It's 2016 and your passwords can still be sniffed from wireless keyboards

Millions of low-cost wireless keyboards are susceptible to a vulnerability that reveals private data to hackers in clear text. The vulnerability – dubbed KeySniffer – creates a means for hackers to remotely “sniff” all the keystrokes of wireless keyboards from eight manufacturers from distances up to 100 metres away. “When we …

  1. Anonymous Coward

    Yet another driver towards 2FA

    if it were needed ...

    Also password managers protect from this weakness. Either by removing the need to type a password in the first place, or (certainly in the case of LastPass) providing a screen-based keyboard.

    Now, who mentioned TEMPEST ?

    1. Electron Shepherd

      Re: Yet another driver towards 2FA

      "password managers protect from this weakness"

      Not really. There's a lot of commercially confidential information that isn't passwords, and all of that would be readable from 100m away too. Either information that is useful in and of itself (think about all the emails sent internally by a hedge fund manager, and how useful they would be to other trading firms), or indirectly to bolster a later spear-phishing attack.

    2. Tromos
      Joke

      Re: Yet another driver towards 2FA

      "Who mentioned TEMPEST?"

      Er, Shakespeare?

      1. Anonymous Custard
        Trollface

        Re: Yet another driver towards 2FA

        Or Gerry Anderson.

        Standby for action!

  2. Flocke Kroes Silver badge

    I thought it was keykerikiki

    https://www.youtube.com/watch?v=5nRlAPtoM0g

  3. Steve Davies 3 Silver badge

    There is a reason why I use wired KB's

    apart from the inevitable battery problem.

    The same goes for rodents.

    Never mind, there will be a trojan along soon that will suck it from the wires instead.

    1. Anonymous Coward

      Re: There is a reason why I use wired KB's

      That and I remember family buying some cheap ones. Both the keyboard and the mouse went to sleep, often when in use, and required additional "thumps" to wake up again. Not much of a feature in my book.

    2. Anonymous Coward

      Re: There is a reason why I use wired KB's

      Bluetooth range is pretty short. Unless you live in an apartment with paper thin walls, I don't think people could get close enough to your keyboard to steal keystrokes. As for the mouse, what exactly are they going to learn by stealing your mouse movements and clicks?

      If you're that paranoid, you might want to consider enclosing your computer area in chicken wire to make it Tempest proof - your HDMI cable might be radiating a signal and PCs don't use HDCP between the monitor and computer!

      1. Charles 9

        Re: There is a reason why I use wired KB's

        "...and PCs don't use HDCP between the monitor and computer!"

        You mustn't have heard of Protected Media Path. Newer AMD/ATI and nVidia cards with HDMI ports CAN and DO enforce HDCP because of Protected Media Path. Otherwise, BluRay players and other DRM'd content may not allow playback at full resolution.

      2. Cynic_999

        Re: There is a reason why I use wired KB's

        Bluetooth range is short between two typical devices, but a sensitive SDR fed from a largish highly directional aerial will be able to read signals from at least 50 times the typical distance, and the cost of such a setup is trivial - under £100.

        The risk of the average person being targeted is probably less than that of being mugged, but for people who will be regularly typing information that has a high monetary value (politicians, financial workers etc.), the risk is considerably higher.

      3. Anonymous Coward

        Re: There is a reason why I use wired KB's

        All those Coffee shops with Free Wi-fi are great places to do some snooping. Be it just using your eyes and reading the screens or intercepting the WiFi traffic or tapping BT. It is little wonder that people spend their whole working day in places like that. Think of all that lovely data they are able to slurp and sell on to the Ad Slingers and/or the bad guys.

        IMHO, using WiFi in those places is just asking for trouble. If I have to do that then I do it from my Tablet. It has no banking apps, no email and no contacts to steal. I use it mostly for SatNav, Ebook reading and Picture slideshows.

        There is no way in hell that I'll connect to the Wifi from my laptop. In fact, the first thing I do is turn off WiFi in those places. What do I use it for then? Writing my latest novel that's what. Ok so I'm not yet in the league of J.K. Rowling but I do have an audience for my work even though it is small.

        Be careful out there. It is not only walls that have ears these days.

      4. Cuddles

        Re: There is a reason why I use wired KB's

        "Bluetooth range is pretty short. Unless you live in an apartment with paper thin walls, I don't think people could get close enough to your keyboard to steal keystrokes."

        What does Bluetooth range have to do with anything? As the article explicitly states, no Bluetooth keyboards were found to have a problem, it's wireless keyboards using various other radio connections that are the problem, and they could have pretty much any arbitrary range depending on what transmitter they happen to use - up to 100m away according to this report.

        "As for the mouse, what exactly are they going to learn by stealing your mouse movements and clicks?"

        Who knows? Good security generally means you're not leaking information at all, rather than simply hoping the information you are leaking isn't useful to anyone. There are endless examples of people not bothering to secure seemingly innocuous information only for someone else to prove it wasn't that innocuous after all. A recent related example would be using the accelerometer in a phone, often not secured because it can't do anything harmful, to reconstruct keystrokes from a keyboard on the same desk.

        Obviously there are limits and wrapping everything in tin foil is overkill for most people. However, deliberately broadcasting all your information in plain text for anyone to see is generally considered something to be avoided even by those who aren't especially paranoid.

  4. Anonymous Coward

    'ArseSNIFFER'

    They've started putting Bluetooth in Butt Plugs y'know!

    1. Anonymous Coward

      Re: 'ArseSNIFFER'

      Don't know why you've been down voted.

      AC because I don't want to admit in public that I know these types of device exist

  5. Swarthy

    Still Happy with Logitech

    I very rarely use wireless rat or keyboards, but when I do, I use Logitech (Anywhere Mouse Mx).

    Too bad there's not a "Most Interesting Man in the World" Icon.

    1. Charles 9

      Re: Still Happy with Logitech

      For me, my personal pet is the K400, a keyboard and touchpad all in one, making it a nice accessory for home theater setups.

    2. Ben 47

      Re: Still Happy with Logitech

      Logitech have also had security issues but they have been able to issue a firmware update

      http://forums.logitech.com/t5/Mice-and-Pointing-Devices/Logitech-Response-to-Unifying-Receiver-Research-Findings/td-p/1493878

  6. Destroy All Monsters Silver badge
    Unhappy

    I love the wireless, but I suspect wired is the only way

    "XOR encryption in certain Microsoft wireless keyboards."

    Oy vey ... I am not surprised.

    Logitech are confusing because they have their special radio dongle which is not really Bluetooth and they ALSO have Bluetooth keyboards (Bluetooth security having its own problems which suspiciously sound as if someone was trying to keep it insecure; nah, can't be... )

    Now, how hard is it to crack either of these systems??

    1. VinceH
      Coat

      Re: I love the wireless, but I suspect wired is the only way

      "Oy vey ... I am not surprised."

      Yeah... you'd think Microsoft would have upgraded to ROT130 by now - that's ten times better than ROT13.

  7. NotBob

    News flash

    Attached is a list of FBI and NSA approved keyboards.

  8. Pliny the Whiner

    Weird trick makes your ass bigger

    I use a Logitech wireless keyboard, but I'm under no illusions that I'm really "safer" than someone who uses an unencrypted product. The majority of people on Earth have no idea how to implement proper encryption, but for those that do, it's usually a simple matter to find a weakness or workaround for whatever they design. In the specific case of wired/wireless keyboards, you can make a video or audio-only recording of your typing, and in the latter case, extrapolate the unique sound of each specific key on the keyboard. Vowels and the space bar are the easiest ...

    If you'd like to remain in a chronic state of depression regarding the current state of "security engineering," follow Ross Anderson at his Website here:

    http://www.cl.cam.ac.uk/~rja14/

    Or download his entire book for free (Security Engineering - Second Edition):

    http://www.cl.cam.ac.uk/~rja14/book.html

    1. Brewster's Angle Grinder Silver badge

      Re: Weird trick makes your ass bigger

      *turns on taps*

      Acoustic analysis is harder than intercepting unencrypted wireless. And if you're going to do that, you might as well go for a hidden camera pointed at the keyboard and monitor.

      *turns off taps*

      1. Anonymous Coward

        Re: Weird trick makes your ass bigger

        *turns on noise filter*

        Unless your source of noise is in the same room as you, plods probably have the capability to screen enough of it out to STILL discern your actions. We're talking plods who can glean out tiny signals from near the radio noise floor. Compared to that, filtering out acoustics is a cakewalk.

    2. Tatsky

      Re: Weird trick makes your ass bigger

      I was just going to say can anyone remember the episode of Spooks where they convinced a guy to type out some known piece of text so they could map his keystrokes from audio, and then they were able to "listen in" on what he typed on his non web connected embassy PC.

  9. MrTuK
    WTF?

    ROFL

    I must admit I really missed this one, but then again I haven't got a wireless mouse or keyboard but this is most definitely the best reason to avoid them - lol.

  10. gollux

    Totally awesome!!!

    If you're brain dead to checking out the technology you buy, convenience always has a neat price...

    Meh, whatever... You probably are ok in a sea of blithering data and have escaped so far.

    There will always be another interesting method of compromise once you've closed this hole.

    1. Dadmin
      Facepalm

      Re: Totally awesome!!!

      I don't think it matters to this lot. Most have failed to read the most interesting bit about bluetooth devices: "Bluetooth keyboards and higher-end wireless keyboards from manufacturers including Logitech, Dell, and Lenovo are not susceptible to KeySniffer"

      Besides, you're not paranoid until you start to suspect your wired keyboard, made in China, might have a little secret that hides and waits until you are not typing to communicate with the home base about your goings on...

      Bus Wankers!

  11. Barry Rueger

    Not my biggest concern!

    As luck would have it, just bought new Logitech keyboard and mouse, wireless, on sale when my last KB started missing every third keypress.

    The possible security of my keyboard is so far down the list of security concerns that it doesn't even register.

    Then again my bank still doesn't allow "special" characters and Uppercase in passwords, so I may not be the best role model.

    1. Pascal Monett Silver badge

      Re: Not my biggest concern!

      The possible insecurity of your keyboard is indeed not something that most of us should be concerned about. Especially when scientists have the ability to ghost your keypresses from listening into the electromagnetic fluctuations that they generate.

      The real issue is: how many people are actually at risk outside of a wifi café? Not many, I'll wager.

      I'll stick to wired keyboards though, because I see no reason to make things easier for the bastards.

  12. Dr Patrick J R Harkin

    Lots of mentions of TEMPEST...

    ...but surely that only works on CRTs and now (nearly) everyone has LED/LCD screens it's obsolete.

    I'm more taken by the claim that it's possible " to .. “sniff” all the keystrokes of wireless keyboards from ... up to 100 metres away." Now, I appreciate "up to 100" includes "a maximum of 5" but this MS3000 won't do more than about 10 feet. Or is that a limitation of my receiver and they're using Arecibo-size kit?

    1. Anonymous Coward

      Re: Lots of mentions of TEMPEST...

      TEMPEST is a matter of ANY AND ALL electromagnetic leakages. CRTs are simply the most obvious, but they're paranoid enough to want checks on the fluctuations that could come from the mains cable, keyboard cables, etc. They want as close as possible to a zero-EMI device (since EMI can be picked up and interpreted) while still being functional.

      PS. As for range, think a Software-Defined Radio paired up with a well-made Yagi (highly-directional) antenna.

  13. Bob Dole (tm)
    Mushroom

    Wait just a minute here...

    They can make a reader to pull keystrokes off a wireless keyboard from 100 meters but my keyboard doesn't work if it's more than 1 meter away from the desk?

    Me thinks people at the keyboard manufacturers need to do some work on their receivers cause it's obviously not an issue with the keyboard itself.
