
Encryption for Microsoft's wireless keyboards cracked

Security firm Dreamlab Technologies claims that it has cracked the encryption used by Microsoft's wireless keyboards and its base station. As a result, Dreamlab can now sniff all keystrokes sent from Microsoft's keyboards that communicate with each other on the 27 MHz band.


By using just a simple radio receiver, a sound card, and suitable software, Dreamlab Technologies was able to tap and decode the radio frequencies transmitted between the keyboard and PC/notebook computer. Keyboards that use Bluetooth for communication are not affected by this flaw.

According to heise Security:

Max Moser and Philipp Schrodel say that decryption was very easy because the devices use a simple XOR mechanism for encryption and the keys are only one byte long. They claim that even a PDA with a slow ARM-CPU would have derived the combination quickly. Aside from not using such keyboards, there is no workaround. Microsoft has yet to react to the Swiss firm's announcement.

You can read the press release (pdf) or the whitepaper (pdf) for more information about the exploit.
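The weakness quoted above in miniature, as an added Python example that is not from this article, heise or the Dreamlab whitepaper: a generic single-byte XOR cipher over constructed ASCII text (not the keyboards' actual radio frame format). It shows that trying all 256 keys recovers the text, that one known byte yields the key, and that repetition patterns survive encryption. All function names and sample values are assumptions made for illustration.

```python
# Added illustration: generic single-byte XOR over constructed ASCII text.
# It does not model the keyboards' real radio protocol or frame layout.
from __future__ import annotations

KEYSPACE = range(256)  # a one-byte key has only 2**8 possible values


def xor_cipher(data: bytes, key: int) -> bytes:
    """Encrypt or decrypt: XOR with a fixed byte is its own inverse."""
    return bytes(b ^ key for b in data)


def text_score(candidate: bytes) -> int:
    """Crude plausibility score: -1 if any byte is non-printable ASCII,
    otherwise the number of letters and spaces."""
    if any(b < 0x20 or b > 0x7E for b in candidate):
        return -1
    return sum(1 for b in candidate if chr(b).isalpha() or b == 0x20)


def recover_key(ciphertext: bytes) -> tuple[int, bytes]:
    """Try every key and keep the one whose output looks most like text."""
    best = max(KEYSPACE, key=lambda k: text_score(xor_cipher(ciphertext, k)))
    return best, xor_cipher(ciphertext, best)


def key_from_known_byte(cipher_byte: int, plain_byte: int) -> int:
    """A single known plaintext/ciphertext pair reveals the key: k = c XOR p."""
    return cipher_byte ^ plain_byte


def repeat_pattern(data: bytes) -> list[int]:
    """For each position, the index where that byte value first appeared.
    A fixed XOR key is a one-to-one byte substitution, so this pattern is
    the same for plaintext and ciphertext even when the key is unknown."""
    first: dict[int, int] = {}
    return [first.setdefault(b, i) for i, b in enumerate(data)]


# Constructed sample input and an arbitrarily chosen key.
SAMPLE_PLAINTEXT = b"the quick brown fox jumps over the lazy dog"
SAMPLE_KEY = 0x5A

if __name__ == "__main__":
    ct = xor_cipher(SAMPLE_PLAINTEXT, SAMPLE_KEY)
    key, pt = recover_key(ct)
    print(f"key 0x{key:02x} found within {len(KEYSPACE)} trials: {pt!r}")
    print("key from one known byte:", hex(key_from_known_byte(ct[0], ord("t"))))
    print("pattern preserved:", repeat_pattern(ct) == repeat_pattern(SAMPLE_PLAINTEXT))
```

The practical takeaway for design review is that key length, not the presence of "encryption", sets the cost of recovery; an 8-bit key is exhausted in 256 trials on any hardware.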

The eavesdropping was done at a distance of 10m using standard equipment, which isn't so bad. The concern is that with appropriate technical equipment, larger distances are possible.

Are you using a Microsoft wireless (RF) keyboard at the moment? Will this news prompt you to stop using it?


About

Paul Mah is a writer and blogger who lives in Singapore, where he has worked for a number of years in various capacities within the IT industry. Paul enjoys tinkering with tech gadgets, smartphones, and networking devices.

44 comments
richard.wilson

It's ANY wireless keyboards! Hell, any wireless signal can be cracked on anything. Look how many people's phones have been cracked! Here's the way around that if you own a MS keyboard or any other wireless keyboard...look around you within a range of 3-8 feet. If you see someone with a little antenna pointing toward you, THAT'S YOUR MAN! GET HIM! HE'S HACKING YOUR KEYSTROKES!!! *sarcasm* Seriously, to "crack the encryption and steal keystrokes", someone would have to be pretty much sitting on your head, and if they're that close, they could probably just watch your keyboard. Next thing you know they'll be blaming Microsoft for the window washer outside your building that just saw you type your password....

bkoelrich

Does this encryption-code-cracking issue apply to Logitech brand cordless keyboards?

paulmah

Are you using a Microsoft wireless (RF) keyboard at the moment? Will this news prompt you to stop using it?

joshleahy

The report states that, "Max Moser and Philipp Schrödel of Dreamlab Technologies succeeded in eavesdropping traffic from a distance of up to ten meters using a simple radio receiver." This is a very important security discovery that should not be taken lightly. For example, someone could monitor your keystrokes from the street in front of your home. They simply wait for you to type something like "wellsfargo.com" then make note of your next several keystrokes, which will probably consist of your username and password. This could be an even larger vulnerability in the office. Changing channels on the devices, as suggested by several members, is a good idea, but keep in mind your keyboard is still vulnerable; it is just not using the default configuration. All the hacker needs to do is have a little patience to find your operating channel.

mike

They'll blame that Window Washer just because he decided to work on Windows :-)

wsdelicate

The PDF from these guys says "A detailed analysis of Logitech models is still in progress and will be published when available." So stay tuned...

Freebird54

-- not that the encryption might be cracked, but that it would have any security in the first place!! Wireless (in all forms) is for convenience, not for security - and encryption is a delaying tactic in most cases, rather than protection. If some shadowy 'they' were actively trying to find out what I do on my computer, there are easier ways to get this information than trying to snoop a weak, directional 27MHz signal, and decrypting it to discover that I hit CTRL and spin the mouse wheel a lot (change text size while reading). For starters, they could more easily gain information by picking up screen emanations from the CRT, or Van Eck phreaking the LCD signals :) I place greater trust in being uninvolved in anything that authorities (?) might be interested in - and in doing most of my banking in person.... No - I'll keep using my MS wireless keyboard, and let anyone who wants to stand out in the snow to snoop go right ahead....

Larry the Security Guy

If I owned this keyboard, the news would stop me from using it. But since I haven't shopped at MS for a number of years. I doubt I'd buy anything except toys that work in the 27MHz band, and I wouldn't trust any form of encryption transmitted where monitoring equipment is so widely available. Ultrasonic, UV or IR would be better options if your goal is avoiding bluetooth. All can be kept in the room, UV and IR can actually be filtered at windows and some IRs don't have to be in direct line of sight as long as there are reflective surfaces (my satellite remote works without direct line of sight, and it's not the RF variety).

bg4

ALL RF is sniffable and potentially crackable. Anything wireless, keyboards, mice, bluetooth, wifi, RF Lans, phones can all be sniffed with the right equipment. The equipment is available at any good radio shop or computer supplier. Whether it can be decoded and used is another question. Wireless keyboards can be sniffed from hundreds of metres away using a suitable antenna and a sensitive receiver. After all it's just another source of RF. Just like BPL, it radiates from the power lines and can be easily sniffed for kilometres and I wouldn't mind betting it's been cracked already as well. Stick with a wired keyboard, keylogging programs are easier to detect than someone listening to your wireless keyboard. Identity fraud starts with this sort of thing... Just my 2 cents (ex gst)...

WDMilner

While the cracking of this specific encryption may be new, the sniffing of wireless signals, including keyboards and mice is not. A few years ago HP had to redo their wireless keyboards and mice due to workers in one office seeing what another worker was typing on their keyboard. Just one more reason to stick with a wired keyboard - in addition to no battery hassles or interference (27 MHz btw is the CB band as well as some RC toys). How often do you really use your keyboard more than 3-4 feet away from your system anyway? And with a USB keyboard you can get further than that.

gkrew

No I will not stop using them because the encryption is cracked. I am confident that nothing that my users type using their keyboards can be dangerous to the company. Given the work needed to record the keystrokes I would not consider this a major threat.

Drew@Omaha

First of all, the effective range may only be 10 feet but the signal can carry quite a bit further than that and can be picked up with more sensitive equipment, recorded, and cracked from across the street. I would say that this situation seems rather unlikely to me but then again, you just never know what your neighbor's 16 year old son is up to. Secondly, it was said that "Dreamlab can now sniff all keystrokes sent from Microsoft's keyboards that communicate with each other on the 27 MHz band.". The keyboards don't communicate with each other, do they?

cpudoc

I am surprised, no, SHOCKED that anyone could hear much less crack a signal on 27MHz. 27MHz has to be the trashiest, garbage band, below 902MHz! I must admit that I never thought to look there, somehow I would have expected more from Micro$oft, like putting them on 902MHz or 1.2GHz.

gervas.douglas

I used an MS wireless keyboard about 3 years ago. It was fine until we got a second one when we discovered mutual interference between them. Why am I not surprised to learn that they have yet another security problem??

kyle

I have a wireless MS keyboard and it doesn't bother me. As I see it, this is just like physical vs wireless networking. Either can be sniffed, but both use different methods to do so. They already make physical sniffers for wired keyboards that are cheap so they have been vulnerable for some time. Wireless keyboards at least have encryption. Even if it is cracked (it was going to happen one day...) I still see it is more secure. The odds of your keyboard's wifi signal going more than 10ft is slim to begin with, so IF someone is sniffing it's not like there is a large area to search (unlike wifi networks). I see no harm in having the wifi encryption on keyboards cracked in a home setting, but maybe in a business setting, even if it is very small. MS will probably make a new encryption method and all will be well again (until it is cracked).

sleepin'dawg

Consider the security of cordless phones and cellular communications. It was only a matter of time before anyone twigged to the possibilities of decrypting wireless keyboards. The question you have to ask is; "Are you doing anything that really requires you to take steps against this???" Dawg ]:)

Mike Page

The range of the keyboard is only a few feet. So it depends upon the environment you are in. I don't work with sensitive material and I work at home. I could care less.

timbopro

I am troubleshooting PC and network problems 6 days a week and have run across numerous conflicts and problems with Microsoft's products. From corrupting boot files to conflicting with screensavers. And now they are hackable! Enough is enough! Logitech is my only brand from now on.

mhbowman

the expense and time associated with buying the wireless keyboard/base and configuring it. It would be hard for me to justify the use of this technology when the keyboard is just going to sit on my desk exactly like the one that came with my computer. Unless of course I'm at home sitting on my couch and I have a laptop for that. Kinda reminds me of people using an IR device to print. Pay for it, configure it, worry about line of sight etc. all for the sake of replacing a $15 printer cable that worked better anyway.

Meesha

I just got my client's office MS wireless keyboard and mouse to work with a KVM for 2 PCs, sound and monitor, and now you're telling me that it's susceptible to War Chalking. http://en.wikipedia.org/wiki/Warchalking Yikes! I guess security is still on the world's number one most wanted list.

damon417

Does this mean that all wifi keystroke devices are/can be picked up by sniffers? Should I reconsider the use of wireless keyboards in general? Thanks, Damon

colin.harris

Can't beat a wired system. Though, to be fair, if the lead is damaged, the signals can be transmitted a short distance, but not at a fixed frequency. Time to save on batteries and get the old wired keyboards back out.

Larry the Security Guy

If you're saying that a wireless keyboard, such as the MS variety on topic here, "can be sniffed from hundreds of metres away", I have to disagree because the emitter power, antenna efficiency and noise floor of the 27MHz band will severely affect your ability to even detect the keyboard signal, let alone decode it, beyond a few meters. Of course, you could spend thousands of dollars on a sensitive receiver and thousands of dollars on a highly directional antenna and tower (you'll need a tower, the 27MHz variety are a bit on the huge side) to listen in on your neighbor a couple doors down, but beyond that will be lost in the noise.

mike

No wonder why each time the movie "Convoy" comes on I head straight for my keyboard... :-)

michaels.perry

Ah! But they are not legal to use in other countries! MS (and Logitech, etc) want to sell to a world-wide market so they have to comply with laws in other countries - else no sale and a big legal bill!

JerryDFarrell

I bet people who live near interstate highways have problems with their Microsoft Keyboards. That band is designated for CB Radio use. Most truckers use power amplifiers of 100 watts or more in their rigs. I only thought that toy manufacturers of RC toys except for some hand held kids radios shared the band. I am shocked that Microsoft would use such a band especially with its reputation of having garbage on the band. I would expect them to use a cleaner band as well. I bet even the $15 miniature RC car transmitters can even cause interference.

michaels.perry

If using two, or more, similar wireless devices causes problems, just go through the setup procedure in the manual to use different channels for each device. My office has 9 wireless keyboards and we set them up to not cause problems. Takes about 30 seconds on each! Another case of RTFM?

quiron

You are right, standard ranges are from 3-5 meters (10-15 feet). But that's only because the receiver of the keyboard doesn't have a good sensitivity. If you make a simple design with on-shops circuitry, you'll be surprised, and can catch the signal for even 50-100 meters (150-300 feet). Except if you live in a Faraday's cage, of course.

ssteele

I use the wireless at home and don't see an issue, the proposed hacker would have to be inside my house in order to get anything. Could be an issue in more sensitive areas though.

mattohare

I live in a midterrace. The house is only a few meters wide, and there's another one just on the other side of the wall on both sides. Add to that, there's another house just like mine at the other side of both of those. It's enough to keep our wifi to ourselves, much less keyboard and mouse signals. At least with infrared, it literally is line-of-sight!

PennT

Sounds like you need a vacation!

TheGooch1

So you've never set up a media center computer to play games/movies/music on? I had one in my living room and had no need for cable. Wireless Keyboard/mouse were essential for this to work, unless you like the USB cable strung from the television all the way to the couch. Safety hazard, too. Cable? Who needs cable/Satellite when you have Youtube on 55" LCD display?

barrie.duke

I find they have short life compared to wired keyboards which do not get 'mislaid' quite so easily.

michaels.perry

All radio signals can be listened to - it's just a case of what you can then do with the 'information' you have obtained. Wireless keyboards and mice (they are not WiFi at 2.4GHz, just radio at 27 MHz) have a very limited range, usually about 10 feet or 3 metres maximum. So the 'eavesdropper' has to be within a few feet of your keyboard to gather the information. I think you would notice them 'listening in' to your typing efforts! The risk factor is virtually negligible. This is again a case of 'we can, so we will' and thence create a scare for no good reason.

mattohare

There are two issues here. One issue is that any radio signal can be sniffed and recorded. The second issue is actually doing something with the recording. The article points out that bluetooth keyboards seem to be ok. People haven't worked out a crack for bluetooth's encryption for the keyboards for the time being.

mattohare

I wonder how many of the people with wireless keyboards are the same trying to preach a reduced carbon footprint? Doesn't it take more electricity to broadcast radio signals than to put them through a wire? What about all the worries we get from some about radiation damage from cell phones and the like? *chuckle*

JCitizen

(EDITED) I prefer to think we the people have some modicum of control over bureaucrats through congress. Probably self deception of course. :)

michaels.perry

Any sensitive work area that has radio signals that need be protected can be easily screened using a Faraday Cage system. Radio signals do not escape! (If they do, the system is not correctly designed!) I know of many DoD (USA) or MoD (UK) sites using Michael Faraday's ideas.

quiron

... mostly by receiver!!! Given some specific transmission power, you reach a maximum distance where you cannot distinguish it from noise. But usually that level is given by the input stage of the receiver. As an example, compare receiving quality from an FM in an MP3 player against a high quality receiver.

TonytheTiger

by the transmitter or the receiver? You can buy receivers a lot more sensitive than the one that comes with the keyboard. It might not be a big deal at home but the article said 10 meters. That's a couple offices away! And of course you have to ask if Microsoft thought it wasn't important, why did they encrypt it in the first place?

Mike Page

I just measured the range on my Microsoft wireless keyboard - 10 feet (3 meters). Practically speaking this is not much of a threat. Security wise it is far more important that I remember to lock my front door when I leave the house, so that my computer is not stolen along with other valuables. The level of importance of this security risk really depends upon your situation. For the vast majority of people it is not a concern.

avoelker

10 meters is more than a few feet. I would look at the range of the wireless device and evaluate your office situation. If you have your own building and nothing near it, you're probably fine. If, however, you have a small wall between some possibly sensitive materials and a public area, I might be a little more concerned. Remember, anything you type (usernames, passwords, social security numbers, bank PINs, etc) can be seen. The easiest way to pick out a username/pass combination is to see the word "administrator" go by. Scary, huh? 10 meters, that's around 31 feet.

techrepublic

Michaels Perry's comments above are not strictly true, I'm an engineer in the RF industry and am very aware that a 27MHz signal is capable of travelling very long distances (anyone who's used a 27MHz CB radio will know!). In fact, the 27MHz signal is likely to be "conducted" by the wiring and metalwork in the locality and so could travel much further. Also, the eavesdropper doesn't need to be in close proximity to listen in. In fact, with a high gain directional antenna and a very sensitive receiver he/she could be a surprisingly large distance away. I know of people (working within government agencies) who have wirelessly received and displayed the CRT output of a computer from an adjacent government building - completely wirelessly! You'd be amazed at just how far an electromagnetic signal can travel! So, if you do have a 27MHz keyboard and are concerned about eavesdroppers, perhaps an upgrade to a 2.4GHz model would be worthwhile, as this frequency is far more constrained by the walls and windows of a building. Alex