areas.
Posted by:
Richard Hanspire
08 Aug 2016
As a retired Signals Intelligence (SIGINT) from the 70s and the 80s, I would be more interested at seeing the range at which these keyboards were intercepted. If the range is very short such as that of a Bluetooth signal, then I would not be overly concerned. If it is greater, say up to a mile or so, then it could be a problem. As the one comment above says, simply moving it away from the outside wall helped immensely.
Posted by:
O. Lamoree
08 Aug 2016
MORE batteries and worse, what if you want to press a key on start-up to change your boot order? Wireless kb's don't seem to do it. So the last time I unplugged the wireless and plugged in the USB keyboard to change boot order... I just left it that way... about 10 years ago.
Posted by:
Eli Marcus
08 Aug 2016
How about a fake phone charger that is recording your wireless keystrokes???
This recent article tells all
http://arstechnica.com/security/2016/05/beware-of-keystroke-loggers-disguised-as-usb-phone-chargers-fbi-warns/
and here are instructions on how to build it yourself -
http://samy.pl/keysweeper/
Posted by:
Robert A.
08 Aug 2016
Lucky for most of us, these brands are less popular than, say, the ubiquitous Microsoft or Logitech wireless keyboards, which aren't on the list. Perhaps the manufacturer(s) of these brands could just engineer a new encryptable dongle that plugs into the computer, that would cost the consumer around $10.00, or less. But, I guess, we shouldn't hold our breath, waiting for that to happen.
Posted by:
Narada
09 Aug 2016
There is not a word on the Kensington Pro-Fit Wireless Desktop Set pages, either in features or specifications, indicating encryption capabilities.
Posted by:
Granville Alley
09 Aug 2016
Actually Bob, this entire concept is much older than that. I am a venture capitalist who represented a California Hi-Tech company, Dynamic Sciences back in the 1980's. They were a company made up of brilliant computer and radio scientists but with not enough business management.
Although they did many other things, their main business was building radios that defined the Tempest Standard. This was the Federal Government Security Standard that defined how much radio wave leakage a device could have and be sold to various government agencies. A substantial percentage of their revenue came from selling radios packed in briefcases or small suitcases which were extremely sensitive and tuneable to 3 letter agencies for cash.
I actually helped them complete a round of venture funding at a large California Bank based VC fund by going into a meeting with the VC Fund executives and demonstrating to them why the Tempest Standard should be important to businesses like banks and not just the government. It was actually one of the shortest and most successful fund raising pitches I ever made.
To make a much longer story very short, the executive asked me why anyone but the government would care about Tempest and I demonstrated why by handing him a slip of paper that had that day's Wire Transfer Code for the bank, which we had read from the street through the radio emissions from a wired (not wireless) keyboard from their wire room that we had been able to isolate from the street outside the bank high-rise using the Dynamic Science Radios.
The VC Executive called BS and said he did not even know the day's wire code. So I told him if he was so certain call in someone from the wire room who had the code and ask them. After some badgering, he called in the wire room manager and handed her the piece of paper I had handed him. This lady turned completely ashen, screamed at the VC Manager that he was not authorized to have that and asked him where he got it. I explained we got it from the street outside the Bank Building and explained to the VC manager that we had chosen not to self-fund as with that code you can virtually empty a bank. We walked out that day with a check for $20MM. And remember this is the early 80's when that was a lot of money.
So leakage of radio signals is very old info and wireless keyboards without encryption or with weak encryption just make it easier, but wired keyboards are no protection as they leak radio signals as well and even today few computers are built to even 30 years ago's Tempest Standard much less to beat today's radio technology.
Posted by:
Former wireless user
20 Aug 2016
Since learning of "mousejacking" & "keyjacking", I've been scouring electronics stores for WIRED devices. They're hard to find -- and I've yet to see a non-Mac keyboard with connected wired mouse (saving a USB port) made by a big manufacturer.
I did observe something odd with my wired Insignia (Best Buy) mouse. It seems to import the drivers of all the USB devices connected to a PC, and bring them to the next machine that I connect the mouse to. As I have a couple of brand-new PCs, it's easy to see (in Device Manager) the drivers installed on PC B for flash & hard drives that never touched PC B -- but WERE used on PC A -- and vice-versa. (I've stopped using this rogue mouse altogether & deleted the roguely-imported drivers from both PCs; I also now have a brand-new MS wired mouse on each machine -- no more mouse-transferring).
Posted by:
PeteFior
20 Aug 2016
I have always used wired keyboards and mice - they're inexpensive and reliable. Problem solved!