Friday, December 16, 2016
The developers behind the SwiftKey keyboard disabled its cloud sync feature after users reported that other people's email addresses and phone numbers were appearing on the prediction bar: the keyboard's predictive text feature was suggesting other users' contact details to them. Users also reported incidents of their language settings changing without their knowledge.
The SwiftKey keyboard application stores each user's input history in the cloud and uses it to personalize the predictive text feature separately for each user. It turned out, however, that an issue in the SwiftKey cloud service was causing users to receive data derived from other people's keystrokes.
For now, the company maintains that there is no reason to panic and that the problem is not really a security issue.
The smart keyboard mixed up user preferences. It’s a good thing it didn't perform any actions on their behalf!
I reverse engineered the Logitech dongle DFU process so they can run custom firmware and be used for nRF24L sniffing/injection.
He turned the Unifying dongle into a sniffer. As far as I can tell, attackers can also send fake clicks to the Logitech dongle.
Let's assume that you left your desktop or laptop computer unattended and locked the screen, but the receiver for your wireless keyboard is still connected to it. Does this mean criminals can unlock the system remotely and do whatever they want?
Wireless keyboards can also be used to spy on users.
Samy Kamkar crafted a device that covertly collects data from the wireless keyboards of certain manufacturers including Microsoft.
Kamkar's device looks like an ordinary USB charger. Leave it in a room where wireless keyboards are in use and it will log every keystroke.
The gadget can run from an internal battery as well as from an electrical outlet. If you unplug it, the red LED indicator turns off, but the device keeps working.
Information about the package contents, an assembly manual, and KeySweeper software download links are published on Samy Kamkar's blog at GitHub.
Wireless keyboards manufactured by Hewlett-Packard, Toshiba, Kensington, Insignia, Radio Shack, Anker, General Electric, and EagleTec contain a vulnerability that lets attackers intercept keystrokes from a distance of up to 75 meters.
It turned out that 8 out of the 12 keyboards examined do not encrypt the data they transmit.
"As far as I know, there is no way to update the firmware for these devices, because it is hardcoded in the chip on the board. That's why there is no way to solve the problem by somehow toggling on encryption," Marc Newlin said.
Earlier, the same Bastille Networks researcher had reported that commands could be injected remotely into wireless mice. From a distance of 225 meters he was able to send signals that imitated keystrokes (rather than mouse clicks), and the operating system accepted them as genuine input, performing the corresponding actions or inserting characters into a text editor.
The Anti-virus Times recommends
Unfortunately, device manufacturers still rarely care about user safety.
Many IoT devices aren't designed to receive firmware updates, or the update procedure is far too complicated. Take, for example, the 2015 incident in which 1.4 million Fiat Chrysler vehicles were recalled to close a vulnerability that allowed criminals to compromise them over a wireless network. To install the update, owners had to bring their vehicles to a Fiat Chrysler dealer or perform the procedure themselves with a USB key. In practice, a significant number of the affected vehicles never received the update because the procedure was too difficult. Consequently, those vehicles remain exposed to attack even though all their other components work perfectly.
An anti-virus (like any other security software) is powerless unless it is already installed on the target device, and realistically only the manufacturer is in a position to do that. Users are very unlikely to be able to install anti-virus software on devices of this kind themselves.
Shouldn't we be asking manufacturers whether they have implemented any measures to protect users from attacks, and whether, when vulnerabilities are found (and they will be!), they will update their firmware to get rid of them? Or should we simply follow this recommendation:
Bastille Networks recommends that all users whose keyboards are affected by the vulnerability discard their keyboards in favour of wired or Bluetooth keyboards.