Further, unlike a previous vulnerability documented with some Microsoft wireless keyboards, these vulnerable wireless systems broadcast continuously, making it possible for an attacker to scan for any adapter attached to a computer that's awake without waiting for users to be present and typing. With a high-gain antenna, a ne'er-do-well can be hundreds of feet away from the source. The total cost is no more than $200 in equipment, and potentially half as much.
What's your exposure?
The affected keyboards comprise a good portion of the non-Bluetooth models on the market. They're made or sold under the Anker, General Electric, HP, and Toshiba brand names, among others. Wired attempted to contact every company that made the list, and reported most didn't reply; only one plans on trying to fix it and another denied the lack of encryption.
Bastille Research points to this as part of the overall problem with the Internet of Things (IoT): Smart, often single-purpose hardware devices with little or no direct interface that use proprietary, typically undisclosed standards, and come with no certification or promise. They often can't be updated.
The Federal Trade Commission has been highlighting IoT security issues since at least 2013, but no U.S. agency has regulatory oversight to force compliance to security or other standards. The FTC can only take action if a company misrepresents what it offers, as it did with Trendnet in 2013. If the keyboards were marketed as secure and aren't, the FTC could potentially intervene.
Sticking to industry-backed, widely adopted, lab-tested, certified standards seems like a safer course of action, and I've been advising for a while against buying into any ecosystem that relies on a company-developed and company-controlled protocol and involves a startup firm, which doesn't yet have a roadmap of profitability and stability, unless you're prepared to get burned.
Even then, industry standards need to improve. Despite Bluetooth fixing and advancing its security, even the current flavor includes a version of a legacy approach for pairing hardware like keyboards that lack a screen. That remains vulnerable, but requires a more determined hacker. Here's a very technical rundown of why. (Wi-Fi had its issues in the past, but it's generally considered secure now with anything but a very short WPA passphrase and with Wi-Fi Protected Setup disabled.)
If you're using one of the keyboards that Bastille has shown lacks encryption, you should consider getting rid of it if you use it in any populated area, or work in an industry in which you have a regulatory or other burden to uphold about privacy and confidentiality. A hacker might target you or your company, or they may scan wherever they go to hoover up details. Bastille Research recommends using only Bluetooth keyboards, despite the potential of existing exploits that would allow interception. They're less likely by far, because those exploits require more effort, and may involve more discrete targeting.