New IoT Threat Exploits Lack of Encryption in Wireless Keyboards
The researchers who discovered MouseJack reveal a new vulnerability that allows attackers to remotely "sniff" keystrokes of some wireless keyboards.
Even though the Internet of Things (IoT) is still quite new, hackers are relying on some pretty old vulnerabilities – like a lack of encryption -- to compromise IoT devices.
A research team from Bastille, a cybersecurity company that specializes in detecting and mitigating threats from the IoT, earlier this year published its findings on a vulnerability called MouseJack that affected most wireless, non-Bluetooth computer keyboards and mice on the market.
KeySniffer vs. MouseJack
The same team, led by Bastille researcher Marc Newlin, today published information on an even more insidious vulnerability it calls KeySniffer. Like MouseJack it exploits weaknesses in security associated with software-defined radio transceivers used in wireless keyboards. But unlike MouseJack, which primarily allows a hacker to inject keystrokes and type on a victim's machine, KeySniffer attacks by sniffing keystrokes. That means KeySniffer can be a passive attack in which the victim is unaware that keystrokes are being sniffed, Newlin explained.
Another key difference: MouseJack requires a potential victim to be present and using a device's mouse for an attacker to identify the vulnerable device and its radio address. But this is not necessary with KeySniffer because the USB dongles used in wireless keyboards transmit packets of information every 16 milliseconds, Newlin said. "That way, the keyboard can find the dongle – but it also means an attacker can quickly survey an area for vulnerable devices."
The MouseJack and KeySniffer vulnerabilities are both a bit surprising, given that a different security research team revealed an encryption vulnerability in certain Microsoft wireless keyboards in 2010; that vulnerability was successfully exploited by a hacker called Samy Kamkar, who used it to create an inexpensive device called KeySweeper that looked like a USB charger and sniffed, decrypted, logged and transmitted the information typed into keyboards with the vulnerability.
Lack of Encryption
When Newlin and the Bastille team purchased 12 popular wireless keyboards to evaluate, they found four of them transmitted encrypted communications and thus did not have the KeySniffer vulnerability. The other eight, however, transmitted keystrokes in cleartext.
A list of the keyboards with the KeySniffer vulnerability, which includes devices from Hewlett-Packard, Toshiba, General Electric and Radio Shack, can be found on a website created by Bastille, which also offers technical details on how the vulnerability can be exploited.
"Unlike MouseJack, which uses well documented chips, we had to reverse engineer the chips in the wireless keyboards. We assumed we'd be looking for weaknesses in protocols or encryption. But as it turned out, as soon as we finished reverse engineering they were transmitting in cleartext – so that was the end of the story in terms of finding vulnerabilities," Newlin said. "After the 2010 vulnerability played out, my thinking was vendors would begin using encryption more regularly. But the keyboards we evaluated all came to market in the last two to three years, so that doesn’t seem to be the case."
Newlin said the attack he devised, using some $100 worth of equipment purchased from Amazon, can be conducted within a radius of about 250 feet of vulnerable wireless keyboards. However, he said it could be amplified with better gear. Attackers could also construct a small device that could be easily concealed and left behind in an area to record keystrokes, either transmitting information back to a hacker or retrieved later.
"That would be a much more severe attack because you could capture all of a device's keystrokes over an extended period of time," he said. "The technical complexity to implement a device like that is fairly low. We have no evidence that the vulnerability is being exploited in the wild, but based on the lack of complexity it would be very conceivable to do without a lot of time or effort."
In addition, he said, an attacker could inject keystrokes into a computer using information gathered from sniffing. "Doing that would be a pretty comprehensive way to gather information from someone's computer."
While Bastille notified all eight vendors of the KeySniffer vulnerability, it has only had a conversation with General Electric, Newlin said. General Electric does not manufacture the vulnerable keyboard; it was produced by a company called Jasco that licenses the GE name to put on the product. In speaking with Jasco, Bastille found it is no longer manufacturing wireless keyboards and mice. This means the company will not patch the product, as it no longer makes it. None of the vulnerable keyboards can accept a firmware update to prevent the vulnerability.
"Most of these vendors do not manufacture their own keyboards. They use a lot of different OEMs, and many of them use keyboard-specific transceivers so they do not even know how the thing communicates," Newlin said. "The abstraction makes it even more difficult for vendors to respond to these vulnerabilities."
Vendors need to do a better job of working with their OEMs to ensure security is built into their products from the start, said Ivan O'Sullivan, Bastille's chief risk officer.
"Keyboards from three vendors – Logitech, Dell and Lenovo -- are not susceptible to KeySniffer because they designed encryption in from the beginning," O'Sullivan said. "Vendors need to say to their contract manufacturers: 'It is critical to us that you provide us with a secure device that has a high level of encryption.' For example, they could have chosen to specify the use of a Nordic semiconductor chip that transmits encrypted keystrokes, but they didn't."
The proliferation of low-cost wireless radios combined with the use of proprietary communications protocols instead of industry-standard ones like Bluetooth is "making it easier for people to be able to pick these devices apart and find these kinds of vulnerabilities," Newlin said.
O'Sullivan agreed, noting that, "Ten years ago software-defined radio was a military-grade technology, but now there are so many software-defined radios under a thousand bucks. That puts it in the hands of a whole new group of people."
Wired keyboards are the easiest and best way to avoid these kinds of vulnerabilities, Newlin said. Bluetooth is the next best option. "Even though there are encrypted wireless keyboards that use proprietary protocols, it is just a safer call to use an industry-standard protocol," he said.
Ann All is the editor of Enterprise Apps Today and eSecurity Planet. She has covered business and technology for more than a decade, writing about everything from business intelligence to virtualization.