Luis Miras presented “Other Wireless: New ways of being Pwned”. Instead of common con topics like Bluetooth or WiFi, this dealt with the cheap radios used in wireless keyboards, mice, and things like the wireless remote pictured above. These RX/TX pairs are found in 27MHz, 900MHz, and 2.4GHz versions. The devices all use the same main components: a microcontroller, an EEPROM for storing the serial number, and the transmitter. The dongle is nearly the same only with a receiver.
Luis began reversing a Kensington Wireless Presenter by first visiting the FCC website. All radio devices have to be evaluated by them. Just type in the FCC number on the bottom of the device and in some cases you might even get a full schematic. He could then grab datasheets for the radios. By adding your own microcontroller you can send arbitrary key presses to the dongle or you could tap the RX side and easily create a sniffer. To reverse the protocol though you’ll need an oscilloscope or even better a logic analyzer.
He demoed a replay attack: sending the page up command repeatedly. Unfortunately the hacked wireless presenter doesn’t have a full keycode space so you can’t send it arbitrary keystrokes. Luis still needs to break the wireless keyboard encryption scheme in order to create a useful key sniffer though.