Wireless Keyboards
With everything going wireless now, many people are cutting the cord and getting wireless keyboards and mice. However, not many people stop and think what might happen if these wireless peripherals are compromised. If say someone could spoof the identity of your keyboard and mouse then they could potentially take control of your computer. However, the manufacturers anticipated that so some minimal amount of encryption is put in place. It was recently found here that older Microsoft devices working on the 27Mhz band could be easily compromised. The encryption scheme used in these products XORs the keyboard status with a random byte, resulting in only 256 possible keys… It is easy to see that this could be exploited fairly easily.
Newer products utilizing Bluetooth are more secure but still have vulnerabilities. The frequency hopping used in Bluetooth in conjunction with the packet encryption using the E0 stream cipher provide a sense of security. Attacking the PIN used in pairing has shown to be an effective way of compromising the encryption used in Bluetooth…
Assets:
* Data being entered into the keyboard
* Control of the computer
* Fast response time
Adversaries:
* Identity thieves would love to get to all your passwords used online and credit card numbers entered while online shopping
* Friends, spouse, siblings would love to gain access to all of your private conversations/correspondence
Potential Weaknesses:
* Broadcast of signal to anyone in range
* Weak/non-existent encryption
* Wireless connectivity can be easily interfered with
Potential Defenses:
* Use stronger encryption scheme, but a balance must be maintained between usability, latency, and power constraints. Using a very strong cipher would definitely kill the batteries and slow down response time.
* Use lower transmit power to decrease the range of transmission.
Conclusion:
It’s clear that those older Microsoft keyboards the most secure, but compromises must be made between many factors in a wireless keyboard. Wireless technology is inherently less secure and has many vulnerabilities from the start. If you are terribly concerned with security use a wired keyboard
Comment by Fabian
March 10, 2008 @ 7:20 am
I always think that wireless keyboard might be the way in the future where we are no longer clutter with wires. However, any type encryption can never strong enough small wireless device because of the limited computational power. Therefore, although my future keyboard might be wireless, I will probably pick the one with low range transmission.
Comment by nekret
March 10, 2008 @ 9:43 am
I think it might also be worth mentioning that even wired devices can be vulnerable to eavesdropping. There has been a fairly sizable amount of research into acoustic attacks that reconstruct individual keystrokes (and more accurately dictionary words) from the sounds that are made by the keys being depressed and springing back up.
Comment by imv
March 10, 2008 @ 1:28 pm
You mention an adversary being able to take control of the computer via spoofing the device identity. A passive attack would be to simply listen to the signal and find out everything typed into the computer – email/passwords would be easy to recover.