
Your wireless keyboard may be giving up your secrets.
With an antenna and wireless dongle worth a few bucks, and a few lines of Python code, a hacker can passively and covertly record everything you type on your wireless keyboard from hundreds of feet away. Usernames, passwords, credit card data, your manuscript or company's balance sheet -- whatever you're working on at the time.
It's an attack that can't be easily prevented, and one that almost nobody thought of -- except the security researchers who found it.
Security firm Bastille calls it "KeySniffer," a set of vulnerabilities in conventional, low-cost non-Bluetooth wireless keyboards that can allow a hacker to eavesdrop from a distance.
Here's how it works: some wireless keyboards use proprietary and mostly unsecured and untested radio protocols to connect to a computer -- unlike Bluetooth, a known wireless standard that's been tried and tested over the years. These keyboards are always transmitting, making it easy to find and listen in from afar with the right equipment. And because these keystrokes aren't encrypted, a hacker can read everything a person types, and directly type on a victim's computer.
The attack is so easy to carry out that almost anyone can do it -- from petty thieves to state actors.
Marc Newlin, a researcher at the company who found the flaw, said it was "pretty alarming" to discover.
"A hacker can 'sniff' all of the keystrokes, as well as inject their own keystrokes on the computer," he explained on the phone this week.
The researchers found that eight out of 12 keyboards from well-known vendors -- including HP, Kensington, and Toshiba -- are at risk of eavesdropping, but the list is far from exhaustive.
The scope of the problem is so significant that the researchers fully expect that "millions" of devices are vulnerable to this new attack.
Though not all wireless keyboards are created equal and many are not susceptible to the eavesdropping vulnerability, there is an easy fix to a simple problem.
"Get a wired keyboard," the researchers said.