from the pay-attention-there-is-gonna-be-a-quiz dept.
Arthur T Knackerbracket has found the following story:
Millions of low-cost wireless keyboards are susceptible to a vulnerability that reveals private data to hackers in clear text.
The vulnerability – dubbed KeySniffer – creates a means for hackers to remotely “sniff” all the keystrokes of wireless keyboards from eight manufacturers from distances up to 100 metres away.
“When we purchase a wireless keyboard we reasonably expect that the manufacturer has designed and built security into the core of the product,” said Bastille Research Team member Marc Newlin, responsible for the KeySniffer discovery. “Unfortunately, we tested keyboards from 12 manufacturers and were disappointed to find that eight manufacturers (two thirds) were susceptible to the KeySniffer hack.”
The keyboard manufacturers affected by KeySniffer include: Hewlett-Packard, Toshiba, Kensington, Insignia, Radio Shack, Anker, General Electric, and EagleTec. Vulnerable keyboards are always transmitting, whether or not the user is typing. Consequently, a hacker can scan for vulnerable devices at any time. A complete list of affected devices can be found here.
Wireless keyboards have been the focus of security concerns before. In 2010, the KeyKeriki team exposed weak XOR encryption in certain Microsoft wireless keyboards. Last year Samy Kamkar’s KeySweeper exploited Microsoft’s vulnerabilities. Both of those took advantage of shortcomings in Microsoft’s encryption.
(Score: 0) by Anonymous Coward on Wednesday July 27 2016, @09:57AM
No wireless keyboards for me, but I did compromise on a wireless mouse. Also I don't trust touchscreen keyboards for valuable passwords.
(Score: 0) by Anonymous Coward on Wednesday July 27 2016, @10:06AM
What's the security risk here specifically, other than generic smartphone surveillance issues? Haptic feedback being recorded by a microphone?
(Score: 0) by Anonymous Coward on Wednesday July 27 2016, @10:14AM
Your fingerprints on the glass.
(Score: 0) by Anonymous Coward on Wednesday July 27 2016, @10:28AM
That could be solved by randomizing the position of keys when password fields are being used. Not a feature I've seen, but...
(Score: 1) by fraxinus-tree on Wednesday July 27 2016, @10:36AM
Have you ever tried to type on a randomized keyboard? Or even on a different keyboard layout?
(Score: 0) by Anonymous Coward on Wednesday July 27 2016, @10:43AM
Tap, tap, tap. Argh. So many touchscreens. I've forgotten how to touch-type! This Star Trek TNG future sucks.
(Score: 0) by Anonymous Coward on Wednesday July 27 2016, @10:44AM
It's a 8-64 character password, not a 140 character tweet or 1,500 word essay.
(Score: 2, Funny) by Anonymous Coward on Wednesday July 27 2016, @01:11PM
For you maybe... I use inspiring quotes from my manager: "The Acting Senior Manager of IT Operations institutionalizes future differentiators." or "The Chief Technical Catalyst standardizes a consistency at the individual, team and organizational level. The customers iterate high-level pyramids."
(Score: 2) by edIII on Wednesday July 27 2016, @09:04PM
Then we come up with an icon based password dictionary titled "PHBs in their natural habitat"...
{manager}-{tps reports}-{hell_spike}-{anal_pineapple_bomb}-{rectal_prolapse}
{CEO}-{douchenozzle}-{space_ship}-{air_lock}-{surface_of_sun}
{PHB}-{etcha_sketch}-{laptop_shake}-{technical_documentation}
Randomize the icons on the screen, choose your actor, attributes, story, and final outcome :) It may double as a corporate stress reducer, unless forced to enter it during a major presentation.......
Technically, lunchtime is at any moment. It's just a wave function.
(Score: 2) by SomeGuy on Wednesday July 27 2016, @12:27PM
There is absolutely no need to worry about that. Nobody is going to go to all the trouble of lifting prints from your grease covered computer screen (how do you read through that anyway?) to get access to your fingerprint locked devices.
They'll just cut off your finger.
ROFL biometrics.
(Score: 0) by Anonymous Coward on Wednesday July 27 2016, @05:20PM
No, he's talking about how the position of the 4 smudges on your phone screen reveals the 4 digits of your unlock code, not lifting the fingerprints themselves.
(Score: 2) by Scruffy Beard 2 on Wednesday July 27 2016, @07:33PM
Have you tried to figure out a password from looking a fingerprints? Touch-screens have too many fingerprints to easily discern the ones caused by entering the password.
My own password has mixed case, which requires the use of the shift "button".
My larger concern is that the phone may not do enough key-stretching to make my password secure against an off-line attack (I have device encryption enabled, but long passwords are almost impossible on a touch-screen)..
(Score: 0) by Anonymous Coward on Wednesday July 27 2016, @10:38AM
Screenshots.
(Score: 4, Insightful) by Aiwendil on Wednesday July 27 2016, @10:46AM
Seriously - up until wireless HIDs starts to handle KVM and for that matter work _before_ the OS is loaded it will just be another hassle with high latency and battery-issues and laughable short lifespan.
I fail to see any non-trivial situation where one could resonably rely on a wireless keyboard.
Oh, and I would be interested in a list of wireless keyboards that encrypt properly (setting up a media centre) and are OS agnostic/works with the generic keyboard drivers/modules
And now get off my lawn before I beat you silly with my 1391411 and resume typing.
(Score: 0) by Anonymous Coward on Wednesday July 27 2016, @12:59PM
I guess I could see a usecase for wireless keyboards where it needs to be switched between computers in different rooms a lot (so you would need the display)... but, to be honest, I fail to see why a USB would not be just fine even in that situation. Even moreso, if you're so concerned about security that you can't SSH into the various machines, then I'm pretty sure you'll stay away from wireless anything.
(Score: 1, Insightful) by Anonymous Coward on Wednesday July 27 2016, @01:36PM
Use case for wireless for every client I've had that wanted them, was to reduce the number of cables on people's desks.
(Score: 1, Funny) by Anonymous Coward on Wednesday July 27 2016, @03:30PM
What's wrong with wires? They work great and you don't have to keep changing batteries in keyboards and mice. Wireless mice I can kind of see being useful with laptops, but wireless keyboards? WTF. Even with a tablet I'd want it wired if possible.
(Score: 0) by Anonymous Coward on Wednesday July 27 2016, @04:22PM
For a fixed keyboard on a desk? An irrational attachment to "neatness". [1]
For a mouse, I can sometimes see the value, those times being when the mouse cable snags on something and prevents it from moving in the direction I wanted it to move
[1] Note that in the "desk" environment the wire to the wired keyboard could have been hidden within the desk such that the look of the desk with a wired keyboard was identical to the look of the desk with a wireless keyboard
(Score: 2) by frojack on Wednesday July 27 2016, @07:20PM
Yeah, that battery changing every odd numbered year is really starting to impact the budget.
I've found that wireless mice wring every last joule of energy out of a battery. I often put batteries from lights and radios and other gadgets into my drawer for feeding the mouse. It will get at least another 9 months out of a supposedly dead battery.
Where wired makes a positive difference is gaming. The latency of the radio link puts you at a disadvantage that you will notice the minute you revert back to a wired mouse.
No, you are mistaken. I've always had this sig.
(Score: 2) by edIII on Wednesday July 27 2016, @10:16PM
Yep. I just replaced a single AAA battery that started affecting the click on the mouse. May have lasted over 3 years for me at this point, and it was the original factory battery. At the end though, I was turning it off and back on every 5 minutes :) I was determined to go for a record.
In all seriousness though, wireless keyboards and mice rock for low power. I've had several Logitech solar power keyboards and they just plain work. Even at low low power they're still working, but "hitching". I bet it would run off a 30W light bulb deep underground with no issues. What we need is a solar powered mouse.... two of them. Leave one in the sun, and use the other. Switch and repeat.
The security issue can be handled very easily with OTP and be uncrackable (the signal at least). Biggest challenge is key exchange, but if you allow that to happen via USB, it requires the attackers to be close enough for sophisticated side-channel attacks. A 1GB flash chip embedded in the devices is very adequate to handle the actual amount of information being exchanged between HID devices and their host systems. Large enough, and you can support profiles for multiple host systems. I'd go further and allow a bonus for the ultra-paranoid of both charging the devices and allowing *wired* operation to replace the wireless whenever directly plugged into the host system, still using OTP to make it that much harder for side-channel attacks to succeed. You can go wireless, but only 50 miles outside of civilization and if you're covered in tin-foil head to toe ;)
Technically, lunchtime is at any moment. It's just a wave function.
(Score: 2) by Knowledge Troll on Wednesday July 27 2016, @02:52PM
Seriously - up until wireless HIDs starts to handle KVM and for that matter work _before_ the OS is loaded it will just be another hassle with high latency and battery-issues and laughable short lifespan.
(additional emphasis mine)
Uhhhhhhhh what? Ok it is early, the coffee is just starting to kick in, but I've read this twice and I'm still going WTF. Question: are you only thinking of Bluetooth? My keyboard uses one of those tiny easy to lose dongles (and it has been 5 years now with out losing it; most of the time it lives on the end of another larger USB hub).
To confirm my wireless keyboard is a standard USB HID I just validated I can interrupt boot and drive the BIOS configuration with it. No OS loaded.
I agree with almost everything you said (though probably not for the same reasons) except the part about HID not functional until OS loads. I can't figure that one out.
The fact that the wireless keyboard can drive the BIOS is one part of why the dongle is disconnected aside from the rare cases where I want to actually use a keyboard while not sitting at my desk but I can still see some display device.
(Score: 2) by Aiwendil on Wednesday July 27 2016, @03:31PM
Mind telling me what make and model that is? Since I so far have a 100% failure rate (I was in the habit of borrowing wireless keyboards from friends until I gave up, some 15 or so keyboards in)
Nice to see that some (most - if I've just have had very bad luck) works in BIOS.
(Score: 2) by jmorris on Wednesday July 27 2016, @03:43PM
Go to Walmart, buy the Logitech, done.
Bus 003 Device 002: ID 046d:c52b Logitech, Inc. Unifying Receiver
Appears as a USB Keyboard/Mouse to BIOS and Linux. Laptop style keyboard and pointer, dongle stores in keyboard when not in use. Use it to control my MythTV when I need to do something the IR Remote can't.
(Score: 2) by Knowledge Troll on Wednesday July 27 2016, @04:24PM
Mind telling me what make and model that is?
Sure - it is a complete and total POS I got because it was the cheapest unit on the shelf. It was my first shot at these things (see my other comments for why I didn't invest much in a keyboard) and honestly I suspect it has zero or worthless security.
Manufacturer: Dynex
Product title: Wireless Keyboard Mouse Combo
Model: EMJKDX-WLCMDB02 (or possibly "oh two" as there is no slash through it)
It is old enough now I've worn off a good chunk of the lettering and one home row key nub is nearly sanded off completely by my fingers.
(Score: 2) by frojack on Wednesday July 27 2016, @05:41PM
Oh, and I would be interested in a list of wireless keyboards that encrypt properly (setting up a media centre) and are OS agnostic/works with the generic keyboard drivers/modules
Any of the newer Logitech models would be on that list.
I just picked up a compact-ish cheap Logitech Mk235 [logitech.com] keyboard+Mouse wireless usb combo for 15 bucks (half of MSLP) which indicated encrypted transmissions between the devices and the Dongle.
My use case is a Linux computer that runs headless most of the time but will have console attention frequently. ZERO problems getting it to work, Seriously, this is a long solved problem. There was nothing to install.
No, you are mistaken. I've always had this sig.
(Score: 3, Interesting) by Knowledge Troll on Wednesday July 27 2016, @02:14PM
This should come as a surprise to no one at this point. Even when wireless is "secured" the security is often garbage; especially so on cheap devices. Here are two techniques to mitigate:
1) Reduction of attack surface through minimized use: do not use the wireless keyboard all the time, when using it do not type any privileged or protected information into it, and if you are not actively using the wireless keyboard unplug the receiver. I strictly follow this.
2) Minimize RF exposure through physical placement: my wireless POTS telephones have a common base station which is placed in the basement. There is a cone of coverage that goes up and out from my house. My neighbors are blind to the base station as is the street or anything not flying. One can probably identify that the cordless phone is in use, maybe even the model, and possible might be able to sniff one side of the conversation. Won't be attaching rogue handset, making unauthorized phone calls, or checking my voice mail.
Both techniques limit the exposure of the wireless systems to the smallest duration possible while still maintaining some level of convenience. My house has been carefully scrubbed of antennas connected to computers and their RF systems. Then slowly devices are white listed using the most limited access possible. WiFi? Fuck no! But if you do have it turn it only when you need it and consider using the basement hole as I've done.
(Score: 0) by Anonymous Coward on Wednesday July 27 2016, @02:38PM
This would have been useful information three days ago when I threw away a stack of the old things. I'm sure somewhere in the back of my mind I could have known but didn't think about it at the time.
Oh well.