Subscribe / Unsubscribe Enewsletters | Login | Register

Pencil Banner

Keyboards may be leaking secrets, but probably not yours

Glenn Fleishman | Aug. 1, 2016
Some wireless keyboards use little or no security to protect what you're typing. Check your model.

If you've seen the headlines from late July about insecure wireless keyboards and you own a wireless keyboard, you may be wondering whether you should grab it and fling it under the next passing truck. Not so fast! The research, labeled KeySniffer, appears strong and deep, but not all wireless keyboards are the same.

Apple uses robust security to communicate between their input devices and host computers, as do many other manufacturers. However, if you're using anything but an Apple wireless keyboard, mouse, or Magic Trackpad, you should consultthe list of affected products.

Wireless input

A wireless keyboard and mouse can be very convenient when you don't have enough USB ports or lack ones in the place you need them, want the flexibility to move your input devices around beyond normal cable length, or hate the clutter and unsightliness. The personal area network (PAN) Bluetooth standard was developed in part to allow wireless input peripherals like keyboards.

Bluetooth wasn't initially a terrific solution for typing, however, because the first version had a complicated pairing process, especially on devices without screens, and didn't manage power usage well on standalone devices. Its low throughput could lead to dropped or delayed keystrokes. It took until after 2010 before the right standards and chipsets allowed both higher-throughput and power-efficient keyboards, which is why we saw an explosion of Bluetooth wireless keyboards not long after that.

The other issue was compatibility: Not every computer included Bluetooth until just a few years ago, when everything about using it became easier and more reliable. Apple started adding Bluetooth 4 to its products in 2011. (Bluetooth can still have trouble when you have more than a few devices on the network, even though each PAN technically supports up to seven devices; Apple even offers a rare bit of frank advice about this.)

If you were an early adopter, you might have purchased a non-Bluetooth keyboard or mouse. They used much cheaper radio equipment that didn't need to be compatible with anything, and included a USB dongle-often a tiny stub that barely extended from the port-which contained the radio system. You can still buy these, and it's a subset of this kind of keyboard that's the problem.

While Bluetooth includes encryption as a basic part of its operation, and the way in which it's implemented has gradually improved over its lifetime, the KeySniffer researchers at Bastille Research found that popular proprietary wireless keyboards employ no encryption at all. Previous research had shown vulnerabilities with some keyboards and mice, but KeySniffer expands it dramatically.

Keyboards that use one of three radio/chip systems, each of which comes from a separate manufacturer. No encryption on these configurations protects keystrokes from interception, and typing can be captured or new keystrokes injected into an affected computer. This could lead to collecting passwords, credit cards, and other personal data. If an office or company full of people bought the same gear, those are ripe pickings.

 

1  2  3  Next Page 

Sign up for Computerworld eNewsletters.