Every keystroke you make on some wireless keyboards can be spied on by hackers lurking nearby, according to research released Tuesday by the cybersecurity firm Bastille. The “vast majority” of low-cost wireless keyboards are vulnerable to an attack that researchers have dubbed “KeySniffer,” according to the company.
“When we purchase a wireless keyboard we reasonably expect that the manufacturer has designed and built security into the core of the product,” Marc Newlin, the Bastille researcher who discovered the vulnerability, said in a news release. “Unfortunately, we tested keyboards from 12 manufacturers and were disappointed to find that eight manufacturers (two-thirds) were susceptible to the KeySniffer hack.”
The attack allows hackers up to 250 feet away to eavesdrop on people as they type — potentially sucking up credit card numbers, usernames, passwords and personal information shared with confidants, according to the researchers. The heart of the problem is that, unlike more costly models, the identified keyboards don’t encrypt their connections to computers, which leaves them vulnerable to a hacker with special equipment costing less than $100.
The issue does not affect Bluetooth keyboards because they are subject to industry standards that require stronger security measures, according to Bastille. However, the company said some keyboards from major manufacturers, including HP and Toshiba, that rely on radio signals are vulnerable. In HP’s case, Bastille found that its HP Wireless Classic Desktop keyboard was vulnerable, while Toshiba’s PA3871U-1ETB wireless keyboard was also affected. HP and Toshiba did not immediately respond to a request for comment.
Kensington, the maker of another vulnerable keyboard called the Kensington ProFit Wireless Keyboard, released a statement saying it has taken “all necessary measures to close any security gaps and ensure the privacy of users” and has released a firmware update for the device that includes encryption. You can find a full list of the affected devices here.
Bastille says that it reached out to manufacturers before going public with its research but that many of the devices cannot be updated to defend against the attacks. The cybersecurity firm recommends replacing the keyboards with Bluetooth or wired models. It remains unclear whether any of the keyboard makers plans to offer refunds or replacements to consumers who purchased the vulnerable models.