Security research group Dreamlab have released a new white paper entitled 27Mhz Wireless Keyboard Analysis Report aka “We know what you typed last summer“. The paper, written by Max Moser & Philipp Schrödel, describes the inherent design flaw which leaves a majority of consumer grade wireless keyboards wide open to keylogging.
The two major consumer brands affected by this vulnerability are Microsoft and Logitec. In fact Microsoft’s Wireless Optical Desktop 1000 and Wireless Optical Desktop 2000 products are specifically mentioned as being vulnerable. It’s also assumed that other 27Mhz products such as the Wireless Optical Desktop 3000, 4000 and the Laser Desktop series are open to attack in a similar way.
Due to the widespread use of these wireless devices, the huge security implications, and the fact that there is no quick fix for this design flaw — Dreamlab have decided not to release a public proof of concept. Despite this, I’m sure it won’t be long until code is readily available online. Dreamlab have released a video of an attack in progress.
It’s quite worrying to see just how easy it is to sniff and extract keystrokes from these ‘consumer’ grade devices with no need for dongles, trojans or specialist equipment. The 27Mhz keyboards only use 8bit encryption which can be cracked relatively quickly with quite modest hardware. From what I can tell, all that’s required is a 27Mhz capable receiver, a sound card, and a computer. The range will obviously be dictated by the receiver and its antenna.
I started using a Bluetooth keyboard quite some time ago as I find it’s much more reliable, but I still have one of the Microsoft Wireless Optical Desktop sets buried in the back of a cupboard somewhere. I’m quite tempted to dig it out and see what I can pick up!