Spies are everywhere


Keyboard tricks


The developers behind the SwiftKey keyboard disabled the cloud sync feature after users reported that other people's email addresses and phone numbers were appearing on the prediction bar. Users complained that the keyboard’s predictive text feature was suggesting other users' phone numbers and email addresses to them. They also reported incidents of the language settings changing without their knowledge.

The SwiftKey keyboard application stores user input history in the cloud and uses it to personalize the predictive text feature separately for each user. But it turned out that an issue with the SwiftKey cloud was resulting in users receiving information about other people's keystrokes.

Currently, the company is claiming that there is no reason to panic and that the problem isn’t really a security issue.

https://blog.swiftkey.com/important-information-relating-to-the-status-of-our-sync-services

http://www.anti-malware.ru/news/2016-08-01/20502

The smart keyboard mixed up user preferences. It’s a good thing it didn't perform any actions on their behalf!

I reverse-engineered the Logitech dongle DFU process so they can run custom firmware and be used for nRF24L sniffing/injection.

https://twitter.com/marcnewlin/status/756229468851695616

He turned the Unifying Dongle into a sniffer. As far as I can tell, attackers can send fake clicks to the Logitech dongle.

https://geektimes.ru/post/278904

Let's assume that you left your desktop or laptop computer unattended and locked the screen, but the receiver for your wireless keyboard is still connected to it. Does this mean criminals can unlock the system remotely and do whatever they want?

Wireless keyboards can also be used to spy on users.

Samy Kamkar crafted a device that covertly collects data from the wireless keyboards of certain manufacturers including Microsoft.

#drweb

Kamkar's device looks like a USB charger. Just leave it in a room where wireless keyboards are being used and the device will log every keystroke.

The gadget can use an internal battery as well as an electrical outlet. If you disconnect it from a power supply, the red LED indicator will turn off, but the device will remain operational.

Information about the package contents, an assembly manual, and KeySweeper software download links are published on Samy Kamkar's blog at GitHub.

https://tjournal.ru/p/keysweeper

http://www.securitylab.ru/news/469775.php

Wireless keyboards manufactured by Hewlett-Packard, Toshiba, Kensington, Insignia, Radio Shack, Anker, General Electric, and EagleTec contain a vulnerability that lets attackers intercept keystrokes from a distance of up to 75 meters.

It turned out that 8 out of the 12 keyboards examined do not encrypt the data they transmit.

"As far as I know, there is no way to update the firmware for these devices, because it is hardcoded in the chip on the board. That's why there is no way to solve the problem by somehow toggling on encryption," Marc Newlin said.

Previously, this security researcher from Bastille Networks reported that clicks could be injected remotely into wireless mice. He was able to send commands that imitate keystrokes (not mouse clicks) from a distance of 225 meters, and the operating system interpreted these signals correctly, performing the corresponding tasks or inserting a symbol in the text editor.

https://geektimes.ru/post/278904
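The two properties the researchers found missing, encryption of the keystrokes on the air and a check that a frame really came from the paired keyboard, are what separate a receiver that can be eavesdropped on and fed fake input from one that cannot. The following added example (not code from the article, from Bastille, or from any keyboard vendor) models both receivers in Python. The frame format, the class names and the "pairing key shared at pairing time" are assumptions; HMAC-SHA256 in counter mode plus an HMAC tag stands in for the AES-CCM a real radio stack would use, so that the example runs with only the standard library.

```python
"""
Added example, not from the Dr.Web article or Bastille's research. A toy model of
a wireless keyboard link. The "legacy" receiver accepts any frame it hears, so a
passive listener reads the keystrokes and an unpaired transmitter can type into
the host. The "hardened" receiver shares a pairing key with the keyboard and only
accepts frames that are encrypted, carry a valid tag, and use a fresh counter.
HMAC-SHA256 stands in for AES-CCM; the frame layout and names are assumptions.
"""
import hashlib
import hmac
import os
import struct
from dataclasses import dataclass, field

COUNTER_LEN = 8   # bytes of the per-frame counter (big-endian)
TAG_LEN = 16      # bytes of truncated HMAC-SHA256 tag


def _keystream(key: bytes, counter: int, length: int) -> bytes:
    """PRF in counter mode: concatenated HMAC-SHA256(key, counter || block) outputs."""
    out = b""
    block = 0
    while len(out) < length:
        out += hmac.new(key, struct.pack(">QI", counter, block), hashlib.sha256).digest()
        block += 1
    return out[:length]


def seal(key: bytes, counter: int, keystroke: bytes) -> bytes:
    """Keyboard side: encrypt-then-MAC one frame as counter || ciphertext || tag."""
    ks = _keystream(key, counter, len(keystroke))
    body = struct.pack(">Q", counter) + bytes(a ^ b for a, b in zip(keystroke, ks))
    tag = hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]
    return body + tag


@dataclass
class LegacyReceiver:
    """Models the unencrypted, unauthenticated dongles: any frame is typed as-is."""
    typed: list = field(default_factory=list)

    def receive(self, frame: bytes) -> bool:
        self.typed.append(frame)
        return True


@dataclass
class HardenedReceiver:
    """Accepts only frames with a valid tag and a strictly increasing counter."""
    key: bytes
    last_counter: int = -1
    typed: list = field(default_factory=list)

    def receive(self, frame: bytes) -> bool:
        if len(frame) < COUNTER_LEN + TAG_LEN:
            return False
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):   # forged, tampered, or wrong key
            return False
        counter = struct.unpack(">Q", body[:COUNTER_LEN])[0]
        if counter <= self.last_counter:              # replay of an earlier frame
            return False
        ks = _keystream(self.key, counter, len(body) - COUNTER_LEN)
        self.typed.append(bytes(a ^ b for a, b in zip(body[COUNTER_LEN:], ks)))
        self.last_counter = counter
        return True


def run_scenarios() -> dict:
    """Constructed scenario: the user types 'password' in two frames on each link,
    a passive listener records everything on the air, a transmitter that was never
    paired sends one frame, and a recorded frame is played back to the receiver."""
    typed_chunks = [b"pass", b"word"]
    results = {}

    # Legacy link: the frames are the bare keystrokes.
    legacy, air = LegacyReceiver(), []
    for chunk in typed_chunks:
        air.append(chunk)
        legacy.receive(chunk)
    results["legacy_plaintext_on_air"] = b"password" in b"".join(air)
    results["legacy_accepts_unpaired_frame"] = legacy.receive(b"calc")
    results["legacy_typed"] = legacy.typed

    # Hardened link: pairing key shared out of band when the devices were paired.
    key = os.urandom(32)
    hardened, air = HardenedReceiver(key=key), []
    for counter, chunk in enumerate(typed_chunks, start=1):
        frame = seal(key, counter, chunk)
        air.append(frame)
        hardened.receive(frame)
    results["hardened_plaintext_on_air"] = b"pass" in b"".join(air)
    results["hardened_typed"] = hardened.typed
    results["hardened_rejects_unpaired_frame"] = not hardened.receive(seal(os.urandom(32), 3, b"calc"))
    results["hardened_rejects_replay"] = not hardened.receive(air[0])
    return results


if __name__ == "__main__":
    for name, value in run_scenarios().items():
        print(f"{name}: {value!r}")
```

The counter does double duty: it is the nonce that keeps the keystream fresh and the anti-replay check that makes a recorded frame useless a second time. Note that none of this helps a device whose firmware cannot be updated, which is exactly the point the article makes; the check belongs in the receiver from the first firmware image.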

#vulnerability #IoT #peripherial_device #security

Dr.Web recommends

Unfortunately, device manufacturers still rarely care about user safety.

Many IoT devices aren't designed to receive firmware updates, or the procedure involved is far too complicated. Take, for example, the 2015 incident when 1.4 million Fiat Chrysler automobiles were recalled to close a vulnerability that allowed criminals to compromise the vehicles via a wireless network. To install the update, owners had to take their vehicles to Fiat Chrysler dealers or use a USB key to perform the procedure on their own. The truth is that a significant number of the vehicles affected never got the update because the procedure was difficult. Consequently, the vehicles remain exposed to attack, especially if all their other components are working properly.

https://www.internetsociety.org/sites/default/files/report-InternetOfThings-20151221-ru.pdf

And an anti-virus (like any other security software) is powerless unless the manufacturer installs it on the device itself, which is the most likely target. Users are very unlikely to be able to install anti-virus software on devices of this kind.

Shouldn't we ask manufacturers whether they have implemented any measures to protect users from attacks, and whether, when they find vulnerabilities (and they will!), they will update their firmware to get rid of them? Or should we follow this recommendation:

Bastille Networks recommends that all users whose keyboards are affected by the vulnerability discard their keyboards in favour of wired or Bluetooth keyboards.
