Slashdot Mirror


Wireless Keyboard "Encryption" Cracked

squidinkcalligraphy writes "While everyone is going on about wireless network security, it seems few have considered that increasingly common wireless keyboards can be vulnerable to eavesdropping. Particularly when the encryption is pitifully weak. All that's needed is a simple radio receiver, sound card, and a brute-force attack on the 8-bit encryption used. Passwords galore! Bluetooth, it seems, is safe for the moment."

12 of 232 comments

  1. Re:Under my desk by lhaeh · · Score: 5, Informative

    That idea came up when this item was posted to Hack A Day. The reason for the limited reception range is that receivers use pathetically small, internal antennas: Mine was about 1/32 wavelength. With a full wave antenna or directional antenna, you can easily pick them up from outside a building. After I added a larger (1/4 or 1/8 wave) antenna to my receiver, I could type with my keyboard outside the house.

  2. Re:urm by sqrt(2) · · Score: 5, Informative

    My wireless Logitech keyboard works from the next room over, although a bit unreliably. It's the basic, white model with no fancy function keys or anything. I don't think they make it anymore.

    So you might need to worry about it in say, an office or school environment.

    --
    If you build it, nerds will come. Soylentnews.org
  3. Re:Shocked by goofy183 · · Score: 4, Informative

    That is just the pairing code. So if you switched your device into pairing mode anyone could pair with it. The encryption is based on a different, randomly generated, key: http://en.wikipedia.org/wiki/Bluetooth#Security

  4. Re:Why a soundcard ! by thetartanavenger · · Score: 5, Informative

    A sound card is a cheap alternative to a digital and, more importantly, recordable oscilloscope. By plugging the radio into the sound card, it allowed them to record the individual bits being sent by the device to be analysed using a waveform viewer. If you were using a normal oscilloscope for that purpose the data flashes on the screen so fast it's impossible to be useful in any way, except possibly to read the carrier frequency of the signal, which is something your sound card would probably have a lot of trouble doing because they're generally too slow.

    --
    Who need's speling and grammar?
  5. Bluetooth safe? by SharpFang · · Score: 4, Informative

    Yeah, right.

    Bluebag Project can crack any Bluetooth device in some 6 hours. The current form of it has a potential to increase the speed 8 times (currently it uses 8 dongles to scan possible 64 channels in parallel. If you use 64 Bluetooth dongles to scan one channel each, you gain a lot of speed).

    --
    45 5F E1 04 22 CA 29 C4 93 3F 95 05 2B 79 2A B2
  6. Hack a Day . Com by Shadow_139 · · Score: 1, Informative

    HackaDay ran an article on this a few days ago that went into some detail: http://www.hackaday.com/2007/12/02/wireless-keyboards-easily-cracked/

    [Quote]
    We first covered breaking the commodity 27MHz radios used in wireless keyboards, mice, and presenters when [Luis Miras] gave a talk at Black Hat. Since then, the people at Dreamlab have managed to crack the encryption on Microsoft's Wireless Optical Desktop 1000 and 2000 products (and possibly more). Analyzing the protocol they found out that meta keys like shift and ALT are transmitted in cleartext. The "encryption" used on each regular keystroke involves XORing the key against a random one byte value determined during the initial sync with the receiver. So, if you sniff the handshake, you can decrypt the keystrokes. You really don't have to though; there are only 256 possible encryption keys. Using a dictionary file you can check all possible keys and determine the correct one after only receiving 20-50 keystrokes. Their demo video shows them sniffing keystrokes from three different keyboards at the same time. Someone could potentially build a wireless keylogger that picks up every keystroke from every keyboard in an office. You can read more about the attack in the whitepaper (pdf).
    [/Quote]

    Link to Video (for lazy /.er's) - http://www.remote-exploit.org/max/automated.html

    Link to Whitepaper (for all the people who post RTFA) - http://www.dreamlab.net/download/articles/27_Mhz_keyboard_insecurities.pdf
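Why the one-byte XOR described in the quoted Hack a Day text gives no confidentiality, shown as an added example (not part of the comment, the article, or the Dreamlab whitepaper). Assumptions: ASCII bytes stand in for the keyboard's real key codes, the radio framing is not modelled, and `WORDS`, `SAMPLE_KEY` and `SAMPLE_TEXT` are constructed values.

```python
import re

# Constructed stand-in for the "dictionary file" mentioned in the quoted article.
WORDS = {"the", "password", "is", "my", "for", "login",
         "please", "send", "report", "today"}

def xor_bytes(data: bytes, key: int) -> bytes:
    """Apply the same one-byte key to every keystroke byte."""
    return bytes(b ^ key for b in data)

def score(candidate: bytes) -> int:
    """Dictionary words found in a candidate decryption.

    Any non-printable byte rules the candidate out (-1): this filter alone
    discards most of the 255 wrong keys before the word list is consulted.
    """
    if any(b < 0x20 or b > 0x7E for b in candidate):
        return -1
    tokens = re.findall(r"[a-z]+", candidate.decode("ascii").lower())
    return sum(t in WORDS for t in tokens)

def recover_key(ciphertext: bytes):
    """Rank all 256 keys; return (key, plaintext, best_score, runner_up_score)."""
    ranked = sorted(
        ((score(xor_bytes(ciphertext, k)), k) for k in range(256)),
        reverse=True,
    )
    (best_score, best_key), (second_score, _) = ranked[0], ranked[1]
    return best_key, xor_bytes(ciphertext, best_key), best_score, second_score

# Constructed sample: 28 keystrokes, inside the 20-50 range quoted above.
SAMPLE_KEY = 0x5A
SAMPLE_TEXT = b"please send the report today"
SAMPLE_CAPTURE = xor_bytes(SAMPLE_TEXT, SAMPLE_KEY)

if __name__ == "__main__":
    key, text, best, second = recover_key(SAMPLE_CAPTURE)
    print(f"key=0x{key:02X} score={best} runner-up={second} text={text!r}")
```

The gap between the best and runner-up scores is the point: with a static one-byte key reused for every keystroke, a short capture identifies the key unambiguously, so the scheme is obfuscation rather than encryption.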

  7. Re:urm by Ephemeriis · · Score: 3, Informative

    wouldn't the hacker have to be you know, under your nose quite literally, to intercept the signals from your keyboard?
    TFA says they were able to snoop from up to 10 meters away with a "simple radio receiver". That's not too bad. 10 meters could easily put you in a different room, on a different floor, or outside. And that's just with a basic antenna... Put together something more directional and I'm sure you could get more distance. Definitely enough to snoop on someone from the office/apartment next to you.
    --
    "Work is the curse of the drinking classes." -Oscar Wilde
  8. Re:Shocked by gabebear · · Score: 4, Informative

    According to Wikipedia, the best current attack against 128-bit keyed Bluetooth takes the first 24 bits of 2^23.8 packets. Packets are 2745 bits long so the attacker would have to monitor over 4.66GB of data transfer from your keyboard.

  9. Re:Why a soundcard ! by Fordiman · · Score: 2, Informative

    Relax, man. Dude's being an asshat. You're right; it's perfectly logical to assume the use of an integrated USB/PCI/generic radio-to-PCM device for intercepting a radio signal - with one little exception that can be rationalized away as hardware hacking:

    Your basic radio-to-PCM device doesn't have a sufficiently flexible tuner to reach below the 85MHz FM lower limit into the depths of 27MHz. An analog FM tuner can be easily hacked to do this, but you'd basically have to rip out the capacitor DAC that a fully digital device would have.

    --
    110100 1101000 1101000 1100110 0 1101111 1101000 1100011 1
  10. Re:Gimme a break by arivanov · · Score: 2, Informative

    US versions operate on 900.

    EU versions operate nearly universally on 2.4. I wrote this pissed off coming back from a shop looking for guess what - a keyboard with decent crypto layer. 5 wireless wankoffs, all with a wankoff encryption and all tossing all over the 2.4 band. 1 MSFT, 1 Logitech, 3 Chinese nonames. All 2.4.

    --
    Baker's Law: Misery no longer loves company. Nowadays it insists on it
    http://www.sigsegv.cx/
  11. Re:Gimme a break by swillden · · Score: 2, Informative

    BTW, there is a way to use wireless keyboards and have good security. Use bluetooth devices that support long, configurable PINs, and choose PINs that are 12+ digits long, randomly-generated. I believe there are a few devices on the market that use 128-bit PINs, randomly generated on every reassociation, and automatically reassociate when the keyboard is placed on the charging stand. Those seem ideal -- highly secure and very easy to reassociate.

    I don't have any specific brands or models to suggest, though, so some research would be required.

    --
    Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
  12. This was only for select Microsoft Keyboards by DeadChobi · · Score: 2, Informative

    The crack described in the article was only for select models of Microsoft keyboards. It doesn't affect every single keyboard in existence, especially since there is no standard. Other manufacturers may use more powerful encryption than Microsoft.

    The Slashdot article is very misleading.

    --
    SRSLY.