KeySniffer attack shows two-thirds of low-cost wireless keyboards prone to keystroke capture and malicious keystroke injection.


The same researchers who earlier this year uncovered glaring vulnerabilities in many wireless mice today announced a new major flaw in the majority of the market's low-cost wireless keyboards that puts users at risk of having attackers remotely sniff all of their keystrokes and even inject their own malicious keystroke commands from distances of up to 250 feet away.

Dubbed KeySniffer by the Bastille Research Team who found it, the vulnerability puts any password, credential, security secret, or intellectual property byproduct that is typed, at risk of eavesdropping and capture by attackers. The affected manufacturers' products do not encrypt data transmitting between their keyboards and the USB dongle that wirelessly connects it to a computer.

According to Marc Newlin, the member of Bastille Research Team who made the discovery, eight of the 12 manufacturers tested for KeySniffer were vulnerable, including Hewlett-Packard, Toshiba, Kensington, Insignia, Radio Shack, Anker, General Electric, and EagleTec.

Whereas previous wireless keyboard attack discoveries such as 2010's KeyKeriki and 2015's KeySweeper exploited weaknesses in Microsoft's encryption for its keyboards, this one is different because it shows that the affected manufacturers didn't encrypt transmissions at all. Even worse, attackers can sniff out KeySniffer-prone victims without them actively typing at their workstation.






The Democratic Party suffered another hack, according to two reports Friday, heightening concerns Russia might be trying to influence the US presidential election.

The Democratic Congressional Campaign Committee, a group that raises funds for the party's candidates for the House of Representatives, confirmed its computers had been breached, according to Reuters. It's unclear what data, if any, was taken.

The attack might be related to a breach of the Democratic National Committee's computer network, which was revealed earlier this month. The code used in the DCCC attack resembled that used by a Russian government-linked hacking group suspected in the DNC breach, according to Reuters.

The FBI is addressing both hacks in a single investigation, The Washington Post reported.

The Kremlin has denied involvement in both attacks, Reuters said.

Neither the DCCC nor the Russian Embassy immediately responded to a request for comment, and the FBI didn't immediately provide comment.

The DCCC attack, which took place between roughly June 19 and June 27, may have been designed to get hackers access to donors' computers, Reuters reported.

On Wednesday, Republican presidential nominee Donald Trump took heat for seeming to encourage Russia to crack into US systems. Democratic nominee Hillary Clinton's campaign manager has accused Russian hackers of releasing DNC emails to WikiLeaks to help Trump win the upcoming election. Trump's campaign didn't immediately respond to an email seeking comment.



Cybersecurity experts are leading a new program to develop new data analysis methods better to protect the nation’s power grid. The goal of this project is to develop technologies and methodologies to protect the grid from advanced cyber and threats by developing the means to distinguish between power grid failures caused by cyber attacks and failures caused by other means, including natural disasters, “normal” equipment failures, and even physical attacks.

Cybersecurity experts Jamie Van Randwyk of Lawrence Livermore National Laboratory(LLNL) and Sean Peisert of Lawrence Berkeley National Laboratory(Berkeley Lab) are leading a new program to develop new data analysis methods better to protect the nation’s power grid.

The project, “Threat Detection and Response with Data Analytics,” i  part of a $220 million, three-year Grid Modernization Initiative launched in January 2016 by the Department of Energy to support research and development in power grid modernization.




Wearable devices can give away your passwords, according to new research.

In the paper "Friend or Foe?: Your Wearable Devices Reveal Your Personal PIN" scientists from the Stevens Institute of Technology and Binghamton University combined data from embedded sensors in wearable technologies, such as smartwatches and fitness trackers, along with a computer algorithm to crack private PINs and passwords with 80-percent accuracy on the first try and more than 90-percent accuracy after three tries.

Yan Wang, assistant professor of computer science within the Thomas J. Watson School of Engineering and Applied Science at Binghamton University is a co-author of the study along with the lead researcher, his advisor Yingying Chen, from the Stevens Institute of Technology.

"Wearable devices can be exploited," said Wang. "Attackers can reproduce the trajectories of the user’s hand then recover secret key entries to ATM cash machines, electronic door locks and keypad-controlled enterprise servers."

"This was surprising, even to those of us already working in this area," says the lead researcher Chen, a multiple time National Science Foundation (NSF) awardee. "It may be easier than we think for criminals to obtain secret information from our wearables by using the right techniques.