Every keystroke you make on some wireless keyboards can be spied on by hackers lurking nearby, according to research released by cybersecurity firm Bastille Tuesday. The “vast majority” of low-cost wireless keyboards are vulnerable to an attack researchers have dubbed “KeySniffer,” according to the company.
“When we purchase a wireless keyboard we reasonably expect that the manufacturer has designed and built security into the core of the product,” said Marc Newlin, the Bastille researcher who discovered the vulnerability, in a press release. “Unfortunately, we tested keyboards from 12 manufacturers and were disappointed to find that eight manufacturers (two-thirds) were susceptible to the KeySniffer hack.”
The attack allows hackers up to 250 feet away to eavesdrop on people as they type – potentially sucking credit card numbers, usernames, passwords and personal information shared with confidants, according to the researchers. The heart of the problem is that the connections between computers and the identified keyboards don’t use encryption, unlike more costly models, and are left vulnerable to a hacker with special equipment costing less than $100.
The issue does not affect Bluetooth keyboards because they are subject to industry standards that require stronger security measures, according to Bastille. However, the company said some keyboards from major manufacturers, including Toshiba and HP, that rely on radio signals are vulnerable. In HP’s case, Bastille found that its “HP Wireless Classic Desktop wireless keyboard” was vulnerable, while Toshiba’s PA3871U-1ETB wireless keyboard was also affected. Toshiba and HP did not immediately respond to a request for comment.
Kensington, the maker of another vulnerable keyboard called the Kensington ProFit Wireless Keyboard, released a statement saying it has taken “all necessary measures to close any security gaps and ensure the privacy of users” and has released a firmware update for the device that includes encryption. You can find a full list of the affected devices here.
Bastille says it reached out to manufacturers before going public with its research, but that many of the devices aren’t able to be updated to defend against the attacks. The cybersecurity firm recommends replacing the keyboards with Bluetooth or wired models. It remains unclear if any of the keyboard makers plans to offer refunds or replacements to consumers who purchased the vulnerable models.
(c) 2016, The Washington Post · Andrea Peterson