Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

7/26/2016
09:31 AM
Connect Directly
Twitter
Twitter
RSS
E-Mail
50%
50%

'MouseJack' Researchers Uncover Major Wireless Keyboard Vulnerability

KeySniffer attack shows two-thirds of low-cost wireless keyboards prone to keystroke capture and malicious keystroke injection.

The same researchers who earlier this year uncovered glaring vulnerabilities in many wireless mice today announced a new major flaw in the majority of the market's low-cost wireless keyboards that puts users at risk of having attackers remotely sniff all of their keystrokes and even inject their own malicious keystroke commands from distances of up to 250 feet away.

Dubbed KeySniffer by the Bastille Research Team who found it, the vulnerability puts any password, credential, security secret, or intellectual property byproduct that is typed, at risk of eavesdropping and capture by attackers. The affected manufacturers' products do not encrypt data transmitting between their keyboards and the USB dongle that wirelessly connects it to a computer.

According to Marc Newlin, the member of Bastille Research Team who made the discovery, eight of the 12 manufacturers tested for KeySniffer were vulnerable, including Hewlett-Packard, Toshiba, Kensington, Insignia, Radio Shack, Anker, General Electric, and EagleTec.

Whereas previous wireless keyboard attack discoveries such as 2010's KeyKeriki and 2015's KeySweeper exploited weaknesses in Microsoft's encryption for its keyboards, this one is different because it shows that the affected manufacturers didn't encrypt transmissions at all. Even worse, attackers can sniff out KeySniffer-prone victims without them actively typing at their workstation.

"Previously demonstrated vulnerabilities affecting wireless keyboards required the attacker to first observe radio packets transmitted when the victim typed on their keyboard," Newlin says. "The keyboards vulnerable to KeySniffer use USB dongles which continuously transmit radio packets at regular intervals, enabling an attacker to quickly survey an environment such as a room, building, or public space, for vulnerable devices regardless of the victim’s presence."

As a result, it becomes all the easier for attackers to quickly find vulnerable devices and set up shop to capture information once the user does start to type. What's more, the flaw also makes it possible to inject malicious keystrokes into the victim's machine, opening up a whole other world of attacks for the bad guys, including easier installation of malware, exfiltration of data, or execution of malicious commands, without any user interaction required.

The KeySniffer attack is made possible by a common vulnerability in undocumented USB transceivers from MOSART Semiconductor, Signia Technologies, and one unknown manufacturer, all of which Bastille reverse-engineered in order to properly examine data it found through exploratory attacks. The packet capture itself was conducted using an amplified USB dongle called the Crazyradio PA[6], which is more commonly used on open-source drones and for which Bastille developed custom firmware and software to communicate with the keyboards vulnerable to KeySniffer.

Black Hat USA returns to the fabulous Mandalay Bay in Las Vegas, Nevada July 30 through Aug. 4, 2016. Click for information on the conference schedule and to register.

According to researchers, this vulnerability fortunately does not affect Bluetooth and higher-end wireless keyboards, including those from Logitech, Dell, and Lenovo, none of which were impacted. However, the bad news is that keyboards that are susceptible to KeySniffer cannot be upgraded and the risk can only be mitigated by replacing them.

This vulnerability discovery by Bastille is the second peripheral attack found by the firm in five months. The first was MouseJack, a similar flaw in non-Bluetooth mouse devices that also had them transmitting information in the clear.

Related Content:

 

 

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.  View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
The Security of Cloud Applications
Hillel Solow, CTO and Co-founder, Protego,  7/11/2019
Where Businesses Waste Endpoint Security Budgets
Kelly Sheridan, Staff Editor, Dark Reading,  7/15/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: "SpearPhish! Everyone out of the office!"
Current Issue
Building and Managing an IT Security Operations Program
As cyber threats grow, many organizations are building security operations centers (SOCs) to improve their defenses. In this Tech Digest you will learn tips on how to get the most out of a SOC in your organization - and what to do if you can't afford to build one.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-10100
PUBLISHED: 2019-07-17
tinymce 4.7.11, 4.7.12 is affected by: CWE-79: Improper Neutralization of Input During Web Page Generation. The impact is: JavaScript code execution. The component is: Media element. The attack vector is: The victim must paste malicious content to media element's embed tab.
CVE-2019-12175
PUBLISHED: 2019-07-17
In Zeek Network Security Monitor (formerly known as Bro) before 2.6.2, a NULL pointer dereference in the Kerberos (aka KRB) protocol parser leads to DoS because a case-type index is mishandled.
CVE-2019-12475
PUBLISHED: 2019-07-17
In MicroStrategy Web before 10.4.6, there is stored XSS in metric due to insufficient input validation.
CVE-2019-13346
PUBLISHED: 2019-07-17
In MyT 1.5.1, the User[username] parameter has XSS.
CVE-2019-13403
PUBLISHED: 2019-07-17
Temenos CWX version 8.9 has an Broken Access Control vulnerability in the module /CWX/Employee/EmployeeEdit2.aspx, leading to the viewing of user information.