Mad, Beautiful Ideas
Unsurprising Insecurities: Wireless Keyboards
By on December 5th 2007

A team at Dreamlab has uncovered a serious vulnerability in Microsoft’s (and quite possible Logitech’s) Wireless Keyboards that operate with 27 Mhz Technology. There has already been some discussion on this topic at Slashdot and Bruce Schneier’s Blog.

This is yet another example of a company developing a proprietary encryption method, which hasn’t been heavily scrutinized by the cryptographic community. While I doubt that Microsoft is considering a 1-byte XOR to be anything but obfuscation, it becomes necessary to ask what the point is. The data is still transferred over the radio, and the rest of the unencrypted protocol makes it terribly easy to filter out who is typing what. The whitepaper published by the team has a good description of the basic protocol (though they’ve left out the details), but they were able to typically figure out the XOR key within 20-50 characters being typed by the target. My old Palm Pilots could easily crack this code in very little time.

I imagine it would be fairly trivial to build a small 27Mhz receiver which could be attached to a Palm Pilot, dropped in a pocket and walked through an office where these sorts of Wireless keyboards where in use, and could glean an amazing amount of information, including the possibility of login credentials.

The real problem I see is that this isn’t exactly an unknown possibility. Sega’s Phantasy Star Online Episode’s I & II game for Nintendo’s Gamecube included a warning in the manual about not entering credit card information for online play into the game using a Wavebird controller, because of the possibility that it could be sniffed by someone else who had a gamecube, the game, and a wavebird receiver tuned to the correct channel. Even Neal Stephenson, in Cryptonomicon talks about van Eck phreaking, which is specific to video displays, but the same principles apply.

It is simply irresponsible of Microsoft to not acknowledge to their users that the use of their Wireless keyboards is insecure, and could be sniffed for private information. All electronics are going to emit some RF signals that can be picked up with the correct equipment, including my wired keyboard. The difference is that an attacker would have to get their signal device within a few inches of my wired keyboard to sniff it, while a 27-Mhz keyboard will be sniffable within several dozen feet, possibly more if the antenna has good gain and their is a good noise reducer in the system.

Admittedly, wireless peripherals are convenient. I even use a wireless mouse from Microsoft at home (which no doubt operates at 27-Mhz), but I believe that scanning Mouse traffic is far less useful than keyboard traffic. So, what’s the answer? As of yet, Bluetooth is still the best answer. It’s yet to be unbroken, and it’s encryption is reasonable. That certainly doesn’t mean that Bluetooth is perfect, and doesn’t have it’s share of problems. It’s still a much better answer to the wireless device question at this time, however.

So, before you drop money on that brand new wireless keyboard, ask yourself how important it is for you to keep your keystrokes private.