Radio Hack Steals Keystrokes from Millions of Wireless Keyboards | WIRED

Many wireless keyboards are not safe.


  1. Tomi Engdahl says:

    Wireless Keyboards Vulnerable to Sniffing, Injection Attacks

    Wireless keyboards from several vendors don’t use encryption when communicating with their USB dongle, allowing remote attackers to intercept keystrokes or send their own commands to the targeted computer.

    The attack method, dubbed KeySniffer, was discovered by researchers at IoT security company Bastille. Experts tested non-Bluetooth wireless keyboards from 12 manufacturers and determined that devices from eight of them are vulnerable to KeySniffer attacks.

    Bastille said the affected products are inexpensive wireless keyboards from HP, Toshiba, Insignia, Kensington, Radio Shack, Anker, General Electric and EagleTec. It’s possible that products from other companies are impacted as well. Experts determined that higher-end keyboards produced by firms like Lenovo, Dell and Logitech are not affected as they encrypt communications.

    Kensington informed the security firm that it has released a firmware update to address the issue.

    This is not the first time Bastille has found such vulnerabilities. Earlier this year, the company warned that wireless mice and keyboards from several top vendors were vulnerable to so-called MouseJack attacks, where malicious actors send key press packets to a targeted computer through the affected device’s USB dongle in an effort to conduct arbitrary actions. MouseJack is particularly effective against wireless mice because these devices typically don’t use encryption and proper authentication mechanisms.


    KeySniffer is a set of security vulnerabilities affecting non-Bluetooth wireless keyboards from eight vendors. The wireless keyboards susceptible to KeySniffer use unencrypted radio communication, enabling an attacker up to several hundred feet away to eavesdrop and record all the keystrokes typed by the victim. This means an attacker can see personal and private data such as credit card numbers, usernames, passwords, security question answers and other sensitive or private information all in clear text. The equipment needed to do the attack costs less than $100, putting it in reach of many teenage hackers.

    The keyboard manufacturers affected by KeySniffer include: Anker, EagleTec, General Electric, Hewlett-Packard, Insignia, Kensington, Radio Shack and Toshiba.

    KeySniffer exposes personally identifiable information such as:

    - Card Numbers, expiration date, CVV code
    - Bank account usernames and passwords
    - Answers to security questions: Name of your first pet, mother’s maiden name, etc.
    - Network access passwords
    - Any secrets: business or personal typed into a document or email
    - Date of birth
    - Employer confidential information

    “When we purchase a wireless keyboard we reasonably expect that the manufacturer has designed and built security into the core of the product. Unfortunately, we tested keyboards from 12 manufacturers and were disappointed to find that eight manufacturers (two-thirds) were susceptible to the KeySniffer hack.”
    — Marc Newlin, Bastille Research Team member responsible for the KeySniffer discovery.

  2. Tomi Engdahl says:

    Wireless Mouse/Keyboard Dongles Expose Computers to Attacks

    Researchers at IoT security company Bastille claim to have found a way to hack computers via a vulnerability present in many wireless mouse and keyboard dongles.

    Wireless mice and keyboards communicate with computers over Bluetooth, radio frequency (RF) and infrared via a USB dongle plugged into the device. Over the past years, researchers demonstrated that the lack of strong security mechanisms used by these peripheral devices can be leveraged to log keystrokes and even send arbitrary data to a computer.

    Experts have shown that data can be easily captured by a nearby attacker from many wireless keyboards that use Bluetooth and RF. It has also been demonstrated that Bluetooth keyboard attacks in which an attacker transmits data to the device via the USB dongle are possible.

    An attacker who is within 100 meters (328 feet) of the targeted device can exploit the flaw, which Bastille has dubbed “Mousejack,” to remotely type arbitrary commands into a victim’s computer using just a $15 USB dongle connected to the hacker’s laptop. A malicious actor can use this method to download malware, steal files, and perform other activities they could normally do if they had access to the computer’s keyboard.

    Since the vulnerability affects the USB dongles shipped with wireless keyboards and mice, it can be exploited to attack any PC, Mac or Linux computer. The security hole poses a serious risk because the attacker does not need physical access to the targeted machine before carrying out malicious operations.

    For a Mousejack attack to work, the attacker must somehow pair their malicious device with the targeted dongle.

    “To prevent unauthorized devices from pairing with a dongle, it will only accept new devices when it has been placed into a special ‘pairing mode’ by the user, which lasts for 30-60 seconds,” Bastille researchers explained. “It is possible to bypass pairing mode on some dongles and pair a new device without any user interaction.”

    In a theoretical attack scenario described by Bastille, the attacker first identifies a target device by listening to RF packets transmitted when the user is typing on the keyboard or moving the mouse. The hacker can then force-pair their fake keyboard with the victim’s dongle and start transmitting key press packets to the targeted computer.

  3. Tomi Engdahl says:


    KeySweeper is a stealthy Arduino-based device, camouflaged as a functioning USB wall charger, that wirelessly and passively sniffs, decrypts, logs and reports back (over GSM) all keystrokes from any Microsoft wireless keyboard in the vicinity.

    All keystrokes are logged online and locally. SMS alerts are sent upon trigger words, usernames or URLs, exposing passwords. If unplugged, KeySweeper continues to operate using its internal battery and auto-recharges upon repowering. A web based tool allows live keystroke monitoring.

