Wireless Keyboards Easily Cracked

We first covered breaking the commodity 27MHz radios used in wireless keyboards, mice, and presenters when [Luis Miras] gave a talk at Black Hat. Since then, the people at Dreamlab have managed to crack the encryption on Microsoft’s Wireless Optical Desktop 1000 and 2000 products (and possibly more). Analyzing the protocol, they found that meta keys like shift and ALT are transmitted in cleartext. The “encryption” used on each regular keystroke involves XORing the key against a random one-byte value determined during the initial sync with the receiver. So, if you sniff the handshake, you can decrypt the keystrokes. You really don’t have to, though; there are only 256 possible encryption keys. Using a dictionary file you can check all possible keys and determine the correct one after receiving only 20-50 keystrokes. Their demo video shows them sniffing keystrokes from three different keyboards at the same time. Someone could potentially build a wireless keylogger that picks up every keystroke from every keyboard in an office. You can read more about the attack in the whitepaper (PDF).

[via Midnight Research Labs]

  1. unsurprising, but nice work and cool demo

    obviously this could be fixed with better encryption… but in most cases why even bother?? just use a damn wire, it’s not the end of the world. you have to be close enough to read the screen anyways…

    i hate it when “tech journalists” and the like keep preaching about *everything* going wireless–they just don’t get it. wireless is not *better* than wired, it is simply a different method, with its own pros and cons… and shrinking micro-controllers, RF modules, and batteries will not soon make up for the inherent higher security risk, lower availability, and lower bandwidth you get when using wireless over a direct, wired link.

  2. Yeah I never really understood the wireless keyboard for your desktop thing. I know there are situations where they make sense but I think 90% of the people that have them never move their keyboard more than an inch.

    Wireless mice on the other hand are god’s gift to mankind.

  3. I don’t see many applications for this since those 27MHz keyboards have dismal range, usually around 4-8 feet.
    Still neat that they did this and could possibly lead to some cool homebrew but nothing malicious to worry about here.

  4. @2 – that depends on your snooping gear. Recall all that fuss a few years back about reading monitors through hotel room walls? Of course, most people aren’t using wireless keyboards in travel environments, but you could snoop the next cube over if you wanted.

  5. I was wondering how wireless mice worked too. I have a Microsoft Wireless Optical Notebook Mouse 4000 and wondered what kind of frequency or protocol it used to connect to its USB adapter.

    I really think wireless keyboards are stupid…with a few exceptions. The only place I would really use one is in the living room…where you put the PC display on the TV and use the wireless mouse/keyboard from the couch. Your average desktop doesn’t need (and shouldn’t have) wireless peripherals (even mice) because it’s just a waste of batteries.

    For laptop PCs, wireless MICE are nice, because they’re small and portable, don’t have to worry about a mess of cords on your lap. But since laptops have keyboards built in, there’s no need for a wireless keyboard there either.

  6. Psshhhh… This is old. I cracked a wireless keyboard just the other day. Sat on it, next thing I knew, CRACK!

    Am I missing something?

    NOTE: The above post makes use of a literary technique known as “sarcasm.” A literal interpretation of said post will result in a deep misunderstanding. The author of this post makes no guarantee of safety regarding this post. Side effects may include extreme confusion and shocked comments.

  7. people have known since the beginning of radio use that nothing wireless has the ability to be as secure as something hardwired, even with the most advanced encryption of the era (re: codebooks, enigma machine, purple)

    and yet we still seem to be surprised that wireless items can be listened to by another party.

    (to be a little less cynical, i will note that wifi is a gift from the gods)

  8. Something that quite a few people seem to be missing is that RF signals are easy to build really sensitive antennas for.
    Want to know the real danger of wireless keyboards? Imagine someone with an antenna pointed at a big office building. They could, literally, read every single keystroke, all day, every day, completely passively and untraceably. Directional antennas have given un-amplified WiFi communication up to 125 miles ( http://www.engadget.com/2005/07/31/unamplified-wifi-distance-record-set-at-125-miles/ )… granted, the signals from wireless keyboards are weaker, but we’re not talking only-next-door-cubicle range here.

    I’m only surprised it’s taken this long. I’m sure this isn’t the first, but come on. If someone actually noticed it as a possible security hole, it’d likely have been cracked a long time ago.
    On a side note, I wonder why there are soooo many spelling errors in the PDF… strange.

  9. not surprised at all–what i am surprised at is that it took so long for someone to bother to try breaking it. I would have tried if I didn’t think someone else already did it.

    what would be more interesting is cracking the encryption mode on some of the logitech keyboards–my old one had a mode where you’d press a special combination and then type a code displayed on the screen in the keyboard. To be honest, I eventually didn’t bother doing it and hoped that no one would bother intercepting my keyboard traffic–it was too unreliable, and ran down the batteries too much. I have a wired keyboard now.

  10. Meh, this is why I use a wired keyboard. Wired keyboard + wireless mouse = win. It isn’t like I’m going to be dragging my keyboard around the house with me all day anyways. And I’m pretty sure nobody can figure out my password based on mouse clicks.

  11. So many people hating on the wireless keyboard. I use one at my everyday computer for a few reasons.

    1. I only have one desk in my room, and if I want to write on a notebook, or use the desk for some other purpose, I can just toss my keyboard on my bed.

    2. If I want to listen to music before I go to bed, I can put the keyboard over near my bed (it’s about 6 feet away) and I have all the multimedia keys on the keyboard.

    As for security, I don’t really care if someone is sniffing this comment.

  12. @paul: exactly what i was thinking. having a wireless keyboard lets me move my keyboard when i need more desk space (and since I am in college, living in a cramped apartment, this is pretty often.) And I also use my keyboard to listen to control music/mythtv from across the room.

  13. Someone already mentioned it for monitors, but all electronic gear can be monitored remotely via the airwaves – including wired keyboards just as others have said: with the right listening gear.

  14. I use one occasionally too, even though I know the thing is horribly unsecure. I cracked open the receiver for mine and was disappointed to find a pitiful ~1/32 wavelength antenna in it. I replaced it with a 1/4 (or was it 1/8?) wave antenna and saw a vast improvement: It used to not work if the receiver was behind a glass of water; after the mod it worked outside my house.

    Could they not just pad the data or something? I assume that would make it so you would at least need the handshake. The easy solution for now is just to swap the chips out for a slightly different freq.

    Side note: The Aspell library for the Firefox spell checker does not include “unsecure.”

  15. I never used a wireless keyboard or mouse, and never will. Wireless keyboards and mice are horrible things when you’re a big gamer, as I find happens on my Wii: the batteries die off right as I’m about to finish off a boss or in the middle of a huge battle. My Wii gives me a warning, wireless mouse/keyboard might, but that doesn’t pause an online game!

    However, on-topic: I figured that it was a simple encryption on the wireless mice and keyboards, but only one byte salting?! that’s just sad, microsoft, just sad :'(

  16. Wireless keyboards aren’t that bad because the batteries last months. The downside is the range is pretty bad (a long wire would be better), and also they have no caps/num lock lights on. If they were the same price, I’d go wireless, but I wouldn’t pay a penny more.

    Wireless mice are best avoided. Although they are occasionally handy (ie. for passing the mouse to a co-worker to find something for you), they run out of batteries far too frequently.

    I have the same opinion of everything wireless – if the batteries last at least 6 months and there’s no other downside (bandwidth, reliability etc.), then great, but if they last less than that just make it wired.

  17. not to mention how easy it is to “lose” wireless devices. My mother-in-law constantly loses her wireless mouse because her grandkids (my kids) see that thing, grab it and walk off with it… :D

    How often do you lose the remote control? Case closed :P

  18. Gaming & Wireless mice: very iffy at best. If they claim no lag, they lie. There’s always some, and they’re never as accurate. I got one of the Logitech 517s, and I love it. Waaay better than any wireless mouse I’ve ever tried.

    As to the batteries running out… I’ve had a bluetooth mouse for my laptop for over a year now, and still haven’t swapped the batteries. Granted, I don’t use it all that much, but they’re not even down half-way. Under heavy use, I’d expect at least a couple months out of it. And, if you get one of the mice with a “dock” to charge in, charging it is as easy as sticking it there when you go to the bathroom.

  19. 2 years ago I was the IT Manager for a small company. The CEO insisted that we all use wireless equipment, even though I advised against it, and personally dislike most wireless hardware. We ended up with a couple Microsoft keyboards and Logitech keyboards. There was one particular problem that proved to be very troublesome. When the Microsoft wireless keyboard or mouse was used, the Logitech keyboard and mouse wouldn’t. This wouldn’t be that big a deal, except for the fact that they were about 30 feet away from each other.

    With that kind of range, it would have been easy for someone in another office, or even the lobby that shared a wall with our office, to snoop all the keyboard and mouse traffic from our company.

  20. I find it hard to believe the lag on wireless mice etc. is significant compared to the time taken to act on the input through all the windows layers and the game, as well as fairly significant delays in some display technologies. (ie. rendering time, frame buffers, vsync delays, buffers in lcd displays etc.) I reckon there’s at least 4 frames of delay from rendering starting to the screen.

    I mean, even the USB and PCI busses together add a latency of ~20ms just to get to the CPU.

    More likely, I think gamers might be noticing the “maximum speed” effect on optical mice where if a mouse is moving more than a few m/s the optical sensor fails to pick it up and the mouse moves randomly.

    However, I’m no gamer, so could someone with experience explain the facts?

  21. I’m one of those damned right handed people so I dual wield a Logitech G-15 and MX 400. I’ve always found that when using my antique wireless logitech set, the batteries in the mouse would, without fail, die while I was trying to snipe someone, so that set now is on the media box for tv/music in the living room.

    @27, I believe the only step extra in bluetooth is a little more expanded encryption. Everyone has a bluetooth chip these days, so a free download of capture software and a quick decrypt… Hence the issues with wireless headset sniffing.

  22. Being a gamer, here are my observations with various wireless mice:
    cheap: In the worst, especially older ones, there’s literally lag. There is a perceptible, visible difference between your motion or clicking and the computer’s reaction. Added to that is that wireless mice are lower resolution/speed/quality than most similarly priced wired counterparts, and not only is there lag, but there are many more jumps, jiggles, and miscommunications that add to frustration.
    expensive: movement lag is gone, but there’s still a perceptible difference in reaction to clicks, which seems odd to me, but it’s usually there. Even a cheapo wired mouse will respond effectively instantly to a click, but I’ve yet to run across a wireless mouse that completely eliminates the click lag.

    My theory is that it takes more processing time to handle the click on the mouse, compile it into the next packet, decode it on the receiver, re-process it through the USB port, and go through the (often required for complete functionality) crappy 3rd party software than it takes for a wired mouse with no software, and less places for en/decoding.
    Some keyboards also have minor communication problems where your keystrokes won’t appear for a fraction of a second, and then 3 or 4 will happen all in a row. Mice sometimes suffer from similar problems, but it seems I regularly run across it in keyboards, and rarely in mice (except the cheapest). If that isn’t a literal definition of “lag”, I don’t know what is.

  23. This is the first I have learned that 27MHz is used in wireless devices. An interesting choice. Are the receivers desensitized by a nearby CB xcvr? How about when there is a near constant barrage of signals during the day as we head towards the solar sunspot maximum?

    I can see myself using these devices when I have to use the internet to view TV programs in the living room, when the “big Switch” eliminates my ability to receive broadcast TV. I’m in a deep fringe when it comes to UHF reception.

  24. Wireless mice are now available with their own charging dock, so you don’t have to use batteries anymore.

    I drop my mouse on my dock every night before bed, and same with my Wiimotes. Bought a battery pack replacement that turns the Wiimotes into rechargeable controllers.

  25. Decoding the keystrokes someone makes is not that hard, similar to the tone matching game on the kids electronic spy safe, each key on your keyboard has a distinct sound that can be recorded and later matched.

    I’m serious, listen to yourself type sometime and hear how every key sounds different, and a lot. I’m not just talking slightly different, I mean a lot different. This has been known since keyboards came out, and the easiest/hardest way to get a password!

    my $0.02

  26. You can’t generalize wireless keyboards being bad. I find a wireless keyboard at home a big plus, as sometimes I use my computer on a desk + monitor, while sometimes in a comfy chair front of a HDTV. Can just have one keyboard and move it wherever I need.

    If you want a long distance (10 meters) and stronger encryption then you’d go for more expensive bluetooth devices.

  27. The researchers from the Security and Cryptography Laboratory at Ecole Polytechnique Federale de Lausanne are able to capture keystrokes by monitoring the electromagnetic radiation of PS/2, universal serial bus, or laptop keyboards. They’ve outlined four separate attack methods, some that work at a distance of as much as 65 feet from the target.

