What is KeySniffer?
KeySniffer is a security vulnerability affecting non-Bluetooth wireless keyboards from eight vendors. The wireless keyboards susceptible to KeySniffer use unencrypted radio communication protocols, enabling an attacker to eavesdrop on all the keystrokes typed by the victim from several hundred feet away using less than $100 of equipment.
What are the Potential Effects of KeySniffer?
Using KeySniffer an attacker can see all the keystrokes a victim types including personal and private data such as credit card numbers, usernames, passwords, security question answers and other sensitive or private information - all in clear text.
Which Devices are Affected by KeySniffer?
The keyboard manufacturers affected by KeySniffer include: Hewlett-Packard, Toshiba, Kensington, Radio Shack, Anker, General Electric, Insignia and EagleTec See the list of known vulnerable wireless keyboards at: www.keysniffer.net
How was KeySniffer Discovered?
Marc Newlin, a member of Bastille’s Threat Research Team, made the KeySniffer discovery as part of Bastille’s ongoing research into current wireless and IoT vulnerabilities.
Did this Discovery Come as a Surprise to Bastille?
No, because KeySniffer is just the latest IoT vulnerability discovery. Bastille has long contended that the lack of security protocols and regulations in IoT devices makes them vulnerable. The top 10 wearables have already been hacked. Most of the popular IoT protocols have already been hacked, including Bluetooth, EnOcean, ZigBee and Z-Wave.
What Does the KeySniffer Discovery Say About the Current State of IoT Security?
The KeySniffer discovery validates Bastille’s thesis that the IoT is already being rolled out to individuals and enterprises with wireless protocols that have not been through sufficient security vetting. As a result, Bastille expects millions of devices to be vulnerable to currently undiscovered attacks.
Who is at Risk of Being Targeted by the KeySniffer Vulnerability?
From global enterprises to individuals, anyone using an affected wireless keyboard runs the risk of being a victim of a potential hack.
How can People Find Out if Their Device is at Risk?
Wireless keyboard owners with devices from Hewlett-Packard, Insignia, Toshiba, Kensington, Radio Shack, Anker, General Electric, and EagleTec should visit www.keysniffer.net for a list of known, affected devices. Bluetooth keyboards and higher-end wireless keyboards from manufacturers including Logitech, Dell, and Lenovo are not susceptible to KeySniffer.
Is There a KeySniffer Fix? What can Consumers do to Protect Themselves?
First, unplug your wireless keyboard if it’s from one of the manufacturers listed above. Then visit www.keysniffer.net and determine if your keyboard is impacted. Unfortunately, none of the affected keyboards can accept a firmware update to prevent the KeySniffer vulnerability. Therefore consumers should consider replacing their affected device with a secure one.
This is not the first time a wireless keyboard has been shown to be vulnerable to a ‘sniffing’ attack, why is this still happening?
As long ago as 2010 (KeyKeriki) and more recently in 2015 (KeySweeper), researchers found that Microsoft keyboards using a Nordic Semiconductor chip and weak XOR encryption could be hacked. This should have been a wakeup call for all wireless keyboard manufacturers to add strong encryption and secure all future wireless keyboards. The KeySniffer vulnerability is based on new 2016 research by Marc Newlin and the Bastille Research Team which started with reverse engineering three distinct transceivers whose operating characteristics were previously unknown. Identifying the vulnerabilities was the result of reverse engineering the physical layer packet formats of each of the transceivers, revealing that the underlying data is unencrypted. There are millions of vulnerable keyboards out there and their owners, Corporate, Government and Consumer, should be aware of this vulnerability and its potential impact.
How is KeySniffer different that KeyKeriki or KeySweeper?
KeySniffer demonstrates that as many as two-thirds of the lower-cost wireless keyboards currently on the market implement no encryption whatsoever, leaving them vulnerable to passive keystroke sniffing and injection.
Prior research by Thorsten Schroeder and Max Moser (KeyKeriki) and Samy Kamkar (KeySweeper) demonstrated a flaw in the encryption used solely by certain Microsoft wireless keyboards. Specifically, their research demonstrated that the XOR-encryption as utilized by them was insecure, making it possible to sniff keystrokes.
The keyboards covered by the KeyKeriki and KeySweeper projects are based exclusively on Nordic Semiconductor nRF24L transceivers, which use a well documented physical layer radio protocol.
KeySniffer is novel in part because the keyboards use three distinct transceivers, not made by Nordic Semiconductor, whose operating characteristics were previously unknown. Identifying the vulnerabilities was the result of reverse engineering the physical layer packet formats of each of the transceivers, and then investigating the protocol to reveal that the underlying data is unencrypted.
The keyboards vulnerable to KeySniffer also enable a novel attack scenario not possible with the KeyKeriki/KeySweeper devices. In the case of KeyKeriki/KeySweeper, radio packets are only transmitted when a user is typing on their keyboard, which means an attacker can only detect vulnerable devices under certain conditions.
The USB dongles compromised in the KeySniffer vulnerability are constantly transmitting, regardless of whether or not the user is typing on their keyboard, making it possible to quickly survey an environment for vulnerable computers. Once a vulnerable computer has been identified, the attacker is immediately able to inject keystrokes.
|Affected Devices||Past generation of Microsoft wireless keyboards||Current generation of wireless keyboards from eight vendors|
|Radio Transceivers||Well documented transceiver from Nordic Semiconductor||Three previously undocumented transceivers from manufacturers other than Nordic Semiconductor which first needed to be reverse engineered by the Bastille Research Team|
|Vulnerable Computer Discovery||A vulnerable computer can only be identified when the user is actively typing||A vulnerable computer can be identified regardless of whether or not the user is present and/or typing.|
How is this different from the MouseJack vulnerability?
MouseJack was centered around injecting keystrokes into wireless mice, whereas KeySniffer is centered around sniffing keystrokes and the valuable personal and private data they expose from wireless keyboards, such as credit card numbers, social security numbers, passwords and security challenge answers, etc.
What equipment do you need, where do you get it, and how much does it cost?
A KeySniffer attack can be carried out using a $30-$40 CrazyRadio PA dongle which can be purchased on Amazon, or any other of the dozens of inexpensive 2.4GHz capable software defined radios. (SDR will allow for longer range.)
How far away can you complete this hack?
Commonly users and manufacturers make the mistake of believing that because wireless keyboards are designed to operate from only a few feet from the computer they operate, that the range of a hack is similarly limited. This is simply wrong. Software Defined Radios (SDRs) costing under $100 coupled with a directional antenna also costing less than $100 can, can undertake hacks from hundreds of feet away, through walls and glass, and do not have to be able to see the affected computer.
Does the victim know they are being hacked?
A KeySniffer attack is completely passive, and the victim has no way to know that an attack is or has taken place. For example, if a user has their login credentials or password stolen they might just assume it was stolen from a compromised web site.
BASTILLE NETWORKS FAQ
What is Bastille?
Bastille is the first company to detect and mitigate the rapidly emerging threats to the enterprise that are the unintended consequence of the IoT. Using a combination of next-generation sensors and software, Bastille enables the enterprise to detect, localize, and assess security risks by scanning the entire RF spectrum, gaining visibility into devices that operate on more than 100 distinct protocols.
How Does Bastille Help Businesses?
Bastille helps enterprise organizations protect cyber and human assets while providing unprecedented visibility of IoT devices that could pose a threat to network infrastructure.
Why is the Bastille Solution Needed?
By the year 2020, 50 billion devices will be connected to the Internet, with some 5 billion of these devices in the enterprise. With no true IoT security regulations mandated, many of these devices contain vulnerabilities that can be exploited by hackers and be used as a portal to infiltrate a network.
How Prevalent are IoT Threats?
Every major IoT protocol has already been hacked: Bluetooth, EnOcean, ZigBee, and Z-Wave. From wireless computer accessories to wearables, toys, and even automobiles, hackers are constantly exploiting IoT devices. This trend will only increase in the future. Today organizations do not have visibility into the full RF spectrum and the devices using it within their environment. Bottom line: you can’t protect what you can’t see.
How does the Bastille Solution work?
Bastille’s proprietary software and sensor technology safely and privately scans a corporation’s airspace, giving security personnel visibility into every emitting device on a premise. This allows companies to accurately quantify risk and mitigate threats.
How Does Bastille Make Companies More Secure?
First, you can’t protect what you can’t see. Bastille provides Situational Awareness via ambient detection to enable security teams to prevent RF data leakage by identifying airborne threats and flows. The patentedsolution also provides complete, comprehensive visibility into the location and movement of each IoT device – helping protect physical and human assets.
What Differentiates Bastille From the Competition?
Bastille is the first and only company to completely secure the enterprise by identifying airborne threats in the full RF Spectrum from 100 MHz to 6 GHz and allowing for preemptive response.