There are any number of ways for a hacker to attack, some more reliable than others. The most practical way might be to exploit vulnerabilities in PC software, for example, but since patches can typically be delivered in only a couple of days, that brief security loophole can be closed quite quickly.
Things get more complicated – and the stakes get higher – with hardware vulnerabilities, because usually a software update cannot solve the issue and, as such, a change of hardware is required. The latter is true of keyboard sniffing, whether that’s a wireless or wired keyboard.
Since the keyboard is an essential component of how we use computers – in most cases, this is how information is entered into the machine – any weakness in this peripheral can place any password-based authentication system in danger.
Keyboard as a Target
Since the keyboard has such an integral role in computer use, it has been the subject of a number of studies, all of which explore methods of accessing the data entered by the user. That’s how researchers discovered just how easy it is to siphon a user’s password as they type it, simply by recording the sound of the keystrokes.
It was researchers Asonov and Agrawal who first realized that each key produces a different sound and, with the help of sophisticated software, were able to accurately reproduce text entered by a user.
Low-Cost Hardware Comes With a Variety of Vulnerabilities
Cyber security firm Bastille has discovered that two-thirds of wireless keyboards are susceptible to what they call a “KeySniffer” attack. As pointed out in a press release announcing their findings, this serious security vulnerability allows hackers to remotely decipher all keystrokes of wireless keyboards from up to 250 feet away.
This means that hackers can intercept your keystrokes – and with them your personal credentials – while you log into your bank account or type in your credit card details, and then reproduce that data in plain text. It’s easy to guess what comes next.
After testing low-cost wireless keyboards from 12 manufacturers, Bastille identified Hewlett-Packard, Toshiba, Kensington, Insignia, Radio Shack, Anker, General Electric, and EagleTec products as being affected by the KeySniffer vulnerability.
What Is KeySniffer?
KeySniffer is a set of security vulnerabilities discovered by Bastille in non-Bluetooth wireless keyboards released by eight manufacturers. As you may already know, wireless keyboards and mice work by using a wireless dongle that is attached to computers using a USB port.
These products commonly communicate using proprietary protocols operating in the 2.4 GHz ISM band, so when a user hits a key on the wireless keyboard, that information is then sent to the USB dongle, which ‘translates’ it for the computer so the action can take place on the computer it is connected to.
To protect this wireless transmission the data must be encrypted, but that wasn’t the case for the low-cost keyboards identified by Bastille. This leaves room for hackers to create software that imitates a keyboard and transmits unencrypted keyboard packets to the USB dongle, or forces a new device to pair without any user interaction.
Wireless vs Wired Keyboard
Protecting yourself from KeySniffer attacks is pretty simple: since there is no software that can be patched to resolve this serious vulnerability, the only way a higher level of security can be achieved is by replacing the low-cost hardware with a high-end version, preferably a wired option if possible.
While this does mean giving up the convenience of a cable-free life, your data is transmitted via a wired connection, which has a basic layer of security by default. But if you thought that this meant you would now be safe, just take off those rose-tinted specs for a second: there are other techniques with which hackers track your keystrokes if they really want to intercept your passwords.
Nowadays, however, it seems to be much easier to launch an avalanche of phishing attacks, in which users are seemingly happy to give up their passwords “when asked nicely”. Password managers, though, act as security auditors for all your saved credentials: they warn you if you are about to enter your username and password on a fraudulent site, since they track the legitimate URL of the site you’re hoping to access and tell you if there isn’t a match.
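The URL-match check described above can be sketched as follows. This is an added, simplified example, not code from any particular password manager; the host names, the saved entry and the HTTPS requirement are assumptions made for illustration.

```javascript
'use strict';
// Added example: the URL-match check described above, in simplified form.
// Hostnames and the saved entry are constructed for illustration only.
const savedEntry = { origin: 'https://login.examplebank.test', username: 'alice' };

// Reduce a URL to the parts that identify a site; null if it cannot be parsed.
function parseOrigin(rawUrl) {
  try {
    const u = new URL(rawUrl);
    return { scheme: u.protocol, host: u.hostname.toLowerCase(), port: u.port };
  } catch (_) {
    return null;
  }
}

// Decide whether the page being visited may receive the saved credentials.
function checkAutofill(entry, pageUrl) {
  const saved = parseOrigin(entry.origin);
  const page = parseOrigin(pageUrl);
  if (!saved || !page) return { fill: false, reason: 'unparsable URL' };
  if (page.scheme !== 'https:') return { fill: false, reason: 'not HTTPS' };
  if (page.host === saved.host && page.port === saved.port) {
    return { fill: true, reason: 'matches saved site' };
  }
  // Mismatch: say why, so the warning shown to the user is specific.
  if (page.host.split('.').some((label) => label.startsWith('xn--'))) {
    return { fill: false, reason: 'look-alike characters in host name' };
  }
  if (page.host.includes(saved.host)) {
    return { fill: false, reason: 'saved name embedded in a different host' };
  }
  return { fill: false, reason: 'different site' };
}

// Constructed sample URLs: one legitimate page and four phishing-style variants.
const samples = [
  'https://login.examplebank.test/signin',
  'https://login.examplebank.test.evil.test/signin',   // real name as subdomain
  'https://login.examplebank.test@evil.test/signin',   // real name as userinfo
  'http://login.examplebank.test/signin',              // scheme downgrade
  'https://login.ex\u0430mplebank.test/signin',        // Cyrillic "a" homograph
];

function auditSamples() {
  return samples.map((url) => ({ url, ...checkAutofill(savedEntry, url) }));
}

for (const r of auditSamples()) console.log(r.fill ? 'FILL ' : 'WARN ', r.url, '-', r.reason);
```

Only the first sample is filled; the comparison is made on the parsed host name rather than on the text of the address, which is why the variants that merely contain the real name are still rejected.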