Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

7/26/2016
09:31 AM
Connect Directly
Twitter
Twitter
RSS
E-Mail
50%
50%

'MouseJack' Researchers Uncover Major Wireless Keyboard Vulnerability

KeySniffer attack shows two-thirds of low-cost wireless keyboards prone to keystroke capture and malicious keystroke injection.

The same researchers who earlier this year uncovered glaring vulnerabilities in many wireless mice today announced a new major flaw in the majority of the market's low-cost wireless keyboards that puts users at risk of having attackers remotely sniff all of their keystrokes and even inject their own malicious keystroke commands from distances of up to 250 feet away.

Dubbed KeySniffer by the Bastille Research Team who found it, the vulnerability puts any password, credential, security secret, or intellectual property byproduct that is typed, at risk of eavesdropping and capture by attackers. The affected manufacturers' products do not encrypt data transmitting between their keyboards and the USB dongle that wirelessly connects it to a computer.

According to Marc Newlin, the member of Bastille Research Team who made the discovery, eight of the 12 manufacturers tested for KeySniffer were vulnerable, including Hewlett-Packard, Toshiba, Kensington, Insignia, Radio Shack, Anker, General Electric, and EagleTec.

Whereas previous wireless keyboard attack discoveries such as 2010's KeyKeriki and 2015's KeySweeper exploited weaknesses in Microsoft's encryption for its keyboards, this one is different because it shows that the affected manufacturers didn't encrypt transmissions at all. Even worse, attackers can sniff out KeySniffer-prone victims without them actively typing at their workstation.

"Previously demonstrated vulnerabilities affecting wireless keyboards required the attacker to first observe radio packets transmitted when the victim typed on their keyboard," Newlin says. "The keyboards vulnerable to KeySniffer use USB dongles which continuously transmit radio packets at regular intervals, enabling an attacker to quickly survey an environment such as a room, building, or public space, for vulnerable devices regardless of the victim’s presence."

As a result, it becomes all the easier for attackers to quickly find vulnerable devices and set up shop to capture information once the user does start to type. What's more, the flaw also makes it possible to inject malicious keystrokes into the victim's machine, opening up a whole other world of attacks for the bad guys, including easier installation of malware, exfiltration of data, or execution of malicious commands, without any user interaction required.

The KeySniffer attack is made possible by a common vulnerability in undocumented USB transceivers from MOSART Semiconductor, Signia Technologies, and one unknown manufacturer, all of which Bastille reverse-engineered in order to properly examine data it found through exploratory attacks. The packet capture itself was conducted using an amplified USB dongle called the Crazyradio PA[6], which is more commonly used on open-source drones and for which Bastille developed custom firmware and software to communicate with the keyboards vulnerable to KeySniffer.

Black Hat USA returns to the fabulous Mandalay Bay in Las Vegas, Nevada July 30 through Aug. 4, 2016. Click for information on the conference schedule and to register.

According to researchers, this vulnerability fortunately does not affect Bluetooth and higher-end wireless keyboards, including those from Logitech, Dell, and Lenovo, none of which were impacted. However, the bad news is that keyboards that are susceptible to KeySniffer cannot be upgraded and the risk can only be mitigated by replacing them.

This vulnerability discovery by Bastille is the second peripheral attack found by the firm in five months. The first was MouseJack, a similar flaw in non-Bluetooth mouse devices that also had them transmitting information in the clear.

Related Content:

 

 

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.  View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Windows 10 Migration: Getting It Right
Kevin Alexandra, Principal Solutions Engineer at BeyondTrust,  5/15/2019
Artist Uses Malware in Installation
Dark Reading Staff 5/17/2019
Baltimore Ransomware Attack Takes Strange Twist
Kelly Jackson Higgins, Executive Editor at Dark Reading,  5/14/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
Building and Managing an IT Security Operations Program
As cyber threats grow, many organizations are building security operations centers (SOCs) to improve their defenses. In this Tech Digest you will learn tips on how to get the most out of a SOC in your organization - and what to do if you can't afford to build one.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-12198
PUBLISHED: 2019-05-20
In GoHttp through 2017-07-25, there is a stack-based buffer over-read via a long User-Agent header.
CVE-2019-12185
PUBLISHED: 2019-05-20
eLabFTW 1.8.5 is vulnerable to arbitrary file uploads via the /app/controllers/EntityController.php component. This may result in remote command execution. An attacker can use a user account to fully compromise the system using a POST request. This will allow for PHP files to be written to the web r...
CVE-2019-12184
PUBLISHED: 2019-05-19
There is XSS in browser/components/MarkdownPreview.js in BoostIO Boostnote 0.11.15 via a label named flowchart, sequence, gallery, or chart, as demonstrated by a crafted SRC attribute of an IFRAME element, a different vulnerability than CVE-2019-12136.
CVE-2019-12173
PUBLISHED: 2019-05-18
MacDown 0.7.1 (870) allows remote code execution via a file:\\\ URI, with a .app pathname, in the HREF attribute of an A element. This is different from CVE-2019-12138.
CVE-2019-12172
PUBLISHED: 2019-05-17
Typora 0.9.9.21.1 (1913) allows arbitrary code execution via a modified file: URL syntax in the HREF attribute of an AREA element, as demonstrated by file:\\\ on macOS or Linux, or file://C| on Windows. This is different from CVE-2019-12137.