Did anyone really expect a wireless desktop to be secure?
According to researchers at Dreamlabs Technologies, the 27MHz wireless technology used to connect wireless keyboards to PCs is vulnerable to attack. Surprise, surprise!
According to a whitepaper published by Max Moser and Philipp Schrödel [PDF link], the keystroke signals sent from Microsoft's Wireless Optical Desktop 1000 and 2000 are encrypted using nothing more than with a simple one-byte offset cipher. This means that there's only a small number of possible encryption keys (256) and a hacker need only sniff about 50 keystrokes to be able to break the encryption (if they didn't want to go to the hassle of brute forcing the key).
To our surprise, only the actual keystroke data seems to be encrypted. The Metaflags and identifier bits aren't encrypted or obfuscated.
The one byte USB Hid code is encrypted using a simlple XOR mechanism with a single byte of random data generated during the association procedure.
This means that there are only 256 different key values possible per keyboard and receiver pair. We did not notice any automated key change interval and therefore assume that the encrpytion key stays the same until the user reassociates the keyboard.
256 key combination can be bruteforced even with very slow computers today. We did not analyze the quality of the random number so far because it was not needed to successfully break the encryption.
There's no proof of concept code yet but given the basics outlined in the paper, it won't be hard for someone interested in making use of this information to figure it out.
Oh, and don't think that you're safe just because you're not using a Microsoft wireless keyboard - Dreamlabs also working on breaking Logitech's "Secure Connect" protocol too. And because all these security protocols are baked into the hardware, there's no fix.
The only upside is range. Most wireless keyboard have an appalling working range and it's going to be hard to leverage this attack in the real world (for example, my old Microsoft Wireless Optical Desktop 1000 would only barely work beyond a range of about 3 feet (1 meter).
Thoughts?