Using a wireless keyboard? Your passwords can easily be spied on
People using low-cost wireless keyboards are at risk of having their passwords read, according to researchers.
Eight major keyboard brands accounting for millions of devices in use across the world were shown to have a security hole that could let hackers up to 100m away read every letter a victim types.
The attack, called KeySniffer, could allow hackers to eavesdrop on card details, passwords, usernames and answers to security questions, among other sensitive documents.
"When we purchase a wireless keyboard we reasonably expect that the manufacturer has designed and built security into the core of the product," said Marc Newlin, a researcher at Bastille, the internet of things security company that discovered the flaw.
Researchers tested wireless keyboards from a dozen manufacturers and found that eight were susceptible, including models from Toshiba and HP that don't use Bluetooth to connect to a computer, but instead communicate through unencrypted radio signals.
The attack uses equipment that costs less than $100 (£76) and intercepts the signal between the keyboard and its USB receiver. Unlike Bluetooth keyboards, there are no industry standards for those that use radio signals, meaning manufacturers can make their own choices about security.
As well as being able to eavesdrop on what a victim is typing, the hack could also let an attacker remotely type onto the affected computer.
A spokesman from Kensington, one of the two vulnerable brands that have issued statements, said: "We are happy to report that, to our knowledge, no security incidents have been reported to us since this product launched.
"We have taken all necessary measures to close any security gaps and ensure the privacy of users." The company released an update to its Kensington Pro Fit Wireless Desktop Set K72324 that introduced encryption to the keyboard.
The other brand to respond, General Electric, said it was aware of the issue and "will work directly with its customers of this product to address any issues or concerns".
The researchers at Bastille previously found that hackers could remotely control more than a billion keyboards using a $12 USB radio antenna. The hack affected keyboards from big-name brands including Logitech, Dell, Microsoft, HP, Amazon and Lenovo, according to Bastille.
In France, three quarters of the cars stolen in the first four months of 2015 were taken using this kind of interception, according to Traquer, the French leader in detecting and recovering stolen vehicles.
How can I protect myself?
Unfortunately there is no simple fix for the security hole. If you own one of the affected keyboards you should contact the manufacturer, who is responsible for building defences for such attacks and providing updates to their products' software.
David Emm, principal security researcher at Kaspersky Lab, said: "It's vital that manufacturers of such devices consider security at the design stage.
"If you are considering buying a wireless keyboard (or other wireless device), check that it includes security features that will safeguard any data you send or receive; and if you’re unsure, buy a wired device instead."
Is my keyboard affected?
The full list of affected devices among those the researchers tested is:
Anker Ultra Slim 2.4GHz Wireless Compact Keyboard
EagleTec KS04 2.4 GHz Wireless Combo keyboard
General Electric 98614 wireless keyboard
HP Wireless Classic Desktop wireless keyboard
Insignia Wireless Keyboard NS-PNC5011
Kensington ProFit Wireless Keyboard
RadioShack Slim 2.4GHz Wireless Keyboard
Toshiba PA3871U-1ETB wireless keyboard
The company said: "This should not be considered an exhaustive list of all vulnerable keyboards. There may be other brands and models that are vulnerable to this, or other attacks."