Black Hat 2007 Other Wireless

Luis Miras presented “Other Wireless: New ways of being Pwned”. Instead of common con topics like Bluetooth or WiFi, this dealt with the cheap radios used in wireless keyboards, mice, and things like the wireless remote pictured above. These RX/TX pairs are found in 27MHz, 900MHz, and 2.4GHz versions. The devices all use the same main components: a microcontroller, an EEPROM for storing the serial number, and the transmitter. The dongle is nearly the same only with a receiver.

Luis began reversing a Kensington Wireless Presenter by first visiting the FCC website. All radio devices have to be evaluated by the FCC, so just type in the FCC ID printed on the bottom of the device and in some cases you might even get a full schematic. From there he could grab datasheets for the radios. By adding your own microcontroller you can send arbitrary key presses to the dongle, or you could tap the RX side and easily create a sniffer. To reverse the protocol, though, you’ll need an oscilloscope or, even better, a logic analyzer.

He demoed a replay attack: sending the page up command repeatedly. Unfortunately the hacked wireless presenter doesn’t have a full keycode space so you can’t send it arbitrary keystrokes. Luis still needs to break the wireless keyboard encryption scheme in order to create a useful key sniffer though.
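To make the replay demo concrete from the receiver’s side, here is an added example (not code from the talk or from any real dongle) that models two receivers in Python: one that trusts the paired serial number alone, which is why a captured “page up” frame can be played back indefinitely, and one that carries a per-frame counter plus an HMAC under a pairing key, so a replayed frame is rejected. The frame layout, serial, and pairing key are all constructed for this example and are not the Kensington protocol.

```python
import hashlib
import hmac
import struct

# Constructed frame layout (hypothetical, not the real product's format):
#   serial (4 bytes) | keycode (1 byte) | counter (4 bytes) | tag (8 bytes)
PAGE_UP = 0x4B  # USB HID keyboard usage code for Page Up


class NaiveReceiver:
    """Accepts any frame whose serial matches the paired transmitter.
    This is the behaviour a replay exploits: nothing ties a frame to a moment in time."""
    def __init__(self, serial):
        self.serial = serial
        self.keys = []

    def receive(self, frame):
        serial, keycode = struct.unpack(">IB", frame[:5])
        if serial != self.serial:
            return False
        self.keys.append(keycode)
        return True


class CounterMacReceiver:
    """Requires a valid HMAC tag under the pairing key and a strictly increasing counter."""
    def __init__(self, serial, key):
        self.serial = serial
        self.key = key
        self.last_counter = 0
        self.keys = []

    def receive(self, frame):
        if len(frame) != 17:
            return False
        body, tag = frame[:9], frame[9:]
        serial, keycode, counter = struct.unpack(">IBI", body)
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:8]
        if serial != self.serial or not hmac.compare_digest(tag, expected):
            return False  # forged or tampered frame
        if counter <= self.last_counter:
            return False  # stale counter: a replayed capture
        self.last_counter = counter
        self.keys.append(keycode)
        return True


def build_frame(serial, keycode, counter, key):
    """Transmitter side: pack the body and append a truncated HMAC-SHA256 tag."""
    body = struct.pack(">IBI", serial, keycode, counter)
    return body + hmac.new(key, body, hashlib.sha256).digest()[:8]


def demo():
    """Play one captured Page Up frame three times at each receiver."""
    serial, key = 0xDEADBEEF, b"constructed-pairing-key"
    frame = build_frame(serial, PAGE_UP, 1, key)
    naive, hardened = NaiveReceiver(serial), CounterMacReceiver(serial, key)
    return ([naive.receive(frame) for _ in range(3)],
            [hardened.receive(frame) for _ in range(3)])
```

Running `demo()` returns `([True, True, True], [True, False, False])`: the naive receiver acts on every copy, the hardened one only on the first. The counter alone would not help without the tag, since an attacker could otherwise just increment it.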

8 thoughts on “Black Hat 2007 Other Wireless”

  1. If you are wanting to control it through your wireless keyboard, use keys z-b. They match with the 5 main control buttons.

    If you are wanting to use something like a tv remote, look at the winlirc project.

  2. Well as mentioned the speaker has not cracked the actual wireless encryption scheme for the keyboard. But you could get a RF transmitter and receiver and hook it up to a microcontroller that would mimic the keypress on a keyboard. You’d need a scope to figure out the signal being sent when a certain key is pressed on the keyboard. But if you could figure out the signal and recreate it, the microcontroller could tap into the TX device and send the signal to the receiver. You wouldn’t actually have cracked the encryption scheme, but you would be able to send signals on your own.

  3. Yeah, pretty much figured I’d need tools I have no idea how to use, much less afford, to more or less clone the signal…

    My KB has media buttons on it already… And I am wanting something like a tv remote, but radio in place of infrared, IR needs line of sight unless you can bounce it around. My Logitechs have quite the range, 25+ feet through a couple of walls and a floor. More or less anywhere in the house… My Creative SB Audigy2 and both of my ATI TV capture cards came with remotes, but all three are IR… I keep expecting to see someone (hack or corp.) make a radio media remote.

    Am I missing something? Radio seems to work fine for the KBandMouse, don’t see how a media remote could be an exception…
