Research has found that wireless input devices from a number of big-name manufacturers are insecure, and that some use no encryption at all.
Security company Bastille Networks explained that the wireless input devices transmit keystrokes and mouse movements unencrypted or poorly encrypted, enabling them to be sniffed from distances of up to 100 metres.
Tens of millions of wireless keyboards and mice are in use worldwide, but a hacking tool called KeySniffer can 'sniff' the keystrokes of wireless keyboards from at least eight companies. The security flaws could enable a determined attacker to get passwords and other sensitive information from the devices.
The tool was used to test devices from 12 manufacturers, and found holes in products from eight of them. The affected brands include Anker, EagleTec, General Electric, HP Inc, Insignia, Kensington and Radio Shack. Significantly, devices from Logitech and Microsoft appear to be secure.
"Vulnerable keyboards are easy for hackers to detect as they are always transmitting, whether or not the user is typing. Consequently, a hacker can scan a room, building or public area for vulnerable devices at any time," warned Bastille in an advisory.
Part of the problem, claimed the company, is that wireless keyboards typically transmit at 2.4GHz bands using proprietary tools and, unlike Bluetooth, there is no security standard that all manufacturers can adopt.
"In order to prevent eavesdropping, high-end keyboards encrypt the keystroke data before it is transmitted wirelessly to the USB dongle. The dongle knows the encryption key being used by the keyboard, so it is able to decrypt the data and see which key was pressed," said Bastille Networks engineer Marc Newlin.
"[But] many of today's inexpensive wireless keyboards do not encrypt the keystroke data before it is transmitted wirelessly to the USB dongle.
"This makes it possible for an attacker to eavesdrop on everything a victim types, as well as transmit their own malicious keystrokes, which allows them to type directly on the victim's computer."
Only two of the eight vendors have responded to the research. Kensington said in a statement: "We have taken all necessary measures to close any security gaps and ensure the privacy of users.
"Kensington has released a firmware update that includes AES encryption. Products with the new firmware will be updated with a new part number, K72324USA."
This is not the first time that wireless keyboards and mice have been the subject of hackers' attentions.
The first research into the security of wireless devices was conducted in about 2009, and the majority were insecure until the development of KeyKeriki, a small device designed to be used surreptitiously in the target environment where it would log keystrokes for download and analysis later.
"Consider this scenario. You are in your home office and logging into your bank account using your computer that has a wireless keyboard," wrote security specialist Siva Ram at the time.
"Someone is outside your window (or has dropped the device there) and is logging your credentials. Or you are making a purchase and typing in your credit card and CVV number. Someone is getting all this information.
"Another scenario is if someone slips this device into their laptop bag and brings it to work. They can potentially log all the keystrokes from all the people in neighbouring cubicles."
A number of manufacturers have since improved the security of wireless keyboards and mice, most notably Logitech, but many manufacturers, including some big names, still don't appear to have caught up.
The KeyKeriki team exposed weaknesses in the XOR encryption used in a number of wireless keyboards from Microsoft in 2010, while an exploit called KeySweeper was developed in 2015 to take advantage of the vulnerability.
Connexin drops out of Ofcom auction due to start next week
SwiftKey users now send two billion emoji every week
Recruitment plans are 'most ambitious ever', claims Openreach HR director Kevin Brady
Samsung's under-the-hood improvements separate the S9 from the pack when it comes to the display