KeySniffer : How an attacker can sniff your data from 250 feet
Bastille, the cyber security company which detected the threats in Internet of Things (IoT) has unveiled a new vulnerability that could potentially affect millions of users. The vulnerability is present in many low-cost wireless keyboards that were tested in the study and found to communicate without encryption. The attack which can exploit this vulnerability has been named as “KeySniffer” by the Bastille Research Team. As per the research team, an attacker can “sniff” all the keystrokes of wireless keyboards from eight manufacturers from distances up to 250 feet away and all that by using only $100 worth of equipment.
The study explains that Bluetooth devices are relatively safe because there is no standard protocol which needs to be followed. Therefore each manufacturer uses its own security scheme. However, when it comes to the wireless keyboards, they are required to communicate using proprietary protocols operating in the 2.4 GHz ISM band. Wireless keyboards work by transmitting radio frequency packets from the keyboard to the USB dongle which is plugged into user’s computer. Once the user presses any key on the keyboard, it is converted into a radio frequency packet and sent wirelessly to the dongle. However, the data is not encrypted before its transmission as radio frequency packet which makes the entire communication between the wireless keyboard and the dongle vulnerable to hacking. All that hacker needs to do is to plug in a similar dongle in his device and start receiving radio frequency packets. Once hacked, the data is found in the form of clear text. Thus a hacker sipping coffee in a nearby cafe can hack into your device and you won’t even come to know.
The KeySniffer vulnerability does not lie with high-end wireless keyboard manufacturers which encrypt the data before transmission. The encrypted data in high end devices is received by the USB dongle which is authorized to read it because it knows the encryption key. Moreover, even Bluetooth devices are much safer than wireless keyboards. The reason being that Bluetooth devices can operate only over a narrow range of few metres. Therefore, the attacker needs to sit closer to you in order to “sniff” into your keystrokes.
Bastille Research Team also published the list of vulnerable devices. The list is not a comprehensive one. It only contains the details of the devices used in the experiment and which failed the test.
As per the study, the wireless keyboards were vulnerable to not only keyboard sniffing but also keyboard injection attacks. It means that an attacker can inject their own malicious keystroke commands into the victim’s computer. This can be used to install malware, exfiltrate data, or any other malicious act that a hacker could perform with physical access to the victim’s computer. The research clearly demonstrates how sniffing and injection attack can be done. It says the keyboards vulnerable to KeySniffer use USB dongles which continuously transmit radio packets at regular intervals, enabling an attacker to quickly survey an environment such as a room, building or public space for vulnerable devices regardless of the victim’s presence. Thus an attacker can find a vulnerable keyboard even if the user is not typing at that moment and subsequently capture information when the user starts typing.
The study recommends the users of vulnerable keyboards to switch to Bluetooth or wired keyboards in order to protect themselves from sniffer and injection attacks. It says the transceivers used in wireless keyboards vulnerable to KeySniffer are inherently insecure due to lack of encryption and do not support firmware updates.