Bastille Discovers “KeySniffer” Vulnerability in

BastilleDiscovers“KeySniffer”VulnerabilityinWirelessKeyboardsWhichReveals
PrivateDatatoHackersinClearText
CompanyFindsMillionsofLow-CostWirelessKeyboardsAreSusceptibletoKeySnifferAttack
ATLANTA,GA–July26,2016–Bastille,thefirstcybersecuritycompanytodetectand
mitigatethreatsfromtheInternetofThings(IoT),todayunveiledamassivevulnerability
affectingthevastmajorityoflow-costwirelesskeyboards.Usinganewattackthatthe
BastilleResearchTeamhasnamed“KeySniffer,”hackerscanremotely“sniff”ALLthe
keystrokesofwirelesskeyboardsfromeightmanufacturersfromdistancesupto250feet
away.WhenconductingaKeySnifferattack,hackerscaneavesdropandcaptureevery
keystrokeavictimtypesin100percentcleartextandthensearchfor:
●
●
●
●
●
Cardnumbers,expirationdate,CVVcode
Bankaccountusernamesandpasswords
Answerstosecurityquestions:nameofyourfirstpet,mother’smaidenname,etc.
Networkaccesspasswords
Anysecrets:businessorpersonaltypedintoadocumentoremail
“Whenwepurchaseawirelesskeyboardwereasonablyexpectthatthemanufacturerhas
designedandbuiltsecurityintothecoreoftheproduct,”saidBastilleResearchTeam
memberMarcNewlin,responsiblefortheKeySnifferdiscovery.“Unfortunately,wetested
keyboardsfrom12manufacturersandweredisappointedtofindthateightmanufacturers
(two-thirds)weresusceptibletotheKeySnifferhack.”
ThekeyboardmanufacturersaffectedbyKeySnifferinclude:Hewlett-Packard,Toshiba,
Kensington,Insignia,RadioShack,Anker,GeneralElectric,andEagleTec.Vulnerable
keyboardsareeasyforhackerstodetectastheyarealwaystransmitting,whetherornot
theuseristyping.Consequently,ahackercanscanaroom,building,orpublicareafor
vulnerabledevicesatanytime.
AHistoryofWirelessKeyboardAttacks:
In2010,theKeyKerikiteamexposedweakXORencryptionincertainMicrosoftwireless
keyboards.In2015,SamyKamkar’sKeySweeperexploitedMicrosoft’svulnerability.Both
ofthosevulnerabilitiesutilizedaweaknessinMicrosoft’sencryption.
TheKeySnifferdiscoveryisdifferentinthatitrevealsthatmanufacturersareactually
producingandsellingwirelesskeyboardswithnoencryptionatall.Bluetoothkeyboards
andhigher-endwirelesskeyboardsfrommanufacturersincludingLogitech,Dell,and
LenovoarenotsusceptibletoKeySniffer.
Aspartofitsdisclosurepolicy,Bastillenotifiedaffectedvendorstoprovidethemthe
opportunitytoaddresstheKeySniffervulnerability.Most,ifnotall,existingkeyboards
impactedbyKeySniffercannotbeupgradedandwillneedtobereplaced.Tobesafe,
BastilleadvisestheuseofawiredorBluetoothkeyboard.Foracompletelistofaffected
devices,gotowww.KeySniffer.net.
Bastille’sdiscoveryofKeySniffercomesjustmonthsafterthecompanyunveiled
MouseJack,avulnerabilityaffectingmillionsofwirelessmice.Thislatestfindcoincides
withthecompany’songoingmissiontocompletelysecuretheEnterprisebyidentifying
airbornethreatsandallowingforapreemptiveresponse.
FormoreinformationonBastille,visitwww.bastille.netandfollowthemonTwitter
@bastillenetandLinkedIn.
AboutBastille
Launchedin2014,BastilleispioneeringInternetofThings(IoT)securitywithnextgenerationsecuritysensorsandairborneemissiondetection,allowingcorporationsto
accuratelyquantifyriskandmitigate21stcenturyairbornethreats.Throughitspatented
proprietarytechnology,Bastillehelpsenterpriseorganizationsprotectcyberandhuman
assetswhileprovidingunprecedentedvisibilityofwirelessIoTdevicesthatcouldposea
threattonetworkinfrastructure.Formoreinformation,visitwww.bastille.netandfollow
themonTwitter@bastillenetandLinkedIn.
MediaContact:
NoeSacoco
LMGPR
408.340.8130
[email protected]

Download Report