Please create an account to participate in the Slashdot moderation system

 



Forgot your password?
typodupeerror
HP Security Hardware

Popular Wireless Keyboards From HP, Toshiba and Others Don't Use Encryption, Can Be Easily Snooped On (threatpost.com) 85

Reader msm1267 writes: Wireless keyboards made by eight different companies suffer from a vulnerability that can allow attackers to eavesdrop on keystrokes from up to 250 feet away, researchers warned Tuesday. If exploited, the vulnerability, dubbed KeySniffer, could let an attacker glean passwords, credit card numbers, security questions and answers -- essentially anything typed on a keyboard, in clear text. Keyboards manufactured by Hewlett-Packard, Toshiba, Kensington, Insignia, Radio Shack, Anker, General Electric, and EagleTec are affected, according to Marc Newlin, a researcher with Bastille Networks who discovered the vulnerability. Bastille gave the manufacturers of the keyboards 90 days to address the vulnerability, but most vendors failed to respond to their findings. Newlin said only Jasco Products, a company that manufactures the affected keyboard (GE 98614) for General Electric, responded and claimed it no longer manufactures wireless devices, like keyboards. As there doesn't appear to be a way to actually fix the vulnerability, it's likely the companies will eventually consider the devices end of life.
This discussion has been archived. No new comments can be posted.

Popular Wireless Keyboards From HP, Toshiba and Others Don't Use Encryption, Can Be Easily Snooped On

Comments Filter:
  • Solution found (Score:2, Insightful)

    by Anonymous Coward
    Use a wired keyboard.
    • ...use a laptop; it comes with a keyboard at no extra cost.

      (what?)

      • ...use a laptop; it comes with a keyboard at no extra cost.

        ... except for the thousands of dollars in medical expenses and lost wages when you develop carpal tunnel syndrome. I use a keyboard about 10 hours per day. There is no way I am going to do that with the crappy chiclet keyboard that came with the laptop. Also, using a built in keyboard is awkward with my 43" 4k external display [amazon.com].

        • except for the thousands of dollars in medical expenses and lost wages when you develop carpal tunnel syndrome.

          You aren't likely to develop carpal tunnel syndrome unless you're already predisposed to the condition, which is usually predicted by having a more square wrist than a more rectangular one, in addition to other anatomical features in your hand, such as its relative height and width.

          And if you are predisposed to it, then lots of actions (ranging from writing to beating the captain) can cause it when repeated often.

          If you aren't predisposed to it however, then you aren't likely to ever get it no matter how mu

      • by donaldm ( 919619 )

        ...use a laptop; it comes with a keyboard at no extra cost.

        (what?)

        Not if that laptop comes with Microsoft Windows 10, it has a perfectly good keystroke logger that is turned on by default.

        At least a desktop is fully upgradable if you so desire, unlike a laptop which has limited upgradability usually in memory and storage. Comparing performance and price a desktop wins over a laptop all the time. The only thing the laptop wins is in portability.

    • Agreed. I never wanted a wireless keyboard from the first day they existed, for three reasons. The pain of having to change and hunt down batteries, the utter and complete lack of security, and because it's pointless to be wireless. So other people just NOW realized there were security problems? Were these the same people who were surprised that their parents could see their drunken party photos on facebook?

      • by donaldm ( 919619 )

        Agreed. I never wanted a wireless keyboard from the first day they existed, for three reasons. The pain of having to change and hunt down batteries, the utter and complete lack of security, and because it's pointless to be wireless. So other people just NOW realized there were security problems? Were these the same people who were surprised that their parents could see their drunken party photos on facebook?

        Depends on your computing needs. Personally, I prefer wireless to cables and as for hunting batteries my Logitech MK710 and matching mouse I only need to change them every one to two years. I also have a popup display that tells me their battery strength. My keyboard is also encrypted between itself and the unifying receiver.

  • I'm fairly sure that these rely on the "signal that can barely reach my couch let along outside my house" method of "security" :-)

    • wireless snooping techniques confirmed: The limitations for household wireless services are strictly due to the antennas in use. Build a big/sensitive enough antenna or array of antennas and you can accurately recieve and decode most if not all of the signals, even if the consumer devices in question can't pick them up despite being much closer together.

      Just because cheap electronics seem low range given the endpoints you have available doesn't mean they actually *ARE* low range for an adversary dedicated t

      • With the right antennas, NASA routinely deciphers transmissions sent with a power comparable to a CB radio coming from three times the distance to Pluto.

        • Holy shit, my neighbor put up 123 different antennas directed at my rural home about two years ago. The three acre array seemed suspicious but I'm a trusting guy. Time to do away with my wireless keyboard.
    • by dattaway ( 3088 )

      Never underestimate the power of a high gain directional antenna. The chip antennas in the USB dongles aren't that great.

    • by AHuxley ( 892839 )
      The device range is tested, tuned, looked for, amplified by another device to just outside the building.
      Collection is then just a local device away e.g. UK spied on Russians with fake rock http://www.bbc.com/news/world-... [bbc.com] "contained electronic equipment and had been used by British diplomats to receive and transmit information".
      Thats how the range problem is never an issue. The real trick is getting nations, people, groups to use and trust leaky fully imported wireless devices.
  • I always assume wireless keyboard are cheap consumer products built by the lowest bidder and designed by people whose primary interest is getting a product out the door in advance of or for the next big release of whatever their company's actual product is.

    Most wireless keyboards' performance reflects that. It doesn't surprise me in the slightest their security is similar.

    • I always assume wireless keyboard are cheap consumer products built by the lowest bidder and designed by people whose primary interest is getting a product out the door in advance of or for the next big release of whatever their company's actual product is.

      Right, I have always wondered about this, which is why I don't use a wireless keyboard for passwords even when it is available. (Yes that means using two keyboards at times.)

      But my question: Has anyone studied how secure keyboards from Logitech, Apple, Microsoft and Dell are? You would think the big vendors would say something about it in their product descriptions, but I have never found anything on security. Anyone work for a keyboard manufacturer who can enlighten us?

      • Based on my cursory Googling:

        Microsoft keyboards have been broken for a while.
        http://arstechnica.com/securit... [arstechnica.com]

        Logitech apparently actually uses 128-bit AES, though the question of how they generate their symmetric key isn't exactly answered in a way that's satisfying.
        http://www.logitech.com/images... [logitech.com]

        Not sure about Dell. Couldn't find much on their keyboards with my cursory Googling. They seem to mostly rebrand other people's wireless keyboards?

        And Apple keyboards all seem to be bluetooth.

    • The problem is public key algorithms are too computationally expensive to do, so they're left, usually, with AES (symmetric -- pre-exchanged key). But the key-exchange for AES is hard/impossible to do without adding something else into the solution. In the end, yeah, they don't want to pay to do all that (and most buyers don't really care).
      • by Anonymous Coward

        "But the key-exchange for AES is hard/impossible to do without adding something else into the solution."

        For dedicated wireless hardware the key can be set at the factory on both the dongle and the device. A strong master key should last the lifetime of the device, and can be used to exchange session keys chosen at intervals appropriate for the application and power requirements of the device.

    • by Threni ( 635302 )

      It's like any software that comes with hardware. Printer software, camera software, random usb device software. It's always shit, written by some fucking idiot in china (nowadays it'll be their fuckwit cousin in India). When you pay for software it's usually fine otherwise the vendor will go out of business but the only requirement for "software that comes with hardware" is that it's legally functional; that is, it's not so useless that it allows the customer to immediately get their money back. That's a

  • I doubt they will withdraw these from the market.  Odds are they will do the same thing the last time issues like this became public: pretend nothing is wrong and keep selling the devices to unsuspecting users.
  • No shit sherlock (Score:5, Interesting)

    by OzPeter ( 195038 ) on Tuesday July 26, 2016 @04:00PM (#52585177)

    In 2001 Security - Logitech Wireless Mice & Keyboards Can Be Sniffed [slashdot.org]
    In 2007 Wireless Keyboard "Encryption" Cracked [slashdot.org]
    And In Feb 2016 Mousejack Attacks Exploit Wireless Keyboards and Mice [slashdot.org]

    And I am sure there are plenty more stories on slashdot just on this subject

  • [Technology] that [doesn't use encryption] is [vunerable] to [some type of data sniffing tool]

    Security researchers at firm [pick a company] have [discovered] a [flaw/bug/exploit] [enabling] the collection of [data...of which we will enumerate all types to drive the point home: passwords, logins, keystrokes, pin codes, secure access numbers, credit card information, birthdays, AC posts, or even missile launch codes!]
  • https://forums.logitech.com/t5/Keyboards-and-Keyboard-Mice/Wireless-keyboard-stream-encryption-scrambling-encoding/td-p/584316

    TL;DR: Logitech devices using both bluetooth and the unifying receiver are encrypted by default. Glad I don't have to toss out a bunch of devices.

    • Re: (Score:2, Insightful)

      by Anonymous Coward

      Too bad Bluetooth's encryption is still so easy to break.

  • by holophrastic ( 221104 ) on Tuesday July 26, 2016 @04:51PM (#52585535)

    I don't suspect that anyone ever thought that they did. Hey, my wired keyboard can be snooped on from up to a million feet above, with nothing more than a child's telescope. Good thing I'm not a target, because there's also a window nearby. Can you imagine typing on a laptop on a park bench? Martians with telescopes could see my slashdot password!

    Or, they could have better things to do.

  • I'd much prefer to hear about the keyboards that did pass the test and encrypt transmissions. Logitech, easily as popular as Microsoft and more popular than ANY of the named brands, wasn't tested? Why not?

    • Logitech, easily as popular as Microsoft and more popular than ANY of the named brands, wasn't tested? Why not?

      Their hardware is already known to be vulnerable.

      If your keyboard doesn't use bluetooth, it is certainly vulnerable.

      If your keyboard does use bluetooth, it might still be vulnerable.

  • Popular Wireless Keyboards From HP, Toshiba and Others Don't Use Wire, Can Be Easily Snooped On

    I know it's a popular joke, but it's absolutely real. If you are mildly concerned, wire beats crypto wireless, because you can implement crypto wrong a million ways, and implementing a wire wrong is not that common. Meanwhile, versus adversaries that can read the wire somehow, you'd want a wired crypto keyboard, which I'm not aware of existing.

    • by jetkust ( 596906 )

      I know it's a popular joke, but it's absolutely real. If you are mildly concerned, wire beats crypto wireless, because you can implement crypto wrong a million ways, and implementing a wire wrong is not that common.

      So how are you going to go about wiring your cellphone?

  • Still works after all these years, still secure from wireless snooping.

    • by GuB-42 ( 2483988 )

      Not really secure from acoustic snooping though...

  • I know you can pair blue tooth devices, but are newer versions of blue tooth like 4.0 encrypted and protected against someone listening in?

    Also does encryption reduce battery life on the keyboard? I stopped using 2.4Ghz wireless keyboards when someone in my house and I interfered with each others keyboards. Since then we have pretty much gone wired. But I would like a wireless keyboard for a PC connected to our TV.

    • Bluetooth 2.1 and up are pretty good security wise, links are always encrypted and pairing with SSP can also protect you from an MITM attack. (e.g. using numeric comparison or passkey entry is secure from MITM. See the relevant wikipedia page [wikipedia.org] for specifics.)

      Since encryption is required (and usually done in dedicated hardware), there shouldn't be a difference in battery life.

  • This is a reason among others why I still use wired keyboard, mouse and earpieces.
  • It seems that the cited article is touting a solution in search of a problem.

    How many computers that process secure information have wireless keyboards? How many computers that process sensitive information and have wireless keyboards are within 250 feet of an area where a person can set up a surreptitious sniffer system? Yep, the keyboard issue is really a non issue. Especially as wireless keyboards, in reality, have a range that is less than three meters. My bright idea of hooking the

"Plastic gun. Ingenious. More coffee, please." -- The Phantom comics

Working...