
Text typed on a number of wireless keyboard models can be intercepted from a distance of 75 meters

8 out of 12 keyboard models tested by a specialist send typed characters in clear text, without encryption




Wireless keyboards of various models, produced by 8 companies, are exposed to a vulnerability that allows an attacker to intercept keystrokes from a distance of up to 75 meters. The danger of this vulnerability, which has been named KeySniffer, is hard to overestimate: it exposes any passwords, credit card numbers, and security questions and their answers. All of it is transmitted as unencrypted text.

The information security specialists who discovered the problem have named the companies whose keyboards are affected: Hewlett-Packard, Toshiba, Kensington, Insignia, Radio Shack, Anker, General Electric, and EagleTec. The first to report the vulnerability was Marc Newlin, a researcher at Bastille Networks.

He also reported a similar problem back in February, though that one concerned remote input of keystrokes through a wireless mouse. The researcher was able to send commands for the mouse that simulated keyboard key presses (not mouse button clicks) from a distance of 225 meters. The operating system interpreted these signals correctly, performing the corresponding function or putting a character into the editor. After studying this issue, Newlin took up wireless keyboards. He bought 12 different models in an electronics supermarket and began to study the data transfer protocols these devices use.

As it turned out, 8 of the 12 keyboards studied do not encrypt the data they send at all. All of these keyboards are on sale now. Some of them were introduced in 2014 and 2015, but they are still popular. “We expected the manufacturers of these relatively new keyboards to take the issue of information security seriously, but this, unfortunately, is not so,” the researcher says.

“As soon as I completed the initial phase of reverse engineering, I realized that all these devices send keystrokes in plain text,” said Newlin.

He found that a number of keyboards were equipped with transceivers that had not previously been documented. Keyboards from Hewlett-Packard, Anker, Kensington, RadioShack, Insignia, and EagleTec were equipped with transceivers manufactured by MOSART Semiconductor. Toshiba's keyboards used Signia Technologies' transceivers. General Electric keyboards were equipped with no-name transceivers; who makes them is unknown.

Eight of the 12 keyboards studied worked with transceivers about which there was no information. It was unclear what chips these devices used, so Newlin and his colleagues decided to study them on their own. They reverse engineered the devices by examining both the electronic components of the transceivers and the radio frequencies on which they operated.

Only inexpensive equipment is needed to access the data the keyboards transmit: a “long-range” Crazyradio-type radio operating at 2.4 GHz, which can be bought on Amazon for only $30-40. After reverse engineering the keyboards' transceivers, the researcher wrote firmware for the Crazyradio. With this firmware, the system began to work as a regular transceiver for any of the keyboards. A directional antenna costing $50 was also added to the Crazyradio.



Newlin connected the resulting system to a laptop and was able to receive signals from wireless keyboards at a distance of up to 75 meters. No access to the victim's computer is needed, and nothing has to be done to it. It is enough to sit in a public place where users are working on their laptops or tablets with a wireless keyboard (there are many of them) and wait for all the data the victim enters on their PC.

An attacker can also wait on the street next to apartment blocks, where there are many residents and someone is likely to be working on a computer with a vulnerable keyboard. Even if no one is typing, as long as the computer and keyboard are turned on, an attacker can scan the location and, having picked up a keyboard signal, learn that there is something there to profit from.

Bastille Networks sent information about the problem to all vendors of the vulnerable hardware. The message said that the manufacturers had 90 days to remedy the situation. Most interestingly, no one answered except one company, which announced that it no longer makes wireless keyboards. And there seems to be no way to fix the problem: it lies not in the keyboard drivers but in the device itself, so this is a hardware vulnerability. The simplest solution for a manufacturer is to stop releasing the problem keyboard models.



“As far as I know, there is no way to update the firmware of these devices, since all the control software is built into the chip on the board. Therefore, it is impossible to solve the problem by somehow enabling encryption,” says Newlin.

Bastille Networks advises all owners of vulnerable keyboards to stop using them and switch to a wired or Bluetooth keyboard. Bluetooth is not the most secure wireless protocol, but it is better than nothing.

Recently, another information security specialist, Samy Kamkar, found a way to crack Microsoft's wireless keyboards. He was able to collect, decrypt and record information entered by users of such a keyboard. Kamkar created a special device, KeySweeper, consisting of an Arduino and other electronic components. The device looks like a USB charger, but in reality it is a spy device.

Source: https://habr.com/ru/post/396307/

