New Threat From Wireless Keyboards


If you have about $12 to spare, you can eavesdrop on many wireless USB keyboards.  That means that you can capture web sites, userids, passwords, socials, credit card numbers and anything else someone might type in.

The problem with the USB keyboard (and likewise USB mouse) standards is that they didn’t say anything about protecting the data, so it is up to each manufacturer to decide whether to encrypt the data or not.

While the researchers who discovered this only tested keyboards from eight manufacturers including HP, Toshiba, Radio Shack and Kensington, there is no reason to assume that most other USB-based wireless keyboards and mice don’t suffer from the same problem.

When standards do not REQUIRE manufacturers to add features, unless there is a business reason (i.e., it is a feature they can put on the box or in ads), they likely won’t spend the money to implement that feature.

In addition, for many manufacturers, while they might make the keyboard, they may buy the radio component from some other company and at that point, price is probably the most important feature, as long as the device works.

As a result of this report, and the earlier disclosure of a similar vulnerability, it is possible that some manufacturers may have added encryption.  However, almost no one is going to figure out how to update the firmware in the radio of their wireless keyboard – assuming that is even possible.

In addition, not only could the attacker eavesdrop on what you are typing, but they could insert their own characters.  I think this part is very unlikely since the attacker would need to be looking at the data in real time and figure out how to abuse it.  If they are just eavesdropping, then they can take whatever data they capture away and look at it later.

The initial attack required that the attacker capture sample data and so it wasn’t very easy.  This new attack allows an attacker to be up to 250 feet away for the affected keyboards.  Someone that far away would be pretty inconspicuous.

The solution to this problem is simple, but it does cost some money.

First, stop using your wireless keyboard or mouse.  If it makes you feel better, go outside, put it in front of your car and roll back and forth a few times.  Now that you feel better, there are some solutions.

Since this is computer agnostic – meaning it could be a desktop, laptop, phone or tablet, Windows, Mac, Android or iOS, you need to make sure that the chosen solution works with your setup.

The least expensive solution is to get an old-fashioned keyboard and mouse – the kind that has a wire coming out of the back.  As long as your device supports that, this is the simplest solution.

The more expensive solution – although not horribly so – is to get a Bluetooth (R) keyboard.  In this case, you still need to make sure that your computer supports Bluetooth.  I tried this on a computer that I was sure supported Bluetooth, but it turns out that it does not.  There are Bluetooth adapters that you can buy for computers that don’t support Bluetooth, but that is yet another thing to get working, and another thing that can break.  The reason why this works is that the Bluetooth standard REQUIRES strong encryption.

The last alternative is to go out in the country and find an empty field where there is nothing for 150 feet in any direction.  Stand in the middle and use your wireless keyboard.  If you see anyone approach you, stop using the keyboard.  This is probably not a very practical solution, however.

Assuming your computer supports Bluetooth, this is probably the quickest and easiest solution.

If a USB keyboard is your only option and you are concerned, do your research and find a high-end keyboard that does encryption.  I say high-end because the article talks about some low-end ones that do use encryption, but the encryption is weak and might as well not be there.

This picture courtesy of Tsutomu Kamimori, Flickr, under a Creative Commons license.

Information for this post came from Forbes.
