Wireless Keyboard "Encryption" Cracked

squidinkcalligraphy writes "While everyone is going on about wireless network security, it seems few have considered that increasingly common wireless keyboards can be vulnerable to eavesdropping. Particularly when the encryption is pitifully weak. All that's needed is a simple radio receiver, sound card, and a brute-force attack on the 8-bit encryption used. Passwords galore! Bluetooth, it seems, is safe for the moment."

Why a soundcard !

[iMaple]

Using nothing more than a simple radio receiver, a soundcard and suitable software, Swiss security firm Dreamlab Technologies managed to capture and decode the radio communications between a keyboard and a PC. Why did they need a sound card to crack a wireless keyboard ? Play operatic songs to crack glass keyboards ? or to play "You have been pwned" on blaring speakers after the cracking is over ? On a serious note, they do not need any sound input/output for this, right ?

Re:Why a soundcard !

[WombatDeath]

I doubt they need output, but perhaps the function of the sound card is to capture the input from the radio receiver.

Re:Why a soundcard !

[MrNemesis]

Why didn't they list their graphics cards? Surely you can't have a hacking session with power metal blaring in the background and not have a wall of monitors showing alpha-blended hexagons, otherwise none of the hacks will work...?

I think this paper needs to be peer reviewed by Crash Override.

Re:Why a soundcard !

[QuantumG]

I don't mean to be a prick, but was there any need to reply to that kind of retarded question? Why not just let him continue in his ignorance.. obviously he has no interest in knowing, otherwise he would have RTFA.

Re:Why a soundcard !

[Tribaal_ch]

They most probably use the soundcard for analog/digital conversion: radio recivers output analog data, and computers handle digital data.
- Trib'

Re:Why a soundcard !

[iMaple]

but was there any need to reply to that kind of retarded question? Why not just let him continue in his ignorance.. obviously he has no interest in knowing, otherwise he would have RTFA. Well, I didn't read the white paper, but I did RTFA and that doesn't mention anything why the sound card was used. And I assumed that the simple radio receiver was a simple pci card like radio device (I had a TV signal receiver card that u just digitized the TV signals and u could watch broadcast TV on your computer .. so I was thinking of that when I asked the question), for some reason I didn't realize that they meant a radio with a audio output. Does that make me a bit slow.. yes; ignorant/retarded ... maybe; but its not flamebait/troll as u are implying.

Re:Why a soundcard !

[thetartanavenger]

A sound card is a cheap alternative to a digital and more importantly, recordable oscilloscope. By plugging the radio into the sound card, it allowed them to record the individual bit's being sent by the device to be analysed using a waveform viewer. If you were using a normal oscilloscope for that purpose the data flashes on the screen so fast it's impossible to be useful in any way, except possibly to read the carrier frequency of the signal, which is something your sound card would probably have alot of trouble doing because they're generally too slow.

Re:Why a soundcard !

[link-error]

    I used this exact same method to decode the old pagers by using a scanner plugged into my soundcard. Worked pretty good.

Re:Why a soundcard !

[Fordiman]

"Why did they need a sound card to crack a wireless keyboard?"

Line in. Demodulate the 27MHz EM in hardware, and the resulting output is a simple electrical signal. Assuming that a keyboard doesn't need a terrible lot of bandwidth, it's unlikely that the pulse frequency is terribly high (lower max frequency DSPs are cheaper than higher ones), so the 96kHz max capture off a sound card should be more than enough. Even if it isn't, though, there are fourier techniques to detect aliasing and get a higher frequency signal, assuming that there's nothing else on the 27MHz band (which you can ensure by enclosing the experiment in a Faraday cage).

Re:Why a soundcard !

[Fordiman]

"Why not just let him continue in his ignorance?"

Well, because the less you share information with the apparently ignorant, the more ignorant society at large is.

If I ask a question, even if it's a dumb one, I desire an answer. As such, I respond to questions I have the answers to. Be the change you want to see in the world, and all.

Re:Why a soundcard !

[Fordiman]

Relax, man. Dude's being an asshat. You're right; it's perfectly logical to assume the use of an integrated USB/PCI/generic radio-to-PCM device for intercepting a radio signal - with one little exception that can be rationalized away as hardware hacking:

Your basic radio-to-PCM device doesn't have a sufficiently flexible tuner to reach below the 85MHz FM lower limit into the depths of 27MHz. An analog FM tuner can be easily hacked to do this, but you'd basically have to rip out the capacitor DAC that a fully digital device would have.

Re:Why a soundcard !

[Fordiman]

Old cassette deck reader + wire + soundcard + software = magnetic strip reader

Re:Why a soundcard !

[Amouth]

i think if you where goign to put your self and your target in a Faraday Cage - it might be alittle easier to jsut look over there sholder to see what they are typing

Re:Why a soundcard !

[DeadChobi]

That's why you use a DAQ board instead of an oscilliscope. Some of those have sample rates in the Megasample range. And with the right software you can easily store all the data you're acquiring.

Re:Why a soundcard !

[danomac]

I doubt they need output, but perhaps the function of the sound card is to capture the input from the radio receiver.

I doubt the sound card is able to process 2GHz bands (assuming these devices use the standard 2GHz band, that is...) Audio cards are normally designed for human hearing (i.e. 20Hz-20kHz.) I don't think an audio card would work that far out of its range unless it's heavily modified.

I don't particularly like wireless devices myself - in my house, as an example, there's so much interference that my cordless phone (5.2GHz) and my cell phone have trouble. I'm lucky to sync with my WAP 20-30 feet away and get speeds of 50KB/sec. The closer I get the worse it gets... I don't know what's causing the interference but there's something. Neighbour's microwave maybe?

Re:Why a soundcard !

[GameboyRMH]

or to play "You have been pwned" on blaring speakers after the cracking is over ?
I think the song you're looking for is "Invasion of the Gabber Robots" by "The Laziest Men on Mars"

http://youtube.com/watch?v=t91FwBAYH8A

Re:Why a soundcard !

[Eternauta3k]

Oh come on... RF -> Radio -> AF -> Sound Card -> spooky hacky software

Re:Why a soundcard !

[schwaang]

The coolest use for a soundcard I've seen is still the SoundcardEEG.

Re:Why a soundcard !

[davidsyes]

They apparently watched Voyage to the Bottom of the Sea's episode "Escape from Venice"

http://www.imdb.com/title/tt0742263/

and thought they could break the encryption. They had the notes wrong... shoulda been:

"La lah lah lah, lah lah luh luh lahaha, luhu, luha, haha la..."

Next time, they should get somebody with phantom of whatever music to decrypt the ms keyboard... Logitech's will need Bach or Beethoven or something better...

Re:Why a soundcard !

[UncleTogie]

Old cassette deck reader + wire + soundcard + software = magnetic strip reader

Will it read both 3-track and 4-track cards? Jus' curious...

Re:Why a soundcard !

[RobinH]

What you really need is a digital storage oscilloscope. They're in the $10k+ range for a good standalone unit, but you can find reasonable ones that attach to a PC, such as the BitScope.

Re:Why a soundcard !

[Fordiman]

Yeah, but you have to build a jig and read the tracks one at a time. You can do better with the smaller readers from a cassette 4-track (you have to remodulate in hardware to combine the data into a single software-decodable stream - a couple kHz is fine for normal-speed swiping), but those things are just too nifty to destroy.

Re:Why a soundcard !

[Fordiman]

The faraday cage is to isolate the target frequency and modulation with the same model keyboard to calibrate your software (and possibly your antenna). You then take the appropriately optimized system into the room *next* to your target. The problem with an optical sniff is that the person may sniff you back and subsequently retaliate.

Re:Why a soundcard !

[thetartanavenger]

Aye but the thing about sound cards is that they're cheap and you most likely already have one. If it suits the purpose then why not? When you're attempting mischeif you don't necessarily have yours hands on that kind of equipment nor necessarily the means to purchase it. Reasonably priced is surprisingly unreasonable for us poor students.

My use was reverse engineering a device to cause a lecturer of mine a little more stress than normal, and in that case you can't exactly go asking them for specialist equipment. Starts ringing alarms bells...

urm

[wwmedia]

wouldn't the hacker have to be you know, under your nose quite literally, to intercept the signals from your keyboard?

Re:urm

[tacet]

not really. the antenna is the best receiver, so hacker equipped with yagi antenna can intercept signals from reasonable distance. /excuse my english

Re:urm

[sqrt(2)]

My wireless logitech keyboard works from the next room over, although a bit unreliably. It's the basic, white, model with no fancy function keys or anything. I don't think they make it anymore.

So you might need to worry about it in say, an office or school environment.

Re:urm

[Glonoinha]

This.

Honestly if you are close enough to employ this technique (including operating the kind of hardware necessary to do this undeniably cool hack) then you are close enough to shoulder surf long enough to get the guy's password. Or wait for him to go to lunch, flip over his keyboard and read his password from the post-it note on the back-side of his keyboard. Or even just start typing, because most people don't even bother to lock their machine before walking away for lunch.

It is a cool, if mildly impractical hack - but given that my keyboard receiver is less than a meter from my keyboard and I STILL have occasional connection issues - I doubt it is going to be used against my workstation anytime soon.

Re:urm

I have an even simpler solution, just stand next to them and watch what they type

Re:urm

[Ephemeriis]

wouldn't the hacker have to be you know, under your nose quite literally, to intercept the signals from your keyboard?

TFA says they were able to snoop from up to 10 meters away with a "simple radio receiver". That's not too bad. 10 meters could easily put you in a different room, on a different floor, or outside. And that's just with a basic antenna... Put together something more directional and I'm sure you could get more distance. Definitely enough to snoop on someone from the office/apartment next to you.

Re:urm

[vtcodger]

***Honestly if you are close enough to employ this technique (including operating the kind of hardware necessary to do this undeniably cool hack) then you are close enough to shoulder surf long enough to get the guy's password.***

I'd imagine that the creepy dude in the next apartment gets a quite usable signal from your wireless keyboard. As does the hippie type upstairs and the guy across the hall with too many teeth, two expensive cars, and no visible means of support. Then there are the fake cable company employees out in the parking lot. Maybe they are using that 27 element yagi on top of the van for something other than tracking errant cable TV signals down.

I don't think it is something to be overly paranoid about unless you are in charge of security for a company with real secrets to protect, but here's a link http://cryptome.org/tempest-leak.htm.

Note that TEMPEST is mostly concerned with inadvertent radiation from equipment that is supposed to be hard wired. Wireless stuff deliberately puts out an RF signal, so its range is probably going to be a lot greater.

Re:urm

[CastrTroy]

10 metres away though what kind of material? 10 metres away through air wouldn't surprise me. However, in my apartment building, there's concrete floors/ceilings. How easily would the signal travel through that?

Re:urm

[IBBoard]

The place I work at does some security work and as part of one of their tests they too a directional aerial up the nearby hill. The hill is only about a mile away, but from the top of it then they could pick up wireless networks and some keyboards from the main site. AFAIK it wasn't anything overly fancy either, just a fairly standard directional aerial of the type that could be done to a lesser extent with a normal aerial and a Pringles tin.

Re:urm

[amorsen]

10 metres away though what kind of material? 10 metres away through air wouldn't surprise me. However, in my apartment building, there's concrete floors/ceilings. How easily would the signal travel through that?

It's 27MHz. It'll penetrate anything. The only reason why distance is severely limited by default is that the antennas are crap.

Re:urm

[Fordiman]

Not exactly. You could employ a homebrew dish antenna from a room or two away, much like using a remote directional mic. Hell, since radio works better through walls than sound, you don't even need to be visible to the victim.

Re:urm

[Fordiman]

Feh. A simple optical sniff? Where's the l33tness in that?

Now, an optical sniff from a distance - for example, mounting a chip ccd inside and feeding it to a gumstix, both within the victim's monitor and powered thereby, would be an impressive optical sniffing hack.

Re:urm

[Fordiman]

Easily enough that a dish-type antenna would still pick it up, I'll bet.

Re:urm

[Ephemeriis]

10 metres away though what kind of material? 10 metres away through air wouldn't surprise me. However, in my apartment building, there's concrete floors/ceilings. How easily would the signal travel through that?

The article doesn't say, but I would assume that it was air. Of course other materials are going to cut down signal strength... So maybe you only get 5 meters instead of 10 - depending on where your computer is physically located that can still put the snooper on the other side of a wall. And again, that's with a simple receiver, nothing fancy or directional or anything. Sure, if you're burried in a concrete bunker you're probably OK, but if you've got windows near your PC or if you're in a cube farm there's a very real possibility of people snooping on you and staying relatively hidden.

And if the whole process is as simple as they make it sound, I doubt if it will be long before we see wireless keylogger devices similar to those available for wired keyboards already. Only you wouldn't actually have to plug anything into the PC...just drop some little battery-powered device in a drawer or waste basket near the PC, and pick it up a few hours/days later.

Re:urm

[thestuckmud]

TFA mentioned the keyboards operate on 27MHz. That's a wavelength of over 11 meters. At about half a wavelength wide, a yagi will not be small.

Others suggested dish antennas. For 27Mhz, no way.

Re:urm

The only reason why distance is severely limited by default is that the antennas are crap.

It's hard to make a good desktop antenna when you wavelength is over 11 meters. Another poster here talked about using a dish. If a hacker is using a dish the size of a radio telescope outside my house, I'll probably notice.

Re:urm

At what distance, exactly, can you say that the signal is completely gone? Today it might be 50 feet, tommorrow it might be 500 feet, or 5000 feet. Its at least as much a function of the capability of the receiver as the strength of the original signal, or intermediate obstructions.

Its like the RFIDs in your passport. The government, based on the sales pitch from the vendor, are absolutely sure the chip cannot be read unless within a few centimeters. Lo-and-behold, turns out that was a wee bit optimistic.

To make any assumption, whatsoever, about the distances required to read the signal, at the expense of a secure, encrypted channel, is egregiously poor judgment by the vendor.

Its likewise improper to even attempt "guess" at what a safe distance is. There is no safe distance. Period.

Re:urm

[rycamor]

In our development dept., one guy used a wireless Logitech keyboard to set up his test FreeBSD box, then left the box on for the next couple days without checking (he did log out, though). Next time we looked at it, the screen was covered with login passwords, chat discussions, company memos, etc... We fairly freaked for a minute, then after a bit of quick reconnaissance, discovered that the company's sales director was also using the same keyboard in an office 3 rooms over. So somehow not only did these two keyboards happen to have the same encryption key, but the signal went through 3 walls and 30 ft of space to reach our console. We stopped using wireless anything after that.

Re:urm

[Drenaran]

Ok, assuming that the two keyboards did have the same encryption key (more below), and further assuming that this event happened to be seen by you personally (rather than, say, some girls in a dorm somewhere), the best you could hope for is having a friggin ton of text in your password field. To have logged into the system the other guy would have to have unknowingly and coincidentally typed in the other users password, followed by "enter", without having typed anything before hand to mess it up. Oh, and given the nature of graphical interfaces (those chat windows, etc.) and mouse interactions... (you can see where I'm going here). Good job of detailed framing to give your story credibility though, got modded up well enough.

(short rant on probability) Having two identical encryption keys is certainly possible, however extremely unlikely - but so is having two ethernet cards with the same address on the same network; something which happens on college campuses from time to time. The difference being though that the radius on the campus includes 10's of thousands, while a keyboard only has 30-40ft to play with.

Re:urm

[rycamor]

Read my post again. I never said the other person logged into the BSD box. I said that there was text all over the screen. This was not an XDM session waiting to receive a password, as in a standard Fedora install or some such. A bare console, with 'login:' prompt will show all kinds of text if you just start typing. Basically it looked something like this:

login: So I was telling him that blah blah blah blah....
Password:
Login incorrect
login: and if he ever wants to blah blah blah...
Password:
Login incorrect
login: mycutepasswordtowhatever
Password:
Login incorrect
login: TO ALL SALES LEADERS, remember....
Password:
Login incorrect

Etc... and much more of this, so we had to hit scroll lock and review several pages worth of screen. And of course the other user's graphical interface had nothing to do with this, since all we were getting was keystrokes directly from the keyboard.

And yes, I did see this with my own eyes, and I've been working with Linux and Unix systems for nigh on 10 years now. The other person in the story had been doing serious Unix systems stuff for close to 20 years, so yes, this is credible.

Re:urm

Don't post as an AC and give us your real physical address and see if you notice us other ACs outside. Sounds like a fun challenge.

Re:urm

[kaidadragonfly]

And yes, I did see this with my own eyes, and I've been working with Linux and Unix systems for nigh on 10 years now. The other person in the story had been doing serious Unix systems stuff for close to 20 years, so yes, this is credible. Or you could be, ya know, lying.

Under my desk

[courteaudotbiz]

Hey, I already got problems using my wireless keyboard 5 feet away from its receiver, so the guy trying to spy on me would have to be pretty close, no?

Re:Under my desk

[lhaeh]

That idea came up when this item was posted to Hack A Day The reason for the limited reception range is that receivers use pathetically small, internal antennas: Mine was about 1/32 wavelength. With a full wave antenna or directional antenna, you can easily pick them up from outside a building. After I added a lager (1/4 or 1/8 wave) antenna to my receiver, I could type with my keyboard outside the house.

Re:Under my desk

[Bearhouse]

FTFA: "succeeded in eavesdropping traffic from a distance of up to ten meters using a simple radio receiver. More sensitive receivers may make it possible to capture keystrokes over larger distances"

A decent arial can make a massive difference to reception - directional antennas, like those used by people trying to sniff your wifi, can extend the range 10x.

Radio reception can be highly influenced, and non-linear, due to local conditions. Try moving your receiver...

Re:Under my desk

[chuckymonkey]

Not if he's pretty good with a directional antenna. That's the magic of a parabola. For instance look at this, particularly the parts about Bluetooth. Hence why you never do anything important of any kind of wireless unless it has very good encryption.

Re:Under my desk

[chuckymonkey]

Easy there, just because someone reads slashdot does not mean that they have ever been interested understanding radio waves. It was a legitimate question and deserves a legitimate answer. That's called improving the discussion and educating along the way. For all you know this guy could be a master of accounting and if you asked a (to him) basic question about accounting and he responded like you did I don't think that you would be very appreciative. Yes, I see your low UID and I also don't care rude is rude.

Re:Under my desk

[dintech]

A low ID troll is still a troll. The guy (QuantumG) has posted four obnoxious items in this thread already today. What a moron.

Re:Under my desk

[kubrick]

What part of "please read the article before commenting" is optional?

'Please' usually implies a request.

such as reading the article before commenting and not commenting at all if they don't understand the subject matter

Must have been before my time.

Re:Under my desk

[EatHam]

After I added a lager (1/4 or 1/8 wave) antenna to my receiver, I could type with my keyboard outside the house.

After I added a lager to my receiver, I also could type from outside the house, but when I finally went back in, the receiver was belligerent, and insisted on driving the car though it was in no state to do so.

Re:Under my desk

[QuantumG]

Must have been before my time. Touché.

Re:Under my desk

I don't know about that. I mean, I think you have to take other aspects into consideration too, such as that the evil Kilokahn lives inside computer circuits. With the help of Malcolm Frink, he creates mega-virus monsters to attack electronic systems. Meanwhile, a freak accident turned Sam Collins into Servo. His friends join forces in their Samurai attack vehicles. Together, they transform into the Superhuman Samurai Syber-Squad!

Re:Under my desk

[HouseArrest420]

Really big aerials can hear really weak signals. I know 4 year olds who have grasped that I call bull shit on that, or at least the fact that 10 minutes after you tell them what's what that he'd remember anything about aerials, a frames, wip's, omni, line of sight, or any other type of antenna/directional capabilities of anything including your home phone.

The only reason I think this way is because my son (6yearsold) took me to his school for som job fair and I had to explain just what it was I did for a living. Talk about a dead house. They only perked up interest when I pulled out the walkie talkies to show em omni directional reception, and even then the just kept buzzing each other.....not sure if any of them will grow to be communications experts but in a field whose capabilities are being pushed farther and farther every day we study it....I don't think anyone could ever consider themselves an expert.

But you may call me master. j/k

Re:Under my desk

Thou speakest the truth!

Re:Under my desk

[Big+Jason]

You call that low?

Re:Under my desk

[Fordiman]

Didn't you know? They don't teach radio in grade school anymore. Too busy with these computer things.

Radio's not the hobby it used to be, man. Lay off the young'in.

Re:Under my desk

[nacturation]

Really big aerials can hear really weak signals. I know 4 year olds who have grasped that I call bull shit on that, or at least the fact that 10 minutes after you tell them what's what that he'd remember anything about aerials, a frames, wip's, omni, line of sight, or any other type of antenna/directional capabilities of anything including your home phone. He didn't mention anything about all that. You're basically explaining: "See that huge antenna? That works better than a small antenna. Bigger is better." And what kid won't understand that?

Re:Under my desk

[Zerbey]

Not really, I've picked up short range wireless devices from over 100ft away with my cheap RadioShack antenna and a basic scanner. Wireless signals go further than you think.

Re:Under my desk

[HouseArrest420]

A 4 year old. Most can't tell thier left from right, but they're to understand bigger antennas work better than small ones (and depending on the type of antenna this is falicious information)? I doubt it. Do you have kids?

Re:Under my desk

[Scootin159]

eh, you probably just bought yours.

Re:Under my desk

[Alsee]

eh, you probably just bought yours.

Wouldn't much matter. Someone who would actually go out and purchase for a low ID for nothing more than the sake of the number warrants comparable Geek Cred as someone who just happened to stumble across Slashdot early enough to snag a low ID. Both methods are Geek-significant in their own way, and both methods are absolutely meaningless in their own way. It's a wash.

-

Re:Under my desk

[courteaudotbiz]

Thanks a lot! No, I'm not a radio guy. I understand a little about radio waves, but not enough to know that I can catch the signal of my wireless keyboard at home from my workplace 15 miles away! ;-)

However, I can write a whole HTML website in notepad without ever using any reference guide, debug a 1500 server farm's DNS AD service in minutes, completely configure a Cisco router with a PAT and some static routes in less than 5 minutes, design a complex IP adressing scheme in my mind and completely implement it then document it by heart, navigate the Windows registry to anything I want to set in the blink of an eye...

But no, I don't know much about radio signals, and that's why I was asking the question! So thanks chuckymonkey, your comment is really welcome! :-)

Re:Under my desk

[epee1221]

I would expect the kid in question is basing this on the idea that bigger means more powerful.

Re:Under my desk

[XHIIHIIHX]

Wow, and to think I was just about to rip that ugly antenna off the roof finally.

Re:Under my desk

[HouseArrest420]

Sorry for the late response

would expect the kid in question is basing this on the idea that bigger means more powerful. Well there's your first problem. Expecting the kid in question (a 4 year old) to know or understand ANYTHING besides whats their favorite cartoon character is futile (for the lack of a friendlier term).

The last thing I would expect of them is to grasp the idea that bigger is better for anything longer than 2-5 min. Well...that might not be the LAST thing I'd expect of them, but you get the idea. Especially when most 4 year olds can't tell you the difference in the feelings they experience between having to piss or crap....or even accurately judge when either needs to be done, in an effective way.

Again I'm basing this observation off of an every day 4 year old, not a prodigy.

Gimme a break

[DNS-and-BIND]

OK, instead of broadcasting in the clear, the keyboard gets a little encryption algorithm to prevent anyone from listening in. Some blowhard then takes it upon himself to crack the gradeschool encryption, and trumpets it far and wide as a "security breach". Durrrr...

Anyone concerned about security doesn't use a wireless keyboard....Durrrr

Re:Gimme a break

[scrantaj]

Sadly the unwashed masses on the internet are not concerned about security because they don't understand it. These are the people who fall for phishing mails, don't keep their AV up to date or blindly click ok on every dialog box that pops up on their system ( a response re-inforced by Vista's insistance on user interaction to do anything ). Expecting these people to use a wired keyboard to improve their security is pointless. They use wireless keyboards because they are "cool" or so that they don't have to mess around with all those untidy cables.

Re:Gimme a break

[dsginter]

Anyone concerned about security doesn't use a wireless keyboard....Durrrr

That might seem like a trivial concept to you but I saw a wireless keyboard in use at a doctors office some years ago. When I mentioned to the staff that I didn't want them typing my personal details on that particular keyboard, they looked at me like I was wearing an actual tin foil hat.

Geeks need to realize that geeks aren't the only people who work in IT. Sensationalizing this sort of story hurts nobody and might actually spread awareness.

Re:Gimme a break

[jim.hansson]

Anyone concerned about security uses shielded cables

Re:Gimme a break

[aproposofwhat]

Bloody audiophile!

Re:Gimme a break

[Yvanhoe]

Here in France, 3 years ago, the geek magazine "pirate mag" made fun of French military (Yes we also do that here) because they proudly announced the opening of their new "cyber-warfare strategical center" (or some other shiny words) and the picture that was given to every newspaper were two officers holding wireless keyboards in front of a flat display. The keyboard model was of course a very common one with absolutely no encryption.

Re:Gimme a break

[arivanov]

You are telling the wrong story.

There is a well established connectivity layer for such devices which has reasonable encryption, key management and interference/frequency control. It is also widely interoperable. It is called Bluetooth.

So some blowhard that does not have any f*** clue whatsof***ever decides to go the cheapskate route and use Rot13-like wankoff instead of the well established system. As expected - the first kid coming about cracks it with ease.

And that is the actual story. Rinse, repeat. Microcrap, Logicrap, Whatever chinese radio crap, etc. All of them on 2.4GHz buggering up WiFi, Blueotooth and other well behaved stuff.

There are only two BT keyboard on the market in the UK at the moment. One is by Apple and you have drag your arse to an applestore as they refuse to ship it and the other one is by targus and is a supermicro keyboard. Situation with mice is not much different. Same story with IR which while not having encryption does not have a lot of eavesdropping problems either. There is nothing available. Only crap.

So frankly, I would very gladly buy the kid whoddunit a beer because this helps reduce the crap on the market and the market to switch to a proper connectivity layer.

Re:Gimme a break

[Bearhouse]

Right. Worse still, I was at the doctor's a while ago when I saw him furiously trying to close lots of Internet Explorer pop-ups.

The conversation went something like this:

Me: You don't have a pop-up blocker then?
Dr: No. What's that?
Me: How about security software, anti virus?
Dr: No. What's that?
Me: How many patient records are stored on that thing?

*sigh*

Re:Gimme a break

[v1]

That same doctor probably made a paper printout of the details at some point, and threw them away to be taken out by the trash man the next day, just after the dumpster diver recovered your medical history for his personal amusement. The risk of the keystroke theft occurring are a lot lower than the odds of a traditional dumpster dive which I imagine you hadn't even considered. It does no good to make noise about the cat in the room if you are ignoring the elephant.

Re:Gimme a break

[Richard+W.M.+Jones]

OK, instead of broadcasting in the clear, the keyboard gets a little encryption algorithm to prevent anyone from listening in. Some blowhard then takes it upon himself to crack the gradeschool encryption, and trumpets it far and wide as a "security breach". Durrrr...

I hope you never type any passwords or credit card numbers on your keyboard ...

Rich.

Re:Gimme a break

[kannibal_klown]

There are only two BT keyboard on the market in the UK at the moment. One is by Apple and you have drag your arse to an applestore as they refuse to ship it and the other one is by targus and is a supermicro keyboard. Situation with mice is not much different. Same story with IR which while not having encryption does not have a lot of eavesdropping problems either. There is nothing available. Only crap.

It's not that much better on this side of the pond. I don't know why there aren't more BlueTooth devices out. It makes no sense.

OK, I can understand the market for some non-Bluetooth wireless devices because I guess a Bluetooth dongle is more expensive than a generic radio receiver USB dongle. But that shouldn't completely replace BlueTooth. Yet the market is flooded with regular radio input devices to the point it's hard to find decent Bluetooth mice and keyboards.

The last non-Bluetooth mouse/keyboard combo I had was getting interference with something (or its signals crossed with another similar device). The mouse cursor would occasionally move and click on it's own even with new batteries. Granted this was in a densely populated office, but still it was quite annoying. I'm not having that problem with the Bluetooth devices though.

I'm using the Apple BlueTooth keyboard right now. The only problem I have is that it doesn't come with a number pad, but that's less of a big deal for me now. But I wish there were more choices.

Re:Gimme a break

[ozbird]

Nitpick: There's a significant difference between working in IT and working with IT.

Re:Gimme a break

[Mike89]

And that is the actual story. Rinse, repeat. Microcrap, Logicrap, Whatever chinese radio crap, etc. All of them on 2.4GHz buggering up WiFi, Blueotooth and other well behaved stuff.

No offense, but you're an idiot. Don't run your mouth off as though you know what you're talking about. (For the most part?) They don't operate on 2.4 ghz, most on the 900 mhz range from what I've seen.

Also, why SHOULD they use Bluetooth? It instantly adds to the build cost, which passes the cost on to me. I don't care if it's Bluetooth or 'chinese radio crap', as long as it works (And, FYI, my 'Logicrap' keyboard works just fine.)

Re:Gimme a break

[Dragonslicer]

I have a Bluetooth keyboard and mouse (the first ones Logitech released; I've paid the early-adopter price in bugginess, though the monetary price hasn't changed much in two years), and the biggest problem right now is that there's no Bluetooth support in the BIOS. I have to keep a regular corded USB keyboard in case I have to do anything in the BIOS or grub. I also run into the keyboard and mouse not being detected by the time the login screen comes up, but I think that's more of a (K)Ubuntu problem.

Re:Gimme a break

While you're buying that kid a beer maybe you could get him to explain search engines to you, if you genuinely believe that there are only 2 suitable products on the market... there are more but here are a few to start you off.

http://www.google.co.uk/products?q=MX5000&btnG=Search+Products&show=dd
http://www.google.co.uk/products?q=DiNovo+bluetooth&btnG=Search+Products&show=dd
http://www.google.co.uk/products?q=apple+bluetooth+keyboard&btnG=Search+Products&show=dd
http://www.google.co.uk/products?q=microsoft+optical+elite&btnG=Search+Products&show=dd

See, someone will even post that god awful apple thing to you, should you so wish.

Re:Gimme a break

haha, you fell for the antivirus scam.

You fail it.

Re:Gimme a break

[bay43270]

I'm pretty sure throwing out patient records without shredding them would be illegal under HIPAA. And although it doesn't specifically mention wirelesss keyboards, it does mandate policies to limit access to equipment containing medical records.

Re:Gimme a break

Anyone concerned about security doesn't use a wireless keyboard....Durrrr Well just about everyone with a PC that I know of either types in passwords and/or credit card numbers on their keyboards.

So exactly who are these manufacturers marketing and selling these "keystroke broadcasters" to? The six children that don't like Webkinz?

Re:Gimme a break

[CastrTroy]

How do you know the keyboard wasn't just a specialized designed super encryption wireless keyboard in a standard casing that happened to look the same as the one they sold to regular goes? The manufacturer could have easily taken an existing wireless keyboard, and added extra encryption in the same case.

Re:Gimme a break

[fallen1]

I am the head of IT for a large dental practice and we use wireless keyboards and mice in all of our operatories, at our front desk area, and in a couple of other areas -- because the owners wanted it that way, over my objections. They sign the paychecks so after I made sure they understood my objections, I gave them what they asked for.

It does make it easier to deploy our systems in our operatories because of the distances between the dental chairs and the computer bays. I would need 12 to 18' long cords on keyboards (and mice) and that would be a massive pile of shit to deal with in a hygiene or doctor's operatory due to how our system works. Not just our system, but the majority of dental practices (and I've seen a lot of medical practices setup the same or similar) are arranged the same way. The air space is so great between where the keyboards and mice need to sit and where the computers are located that it would not be practical to run cabled keyboards and mice. Plus, the chances of someone monitoring our wireless keyboards is so slim that I felt the risk was minor. I still do.

On the other hand, I believe the chances of someone trying to get into a wireless network are much greater and even with newer encryptions and firewalling/controlled access I would never allow such a network to be installed in this building. If they tried to push that agenda, I'd have my personal lawyer draw up a contract for the owners to sign absolving me of all responsibility for any break-ins that might happen and guaranteeing me a position with the company after any breach (or a VERY large golden parachute clause so I would have a lot of time to find a new position). That would probably get their attention and shut down the wireless network chatter but, as I said above, I still do not think there is enough of an issue with wireless keyboards to warrant more than a slight increase in watch status.

Of course, a couple of high profile theft of identity/information cases involving wireless keyboards will change my (and everyone else's) mind about that. Natch.

Re:Gimme a break

[commanderfoxtrot]

I recently bought a wireless mouse- a Microsoft notebook one. It's great.

I looked at bluetooth, but was under the impression that the response times (lag) just weren't as good as direct radio.

Is this false?

(There's also the problem of Bluetooth just being more complex and prone to going wrong..)

Re:Gimme a break

[headLITE]

Not sure why this is modded Troll. It's only a bit of flaming wrapped around the basic truth that people in general don't understand basic physics for a variety of good and valid reasons. For example, on this page I've seen many comments to the effect that the range of a wireless keyboard is only so short, failing to take into account that you could just use a bigger antenna (essentially). I wouldn't call the authors of these comments idiots, but if they represent the technologically oriented crowd like they should on a platform like slashdot, then what reason is there for not believing the general public to be ignorant of such matters?

Re:Gimme a break

[headLITE]

You didn't include his answer. Was it "none, I'm forbidden by law from storing them on this computer"?

Re:Gimme a break

[headLITE]

No offense, but you're an idiot. Don't run your mouth off as though you know what you're talking about. (For the most part?) They don't operate on 2.4 ghz, most on the 900 mhz range from what I've seen. And the "from what I've seen" is exactly the problem with your statement. Unlike in the USA, in Europe the 900 MHz band is used for GSM. You'd have a hard time selling 900 MHz gadgets here.

Re:Gimme a break

[Fordiman]

True enough, but it makes me wonder about how tight the encryption is on other brands of keyboard. I use a Logitech wireless myself, and I know a guy at work that uses one of those tiny Apple wireless boards. It also makes me wonder about those wireless security input panels they use to enter the building alarm shut-off codes where I work. If I can show a successful exploit, maybe I can push a little reform.

Re:Gimme a break

It also makes you suck at Tremulous, not good man, bluetooth FTL.

Re:Gimme a break

[arivanov]

US versions operate on 900.

EU versions operate nearly universally on 2.4. I wrote this pissed off coming back from a shop looking for guess what - a keyboard with decent crypto layer. 5 wireless wankoffs, all with an wankoff encryption and all tossing all over the 2.4 band. 1 MSFT, 1 Logitech, 3 Chinese nonames. All 2.4

Re:Gimme a break

[pD-brane]

Sensationalizing this sort of story hurts nobody and might actually spread awareness.

On Slashdot?

Re:Gimme a break

[swillden]

OK, instead of broadcasting in the clear, the keyboard gets a little encryption algorithm to prevent anyone from listening in. Some blowhard then takes it upon himself to crack the gradeschool encryption, and trumpets it far and wide as a "security breach".

Given how trivial it would be to implement good encryption, the "blowhard" is right. The makers of the keyboard have done their customers a real disservice by implementing something crappy, because most customers will assume that it's good, and because it would have taken such little additional effort to meet that obvious assumption. In fact, it might well have taken *less* effort to use existing, proven ciphers and protocols than to construct something homegrown and weak.

Anyone concerned about security doesn't use a wireless keyboard....Durrrr

Or uses a bluetooth wireless keyboard and chooses a long PIN. The only successful attack to date against bluetooth is a brute-force search of the PIN keyspace. That may change, but given that serious cryptographers were both involved in the design and have since reviewed it pretty thoroughly, it's not likely.

Re:Gimme a break

[justthinkit]

Not sure why this is modded Troll.

It appears that QuantumG's ex- got mod points today...

Re:Gimme a break

[eldepeche]

Apple wireless keyboards use bluetooth, which is considerably more secure than the keyboard described in TFA.

Re:Gimme a break

[swillden]

BTW, there is a way to use wireless keyboards and have good security. Use bluetooth devices that support long, configurable PINs, and choose PINs that are 12+ digits long, randomly-generated. I believe there are a few devices on the market that use 128-bit PINs, randomly generated on every reassociation, and automatically reassociate when the keyboard is placed on the charging stand. Those seem ideal -- highly secure and very easy to reassociate.

I don't have any specific brands or models to suggest, though, so some research would be required.

Re:Gimme a break

[a_nonamiss]

First off, your hostile response was an unnecessary reply to a thoughtful post. Clearly, the GP had thought out what he wanted to say, and while you may personally disagree with his philosophy, your personal insult to him doesn't contribute anything positive to this discussion.

Secondly, I work in a field which requires a lot of attention to security. While it may not be important to you, it IS the focus of this discussion and the article. Your post of "Well, security isn't important to me, so you're an idiot." is very shallow and shows a true lack of understanding as to why it's important. My customers are non-profit government agencies. They are required by law to have a high level of security, yet they do not have the budget to hire a high-end security specialist. Articles like these which point out said security flaws are invaluable. Many of my customers probably don't realize that these devices are insecure. (Note, I am NOT a security consultant. It's not my job to audit my thousands of customers to make sure they are up to code. I help out where I can, but I don't visit all of them every day.)

Finally, if you're going to make a belligerent post, make sure you know what you're talking about. There are MANY 2.4GHz wireless keyboard/mouse solutions that don't use Bluetooth. Most of these don't follow any rules and don't play nice with BT and WiFi. The GP post was dead-on in that respect, and I'm sure there are plenty of knowledgeable slashdot readers that could back that up. Yes, in the US there are 900MHz devices out there, but the GP wasn't talking about them, he was talking about the ones that are cheaply made and don't play nice with well-designed protocols. The airwaves are public domain, so when a cheaply made and poorly designed device starts blaring out interference, it's our right to be annoyed. Yes, the 2.4GHz spectrum is unregulated. (at least, in the US) Of course, I'm not required by law to be quiet during a movie, but I'm still an asshat if I don't.

Re:Gimme a break

[Schraegstrichpunkt]

The only successful attack to date against bluetooth is a brute-force search of the PIN keyspace.

No. According to Wikipedia, the best attack against the E0 cipher used by Bluetooth is one that requires "the first 24 bits of 2^{23.8} frames and 2^{38} computations to recover the key." That means 14,605,415 frames, or about 7.3 million key-down/key-up message pairs. To put that into perspective, the machine I've been typing on right now has had about 213,000 keypresses in the last 4 days, so in less than 4-6 months, my key would be compromised. I'm a programmer; An employee working in data entry would likely have pressed many more keys in the same time period.

There are other generic attacks that apply to Bluetooth keyboards, such as the timing attack on keyboard-interactive SSH authentication by Song, Wagner, and Tian. One particularly good way to thwart this attack is to send either real or dummy frames at a constant rate. Unfortunately, this would either destroy interactivity for things like games, or (more likely) increase the average number of frames sent per minute, which would decrease battery life and make it easier for an attacker to get the 2^{23.8} frames he needs for the first attack.

Re:Gimme a break

[Bearhouse]

Sadly, it was "all of them, plus my accounting records".

Time to whip out the trusty boot CD (yes, I do carry it with me everywhere - sad, I know), with security tools on it...I stopped counting after 150 infected files.

This is major problem highlighted by another poster - plenty of otherwise really smart people, (doctors, lawyers) are being forced into installing complex systems that they just don't understand properly...

Re:Gimme a break

[iamhassi]

"Anyone concerned about security doesn't use a wireless keyboard....Durrrr"

Except it's getting to the point that you can't even buy a wired keyboard. Check out circuit city, of the 57 keyboards they offer, 25 are wireless or bluetooth, and most of the wired keyboards are the cheap crappy kind. It also doesn't help when some of them act like "up to 100 ft. range with no line-of-sight limitations" is a good thing, as if anyone needs to type something while the screen's in another room.

They should come with warnings on the label like cigarettes, or stores should put up warnings in front of the wireless keyboards.

I suppose I'm lucky I still have a few of the old Lite-On IR compact keyboards with built-in thumb mouse for HTPCs. Works great from across the room and the keyboard doesn't need to be pointed directly at the receiver for it to work, but at least being IR it still requires line-of-sight. They stopped making them a few years back when RF took off and now they're extremely rare. I bought 20 of them in '03 for less than $20 each and sold most of them in '05 for $60+ each.

I'm actually in the market for a new keyboard so I'm glad this was brought up, I'll definitely focus on wired keyboards.

Re:Gimme a break

[elrous0]

I would also add that the two guys in the picture could have easily been aliens, disguised as humans for the purposes of luring in unsuspecting women to become breeders on their human ranches.

Re:Gimme a break

[DanielJosphXhan]

Because... they're French?

Re:Gimme a break

[Hatta]

If they tried to push that agenda, I'd have my personal lawyer draw up a contract for the owners to sign absolving me of all responsibility for any break-ins that might happen and guaranteeing me a position with the company after any breach (or a VERY large golden parachute clause so I would have a lot of time to find a new position).

Or they'd just find someone else to install the wireless network.

Re:Gimme a break

[NMerriam]

To put that into perspective, the machine I've been typing on right now has had about 213,000 keypresses in the last 4 days, so in less than 4-6 months, my key would be compromised.

I believe (and may be mistaken) that one of the security features of bluetooth is that it periodically creates a new keypair between attached devices, precisely to avoid this kind of long-term monitoring.

Re:Gimme a break

[afroborg]

I have heard tell that some bluetooth keyboards randomly reset the PIN each time you place them on the charger. Unless you type a heck of a lot on one battery charge I would think that would pretty much invalidate all of the currently known hacks wouldn't it?

Re:Gimme a break

[pclminion]

I am the head of IT for a large dental practice and we use wireless keyboards and mice in all of our operatories, at our front desk area, and in a couple of other areas -- because the owners wanted it that way, over my objections. They sign the paychecks so after I made sure they understood my objections, I gave them what they asked for.

That was an incredibly stupid thing to post. You are just doing what your bosses told you, but that does not help the fact that you have just admitted to being a direct accessory, and in fact a facilitator, to SERIOUS HIPAA violations. Your workplace should be shut down immediately. I hope you don't end up being held criminally responsible.

Re:Gimme a break

[Plunky]

Yes in general its false. Even with my very old 1.0b spec device I never had any trouble with mouse and keyboard running at once, but I do find that if the piconet gets congested (eg I'm also on dialup through the phone) then sometimes the mouse connection is degraded somehow and the pointer gets a bit jerky.

Re:Gimme a break

[Plunky]

Thats not automatic, you (the software managing the link) would have to request that the controller generate a new key but it is possible to do. I guess it depends on which bluetooth stack you are running if that happens automatically or not.

Re:Gimme a break

[fallen1]

but that does not help the fact that you have just admitted to being a direct accessory, and in fact a facilitator, to SERIOUS HIPAA violations. Your workplace should be shut down immediately. I hope you don't end up being held criminally responsible.

LOL! That's a nice post you have there. Trolls 'r us, I presume? I have done the research already, thanks for your concern though. I have committed _NO_ HIPAA violations whatsoever due to the fact wireless keyboards are protected by encryption that I reasonably believed (and still believe) prevents all but the most serious of offenders from obtaining information regarding our patients. The problem is (and this applies to ALL businesses) is that if someone is serious enough about wanting information from this business/practice, or any other medical/dental/healthcare practice, then they are probably going to get it one way or another. HIPAA requires me to make a "best effort" to secure our data against unauthorized access based on certain standards and I have done - and continue - to do so. Wireless keyboards are encrypted, we have no wireless network to access, server room door is locked and secure, paper files are secured, etc, etc, so on, and so forth. My objections to wireless mice and keyboards I mentioned above was based on the extremely miniscule and remote chance someone might break the signal. As in, I was being _paranoid_ about setting up the new network. Again, after I talked with the owners and discussed the relevant issues of wireless keyboards and mice (HIPAA included) they decided it would violate no rules either and that I was being paranoid. Maybe I should have gone into deeper information in my post above but I didn't think it was necessary. Sheesh.

I see that there is plenty fear-mongering that is going on in the United States and the rest of the supposedly "free" world these days and you've just added more to it. I am by no means dumb enough to let my boss override my objections if it was going to violate the law in any way. Not to mention that if any person I work for asks me to break the law knowingly, I will be out of there before the conversation is finished and my lawyer will have my sworn statement as to why I left so my ass is covered. Please go troll in someone else's yard, umm-kay?

Re:Gimme a break

[fallen1]

Thanks for the information, I will do some research into the subject.

Plus, as I replied to the troll further down this conversation thread, I believe that current wireless keyboards still offer enough protection to prevent all but the most single-minded and serious intruders from accessing the data. HIPAA requires a "best effort" and we have to meet certain standards and I have done this - and will continue to do so. As a matter of fact, I'll be passing this information along to the owners so that they can re-evaluate the situation - and I strongly suggest others in my situation do so as well. Even though I believe current wireless keyboards live up to HIPAA standards doesn't mean I should not cover my ass by simply doing my job and letting the owners know of current issues, right?

Sorry for the mini-rant and thanks again for the information!

Re:Gimme a break

[Have+Brain+Will+Rent]

The problem is not the user it's the device/manufacturer. I know this is /. but could the user bashing stop just for a bit? This is the same attitude that blames naive users for not liking Linux... after all everything is documented somewhere and they should know all that command line stuff anyhow right? Wireless keyboards are more than just a convenience, but even if that's all they were that is justification enough. Don't criticise the users, just make the damn keyboards work safely. Sheesh.

Re:Gimme a break

[Hellkitten]

Any cordless (bluetooth or other) keyboard will introduce lag as the keypress will have to be encoded (using bluetooth or another protocol) sent, received and decoded. Now the quality of the encoding and decoding bits might vary, so you can probably get both good and bad bluetooth keyboard/receiver sets. Just as you can get good and bad non-bluetooth. Now a custom radio protocol could probably reduce the overhead bluetooth will have simply because it has to support a lot of different types of devices, but bluetooth is a standard so bluetooth chips and implementations will probably have a bigger market and bigger competition than non-standard keyboard radio chips. So I would expect the bluetooth to bits (now already or eventually) be better and/or cheaper than the alternatives.

Re:Gimme a break

Not sure why this is modded Troll. It's only a bit of flaming wrapped around the basic truth
That part is why. It's marked as trolling because it is, even if it does say something true.

Re:Gimme a break

[dioxide]

so will a huge fine from the people behind HIPAA.
actually, im not sure that dental falls under the HIPAA rules, but most any place that holds medical records should.

Re:Gimme a break

[cyber-vandal]

Hostile reponses, accusations of being an idiot, belligerence - yep it's another normal day on slashdot.

Re:Gimme a break

[swillden]

No. According to Wikipedia, the best attack against the E0 cipher used by Bluetooth is one that requires "the first 24 bits of 2^{23.8} frames and 2^{38} computations to recover the key."

Interesting. I had missed that one. That's clearly an issue if the attacker can eavesdrop for a long period of time.

Unfortunately, this would either destroy interactivity for things like games, or (more likely) increase the average number of frames sent per minute, which would decrease battery life and make it easier for an attacker to get the 2^{23.8} frames he needs for the first attack.

Unless the dummy frames contained random data. Assuming the receiver knew to ignore frames that decrypted to an invalid structure (which further assumes there is sufficient structure to check), this would actually be a fairly effective way to defeat the statistical attack as well, since the attacker wouldn't know which frames are real and which are dummy. A moot point, of course, since devices don't actually do this, but interesting.

Re:Gimme a break

[Dr.+Evil]

I've started using Hurricane Katrina's advisories as an example of how to explain this to management:

http://en.wikipedia.org/wiki/National_Weather_Service_bulletin_for_New_Orleans_region

E.g.

...DEVASTATING LAWSUITS EXPECTED...

..UNPROTECTED WIRELESS NETWORKS... A MOST DUMB IDEA WITH UNPRECEDENTED EXPOSURE OF SENSITIVE DATA... RIVALING THE STUPIDITY OF MARTHA STEWART WITH NO POTENTIAL FOR PROFIT

MOST OF THE BUILDINGS IN THE AREA WILL HAVE OPEN ACCESS TO ALL PATIENT DATA. ONCE EXPOSED, PATIENT DATA MAY BE RECORDED AND HAVE LONG TERM LAWSUIT POTENTIAL. THIS MAY GO BEYOND NEGLIGENCE AND MAY INVOKE GROSS NEGLIGENCE LEADING TO NOT MERELY CORPORATE, BUT PERSONAL LIABILITY.

YOU WILL HAVE TO SELL YOUR PORSCHE TO PAY YOUR LAWYERS. YOUR DAUGHTER WILL NOT HAVE BRACES. YOU WILL EITHER BE LIVING FROM A CARDBOARD BOX OR YOU WILL GO TO JAIL.

You get the idea...

La la, now I'm going to write up lots of stuff to get past the lameless filter. Lameness filters, while they might be lame, get us past the ascii goatse trolls. Alhtough I woudl think that the ecode tag could let us get past the whole uppercase lameness thing. Now I'm going to repeat this a few times. La la, now I'm going to write up lots of stuff to get past the lameless filter. Lameness filters, while they might be lame, get us past the ascii goatse trolls. Alhtough I woudl think that the ecode tag could let us get past the whole uppercase lameness thing. Now I'm going to repeat this a few times. La la, now I'm going to write up lots of stuff to get past the lameless filter. Lameness filters, while they might be lame, get us past the ascii goatse trolls. Alhtough I woudl think that the ecode tag could let us get past the whole uppercase lameness thing. Now I'm going to repeat this a few times.

Re:Gimme a break

[Fordiman]

Danke for that. You've saved me the trouble of pre-googling an exploit before implementation.

Re:Gimme a break

[Drenaran]

Not just the uniformed are vulnerable - if it wasn't for my love of my Logitech G15 I would have bought a wireless keyboard long ago for my main PC (not to mention that I've never thought twice about typing my passwords into the computers I've used at various work places over a wireless keyboard, thinking I was in the clear because as Admin I knew the system was secure). I keep my email/chats secured inside of a triple encrypted partion requiring a random char password in the 15-20 char range. My master password list is similarly encrypted with the added bonus that it is kept on a flash with BartPE to boot from and further requires a keyfile+password to gain access. And then stored in a safe. Then there are the multiple layers of protection/filtering both hardware and software on my internet connection, sandboxed to hell browser restriction (fancy things like java/flash/etc. only enabled on an as needed basis), and various other approaches. God forbid I ever use a wireless network for anything more than wiki'ing some pop culture reference that has missed me by a few yards.

Yet, not once, NOT ONCE, has wireless keyboard security even crossed my mind.

Comment removed

[account_deleted]

Comment removed based on user account deletion

Just Mess with the Listener!

That's why I use ^H in my passwords ;)

Re:Just Mess with the Listener!

[Glonoinha]

He uses a sound card as part of the decryption mechanism - use a ^G instead (so he can hear it go 'ding').

Re:Just Mess with the Listener!

[CastrTroy]

We built a simulator of a vital signs monitor in Rational Rose RealTime in university as a class assignment. Somebody got the idea of sending ^G (I think \a in C) to the console every time the heart beat to add realism to the simulator. We had lots of fun with that project.

Shocked

[MrNemesis]

After reading the analysis of the "encryption", I'm utterly flabbergasted that they've been able to get away with it for so long - this sounds like something that hasn't been cracked purely by laziness, because with only 256 possible combinations you could practically decode it in real time in your head.

Any news on other manufacturers? I'm particularly concerned about Cherry (the only wireless keyboard I own, soon to be replaced with a bluetooth Logitech) for my HTPC.

P.S. for the nay-sayers - yes, I too have endless problems with the range of wireless keyboards but I dare say a proper antennae (as opposed to the tiny ones used in the standard receiver) you could probably get a clear signal from up to 10-15m away (25MHz = ~11.5m wavelength, no? ~5m aerial is easy enough to conceal). That's easily enough to snoop someone's keypresses from outside, even off-property.

As an aside, I'm aware that Bluetooth is an open standard, hence probably peer reviewed, hence probably having an association/encryption method that wasn't dreamt up by a crackhead. Can anyone here speak on its relative resilience in its current form, notwithstanding all of the vulns there've been in shoddy stack implementation?

Re:Shocked

it also has in its favor high speed frequency hopping.

Re:Shocked

[teh+kurisu]

The summary ended sort of ominously, didn't it? "Bluetooth, it seems, is safe for the moment."

I feel relatively safe with my bluetooth Logitech keyboard (which I wouldn't give up for the world), but my worry is that the bluetooth implementation is not necessarily up to scratch. My particular keyboard is designed to be used with the USB dongle that came in the box, and Logitech don't officially support the keyboard's use with other bluetooth devices, which makes me wonder why (although it will work with my Apple laptop's built-in bluetooth receiver for basic functions).

Re:Shocked

[fmobus]

I might (and wantto) be wrong, but all "non-interactive" bluetooth devices I've seen use the same factory-set password, namely "0000". Can anyone explain me why this isn't exploitable?

Re:Shocked

[goofy183]

That is just the pairing code. So if you switched your device into pairing mode anyone could pair with it. The encryption is based on a different, randomly generated, key: http://en.wikipedia.org/wiki/Bluetooth#Security

Re:Shocked

Bluetooth uses frequency hopping. Even if the communication is not encrypted at all, it is nowadays technically extremely difficult (I'd rather say impossible) to follow such hopping in order to sniff the communication among bluetooth devices.

Re:Shocked

[Jeff+DeMaagd]

I think the class II bluetooth receivers are good for 30 meters. I had a mouse + class II receiver and I was able to still scroll the computer from 20 meters away, through three walls and it still worked fine.

Re:Shocked

[Dragonslicer]

My particular keyboard is designed to be used with the USB dongle that came in the box, and Logitech don't officially support the keyboard's use with other bluetooth devices, which makes me wonder why (although it will work with my Apple laptop's built-in bluetooth receiver for basic functions). I got sick of all of the problems I had with Logitech's software on Windows, and the Bluetooth adapter that came with the keyboard/mouse wasn't supported by Windows natively at the time, so I bought a store-brand adapter at CompUSA for $30 and never had a problem after that. The only problems I've had lately are, I think, more on the Kubuntu side of the connection.

Re:Shocked

[richard.cs]

this sounds like something that hasn't been cracked purely by laziness, because with only 256 possible combinations you could practically decode it in real time in your head.

I was thinking pretty much the same thing. In the article it says "256 key combination can be brute forced even with very slow computers today." when "any idiot with half an hour and a pencil" would perhaps be more appropriate.

Re:Shocked

[CastrTroy]

Blue tooth seems kind of finicky as for which devices work with which receivers. I know there's a few receivers that don't work with with the WiiMote. I think it has something to do with some companies (either the device or receiver manufacturers) not making everything according to the specs, or there may just be ambiguity in the specs. Most BlueTooth devices should work with most receivers, but I could understand why Logitech would write in the manual that their keyboard may not work with all receivers. With the millions of different receivers on the market, it's impossible to test on all of them, and even if they follow the standard exactly, there's always going to be some receiver that doesn't work.

Re:Shocked

[gabebear]

According to Wikipedia, the best current attack against 128bit keyed BlueTooth takes the first 24bits of 2^23.8 packets. Packets are 2745 bits long so the attacker would have to monitor over 4.66GB of data transfer from your keyboard.

Re:Shocked

[cnettel]

But, obviously, you should have two packets (down and up) for every keypress. If that means padding, then so be it. 8 million keypresses is quite reassuring anyway.

Re:Shocked

I use a wireless mouse / pointer mouse and an onscreen keyboard for my HTPC as there is there is little typing required.

Re:Shocked

[swillden]

That is just the pairing code. So if you switched your device into pairing mode anyone could pair with it. The encryption is based on a different, randomly generated, key: http://en.wikipedia.org/wiki/Bluetooth#Security

True, but an attacker who knows the pairing code (PIN), and can eavesdrop on the pairing conversation can recover the key. An attacker who doesn't know the PIN and can eavesdrop on the pairing conversation can perform a brute force search to recover both PIN and key. Devices that care about security don't use default or fixed PINs and allow you to set a PIN that is long enough to make brute force infeasible.

Re:Shocked

[Plunky]

True, but an attacker who knows the pairing code (PIN), and can eavesdrop on the pairing conversation can recover the key. An attacker who doesn't know the PIN and can eavesdrop on the pairing conversation can perform a brute force search to recover both PIN and key. Devices that care about security don't use default or fixed PINs and allow you to set a PIN that is long enough to make brute force infeasible.

I would be interested to know if, for example, you pair with a device with a fixed PIN, then regenerate the key a few times does that disassociate the PIN from the key far enough that knowing the PIN (even if it were basic 0000) would no longer be of any use?

Re:Shocked

Bluetooth has been beyond its last legs for years now; here's a 2005 attack that forces devices to pair then uses the captured pairing packets in an *offline* attack on the PIN. I'd be very wary of trusting confidential data to even bluetooth keyboards. Maybe for an HTPC or something it's ok...

http://www.schneier.com/blog/archives/2005/06/attack_on_the_b_1.html

Re:Shocked

They don't support the keyboard with other bluetooth adapters because bluetooth has absolutely zero support in Windows. And the quality of drivers with various dongles varies too much, since they are all either buying them from a 3rd party or writing them from scratch.

Why?

[BlueParrot]

Why did they even bother encrypting it? I mean seriously, with a cipher this weak what's the point of even implementing it? It is actually harder to pick up the signal than it is to break the cipher...

Re:Why?

[will_die]

Primary purpose of the encryption is to make sure that you are getting the input from another device. Not sure I would even call it encryption more like channel selection.

Re:Why?

[randomaxe]

It's a matter of increasing the effort required to listen in.

Think about where you live for a moment. If you don't have a security system on your house or apartment, anyone can break into your home, take whatever they want, and be gone before anyone notices. So, if you don't have a security system, why even bother closing your windows or locking your doors?

Because doing so increases the effort that it requires for one to gain entry. If you don't lock the door, anyone can just wander by, try the knob, and be in your house. If you lock the door, anyone can wander by and try the knob, but most of them will keep moving when they find it locked. The ones who will get in and steal your stuff are the ones who really want to get in, and who are willing to make the effort to kick open a door or break a window.

Similarly, encrypting the communications, even with a poor cipher, is better than nothing at all. The only people who can listen in on what you're doing are the ones who really want to. If it were totally unsecured, it would take far less effort to pick up what your keyboard is sending. Neighbor who just happens to own a computer with a compatible dongle, perhaps? You may not be the type of person who would try to decrypt a stranger's communications, but if they just started showing up on your screen, wouldn't you be tempted to read, even just a little?

This weak cipher may not be enough to keep out anyone who really wants to see what you're doing, but it's certainly enough to prevent accidental intrusions.

Re:Why?

[BlueParrot]

Similarly, encrypting the communications, even with a poor cipher, is better than nothing at all.

"Poor" cipher really doesn't cover this one. WEP is a poor cipher because it can be broken with readily available hardware and known algorithms. However, this "cipher" is so weak that I could crack it using pen and paper, doing the arithmetic in my head, in real time ... Compressing the data stream with gzip would offer stronger protection. It is the computer equivalent of painting your doorknob the same colour as the door and hope nobody will see it. If this qualifies as encryption then I encrypted my CDs yesterday when I ripped them to FLAC. I mean do you seriously believe that somebody would go through the trouble of setting up a radio reciever, look at the data through a soundcard, and then be deterred by an 8bit substitution? If you tape down the lid of the shoebox that contains your money, can you call that a lock? If I park my car facing towards the house so a car thief has to know how to reverse in order to steal it ? Yes, this "encryption" is THAT pathetic. My handwriting is harder to decode (maybe I should patent it ).

Re:Why?

[BlueParrot]

So you're saying Microsoft didn't consider the possibility that somebody would use 255 of their keyboards in one office? Or that they thought keyboards interfering in 1 out of 65025 cases was acceptable standards ? Well I guess if there was ONE company that would do that ...

Re:Why?

[will_die]

Couple that with the short range theses things have and unless the people are crowded in like an Atlantic slave ship you are not going to have a problem. Provided you have not gone and increased the antenna.
Besides how many business are using theses for widespread use? We have a couple around the offices I have worked in but they are mainly in conference room and places like that.

I'll never trust those things

[WibbleOnMars]

Wireless keyboards? Pah, I'll never trust 'em.

A few years ago, the company I was working at decided to upgrade a few favoured individuals with a wireless keyboard/mouse combo. There was no good reason for them to have it, other than looking cool, but they got it anyway.

The first one was installed, and was a great success. The user loved being able to move their keyboard and mouse without, uh, being limited by a cable. They didn't actually move it, but they liked the fact that they could. Or maybe it was the fact that their desk didn't have any wires cluttering it up. Whatever it was, they loved it.

So the second one was installed, on a desk maybe ten metres away from the first.

It was a disaster. The two sets of devices conflicted with each other. Basically, the first one to switch on in the morning got control of both computers. When the second one was turned on, it found the devices on the other desk instead of its own ones, and then anything the first user did was echoed on the second machine as well.

It didn't take the engineering team long to fix the problem -- the two sets of devices were set to the same ID -- but it did nothing to inspire confidence. What that incident tells me is that if I want to hack these devices, all I need is a computer with a compatible receiver with the same ID, and hide it somewhere in range of their desk.

Things may have improved since then, but frankly I don't see the need for these devices to be wireless (especially on a desktop computer); no matter how good they make them, they'll still be an open security hole because the signals will always be available outside of your control.

This applies to any wireless device. But some wireless devices are more useful than others. For example, a mobile phone is a good use of wireless technology because it provides significant usability improvement over a wired phone. But for me a device like a wireless keyboard really doesn't provide enough of an improvement over a wired one to justify the security implications from using it.

Re:I'll never trust those things

[XavidX]

Its true.

The only use for a wireless keyboard is for example using your media center from your sofa. Or in home environment where you want your desk to look "pretty". So in this case the keyboard hacker has to worry about breaking down my front door first.

Wireless keybords at work? I dunno.

There was no good reason for them to have it, other than looking cool, but they got it anyway.
as said above -- maybe to be cool. What are we in high school

Re:I'll never trust those things

This applies to any wireless device.

Eh? Let's see you crack a WPA network with a decent password. Really, just because certain encryption algorithms are entirely stupid, doesn't mean the concept is flawed. I don't give a damn about anyone who might read my encrypted bits. Barring major advancements in quantum computing, the current well-established algorithms are secure, period.

Re:I'll never trust those things

[asc99c]

Try being left handed (or working with others who are)! I've got wireless keyboard / mouse because almost everyone who ever sits at my desk to help with something for a couple of minutes can just move the mouse over to the right instead of complaining at me :)

There's half a dozen wireless keyboards operating OK in my current office room, which is probably about ten metres long. They're mostly things people have brought in from home as we also just get standard wired stuff by default. Maybe this helps as none are the exact same model, although most are Logitech.

Perhaps the ideal compromise would be wired keyboard and wireless mouse. But I think there's easier ways to hack into a computer than trying to receive the signals from a wireless keyboard.

Re:I'll never trust those things

[Pascoea]

I was waiting for someone to make the comment about a tinfoil hat, you guys took too long so I have to do it myself.
a wireless keyboard really doesn't provide enough of an improvement over a wired one to justify the security implications from using it.

Come on! There aren't people beating down your doors to find out your password for slashdot! And there are far easier ways to get your financial information. Take the old adage about outrunning a bear, you don't have to run faster then the bear, you just have to run faster then 1 other person. If you go out of your way to make sure your financial information is well protected, shredding your mail, paying attention to where your credit card is used online, chances are you are not going to get your information stolen. Its the dumb person next door that is going to loose his.

If you work in a business environment where you share private information, I think the 10-foot range you get with a STANDARD wireless mouse and keyboard is the least of your problems. What is more likely? That you have a rouge agent in your office that is going to get their keyboard hacked? Or that the dolt sitting behind that computer is going to download that latest and greatest toolbar for IE?

Call me an optimist, but everybody is not out to get you.

While I agree with you, there are a lot of instances where a wireless keyboard/mouse is overkill. It gets annoying having someone call me in to their office first thing in the morning because they can't log into their computer, only to find they haven't replaced their batteries in 6 months.

I do believe there are many instances where they are useful. Just remember, that even though your employees aren't always the smartest people in the world, they are still more productive whey they are happy. If all I have to "risk" is using a wireless keyboard to accomplish that, then I have had a good day. my 2c -Adam

Re:I'll never trust those things

[CastrTroy]

That's why I use a trackball. You don't have to worry about cables so much when you don't move the pointing device around so much.

Re:I'll never trust those things

[gabebear]

Let's see you crack a WPA network with a decent password

How many people use good passwords? Wireless for Wireless's sake is stupid.

Re:I'll never trust those things

[Prof.Phreak]

When the second one was turned on, it found the devices on the other desk instead of its own ones

But imagine all the fun you can have by... say swapping a buncha keyboards/mice after hours. If they're all the same make/model, it's great. Walk by 10 cubicles, pickup their mice, shuffle'em, replace them where they were before.

This is even better than setting their wallpaper to be a screenshot of their screen!

Re:I'll never trust those things

[Culture20]

The problem is that the people most likely to get a wireless keyboard in an office setting are the people with enough clout to tell IT to "install it or pack up your things". They are also the people that industrial espionage types want to snoop (VPs, Pres, CIO, CFO, etc).

Re:I'll never trust those things

[zippthorne]

Obviously, you're not the type to get fussy about cables strewn all over your desk. Also, you probably don't switch mouse side frequently for variety, or you would see that the idea of a wireless keyboard is a good one: You can type on top of the desk, on your lap, under the desk, switch mouse side frequently, and move the keyboard out of the way for when you need the desk for something to do with actual paper.

You can do all of those things with a wired keyboard, but you've got to deal with twisting up the cable or your mouse will be useless. And depending on how you run the cable, you can't do all of those things at the same time. If you're fussy about the cable, you won't do those things very often at all, since anywhere but the default position tends to look messy.

So how's that repetitive stress injury workin' out for you?

Re:I'll never trust those things

[ndixon]

I've never used a wireless keyboard (never seen the point) but I was once given a wireless mouse at work (I think I was supposed to be grateful): it didn't offer any noticable improvement, but the batteries ran out every six weeks, and I'd have to resort to using MouseKeys until I could find a corded mouse or new batteries.

When I did desktop support about 10 years ago, we had a user desperate to have a "cordless" mouse, because a cord made the mouse harder to move around; after one week with a wireless mouse, she was complaining it was too heavy (batteries again), and wanted her old one back.

Wireless keyboards have encryption?

[WegianWarrior]

You learn something every day I guess... since my otherwise decent wireless keyboard lose reception from one end of my coach to the other - ie I have to sit on the left side of the coach to use it - I figured that putting in even rudimentarty encryption would be kinda pointless from a security point of view (short range - evesdropper would have to sit in my livingroom). And judging by the article, encryption is empoyed more to associate a keyboard with a reciver thanas a measure of security.

In a high security enviroment I could see the need. Even if the intuitive guess would be that a wired keyboard might be safer, this is not necesarry the case; the unshileded wire used on most keyboards acts an an antenna (see TEMPEST on Wikipedia). I've seen demonstrations where the keystrokes have been picked up by sensitive antennas 50m away thru a normal wall. A highly encrypted wireless keyboard might be safer; I'm not sure if such a product even exists today. A simpler option might be to place the computer and keyboard in a faraday cage...

Re:Wireless keyboards have encryption?

Patenting Faraday Cubicle now bbl.

Re:Wireless keyboards have encryption?

[HouseArrest420]

Even if the intuitive guess would be that a wired keyboard might be safer, this is not necesarry the case; the unshileded wire used on most keyboards acts an an antenna QFT

You're the first response I've read here that has been anti wired (or at least nuetral to both) and for a legit reason!! The rest of these fanboys are shouting about wireless sucks beause its unencrypted, forgetting this small detail which would allow you to "hack" into a wired keyboard at a larger distance.....given of course you have a decent line of site lol.

For ANY security measure, or lack there of, there is ALWAYS a way in. The only issue in gaining access is where you look and how hard you've looked.

Re:Wireless keyboards have encryption?

Unless you live on a bus, I think you mean *couch*.

It's interesting that you question the security of a wired connection, I would imagine that a bluetooth keyboard would give some protection against a hardware keylogger being installed on system since the decryption would be done in software.

No encryption mybe?

[Maavin]

Could be that the "encryption" is just a way to handle multiple keyboards in one reception range...

Re:No encryption mybe?

[Lisandro]

You! You with your "common sense"! We don't like your kind here!

Re:No encryption mybe?

[BlueParrot]

Could be that the "encryption" is just a way to handle multiple keyboards in one reception range...

So what happens when somebody has 257 of these keyboards in one office ?

Re:No encryption mybe?

[Lisandro]

So what happens when somebody has 257 of these keyboards in one office ?

256 keyboard within range of one receiver? I'd say lack of air from the crowd.

Re:No encryption mybe?

[Maavin]

I know this is meant to be funny, but I doubt you could get 257 keyboards in reception range of one receiver, even if you stack as dense as you could... The interesting question here is: "Which key can I use for my connection?" when multiple keyboards are in range. Is there some kind of handshake protocol, or just "lucky guesses"?

Encryption is weak, signal is weak

[fozzmeister]

In my case, it can travel about 50cm before it becomes patchy and untypable. So I'm not particularly concerned about this :-)

Re:Encryption is weak, signal is weak

[ultrafunkula]

This is because the receiver that comes with most wireless keyboards is rubbish. That doesn't mean that somebody with a decent receiver couldn't be listening to your keyboard traffic from further than 50cm. Maybe you should be a bit concerned....

MOD PARENT UP

This is probably the only person here with some friggin' brains. Mods take note.

That's all?

All that's needed is a simple radio receiver, sound card, and a brute-force attack on the 8-bit encryption used

I would think it would also be handy to have a motherboard, processor, hard drive, some sata cables, power supply, fans, maybe a case, a keyboard, mouse, monitor, an operating system, etc.

On the other hand, E.T. could have done it with a Speak 'N Spell, a saw blade, and an unbrella.

Re:That's all?

[mwilliamson]

directional antenna --> high gain preamp --> receiver -(I.F. via soundcard...it's probably narrow enough)-> laptop --> linux --> gnuradio --> .wav file --> profit???

Re:That's all?

[the_humeister]

E.T.? His name is Clebore...

Antenna Crack?

[smittyoneeach]

Listen, Jack:
Smooth your face
Bounce signal back
Lower power
Avoids attack
Burma Shave

It is exploitable

[DingerX]

For example, Carwhisperer lets you capture and transmit audio to any Handsfree or BT headset using 0000 or 1234 as the password.

BT Keyboards often have a pairing mode (okay, some have a default of 0000), where the user has to put the keyboard into discoverable mode, and type in the code.

Still, everything is vulnerable, given enough resources.

Bluetooth safe?

[SharpFang]

Yeah, right.

Bluebag Project can crack any bluetooth device in some 6 hours. The current form of it has a potential to increase the speed 8 times (currently it uses 8 dongles to scan possible 64 channels in paralell. If you use 64 bluetooth dongles to scan one channel each, you gain a lot of speed).

Re:Bluetooth safe?

[Torne]

Bluebag Project can crack any bluetooth device in some 6 hours. The current form of it has a potential to increase the speed 8 times (currently it uses 8 dongles to scan possible 64 channels in paralell. If you use 64 bluetooth dongles to scan one channel each, you gain a lot of speed).

The article you reference has absolutely nothing to do with cracking Bluetooth as far as I can see, though it does mention several security flaws in implementations in the introduction. It's talking about going around trying to propagate malware over Bluetooth file transfer by automatically scanning for devices and sending them files. This doesn't require a pairing association and doesn't require breaking anything - the devices they found were all discoverable and configured to respond to any random device that tries to talk to them - and on any sane device the user would have to accept the malware explicitly ;)

I'm not aware of any success in actually cracking communication between two already-paired Bluetooth devices, though there are some theoretical weaknesses that would allow you to eavesdrop if you were present and listening *during* the initial pairing process. Your Bluetooth keyboard/mouse only need to be paired once unless you move them to a different machine, so as long as you weren't being eavesdropped during setup, you should, for now, be secure.

Re:Bluetooth safe?

[SharpFang]

Yep, I didn't find any detailed materials on their project online.
The authors held a lecture here in Cracow on Confidence 2007 though and talked about the second mode of operation too.

You can go with the bag around some airport or just down a street and send out your data to all open devices, infecting them with malware or such. But you can just as well place it outside a building of given company, say, in your car trunk, and let it brute force the devices in the building. The authors didn't admit to anything illegal but they implied some very interesting possiblities that sounded a whole lot like talking from experience.

Some points from the lecture:
- if you have the device key, you're in, no questions asked. In 'discovery mode' you ask for the key and the device may deny it to you. in 'stealth' mode no questions are asked, you have the key, you're in, you don't - try again.
- there's no penalty, no fallback time, no delay upon using wrong key. You can brute force them as fast as bluetooth goes. You can use all of the 64 channels in paralell to try cracking them (64 tries at once). Wrong frequencies are quietly ignored.
- If you know the key of given device once, you have it forever. Most "good" devices "forget" the key, so they need confirmation in discovery mode and having the key re-sent upon reconnection. But you can just as well store the key for later use.
- the mentioned 6 hours are if you need to crack the whole key. Actually, a large part of it is a device type ID. If you narrow your search, say, to Bluetooth dongles, and exclude all the earphones, keyboards, phones etc, you drastically shorten the cracking time.
- there are still all the standard "next level" protections, like the computer may restrict bluetooth-available resources, but devices like PDAs, phones, keyboards etc are wide open.

Re:Bluetooth safe?

[swillden]

Bluebag Project can crack any bluetooth device in some 6 hours.

Only with a weak or non-changeable PIN. Use a long pin (12+ digits) and you're pretty safe.

Re:Bluetooth safe?

[Torne]

OK, that's a different class of attack than described in the paper entirely, but that's *still* not the ability to intercept an existing paired connection. The attack you describe is to be able to connect to a device, regardless of it being discoverable or it wanting to talk to you - which is bad, but will not work on a keyboard/mouse that is already paired with a host, as they don't support multiple associations and will just ignore anyone but their pairing partner until the user hits the button on the bottom again. When two devices that are already paired (e.g. your PC and your keyboard/mouse) connect, they establish a session key using data that was already sent over the air and stored at pairing-time. If you were not privy to the pairing between the two devices, you cannot crack this to read the data unless a fundamental weakness in the encryption algorithm in use is discovered.

So, for Bluetooth profiles which require pairing (audio, input devices, networking - but not OBEX or similar) this attack will only work if the device is unpaired or supports multiple pairings, and only if you know the pairing key (which for a lot of input/audio devices is 0000, sadly). As far as I know it won't work on my Bluetooth mouse unless you are listening at the time I hit the 'make connection' button, as there's not much of a conceivable avenue for attack there - unless you have a citation?

Re:Bluetooth safe?

[SharpFang]

AFAIK - no. Man In The Middle would be possible (if difficult) at the moment of pairing. You could also try to hack the keyboard controller itself, or use vulnerablities of the PC with bluetooth plugged in and active (the dongle must be working to allow the keyboard to connect) depending on what besides keyboard the PC allows. I'm also not sure you can't try coupling with the PC acting as its keyboard while the real keyboard is off (then you don't snoop but you have actual access.)

These are all guesses on my side though. I don't know if any actual work was done in this direction. BlueBag was about coupling with other devices, what you can do with this connection was barely hinted.

Re:Bluetooth safe?

[SharpFang]

...unless you know the type of the device you're trying to crack.

A large part of the key is manufacturer ID and some product metadata of very low enthropy. Cracking the PIN was described as relatively easy, and upon narrowing the search to one type of devices, the time of break-in drops drastically.

Re:Bluetooth safe?

[swillden]

...unless you know the type of the device you're trying to crack.

A large part of the key is manufacturer ID and some product metadata of very low enthropy. Cracking the PIN was described as relatively easy, and upon narrowing the search to one type of devices, the time of break-in drops drastically.

This isn't correct, by my reading of this paper. The metadata in question (BD_ADDR) is not "part of the key", it's an input to a cryptographic process. It provides little entropy, but that's okay because the entropy is provided by a pair of random numbers and the PIN.

If the PIN is good, the process appears to be quite secure.

Re:Bluetooth safe?

[Torne]

AFAIK - no. Man In The Middle would be possible (if difficult) at the moment of pairing.

That would be what I implied, yes, when I said "If you were not privy to the pairing between the two devices".

You could also try to hack the keyboard controller itself

Bluetooth HID controllers are very simple, and pretty standardised, so this is possible but very unlikely.

or use vulnerablities of the PC with bluetooth plugged in and active (the dongle must be working to allow the keyboard to connect) depending on what besides keyboard the PC allows.

This kind of thing is always possible, but it's nothing to do with compromising the privacy of the keyboard's connection.

I'm also not sure you can't try coupling with the PC acting as its keyboard while the real keyboard is off (then you don't snoop but you have actual access.)

The PC's bluetooth stack would have to be very broken indeed to allow this - HID devices would not normally be allowed to initiate pairing.

These are all guesses on my side though. I don't know if any actual work was done in this direction.

Stop guessing, then? ;) I'm *not* guessing...

wired keyboards

[Joseph_Daniel_Zukige]

also produce RFI

Hack a Day . Com

[Shadow_139]

HackaDay ran an article on this a few days ago that went into some detail: http://www.hackaday.com/2007/12/02/wireless-keyboards-easily-cracked/ [QUote] e first covered breaking the commodity 27MHz radios used in wireless keyboards, mice, and presenters when [Luis Miras] gave a talk at Black Hat. Since then, the people at Dreamlab have managed to crack the encryption on Microsoft's Wireless Optical Desktop 1000 and 2000 products (and possibly more). Analyzing the protocol they found out that meta keys like shift and ALT are transmitted in cleartext. The "encryption" used on each regular keystroke involves XORing the key against a random one byte value determined during the initial sync with the receiver. So, if you sniff the handshake, you can decrypt the keystrokes. You really don't have to though; there are only 256 possible encryption keys. Using a dictionary file you can check all possible keys and determine the correct one after only receiving 20-50 keystrokes. Their demo video shows them sniffing keystrokes from three different keyboards at the same time. Someone could potentially build a wireless keylogger that picks up every keystrokes from every keyboard in an office. You can read more about the attack in the whitepaper(pdf). [/QUOTE] Link to Video (for lazy /.er's) - http://www.remote-exploit.org/max/automated.html Link to Whitepaper (for all the people who post RTFA) - http://www.dreamlab.net/download/articles/27_Mhz_keyboard_insecurities.pdf

Relative resilience? Why has no one bothered?

[Joseph_Daniel_Zukige]

My memory is that it is already cracked. No links at the moment.

Why has no one bothered cracking the non-bluetooth wireless?

Wired keyboards put out RFI. My guess is that the perception that no one has bothered is probably a misperception.

(Real) UWB is probably the only way to be reasonably secure without wires (and shielding).

secure wireless?

[Joseph_Daniel_Zukige]

One of the UWB camps based its "modulation" on what is probably the only secure wireless encryption technique in existence. Yes, iNTEL killed it.

With your ID info all over everywhere

[Grampaw+Willie]

With our ID's info all over everywhere why would anyone worry about wireless keyboards

Gimmie a break

let's get a safe a lock up our sensitive paperwork

let's get a shredder and take care our sensitive garbage

let's check into PrivacyGuard and take care ourselves where we can

whether cryptography can be cracked or not ain't the game. the game is to get decent security measures into play where it is needed and that includes cryptography as appropriate.

99.9% of what we need to do is to defeat dumb crooks who just take advantage of our dumb mistakes and laziness.

"Bluetooth, it seems, is safe for the moment."

[Jack+Sombra]

You sure about that? http://www.newscientist.com/article/dn7461.html

What's next

Someone will crack the encryption of the XBox360 or PS3 wireless controllers and steal your micro?

Re:What's next

[Creepy]

um, yeah...

I can imagine it now - XBox Live has issued a hotfix for insecure wireless controllers. This patch contains the Microsoft patented double ROT13 "cleartext" encoding and is mandatory for all users.

In other news, Sony announced today that they have agreed to license Microsoft's exclusive technology for use in their PS3 controllers and settled the multi-billion dollar lawsuit filed against them earlier this year.

Re:What's next

[MLS100]

Too late, I've already sniffed out your top secret cheat codes.

UUDDLRLRBAS is now mine, miiiiiiine.

Muahahaha.... *flys away on giant bat*

Why bother breaking encryption at all?

[SCHecklerX]

Just get the same model keyboard, plug in the receiver, and fire up your favorite text editor? Granted, I'm not up on my wireless keyboard technology, but this would work with the old one that I have, that is also the model the CIO uses in his presentations to the company. Scary.

Faraday cage around my cubical

I installed a faraday cage around my cubical so I don't have to worry about any of this nonsense. Its pretty cool except it looks like I work in a penal institute.

Beware the ad

[AlpineR]

Wow, that article page has a really annoying ad on it. I moved my mouse up toward the back button and... where the hell did the cursor go? Oh, the security guy in the Intel Centrino ad grabbed it and stomped on it. Clever.

Shame on Intel, The Register, and Camino for developing, printing, and rendering such malware.

Wireless kbd on standard pc...

[Nicolas+Pillot]

Just a simple question, which might sound stupid :

Aside from the two examples i found in the comments (media centers, dentist), though i guess a cabled mouse could be a pain, and wireless mice are sometimes more comfortable, i still wonder about the need for wireless KEYBOARDS.

Clearly, many, *many*, MANY people bought a wireless keyboard, put it on their desk, drop the base 10cm away from it, and plug the usb cable from the base into their *fixed* home workstation, which never ever moves.

They also have a comfortable chair with wheels, that never ever moves further than 1m. And when it moves, and you do sit on it, you usually don't (ie, never) bring your kdb with you on our trip.

So, i ask once again : apart from the above 2 example why would a standard user use a wireless keyboard at home ?

Re:Wireless kbd on standard pc...

[cuby]

I don't have a TV... well... I have a TV card in the desktop. I move between the pufs, chairs and sofa with my wireless stuff to control the PC (yes, it is in the leaving room). It's indispensable.

As said in another post, wired keyboards emit some radiation that can be piked up... More over, any ethernet or phone cable with bad shielding does the same. If anyone wants to get paranoid there are a lot of reasons everywhere.

what is the deal?

[deftones_325]

Ok, enlighten me... you need to see the monitor when you're typing ( for the most part ), so exactly why do you need to be able to roam around with your keyboard, or be able to type outside from a float toy in the pool? I get the "uncluttered and cool look" but other than that? Do some of your offices actually put these on the budget?

In a similar vein

[Jeff1946]

Remember reading how after the second WW the British secret service listened to French diplomatic messages by tapping into the power line feeding the code machine in the French embassy. Each input keystroke generated a slightly different static pulse which allowed them to eavesdrop on what was being input.

Sound card as modem

In amateur (ham) radio, we use soundcards along with the proper software to send and receive digital data.

Wireless ANYTHING is free game for ANY CIA/KGB etc

[syn1kk]

Once you start broadcasting stuff wirelessly it radiates outward and it may only be strong enough at a small range of say 10 feet away with the ORIGINAL included antenna --> however using a GOOD directional antenna + amplifiers + filters --> that same tiny signal will be strong enough from 100 to 1000 feet away! ----- The sound card is basically being used for it's onboard hardware. Any soundcard has a good A/D IC onboard that does 44.1KHz or 88KHz sampling. That means with a soundcard you can easily listen in on high data rate signals with your soundcard. Then to get the actual bits from the signal you run a software demodulator / receiver.

Simpsons

[bonkeydcow]

Don't you watch the simpsons? Bluetooth is the most insecure device(s) known to man.

LEA Usage

[SnatchMan]

I saw a demo of this by Max a couple of weeks ago when I was in Europe. One of the first things that came to mind was developing a PoE (http://www.arxceo.com/) or USB-powered (http://www.yoggie.com/) Linux-based device to sell to law enforcement agencies to gather keystrokes to ascertain encryption keys without tipping the suspect.

8-bit?!

[jinxidoru]

All that I want to know is this, who the hell thought 8-bit encryption was sufficient?! You wouldn't even have to use a computer to brute-force this. You could do it by hand. Truly remarkable!

I thought they were all BT.

[ChrisA90278]

Being an Apple user I just assumed all wireless keyboards and mice used Bluetooth. Al the wireless stuff I've seen is all BT. But I just checked and wow, those cheep PCs really do use some cheaper kind of radio link. Anything to save 50 cents.

How many bits?

[Alsee]

8-bit encryption is 2-bit encryption.

-

Yes, but a CB antenna will probably work okay.

[Radon360]

Quite correct about the antenna size, though a CB whip will probably do the trick. Also, 27MHz isn't so line-of-sight dependent as the 2.4GHz stuff. It penetrates walls a bit easier.

That's why a soundcard

[tepples]

That's why you use a DAQ board instead of an oscilliscope. What is a sound card other than the most affordable DAQ board that can sample at 48 kHz?

Re:That's why a soundcard

[DeadChobi]

The soundcard can also sample multiple simultaneous channels. But the real reason to use a DAQ board is that you can make DC measurements, and it also has many more channels than most computer sound cards. It's also nice to have a sample rate in the hundreds of KHz range instead of just in the 48 kHz range, since it gives you a much larger bandwidth where you're guarenteed not to have any aliasing.

Distance

[ats-tech]

What is the distance that the transmitted signal would be readable? Did I miss that in TFA?

At one point, you stop needing the Faraday cage

[tepples]

i think if you where goign to put your self and your target in a Faraday Cage You use the Faraday cage to help develop the attack. Then once it works in the lab, you design revised hardware that doesn't need a Faraday cage.

Relevant to My Interests

[TheoMurpse]

I live in an apartment complex and this particular hacking technique is quite relevant go mGREETINGS. MY NAME IS MUTAX31337. HAHAHAHAHAHAHAHAHA. APARTMENT 169R IS TEH GHEY lollolololllol

This was only for select Microsoft Keyboards

[DeadChobi]

The crack described in the article was only for select models of Microsoft keyboards. It doesn't affect every single keyboard in existence, especially since there is no standard. Other manufacturers may use more powerful encryption than Microsoft.

The Slashdot article is very misleading.

Wireless mouse prank

[incog8723]

A very devilish plot just sprang to mind.

Picture a friend with a wireless mouse who is just staring at his download meter. In binocular distance of the screen, and with an appropriate transmitter antenna, use your mouse to open MSPaint on his machine.

I hate wireless keyboards for 2 reasons,

[Boomer_Zz]

this, and batteries.

That's my assumption, too, BUT...

[PCM2]

Could be that the "encryption" is just a way to handle multiple keyboards in one reception range...

That's pretty much my assumption, too, but if you pull up the control panel on my Logitech wireless keyboard (that's right, I use one -- come an' get me, copper!), select the "Keyboard" pane, and click the icon that looks like a "wireless thing", you see this:

Your keyboard is not secured.

To securely encrypt your keyboard so your keystrokes cannot be detected by any other computer, click the Secure button.

Maybe the marketing folks got hold of this particular feature and gave it a more saleable spin.

(Incidentally, that's correct ... there is a "security" feature on my keyboard, but it doesn't bother to let you know that the connection has been reset to insecure until you go and check the control panel yourself. I have no idea when the almost-meaningless encryption got shut off, but I'll click it back on now.)

Why wasting time decrypting...

[ctrl-alt-canc]

...the keystrokes, when there is more fun in encrypting them ?!? Just imagine this:

1. grab one of those powerful (and somewhere illegal) CB radio, and connect it to an antenna
2. interface the radio to a PC equipped with a software capable of encrypting a sequence of keystrokes according to the standard used by those lame wireless keyboards
3. set the trasmitting frequency as needed (wireless keyboards use the CB band)
4. select an 8 bit key to use for encryption
5. transmit the sequence e command format c: y
6. repeat steps 4) and 5) changhing the encryption key
7. ....
8. profit!

I hope they will come out with better wireless keyboards...it is one of the finest examples of "design by stupidity" I ever met.

Encryption broken

[HTH+NE1]

Wait, so if they can break the encryption and see what I'm typing, does that also mean they can spoof my keyboard and welcome datacomp inject keystrokes into my computer?

On the other hand....

[DrYak]

Most of Logitech Wireless material either uses Bluetooth or their so called "2.4GHz" (= WirelessUSB by Cypress Semiconductor) which is NOT the same 27Mhz technology as the authors have cracked.
(The article is wrong bout that point claiming that lots of Logitech devices use it. They used it in the past, but they have moved to 2.4Ghz for quite some time).

So even if your wireless keyboard has a good range, it doesn't mean that it'll be crackable as easily by a potential spy in the next room.

nice

[jmickle]

im really just testing comments for an email interaction i just had with bob