Cybersecurity firm uncovers major vulnerabilities on wireless keyboards

Information typed on a wireless keyboard could be easily intercepted, a cybersecurity research firm has warned.

According to San Francisco-based Bastille keyboards transmitted what was being typed in "clear text", which made it possible for attackers to listen in on from up to 76 metres away.

The firm added that it was not possible to update the affected keyboards which should be replaced.

The researchers came across 12 different companies producing vulnerable keyboards.

Bastille added that none of the firms had taken measures to warn users or to rectify the issue in future products, Bastille said.

"We went into a bunch of big box stores and purchased wireless keyboards," said Ivan O'Sullivan, Bastille's chief research officer.

"We were shocked to find that two-thirds transmitted all of their data in clear text, no encryption," BBC News reported. "We did not expect to see this. We didn't think it would be in clear text. Hackers can intercept all the keystrokes from your keyboard up to 250 feet away. Through glass, walls, floors."

The affected keyboards used radio signals to transmit what the user was typing and the researchers used a cheap, USB-powered radio antenna, to follow what was being typed. They were also able to control the keyboard, inserting their own keystrokes.

The same researchers had earlier this year  uncovered glaring vulnerabilities in many wireless mice.

Bastille has dubbed the vulnerability KeySniffer. The vulnerability puts password, credential, security secret, or intellectual property byproduct that is typed, at risk of eavesdropping and capture by attackers.

According to Bastille, manufacturers' products did not encrypt data transmitting between their keyboards and the USB dongle that wirelessly connects it to a computer.

Marc Newlin of Bastille said eight of the 12 manufacturers tested for KeySniffer were vulnerable, including Hewlett-Packard, Toshiba, Kensington, Insignia, Radio Shack, Anker, General Electric, and EagleTec.

While in earlier wireless keyboard attack discoveries such as 2010's KeyKeriki and 2015's KeySweeper, weaknesses were exploited in Microsoft's encryption for its keyboards, this one is different because it showed that the affected manufacturers did not encrypt transmissions at all.