SAN FRANCISCO – Using an attack that researchers at cybersecurity firm Bastille are calling “keysniffer,” hackers can detect every key you press on your wireless keyboard. Think about that next time you’re using your laptop in a coffee shop.
That means they can pick up your passwords and maybe the answers to your security questions, like your mother’s maiden name. The flaw affects keyboards manufactured by big names such as HP, Toshiba and General Electric. So far, bad news.
The good news? To use “keysniffer” on you, hackers would have to be pretty close. The attack works within 250 feet, which is about three-fourths the length of a football field. So international hackers aren’t going to get you, and neither is anyone else who isn’t in your physical neighborhood. But public Wi-Fi spaces? Hum.
Like many vulnerable internet-connected devices, these keyboards are most at risk when someone with bad motives happens to be nearby — or, more likely, has specifically targeted you. The same was true of flaws found in Hello Barbie, a doll that connects to Wi-Fi and learns to interact with its human friends.
Still, the reason your keyboard might be a touch vulnerable is disconcerting. The vulnerable keyboards are sending out each character you type over an unencrypted connection, according to Bastille researchers. That means the data flowing from your keyboard to your computer isn’t scrambled, and it’s no sweat for hackers to intercept and read.
Researchers from Bastille, led by Marc Newlin, said they tested low-cost keyboards from 12 manufacturers. In addition to keyboards from HP, Toshiba and General Electric (which licenses its name to manufacturer Jasco for keyboards), wireless keyboards from Kensington, Radio Shack, Anker, EagleTec and Best Buy’s Insignia brand were vulnerable.
Denise Nelson, a spokeswoman for Kensington, said the company is working with Bastille on security issues. “They have taken all measures that they possibly can to close any security gaps,” she said.
Nelson said new Kensington keyboards will feature an encrypted connection going forward. However, she did not know whether wireless keyboards already in use were still unencrypted. She added that the Kensington support team is ready to help customers resolve any issues.
Jasco is aware of the report from Bastille and “will work directly with its customers of this product to address any issues or concerns,” the company said in a statement. Jasco is “committed to delivering secure products to its customers and would like to express its appreciation to Bastille Threat Research Group for reporting these issues.”
The rest of the manufacturers named by Bastille did not respond to requests for comment. (Editor’s note: Anker eventually responded; see update note at bottom of story.)
Bastille’s website offers a list of the exact models affected.
This story was published by CNET.Com.
