Are Wireless Keyboards Leaking Your Data?
Wireless keyboards transmit every keystroke to your computer, via a low-power radio signal. Is it possible for a hacker to intercept that signal, to steal your passwords and other sensitive data? In some cases, yes. Should you panic? Maybe. Here’s what you need to know…
Is Your Keyboard Secure?
Tech news is pretty slow during the dog days of summer, so it’s a perfect time to grab headlines by beating dead horses. That’s what happened at the end of July, when the tech media suddenly exploded with headlines like these:
“Flaws in wireless keyboards let hackers snoop on everything you type” … “Radio Hack Steals Keystrokes from Millions of Wireless Keyboards” … “It’s Shockingly Easy to Hack Some Wireless Keyboards” … and “Hackers can pick off, inject wireless keyboard keystrokes from 8 vendors, maybe more”.
I suppose they needed to write about something besides the July 29 end of free Windows 10 upgrades, if only for a day.
The brief uproar originated from Atlanta-based Bastille Networks. Bastille specializes in “software and sensor technologies to detect and mitigate threats affecting the Internet of Things,” particularly wireless things such as keyboards, mice, security cameras, etc. Founded in March, 2014, Bastille is a startup struggling for name recognition. It found some in the flurry of FUD (fear, uncertainty, and doubt) that its latest report unleashed.
The gist of that report is that wireless keyboards from at least eight manufacturers either lack encryption entirely or implement it so badly that it does not stop hackers from injecting keystrokes into a user’s computer. Bad guys can take over your machine from a distance of up to 250 feet, Bastille claims, or record your login credentials and other sensitive information as you type it.
Nothing New Under the Sun
The thing is, this vulnerability of wireless input devices has been known for years; here is an article on the subject from 2007. Yet I have not seen a single example of any user who has been hacked via a wireless keyboard or mouse.
The eight manufacturers whose keyboards and/or mice Bastille tested include Hewlett-Packard, Anker, Kensington, RadioShack, Insignia, Toshiba, GE/Jasco and EagleTec. The exact models in which Bastille found vulnerabilities are listed here.
Only three vendors – Anker, GE, and Kensington – have responded to Bastille’s alarm about their products. All of them are dutifully grateful to Bastille for bringing this matter to their attention. Anker and Kensington also state that they have received no complaints involving the issue. Anker has withdrawn its vulnerable product from the market, and will exchange existing products for another (presumably secure) one — if the original product is still under warranty.
Only Kensington states that it has released a new product with AES encryption, the Pro-Fit Wireless Desktop Set. http://goo.gl/rY0tS7 with a $29.95 list price. That’s not bad at all for a wireless keyboard and wireless mouse combo. I have seen rip-offs on Amazon that want $249 for similar encrypted wireless keyboards alone.
In the end, Bastille has done the world a service by forcing at least one major manufacturer to implement encryption on its wireless input devices. The vulnerability will probably continue to be ignored by most other vendors, and by users who value low price over high security.
Should You Replace Your Keyboard?
There is no evidence that hackers have been exploiting this vulnerability, despite it being well known for over ten years. But then again, identity theft is rampant, and the cause cannot always be determined with certainty. I was checking into a hotel last week, and I noticed that the desk clerk was using a wireless keyboard. Hopefully it was a secure model that didn’t broadcast my home address, driver’s license and credit card number to that sketchy guy hanging out in the lobby with a laptop.
If you’re a home user with a wireless keyboard on the naughty list mentioned above, the chances that you’ll be targetted by hackers within a 250-foot radius seem pretty slim to me. But if you work in a business where you deal with sensitive customer data, you should consider swapping out your vulnerable wireless keyboards for a wired model, or get one that implements the wireless feature securely.
Do you use a wireless keyboard? Your thoughts on this topic are welcome. Post your comment or question below…
Original article here.