Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

7/26/2016
09:31 AM
Connect Directly
Twitter
RSS
E-Mail
50%
50%

'MouseJack' Researchers Uncover Major Wireless Keyboard Vulnerability

KeySniffer attack shows two-thirds of low-cost wireless keyboards prone to keystroke capture and malicious keystroke injection.

The same researchers who earlier this year uncovered glaring vulnerabilities in many wireless mice today announced a new major flaw in the majority of the market's low-cost wireless keyboards that puts users at risk of having attackers remotely sniff all of their keystrokes and even inject their own malicious keystroke commands from distances of up to 250 feet away.

Dubbed KeySniffer by the Bastille Research Team who found it, the vulnerability puts any password, credential, security secret, or intellectual property byproduct that is typed, at risk of eavesdropping and capture by attackers. The affected manufacturers' products do not encrypt data transmitting between their keyboards and the USB dongle that wirelessly connects it to a computer.

According to Marc Newlin, the member of Bastille Research Team who made the discovery, eight of the 12 manufacturers tested for KeySniffer were vulnerable, including Hewlett-Packard, Toshiba, Kensington, Insignia, Radio Shack, Anker, General Electric, and EagleTec.

Whereas previous wireless keyboard attack discoveries such as 2010's KeyKeriki and 2015's KeySweeper exploited weaknesses in Microsoft's encryption for its keyboards, this one is different because it shows that the affected manufacturers didn't encrypt transmissions at all. Even worse, attackers can sniff out KeySniffer-prone victims without them actively typing at their workstation.

"Previously demonstrated vulnerabilities affecting wireless keyboards required the attacker to first observe radio packets transmitted when the victim typed on their keyboard," Newlin says. "The keyboards vulnerable to KeySniffer use USB dongles which continuously transmit radio packets at regular intervals, enabling an attacker to quickly survey an environment such as a room, building, or public space, for vulnerable devices regardless of the victim’s presence."

As a result, it becomes all the easier for attackers to quickly find vulnerable devices and set up shop to capture information once the user does start to type. What's more, the flaw also makes it possible to inject malicious keystrokes into the victim's machine, opening up a whole other world of attacks for the bad guys, including easier installation of malware, exfiltration of data, or execution of malicious commands, without any user interaction required.

The KeySniffer attack is made possible by a common vulnerability in undocumented USB transceivers from MOSART Semiconductor, Signia Technologies, and one unknown manufacturer, all of which Bastille reverse-engineered in order to properly examine data it found through exploratory attacks. The packet capture itself was conducted using an amplified USB dongle called the Crazyradio PA[6], which is more commonly used on open-source drones and for which Bastille developed custom firmware and software to communicate with the keyboards vulnerable to KeySniffer.

Black Hat USA returns to the fabulous Mandalay Bay in Las Vegas, Nevada July 30 through Aug. 4, 2016. Click for information on the conference schedule and to register.

According to researchers, this vulnerability fortunately does not affect Bluetooth and higher-end wireless keyboards, including those from Logitech, Dell, and Lenovo, none of which were impacted. However, the bad news is that keyboards that are susceptible to KeySniffer cannot be upgraded and the risk can only be mitigated by replacing them.

This vulnerability discovery by Bastille is the second peripheral attack found by the firm in five months. The first was MouseJack, a similar flaw in non-Bluetooth mouse devices that also had them transmitting information in the clear.

Related Content:

 

 

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.  View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
DevSecOps: The Answer to the Cloud Security Skills Gap
Lamont Orange, Chief Information Security Officer at Netskope,  11/15/2019
Attackers' Costs Increasing as Businesses Focus on Security
Robert Lemos, Contributing Writer,  11/15/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: -when I told you that our cyber-defense was from another age
Current Issue
Navigating the Deluge of Security Data
In this Tech Digest, Dark Reading shares the experiences of some top security practitioners as they navigate volumes of security data. We examine some examples of how enterprises can cull this data to find the clues they need.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-1817
PUBLISHED: 2019-11-20
MediaWiki before 1.19.4 and 1.20.x before 1.20.3 contains an error in the api.php script which allows remote attackers to obtain sensitive information.
CVE-2013-2091
PUBLISHED: 2019-11-20
SQL injection vulnerability in Dolibarr ERP/CRM 3.3.1 allows remote attackers to execute arbitrary SQL commands via the 'pays' parameter in fiche.php.
CVE-2012-1257
PUBLISHED: 2019-11-20
Pidgin 2.10.0 uses DBUS for certain cleartext communication, which allows local users to obtain sensitive information via a dbus session monitor.
CVE-2013-1816
PUBLISHED: 2019-11-20
MediaWiki before 1.19.4 and 1.20.x before 1.20.3 allows remote attackers to cause a denial of service (application crash) by sending a specially crafted request.
CVE-2011-4455
PUBLISHED: 2019-11-20
Multiple cross-site scripting vulnerabilities in Tiki 7.2 and earlier allow remote attackers to inject arbitrary web script or HTML via the path info to (1) tiki-admin_system.php, (2) tiki-pagehistory.php, (3) tiki-removepage.php, or (4) tiki-rename_page.php.