Did anyone really expect a wireless desktop to be secure?
Summary: According to researchers at Dreamlabs Technologies, the 27MHz wireless technology used to connect wireless keyboards to PCs is vulnerable to attack. Surprise, surprise!
According to a whitepaper published by Max Moser and Philipp Schrödel [PDF link], the keystroke signals sent from Microsoft's Wireless Optical Desktop 1000 and 2000 are encrypted using nothing more than a simple one-byte offset cipher. This means that there's only a small number of possible encryption keys (256), and a hacker need only sniff about 50 keystrokes to be able to break the encryption (if they didn't want to go to the hassle of brute forcing the key).
To our surprise, only the actual keystroke data seems to be encrypted. The Metaflags and identifier bits aren't encrypted or obfuscated. The one byte USB HID code is encrypted using a simple XOR mechanism with a single byte of random data generated during the association procedure.
This means that there are only 256 different key values possible per keyboard and receiver pair. We did not notice any automated key change interval and therefore assume that the encryption key stays the same until the user reassociates the keyboard.
256 key combinations can be bruteforced even with very slow computers today. We did not analyze the quality of the random number so far because it was not needed to successfully break the encryption.
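The keyspace argument in the quoted passage, worked through as an added example (not code from the whitepaper or from this article): a single XOR byte over USB HID key codes leaves only 256 candidates, and ranking them by how English-like the decoded keystrokes look singles out the right one. The sample sentence, the key 0xA7 and the frequency weights are constructed for illustration; no radio capture or frame parsing is involved.

```python
import string

# USB HID keyboard usage IDs: a-z = 0x04-0x1D, 1-9 = 0x1E-0x26, 0 = 0x27, Space = 0x2C.
HID = {c: 0x04 + i for i, c in enumerate(string.ascii_lowercase)}
HID.update({d: 0x1E + i for i, d in enumerate("123456789")})
HID.update({"0": 0x27, " ": 0x2C})
CHAR = {code: c for c, code in HID.items()}

# Approximate English frequencies in percent; only the relative order matters here.
FREQ = dict(zip(" etaoinshrdlcumwfgypbvkjxqz",
                [18, 12.7, 9.1, 8.2, 7.5, 7.0, 6.7, 6.3, 6.1, 6.0, 4.3, 4.0, 2.8, 2.8,
                 2.4, 2.4, 2.2, 2.0, 2.0, 1.9, 1.5, 1.0, 0.8, 0.15, 0.15, 0.1, 0.07]))


def xor_bytes(data: bytes, key: int) -> bytes:
    """Apply the same one-byte XOR key to every key code."""
    return bytes(b ^ key for b in data)


def encode(text: str, key: int) -> bytes:
    """Model the keyboard side: one HID code per keystroke, XORed with the key."""
    return xor_bytes(bytes(HID[c] for c in text), key)


def score(codes: bytes) -> float:
    """Reward plausible English keystrokes, penalise bytes that are not key codes."""
    total = 0.0
    for b in codes:
        c = CHAR.get(b)
        total += FREQ.get(c, 0.5) if c is not None else -20.0
    return total


def recover_key(cipher: bytes):
    """Try all 256 keys and return the best-scoring (key, decoded text)."""
    best = max(range(256), key=lambda k: score(xor_bytes(cipher, k)))
    text = "".join(CHAR.get(b, "?") for b in xor_bytes(cipher, best))
    return best, text


# Constructed sample: 64 keystrokes "typed" under a constructed key.
SAMPLE = "the meeting is at ten so send the report to the team before then"
CAPTURED = encode(SAMPLE, 0xA7)

if __name__ == "__main__":
    key, text = recover_key(CAPTURED)
    print(f"key=0x{key:02X} text={text!r}")
```

Because the key never changes until the keyboard is reassociated, one recovered byte decodes every later keystroke from that pairing, which is why the fix has to be a real cipher with a properly sized key rather than a longer capture window.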
There's no proof of concept code yet but given the basics outlined in the paper, it won't be hard for someone interested in making use of this information to figure it out.
Oh, and don't think that you're safe just because you're not using a Microsoft wireless keyboard - Dreamlabs is also working on breaking Logitech's "Secure Connect" protocol. And because all these security protocols are baked into the hardware, there's no fix.
The only upside is range. Most wireless keyboards have an appalling working range and it's going to be hard to leverage this attack in the real world (for example, my old Microsoft Wireless Optical Desktop 1000 would only barely work beyond a range of about 3 feet (1 meter)).
Thoughts?
Talkback
Range doesn't matter that much
You're right in that this won't be exploited very often, but could be used in targeted espionage situations. Me, I'm just too cheap to buy these anyway....
re: Range doesn't matter that much
"This will only be exploited by corporate espionage. How about I drop an intercept/repeater behind your desk? Then I can listen from further away. Maybe I can exploit it through the cubicle wall?"
In a corporate setting, keylogger software installed on the client machines will be far more useful than some kind of intercept/repeater for your "sniffer".
Granted that, unless you're an IT snooper at the company, you wouldn't have access to the logs. Not that I think *you* are, but are there that many office drones who are really interested in finding out what "Joe" in the next cubicle is typing?
The "encryption" (such as it is) that the MS wireless keyboards use is mainly needed so that neighboring wireless MS keyboards don't interfere with each other. (I have an identical pair of MS wireless keyboards that sit within four feet of each other, and their receiver dongles are *not* interchangeable.) That there are only 256 different encryptor codes could be a problem in a large office, but could be mitigated by separating the offending pairs as widely as possible.
The effective receiver range is variable, and can easily be affected by materials interposed between the keyboard and the receiver. For example, the receiver for the keyboard I'm using right now sits on a 1.5" thick composition desktop, and is physically three feet away from the keyboard itself (which sits on a carrel that is beneath the desktop level.) If I move the receiver further away, or set it under the LCD monitor, the keyboard has trouble reliably connecting with it. Go figure.
I have to agree with SO.CAL.GUY--intercepting wireless keyboard signals is essentially a non-issue.
i think this is a non issue (NT)
Wrong, Wrong, Wrong, it *IS* an issue
HP's wireless keyboards can transmit data to other computers in faraway buildings. No this is not a feature but an astonishing security flaw, discovered by two neighbours in Stavanger, southern Norway.
http://www.theregister.co.uk/2002/11/21/why_does_my_typing_appear/
Cordless keyboard wrote on neighbor's computer
While a Stavanger man typed away at his desktop computer his text was also streaming in on his neighbor's machine in a building 150 meters away. Hewlett-Packard have never received a complaint like it.
http://www.aftenposten.no/english/local/article427668.ece
HP's incredibly powerful wireless keyboards are bringing Norwegian neighbours together again. This time, a letter of complaint typed by Oslo man Are Wormnes on his home PC travelled by courtesy of the HP keyboard to the computer of neighbour Ørjan Stokkeland.
http://www.theregister.co.uk/2003/01/21/qwertyoops/
Are "Blue Tooth" devices also vulnerable?
technology/protocol.
Bluetooth is more secure.
Actually there is a solution...
1. Don't use a computer (humor intended for the slow ones...)
2. Use the "old" school wired keyboard. Granted they can be monitored as well, but it's a tad more obvious in many cases and a bit more difficult.
]:)
When are people going to get it, that technology is not the panacea of solutions that is being peddled? ]:)
No fix?
Working range isn't the same as hackable range
That's too bad because I like the 27 MHz devices since they don't get killed from 2.4 GHz Wi-Fi connections http://blogs.zdnet.com/Ou/?p=906. BlueTooth security isn't all that great either but it's wide open like this.
Just another reason ....
Of course there is a fix, just recall the hardware.
This solution requires good ethical standards and performance. (NT)
can 27MHZ keyboards be overheard on a CB radio?
Being overheard on CB
I tried to find the full frequency for Microsoft's wireless keyboards, but according to microsoft.com, all they have to say is that their keyboards & mice use 2.4 GHz Bluetooth