Using a wireless keyboard? Your passwords can easily be spied on
27 JULY 2016 • 10:51AM www.telegraph.co.uk
People using low-cost wireless keyboards are at risk of having their passwords read, according to researchers.
Eight major keyboard brands accounting for millions of devices in use across the world were shown to have a security hole that could let hackers up to 100m away read every letter a victim types.
The attack, called KeySniffer, could allow hackers to eavesdrop on card details, passwords, usernames and answers to security questions, among other sensitive documents.
"When we purchase a wireless keyboard we reasonably expect that the manufacturer has designed and built security into the core of the product," said Marc Newlin, a researcher at Bastille, the internet of things security company that discovered the flaw.
Marc Newlin stands in front of the dozen keyboards Bastille tested in the research. CREDIT: BASTILLE
Researchers tested wireless keyboards from a dozen manufacturers and found that eight were susceptible, including models from Toshiba and HP that don't use Bluetooth to connect to a computer, but instead communicate through unencrypted radio signals.
The attack uses equipment that costs less than $100 (£76) and intercepts the signal between the keyboard and its USB receiver. Unlike Bluetooth keyboards, there are no industry standards for those that use radio signals, meaning manufacturers can make their own choices about security.
As well as being able to eavesdrop on what a victim is typing, the hack could also let an attacker remotely type onto the affected computer.
A spokesman from Kensington, one of the two vulnerable brands that have issued statements, said: "We are happy to report that, to our knowledge, no security incidents have been reported to us since this product launched.
"We have taken all necessary measures to close any security gaps and ensure the privacy of users." The company released an update to its Kensington Pro Fit Wireless Desktop Set K72324 that introduced encryption to the keyboard.
The other brand to respond, General Electric, said it was aware of the issue and "will work directly with its customers of this product to address any issues or concerns".
The $12 "crazy radio" dongle that Bastille used to test keyboards in previous research. CREDIT: BASTILLE
The researchers at Bastille previously found that hackers could remotely control more than a billion keyboards using a $12 USB radio antenna. The hack affected keyboards from big-name brands including Logitech, Dell, Microsoft, HP, Amazon and Lenovo, according to Bastille.
Separate research revealed a similar attack using a radio amplifier could unlock dozens of car models, including Ford's Galaxy, Audi's A3, Toyota's Rav4, Volkswagen's Golf GTD and Nissan's Leaf.
In France, three quarters of cars stolen in the first four months of 2015 were taken using this kind of interception, according to Traquer, the French leader in detecting and recovering stolen vehicles.
How can I protect myself?
Unfortunately there is no simple fix for the security hole. If you own one of the affected keyboards you should contact the manufacturer, who is responsible for building defences for such attacks and providing updates to their products' software.
David Emm, principal security researcher at Kaspersky Lab, said: "It's vital that manufacturers of such devices consider security at the design stage.
"If you are considering buying a wireless keyboard (or other wireless device), check that it includes security features that will safeguard any data you send or receive; and if you’re unsure, buy a wired device instead."
Is my keyboard affected?
The full list of affected devices among those the researchers tested is:
The company said: "This should not be considered an exhaustive list of all vulnerable keyboards. There may be other brands and models that are vulnerable to this, or other attacks."