Posted on 12/18/2007 9:22:32 PM PST by zeugma
Dreamlab Technologies AG says it has found a way to sniff the data traffic between Microsoft's wireless keyboards and their base stations, which communicate with each other on the 27 MHz band. In the method they discovered, unauthorized parties are reportedly able to record and decrypt all keystrokes from such keyboards. The decoding was demonstrated using data traffic from the Wireless Optical Desktop 1000 and 2000. The security firm says that other keyboards that Microsoft sells, such as the Wireless Optical Desktop 3000 and 4000, encrypt and transmit data using the same procedure, so that they are also probably unsafe. Keyboards that use Bluetooth for communication are not vulnerable.
Max Moser and Philipp Schrödel say that decryption was very easy because the devices use a simple XOR mechanism for encryption and the keys are only one byte long. They claim that even a PDA with a slow ARM-CPU would have derived the combination quickly. Aside from not using such keyboards, there is no workaround. Microsoft has yet to react to the Swiss firm's announcement.
You should enjoy this. Too funny.
No different than pulling a ribbon from the trash 25 years ago.
Micro-trash- The nation's #1 landfill problem.
So how does this affect joe six pack using one of these wireless keyboards and a hacker online 1000 miles away? Not sure I understand the way someone would decode the encryption over the internet, or is this article demonstrating this scenario in an office environment where every cubicle sits a Microsoft WirelessDesktop 1000 and while cubicle worker Tom is busily typing to a love interest that is not his wife, cubicle worker Jim with a little too much time on his hands can follow Tom’s every keystroke?
ping
And if in the above example, what program/software is Jim using to accomplish this security breach?
Well they’re no good for classrooms whether or not there’s a security issue. When IBM came out with its ill-fated “PC Jr.” back in 1983 or so, schools nationwide soon found that the kids loved pointing the keyboard at somebody else’s computer and typing away.
I guess I should care, but I don’t. An $8 keyboard will do the job nicely. If you want iron clad security, don’t use a wireless device.
If you're not going to bother to do better than a one byte XOR, you shouldn't be calling it "encrypted". People who don't know better might think that a company like Microsoft, with all their billions of dollars could do better than your average ten year old when it comes to "encrypting" data.
It's not an internet attack, so that's not relevant. Consider a corporate environment where someone might have such a keyboard, and have all of their passwords floating through the air to anyone who cared to listen. You might want to keep in mind that the vast majority of "hacking" takes place by insiders, not evildoers on the other side of the firewalls.
The real key IMO is that this is being sold as a device that "encrypts" the data channel. Put simply, it's false advertising at best.
I still have a PC Jr. =)
Actually if I had to pay $5 more for a super encrypted wireless keyboard, I would not do it.
The article also mentions that the keyboard communicates on the "27 MHz band", which is also where the old CB (Citizen's Band) is located. So, if the skip is just right (and you have your keyboard connected to a big ol' afterburner and a really big set of ears), I guess it MIGHT be possible for a hacker located on the other side of the continent to hear you...
Yeah, but only if you have a single-sideband keyboard.
I have never, and will never, buy a wireless keyboard or mouse.
How about when joe six pack is sitting there typing away managing his bank account online or purchasing something from a web site while 'hacker-x' is sitting outside of joe's house capturing everything. Of course this already goes on for those poor lost souls who continue to not use WPA PSK wireless access points.
Remember back in the days of Windows NT, when all you had to do was change one registry key to turn Workstation into Server?
Some of the folks at Microsoft come up with great products. Unfortunately, most of the folks there do not.
You guys still never said how this is even possible. Heck I have a few wireless keyboards (1 is a Desktop 1000 model, and a few other generic ones (which I'd assume have less reason to be encrypted than a Microsoft keyboard)) I can't even get the same receiver to identify both keyboards, so how if I can't do something that simple, be able to lift keystrokes out of the air? Is one of my keyboards hooked up to my computer going to suddenly begin "phantom" typing as someone in the vicinity starts typing on their Microsoft keyboard?
I went to their site and saw the video presentation of keystroke capturing. It is interesting, but still looks like you’d need to have some high end machinery to intercept these keystrokes and some kind of hexadecimal converter or ASCII converter. Like I said this isn’t something the average Joe is going to stumble into a conversation and know what’s going on.
I understand and respect that. The real problem is for those who do care about data security and are willing and able to pay extra for it. They shouldn't be getting ripped off by a company as big as Microsoft, who obviously has the resources to do it right.
It does not... Now when Joe goes into work at the storefront call center, bank, insurance company, .... and a hacker can park 10-20 feet away from his window cubicle I think you see the bigger problem.
Anything that listens on the same kind of transmission medium (Bluetooth, IR, EM) whatever can be used to snoop and decrypt...
Shhhh, we're trying to work here!
OMG Even you can't defend MS advertising a 1 byte xor as ‘encryption’...
Yes, but in my neighborhood we know who the little varmint is, and where he lives... /grin
That’s Bruce Schneier’s book, isn’t it?
Here at our data center we have one who would do it in a heartbeat. HINT: he is the one with body odor, dandruff, thick glasses and the "unorthodox" haircut...
I do see the threat. I also see this hacker if he/she is outside an office window in a parked car/surveillance van with all these contraptions would get picked up for loitering or trespassing very quickly by a suspicious security team. Would the hackers risk getting caught not knowing how long they'd have to wait on site to get a password that is meaningful even?
If we want to take this one step further, how would the hacker even know the victim was using a wireless Microsoft keyboard? I think if they were hackers, they'd be able to spend less time in a less vulnerable position (waiting outside a building suspiciously, waiting for who knows how long (if it happens at all) before a password or some kind of personal info they could use) hacking into CC web servers for same information.
I have one of these but the keyboard and mouse won’t work more than 10 feet from the base station under optimum conditions. In reality, I have to keep the base within 18 inches of the keyboard and mouse.
Give me an example, please.
That is one of my points exactly. If it's struggling to get reception 18 inches from your receiver so you can type, how the hell is some dope in a van suspiciously parked outside your home or office going to do much better in picking up your keystrokes? I don't buy it.
It would be a funny skit though with said van outside with hacker inside trying to intercept the keystrokes. And then frustrated as he is not getting reception, gets out of the van and goes up to the house and knocks on the door. Homeowner answers and hacker identifies himself as someone that is good with computers and he wants to help them as he noticed they were struggling with their wireless keyboard reception. Homeowner is blown away as how could this random guy know that was exactly the problem he was having so he lets him fiddle around, but the punch line is when hacker cleverly says, “why don’t you move your computer closer to this window so I can, cough cough, I mean so YOU can get better reception.”
What are you talking about, where are these products even advertised as “encrypted” at all? Not that I can see on their website, in fact in my experience almost no one advertises wireless keyboards as encrypted, which is one of the reasons we ban all of them by default.
http://www.microsoft.com/hardware
Yea,
And with a lot of work the kids in the MS security department will eventually make heads or tails of it..
You don't get it... He does not have to be in the car, he does not have to be sitting at a computer. Are you telling me that someone sitting in a car at a plaza 'reading the paper while they wait for a friend' is going to get arrested?
Hell he could just leave a listener going in the car and go food shopping.
I'm not too familiar with the MS keyboards but sounds like they are using radio frequency so any FM receiver can be used. If it were Bluetooth, any Bluetooth-capable computer could listen.
I stand corrected on their advertising but they still should have seriously made it harder to break than that..
DearsirormadamIamwritingthis2onions3bananasdawndishdetergentwww.bankofamerica.comwww.discovercard.comwww.freerepublic.com
I would think if you are talking about a scanner that listens to that frequency band, how is it able to interpret data instead of sound waves? Even if it can interpret data, how is it able to store it to decipher the actual characters?
Kids (and others) do exactly that with WiFi networks. They’ve created and distributed software just for snooping. Their computers do all the work. Encryption is often not enabled or set to the defaults and is easily monitored - and is.
After receiving the raw data the computer does the rest by simple software that eventually becomes widely distributed on the Web.
OK, thanks, that was the answer I was looking for. It is still not items one can readily get themselves though. The homebrew idea is possible, but it can’t be a simple modification, or is it?
Here is the quick and dirty...
That keyboard is sending out instructions to the base station via a non directional digital signal. The only thing I need is something capable of seeing that signal attached to something capable of recording it and I can walk away and let it sniff for a few hours... Take it home and do the decryption there.
It's like the way you crack a WEP protected network involves only listening to the network, if you have a computer with wireless you can leave it running under a blanket in the back of your car for 8 hours while you work. You do the dirty work later on at home with the logs and get the pass phrase there. The next day you have access to all the WEP encrypted nets within range of your car.
By sniffing Bluetooth you can hold as much data as you please (with the size of your storage being the only limiting factor). You could take the key log and just look for certain strings like ###-##-#### or even ######### and snip off a few hundred chars on either side.
“how is it able to interpret data instead of sound waves?”
Depends on the signal but don't ever underestimate what a geek can do with an oscilloscope..
“Even if it can interpret data, how is it able to store it to decipher the actual characters?”
That's why the simplicity of a one byte xor is so bad! Pass any huge file of ones and zeros through a pattern matcher and you’ll quickly find the byte used and immediately be able to turn it all to ASCII..
After reading this argument I would *never* use a MS wireless KB.. (maybe at work because we are shielded and even then I don't think so)
Even if you’re using WEP only you're not very safe, you have to go at least with WPA..
Thanks, I was wanting the techno geek answer you gave, I appreciate it. A lot of that stuff is way over my head and I guess I underestimate some of the technology out there to do this kind of dirty work.
I’m an electrical engineer. This isn’t difficult. By far the biggest difficulty for people wanting to do these things is the encryption. In this case the “encryption” is nonexistent.
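Added example, not part of the thread or the quoted article: why the one-byte XOR key described above gives no confidentiality, shown on constructed data. The sample text, the key 0x5A and the assumption that space is the most common plaintext byte are all made up for the demonstration; the keyboards' real frame format is not given on this page.

```python
from collections import Counter

# Constructed sample: lowercase ASCII standing in for decoded keystrokes.
# The keyboards' real frame format is not described in the thread.
SAMPLE = b"dear sir or madam i am writing this to ask about two onions and three bananas"
KEY = 0x5A  # constructed one-byte key


def xor_byte(data: bytes, key: int) -> bytes:
    """XOR every byte with the same one-byte key (encrypt and decrypt are identical)."""
    return bytes(b ^ key for b in data)


CIPHERTEXT = xor_byte(SAMPLE, KEY)


def text_score(data: bytes) -> float:
    """Fraction of bytes that are lowercase letters or spaces."""
    allowed = b"abcdefghijklmnopqrstuvwxyz "
    return sum(b in allowed for b in data) / len(data)


def key_by_search(ciphertext: bytes) -> int:
    """Exhaust the whole keyspace (2**8 = 256 keys); keep the most text-like output."""
    return max(range(256), key=lambda k: text_score(xor_byte(ciphertext, k)))


def key_by_frequency(ciphertext: bytes, common: int = ord(" ")) -> int:
    """No search needed: XOR with a fixed byte preserves byte frequencies, so the
    most common ciphertext byte is the most common plaintext byte XOR the key.
    Assumption: the most common plaintext byte is a space."""
    top_byte, _count = Counter(ciphertext).most_common(1)[0]
    return top_byte ^ common


if __name__ == "__main__":
    print(f"keyspace: {2**8} keys (a 128-bit key has {2**128:.2e})")
    print(f"key by exhaustive search: {key_by_search(CIPHERTEXT):#04x}")
    print(f"key by byte frequency:    {key_by_frequency(CIPHERTEXT):#04x}")
    print(xor_byte(CIPHERTEXT, key_by_frequency(CIPHERTEXT)).decode())
```

Both functions return the constructed key, which is the point of the complaint in the thread: a cipher whose key falls out of a byte histogram is obfuscation, and a link carrying passwords needs an authenticated cipher with a full-length key.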