Keyboards may be leaking secrets, but probably not yours

Glenn Fleishman
2 August, 2016

If you’ve seen the headlines from late July about insecure wireless keyboards and you own a wireless keyboard, you may be wondering whether you should grab it and fling it under the next passing truck. Not so fast! The research, labeled KeySniffer, appears strong and deep, but not all wireless keyboards are the same.

Apple uses robust security to communicate between their input devices and host computers, as do many other manufacturers. However, if you’re using anything but an Apple wireless keyboard, mouse, or Magic Trackpad, you should consult the list of affected products.

Wireless input

A wireless keyboard and mouse can be very convenient when you don’t have enough USB ports or lack ones in the place you need them, want the flexibility to move your input devices around beyond normal cable length, or hate the clutter and unsightliness. The personal area network (PAN) Bluetooth standard was developed in part to allow wireless input peripherals like keyboards.

Bluetooth wasn’t initially a terrific solution for typing, however, because the first version had a complicated pairing process, especially on devices without screens, and didn’t manage power usage well on standalone devices. Its low throughput could lead to dropped or delayed keystrokes. It took until after 2010 before the right standards and chipsets allowed both higher-throughput and power-efficient keyboards, which is why we saw an explosion of Bluetooth wireless keyboards not long after that.

The other issue was compatibility: Not every computer included Bluetooth until just a few years ago, when everything about using it became easier and more reliable. Apple started adding Bluetooth 4 to its products in 2011. (Bluetooth can still have trouble when you have more than a few devices on the network, even though each PAN technically supports up to seven devices; Apple even offers a rare bit of frank advice about this.)

If you were an early adopter, you might have purchased a non-Bluetooth keyboard or mouse. They used much cheaper radio equipment that didn’t need to be compatible with anything, and included a USB dongle—often a tiny stub that barely extended from the port—which contained the radio system. You can still buy these, and it’s a subset of this kind of keyboard that’s the problem.

While Bluetooth includes encryption as a basic part of its operation, and the way in which it’s implemented has gradually improved over its lifetime, the KeySniffer researchers at Bastille Research found that popular proprietary wireless keyboards employ no encryption at all. Previous research had shown vulnerabilities with some keyboards and mice, but KeySniffer expands it dramatically.

The affected keyboards use one of three radio/chip systems, each of which comes from a separate manufacturer. No encryption on these configurations protects keystrokes from interception, and typing can be captured or new keystrokes injected into an affected computer. This could lead to collecting passwords, credit cards, and other personal data. If an office or company full of people bought the same gear, those are ripe pickings.

Further, unlike a previous vulnerability documented with some Microsoft wireless keyboards, these vulnerable wireless systems broadcast continuously, making it possible for an attacker to scan for any adapter attached to a computer that’s awake without waiting for users to be present and typing. With a high-gain antenna, a ne’er-do-well can be hundreds of feet away from the source. The total cost is no more than $200 in equipment, and potentially half as much.

What’s your exposure?

The affected keyboards comprise a good portion of the non-Bluetooth models on the market. They’re made or sold under the Anker, General Electric, HP, and Toshiba brand names, among others. Wired attempted to contact every company that made the list, and reported most didn’t reply; only one plans on trying to fix it and another denied the lack of encryption.

Bastille Research points to this as part of the overall problem with the Internet of Things (IoT): Smart, often single-purpose hardware devices with little or no direct interface that use proprietary, typically undisclosed standards, and come with no certification or promise. They often can’t be updated.

The Federal Trade Commission has been highlighting IoT security issues since at least 2013, but no U.S. agency has regulatory oversight to force compliance with security or other standards. The FTC can only take action if a company misrepresents what it offers, as it did with Trendnet in 2013. If the keyboards were marketed as secure and aren’t, the FTC could potentially intervene.

Sticking to industry-backed, widely adopted, lab-tested, certified standards seems like a safer course of action, and I’ve been advising for a while against buying into any ecosystem that relies on a company-developed and company-controlled protocol and involves a startup firm, which doesn’t yet have a roadmap of profitability and stability, unless you’re prepared to get burned.

Even then, industry standards need to improve. Despite Bluetooth fixing and advancing its security, even the current flavor includes a version of a legacy approach for pairing hardware like keyboards that lack a screen. That remains vulnerable, but requires a more determined hacker. Here’s a very technical rundown of why. (Wi-Fi had its issues in the past, but it’s generally considered secure now with anything but a very short WPA passphrase and with Wi-Fi Protected Setup disabled.)

If you’re using one of the keyboards that Bastille has shown lacks encryption, you should consider getting rid of it if you use it in any populated area, or work in an industry in which you have a regulatory or other burden to uphold about privacy and confidentiality. A hacker might target you or your company, or they may scan wherever they go to hoover up details. Bastille Research recommends using only Bluetooth keyboards, despite the potential of existing exploits that would allow interception. They’re less likely by far, because those exploits require more effort, and may involve more discrete targeting.

Apple pairs Bluetooth with Wi-Fi for a number of features in OS X, so disabling it when not in use with a keyboard or mouse isn’t always practical. Putting a computer to sleep or turning off a power switch on a keyboard is less intrusive and similarly effective.

This exploit isn’t that large in the context of hacks of routers and other gear, and obviously it’s not the last of its kind. Billions of IoT devices are coming online in the next few years, and few will be robustly secured or easily upgradable.
