Wireless keyboards have been around for several years. Afterdeveloping the first series of infrared devices, vendors have developedradio-based keyboards that run at 27 MHz.
Researchers Max Moser and Phillip Schroedel of Dreamlab Technologiesrecently released a report stating that various 27MHz keyboard devicesare prone to an information disclosure vulnerability due to weakencryption (BID 26693).These devices include Microsoft’s Wireless Optical Desktop 1000 and2000 models. The researchers also claimed that the 3000 and 4000 modelsas well as other 27MHz-based wireless laser desktop series may also bevulnerable, but this has not been confirmed.
The researchers managed to break the encryption on these devices.They claim that Microsoft uses an 8-bit XOR mechanism to encryptwireless keystroke data. This means that there are only 2^8 or 256possibilities for the encryption key, which can easily be brute forced.With a simple radio receiver, soundcard, and suitable software, Moserand Schroedel have managed to intercept wireless encrypted keystrokesand decrypt them. The experiment was conducted using an antenna thatcould intercept data from 10 meters away.
In other words, an attacker could construct a wireless keylogger tomonitor keystrokes on various wireless keyboards. Depending on thestrength of the receiving device, the attacker could potentially obtainsensitive information such as user-authentication credentials forcertain services or applications and most importantly, users’ creditcard information.
The researchers of this vulnerability will not release a proof ofconcept until they finish conducting their research. They areinvestigating other wireless products such as Logitech SecureConnect.After completing their research, Moser and Schroedel plan to releasetheir proof of concept that will demonstrate this issue and some of thepitfalls they ran into during their research. They plan to presenttheir findings at various educational venues and training sessions.
The researchers have contacted Microsoft regarding this issue, butthe vendor has not released any comments to date. This is quite aninteresting issue. Now that it’s been disclosed to the public, furtherresearch will almost certainly be done on other radio frequencies.
References: