At first glance, a new hacking technique looks pretty scary. Using an attack researchers at cybersecurity firm Bastille are calling "keysniffer," hackers can detect every key you press on your wireless keyboard.
That means they can pick up your passwords, and maybe the answers to your security questions, like your mother's maiden name, too. The flaw affects keyboards manufactured by big names, like HP, Toshiba and General Electric. So far, bad news.
The good news? To use "keysniffer" on you, hackers would have to be almost close enough to literally smell you. The attack works within 250 feet, which is about three-fourths the length of a football field. So international hackers aren't going to get you, and neither is anyone else who isn't in your physical neighborhood. Like many vulnerable internet-connected devices, these keyboards are most at risk when someone with bad motives happens to be nearby -- or, more likely, has specifically targeted you. The same was true of flaws found in Hello Barbie, a doll that connects to Wi-Fi and learns to interact with its small human friends.
Still, the reason your keyboard might be a touch vulnerable is disconcerting. The vulnerable keyboards are sending each tip tap you type out over an unencrypted connection, according to Bastille researchers. That means the data flowing from your keyboard to your computer isn't scrambled up in any way, and it's no sweat for hackers to intercept and read.
Researchers from Bastille, led by researcher Marc Newlin, said they tested low-cost keyboards from 12 different manufacturers. In addition to keyboards from HP, Toshiba and General Electric (which licenses its name to manufacturer Jasco for the keyboards) wireless keyboards from Kensington, Insignia (a Best Buy brand), Radio Shack, Anker and EagleTec were vulnerable.
Denise Nelson, a spokeswoman for Kensington, said the company was working with Bastille on security issues. "They have taken all measures that they possibly can to close any security gaps," she said. Nelson said new Kensington keyboards would have an encrypted connection going forward. However, she did not know whether wireless keyboards already in use were still unencrypted. She added the Kensington support team was ready to help customers resolve any issues.
For its part, Jasco is aware of the report from Bastille and "will work directly with its customers of this product to address any issues or concerns," the company said in a statement. "Jasco Products Company is committed to delivering secure products to its customers and would like to express its appreciation to Bastille Threat Research Group for reporting these issues," the statement continued.
The rest of the manufacturers named by Bastille did not immediately respond to requests for comment. Bastille has a list of the exact models affected on its website. "When we purchase a wireless keyboard we reasonably expect that the manufacturer has designed and built security into the core of the product," Bastille researcher Newlin said in a statement.
110 Reykjavik, Iceland