Black Hat 2007 Other Wireless


Luis Miras presented “Other Wireless: New Ways of Being Pwned”. Instead of common con topics like Bluetooth or WiFi, the talk dealt with the cheap proprietary radios used in wireless keyboards, mice, and things like the wireless presenter remote pictured above. These RX/TX pairs come in 27MHz, 900MHz, and 2.4GHz versions. The devices all use the same main components: a microcontroller, an EEPROM for storing the serial number, and the transmitter. The dongle is nearly identical, only with a receiver in place of the transmitter.

Luis began reversing a Kensington Wireless Presenter by first visiting the FCC website. Every radio transmitter sold in the US has to be certified by the FCC, and the filings are public: type in the FCC ID printed on the bottom of the device and you get the test reports and internal photos, and in some cases even a full schematic. From there he could grab datasheets for the radio chips. Once you know the radio, adding your own microcontroller lets you send arbitrary key presses to the dongle, or you can tap the RX side of the dongle and easily build a sniffer. To reverse the protocol itself, though, you’ll need an oscilloscope or, better, a logic analyzer to capture the raw bit stream.

He demoed a replay attack: capturing the page-up command and sending it to the dongle repeatedly. Unfortunately the hacked wireless presenter only supports a handful of keycodes, so you can’t use it to inject arbitrary keystrokes. Luis still needs to break the wireless keyboard’s encryption scheme before a useful keystroke sniffer is possible, though.
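As an added example (not from the talk or the original post), here is what the sniffer and the replay check look like in Python once you have a capture off the receiver’s data line from a logic analyzer. The frame layout, the Manchester line coding, the sample rate, and the serial number and keycode values used are all assumptions made for illustration; the Kensington protocol is not documented on this page.

```python
# Added example (not from the talk or the original post): the two stages a
# wireless-presenter sniffer needs once the radio's bit stream has been
# captured with a logic analyzer.  The frame layout below is a HYPOTHETICAL
# stand-in, not the Kensington protocol: the talk only tells us the
# transmitter carries a serial number in EEPROM and sends keycodes.
#
#   frame = [0xAA preamble][serial hi][serial lo][keycode][XOR checksum]
#
# The line coding is Manchester (bit 1 = low-to-high, bit 0 = high-to-low),
# also an assumption; a capture is a list of 0/1 samples at a fixed rate
# with SAMPLES_PER_HALF samples per half-bit.

PREAMBLE = 0xAA
SAMPLES_PER_HALF = 4


def build_frame(serial: int, keycode: int) -> bytes:
    """Assemble one frame the way the (hypothetical) transmitter would."""
    body = bytes([(serial >> 8) & 0xFF, serial & 0xFF, keycode & 0xFF])
    checksum = 0
    for b in body:
        checksum ^= b
    return bytes([PREAMBLE]) + body + bytes([checksum])


def manchester_encode(data: bytes, spb: int = SAMPLES_PER_HALF) -> list:
    """Turn bytes into the 0/1 sample stream a logic analyzer would capture."""
    samples = []
    for byte in data:
        for i in range(7, -1, -1):
            bit = (byte >> i) & 1
            first, second = (0, 1) if bit else (1, 0)
            samples += [first] * spb + [second] * spb
    return samples


def manchester_decode(samples: list, spb: int = SAMPLES_PER_HALF) -> bytes:
    """Recover bytes from a sample stream.

    Each half-bit is decided by majority vote, so a glitched sample does not
    flip the bit; a bit period with no mid-bit transition is a coding error
    (lost sync or noise) and is rejected rather than guessed.
    """
    period = 2 * spb
    bits = []
    for start in range(0, len(samples) - period + 1, period):
        first = samples[start:start + spb]
        second = samples[start + spb:start + period]
        first_high = sum(first) * 2 > spb
        second_high = sum(second) * 2 > spb
        if first_high == second_high:
            raise ValueError("no mid-bit transition at sample %d" % start)
        bits.append(1 if second_high else 0)
    out = bytearray()
    for i in range(0, len(bits) - 7, 8):
        byte = 0
        for bit in bits[i:i + 8]:
            byte = (byte << 1) | bit
        out.append(byte)
    return bytes(out)


def parse_frame(raw: bytes):
    """Validate a decoded frame; return (serial, keycode) or None."""
    if len(raw) != 5 or raw[0] != PREAMBLE:
        return None
    if raw[1] ^ raw[2] ^ raw[3] != raw[4]:
        return None
    return (raw[1] << 8) | raw[2], raw[3]


def sniff(samples: list):
    """The sniffer path: samples -> bytes -> (serial, keycode)."""
    return parse_frame(manchester_decode(samples))


def is_replayable(capture_a: list, capture_b: list) -> bool:
    """Two captures of the same key press that are bit-identical mean the
    frame carries no counter or nonce, so re-transmitting the capture is
    enough to trigger the key again (the attack demoed in the talk)."""
    return capture_a == capture_b


if __name__ == "__main__":
    # constructed captures: the same (hypothetical) page-up keycode 0x4B
    # sent twice by a transmitter with serial 0x1234
    first = manchester_encode(build_frame(0x1234, 0x4B))
    second = manchester_encode(build_frame(0x1234, 0x4B))
    print("sniffed:", sniff(first))                     # (4660, 75)
    print("replayable:", is_replayable(first, second))  # True
```

The replay check is the whole point of the talk in one line: if a transmitter with no freshness in its frames emits the same bits for every press of a key, an attacker who has captured one frame never needs to understand the protocol to re-inject it. A real sniffer would also have to find the preamble in a free-running capture and tolerate clock drift, which this fixed-rate decoder does not attempt.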

Comments

  1. yan says:

    I am just waiting until you guys update on the RDS-TMC talk. It’s almost over and it was great, relevant stuff.

  2. phnx says:

    I’ve been interested in this for a bit actually. I’d like to make a hand held transmitter to control WinAMP via my LogiTech Wireless KB/Mouse. Anyone have any ideas?

  3. Chris Hart says:

    2> If you are wanting to control it through your wireless keyboard, use keys z-b. They match with the 5 main control buttons.

    If you are wanting to use something like a tv remote, look at the winlirc project.

  4. petebow4 says:

    Well as mentioned the speaker has not cracked the actual wireless encryption scheme for the keyboard. But you could get a RF transmitter and receiver and hook it up to a microcontroller that would mimic the keypress on a keyboard. You’d need a scope to figure out the signal being sent when a certain key is pressed on the keyboard. But if you could figure out the signal and recreate it, the microcontroller could tap into the TX device and send the signal to the receiver. You wouldn’t actually have cracked the encryption scheme, but you would be able to send signals on your own.

  5. knvb1123 says:

    Is any of this Blackhat available as video files online? I’d love to watch but I’m only a student and can’t afford to go.

  6. Eliot says:

    I didn’t get to the RDS-TMC talk (I was waiting for the new shirts to be delivered). Was it good? It looks like they’re doing it at Defcon too so I’ll try to catch it there.

  7. phnx says:

    Yeah, pretty much figured I’d need tools I have no idea how to use, much less afford, to more or less clone the signal…

    My KB has media buttons on it already… And I am wanting something like a tv remote, but radio in place of infrared, IR needs line of sight unless you can bounce it around. My Logitechs have quite the range, 25+ feet through a couple of walls and a floor. More or less anywhere in the house… My Creative SB Audigy2 and both of my ATI TV capture cards came with remotes, but all three are IR… I keep expecting to see someone (hack or corp.) make a radio media remote.

    Am I missing something? Radio seems to work fine for the KB and mouse, don’t see how a media remote could be an exception…

  8. Spadefinger says:

    Try http://www.gyration.com . I have a 100+ foot range media center remote that works great.
