
Wireless keyboards officially insecure?


Security research group Dreamlab have released a new white paper entitled 27Mhz Wireless Keyboard Analysis Report aka "We know what you typed last summer". The paper, written by Max Moser & Philipp Schrödel, describes the inherent design flaw which leaves a majority of consumer-grade wireless keyboards wide open to keylogging.

The two major consumer brands affected by this vulnerability are Microsoft and Logitech. In fact, Microsoft's Wireless Optical Desktop 1000 and Wireless Optical Desktop 2000 products are specifically mentioned as being vulnerable. It's also assumed that other 27MHz products such as the Wireless Optical Desktop 3000, 4000 and the Laser Desktop series are open to attack in a similar way.

Due to the widespread use of these wireless devices, the huge security implications, and the fact that there is no quick fix for this design flaw, Dreamlab have decided not to release a public proof of concept. Despite this, I'm sure it won't be long until code is readily available online. Dreamlab have released a video of an attack in progress.

It's quite worrying to see just how easy it is to sniff and extract keystrokes from these 'consumer' grade devices with no need for dongles, trojans or specialist equipment. The 27MHz keyboards only use 8-bit encryption, which can be cracked relatively quickly with quite modest hardware. From what I can tell, all that's required is a 27MHz-capable receiver, a sound card, and a computer. The range will obviously be dictated by the receiver and its antenna.
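To see why an 8-bit key gives no real protection, the following added example (not from the Dreamlab paper or from this post) exhausts the whole key space of a toy cipher and picks the key whose output looks like typed text. The single-byte XOR cipher, the sample text and the key are constructed assumptions and do not reproduce the keyboards' actual protocol.

```python
"""Added illustration: exhausting an 8-bit key space.

Toy single-byte XOR cipher (an assumption for teaching; NOT the keyboards'
real protocol). SAMPLE and KEY below are constructed values.
"""
import string

# Byte values we expect to see in ordinary typed text.
TYPED = set((string.ascii_letters + string.digits + " .,'").encode())

SAMPLE = b"the quick brown fox types a password"  # constructed plaintext
KEY = 0xA7                                         # constructed 8-bit key


def xor_bytes(data: bytes, key: int) -> bytes:
    """Encrypt or decrypt: XOR every byte with the same 8-bit key."""
    return bytes(b ^ key for b in data)


def score(candidate: bytes) -> float:
    """Fraction of bytes that look like typed text (1.0 = all plausible)."""
    return sum(b in TYPED for b in candidate) / len(candidate)


def exhaust_keyspace(ciphertext: bytes):
    """Try all 2**8 = 256 keys; return (best_key, plaintext, keys_tried)."""
    keys = range(256)
    best = max(keys, key=lambda k: score(xor_bytes(ciphertext, k)))
    return best, xor_bytes(ciphertext, best), len(keys)


if __name__ == "__main__":
    ct = xor_bytes(SAMPLE, KEY)
    key, pt, tried = exhaust_keyspace(ct)
    print(f"recovered key 0x{key:02x} after {tried} trials: {pt!r}")
    # Each extra key bit doubles the work; a 128-bit key space is 2**120 times larger.
    print(f"128-bit key space is {2**128 // 2**8:.3e} times larger")
```

No known plaintext is needed: with only 256 candidates, a crude plausibility score is enough to single out the right key.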

I started using a Bluetooth keyboard quite some time ago as I find it's much more reliable, but I still have one of the Microsoft Wireless Optical Desktop sets buried in the back of a cupboard somewhere. I'm quite tempted to dig it out and see what I can pick up!

14 comments
jc@dshs

In an office where I work, 3 computers had wireless keyboards and mice "installed." As one person typed on their machine, one of the other computers displayed every keystroke on screen.

info

Because Microsoft encryption was pitifully weak, the writer inadequately assumes that ALL other (27MHz) keyboards fall in the same category. This is totally wrong, at least for Logitech keyboards, which use a much stronger system. This is not at all 8-bit encryption like Microsoft's. For instance, the key is much longer and is never transmitted on air, modifier keys (shift, ctrl, alt, win) are also encrypted, and a given key has multiple crypto patterns.

mikifin

Ten years ago it was so simple to capture infra-red mice and keyboards we often used it as a prank on new testers. Wi-Fi, same principle, different technology. You would think that these super geeks would have learned. I guess they really aren't as smart as the rest of us, really.

danzig6

As I work away with a wireless KB, I wonder how much of its minuscule output is parasiting to/on various household electrical connections nearby - not to mention the basic threat of the guy/gal in the alley behind my house. The shake 'n bake receiver built with malice aforethought might glean something of use to him/her. Naw - it's nothing? Consider another time when all those U-boat sailors were compromised when their 'unbreakable' comms were digested and unwrapped by a computer a lot bigger than the one you're toiling at now. I think I'll go to Wally World and get back into landline.....

bruce.dimon

My wireless keyboard has to be within two feet of the transceiver to work. The referenced document says "The keystrokes from any analyzed keyboard within the radio receiver's range can be sniffed." So my system is secure unless the hacker's antenna is in the same room. Could the radio emissions be detected through the walls and across the yard?

demosthanese

Let's just say that a person has the intent to cap your wireless KB... A) assuming they could listen remotely without any amplifier/sniffer physically in the room, they would have to be able to determine what text is being typed where, because the keyboard doesn't know where it's typing. What they would be "hearing" would just be a string of text without context. B) again, assuming no physical sniffer, they would have to get the manufacturer decode sequence for that make/model keyboard to make. As an above poster said he could "hear" people's keyboards (how do you know that's what it was btw?) but had no way of knowing what they were typing. Both of the above points require a lot more specialization than most people, which brings me to... C) IF someone wanted to get into your keyboard it would probably be easier to put a physical tap into the room, a simple keylogger, or replace their antenna with one that would amp/bounce the signal to somewhere you wanted. I guess the point I'm trying to make is that casual attackers aren't going to go this route. And if you are in some ISA cubicle somewhere you already have heavy physical security and RF shielding on every window and wall.

armstrongb

We had some RF coming through the wall so we put a whiteboard on each side and that pretty much sealed the transmission. We had 2 individuals who set up their desks along a common wall in adjoining rooms and both used wireless keyboards and mice and there was some minor weirdness. Especially with the mice. It did not seem to affect others who did not share a common wall and were in the same room.

w2ktechman

Walls usually decrease an RF signal in half or more. The transmitter for a keyboard is usually pretty weak as well, unlike many other forms of RF. And, like you, before I threw around my wireless keyboard (caused me a lot of stress often) I had to have the keyboard just a few feet away from the receiver, and a good line of sight as well. The keyboard's transmitter has a low radius (semi directional), so the RF waves will only travel about 90 degrees wide anyway. So to sum it up, it would be very unlikely unless a receiver was set up within the same room, and facing the direction of the transmitted signal.

Justin Fielding

I'm no RF expert but I would think that with a sensitive receiver and directional antenna the range (for reception) could be greatly increased.

bennie3327

The RF transmitter in the keyboard is a low power device with a simple low directivity and very low (no) gain antenna. It is designed to be in contact with a receiving antenna from a variety of angles. This receiving and transmitting system works well within the very short range for which it was designed. Someone who intentionally wants to acquire the key strokes can fabricate (procure) an antenna with more gain, which increases the directivity. One can utilize a more sensitive receiver (ham radio) coupled with a signal processor to acquire and decipher all the strokes (transmissions) from the target keyboard. This is a relatively easy task to accomplish for a novice communications tech. Add a reason for acquiring the keystrokes along with a little perseverance and that novice could print out all the text you typed and email it to you. Please don't compare the very limited "intended" functionality of the keystroke Tx-Rx system to one configured for exploiting the weaknesses of that target (victim) system. The original study purposely did not publish all of the methodology for good reason.

Justin Fielding

If that's the case it may be a non-issue. I guess this still opens up the possibility of key-logging 'bugs' that could be placed much more covertly than traditional in-line or software loggers.

seanferd

Why don't we just suppose that parties directly interested in keylogging have the ability to put in place a local receiver which re-transmits on a freq to which walls, etc., are transparent? Edit to note that I am more generally responding to the thread rather than w2ktechman in particular, I just thought this was the best insertion point.

alec.wood

With a good receiver, data transmissions like this can be picked up at very low levels - indeed, signals which appear hidden in the noise floor are often resolvable with modern DSP techniques. On my own receiver, a Kenwood TS950SD, I can "hear" my neighbour's wireless keyboard, and now I know what I am looking for I could hear two more last night. Not looked into what the data format is to see how easy they would be to decode though.

w2ktechman

For most home users this is the case. But in a work environment, especially with cubicles, it can be easily taken into account. But other issues at work would include Bluetooth and open Wi-Fi. Both are more severe security threats.