Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

7/26/2016
09:31 AM
Connect Directly
Twitter
RSS
E-Mail
50%
50%

'MouseJack' Researchers Uncover Major Wireless Keyboard Vulnerability

KeySniffer attack shows two-thirds of low-cost wireless keyboards prone to keystroke capture and malicious keystroke injection.

The same researchers who earlier this year uncovered glaring vulnerabilities in many wireless mice today announced a new major flaw in the majority of the market's low-cost wireless keyboards that puts users at risk of having attackers remotely sniff all of their keystrokes and even inject their own malicious keystroke commands from distances of up to 250 feet away.

Dubbed KeySniffer by the Bastille Research Team who found it, the vulnerability puts any password, credential, security secret, or intellectual property byproduct that is typed, at risk of eavesdropping and capture by attackers. The affected manufacturers' products do not encrypt data transmitting between their keyboards and the USB dongle that wirelessly connects it to a computer.

According to Marc Newlin, the member of Bastille Research Team who made the discovery, eight of the 12 manufacturers tested for KeySniffer were vulnerable, including Hewlett-Packard, Toshiba, Kensington, Insignia, Radio Shack, Anker, General Electric, and EagleTec.

Whereas previous wireless keyboard attack discoveries such as 2010's KeyKeriki and 2015's KeySweeper exploited weaknesses in Microsoft's encryption for its keyboards, this one is different because it shows that the affected manufacturers didn't encrypt transmissions at all. Even worse, attackers can sniff out KeySniffer-prone victims without them actively typing at their workstation.

"Previously demonstrated vulnerabilities affecting wireless keyboards required the attacker to first observe radio packets transmitted when the victim typed on their keyboard," Newlin says. "The keyboards vulnerable to KeySniffer use USB dongles which continuously transmit radio packets at regular intervals, enabling an attacker to quickly survey an environment such as a room, building, or public space, for vulnerable devices regardless of the victim’s presence."

As a result, it becomes all the easier for attackers to quickly find vulnerable devices and set up shop to capture information once the user does start to type. What's more, the flaw also makes it possible to inject malicious keystrokes into the victim's machine, opening up a whole other world of attacks for the bad guys, including easier installation of malware, exfiltration of data, or execution of malicious commands, without any user interaction required.

The KeySniffer attack is made possible by a common vulnerability in undocumented USB transceivers from MOSART Semiconductor, Signia Technologies, and one unknown manufacturer, all of which Bastille reverse-engineered in order to properly examine data it found through exploratory attacks. The packet capture itself was conducted using an amplified USB dongle called the Crazyradio PA[6], which is more commonly used on open-source drones and for which Bastille developed custom firmware and software to communicate with the keyboards vulnerable to KeySniffer.

Black Hat USA returns to the fabulous Mandalay Bay in Las Vegas, Nevada July 30 through Aug. 4, 2016. Click for information on the conference schedule and to register.

According to researchers, this vulnerability fortunately does not affect Bluetooth and higher-end wireless keyboards, including those from Logitech, Dell, and Lenovo, none of which were impacted. However, the bad news is that keyboards that are susceptible to KeySniffer cannot be upgraded and the risk can only be mitigated by replacing them.

This vulnerability discovery by Bastille is the second peripheral attack found by the firm in five months. The first was MouseJack, a similar flaw in non-Bluetooth mouse devices that also had them transmitting information in the clear.

Related Content:

 

 

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.  View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Threaded  |  Newest First  |  Oldest First
News
FluBot Malware's Rapid Spread May Soon Hit US Phones
Kelly Sheridan, Staff Editor, Dark Reading,  4/28/2021
Slideshows
7 Modern-Day Cybersecurity Realities
Steve Zurier, Contributing Writer,  4/30/2021
Commentary
How to Secure Employees' Home Wi-Fi Networks
Bert Kashyap, CEO and Co-Founder at SecureW2,  4/28/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-31755
PUBLISHED: 2021-05-07
An issue was discovered on Tenda AC11 devices with firmware through 02.03.01.104_CN. A stack buffer overflow vulnerability in /goform/setmac allows attackers to execute arbitrary code on the system via a crafted post request.
CVE-2021-31756
PUBLISHED: 2021-05-07
An issue was discovered on Tenda AC11 devices with firmware through 02.03.01.104_CN. A stack buffer overflow vulnerability in /gofrom/setwanType allows attackers to execute arbitrary code on the system via a crafted post request. This occurs when input vector controlled by malicious attack get copie...
CVE-2021-31757
PUBLISHED: 2021-05-07
An issue was discovered on Tenda AC11 devices with firmware through 02.03.01.104_CN. A stack buffer overflow vulnerability in /goform/setVLAN allows attackers to execute arbitrary code on the system via a crafted post request.
CVE-2021-31758
PUBLISHED: 2021-05-07
An issue was discovered on Tenda AC11 devices with firmware through 02.03.01.104_CN. A stack buffer overflow vulnerability in /goform/setportList allows attackers to execute arbitrary code on the system via a crafted post request.
CVE-2021-31458
PUBLISHED: 2021-05-07
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit Reader 10.1.1.37576. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handlin...