Sunday, December 02, 2007

[REVS] 27Mhz Wireless Keyboard Analysis Report aka "We Know What You Typed Last Summer"

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

27Mhz Wireless Keyboard Analysis Report aka "We Know What You Typed Last
Summer"
------------------------------------------------------------------------


SUMMARY

Using just a simple radio receiver, a soundcard and suitable software, the
remote-exploit.org members Max Moser & Philipp Schroedel have managed to
tap and decode the radio frequencies transmitted between the keyboard and
PC/notebook computer.

DETAILS

Summary:
Wireless keyboards have been distributed for years all over the globe.
After the initial infrared-based keyboards, the vendors developed radio
frequency based models operating at 27 MHz. Logitech and Microsoft are two
major brands in this market area. Their products are sold in many consumer
electronics stores worldwide. After analyzing wireless keyboard
communication, Dreamlab is able to understand their functionality,
eavesdrop on their traffic, crack the encryption key and decrypt the data
into clear-text keystrokes. The keystrokes from any analyzed keyboard
within the radio receiver's range can be sniffed at the same time.

The above statement is true and validated for Microsoft's Wireless Optical
Desktop 1000 & Wireless Optical Desktop 2000 products. Unfortunately, we
could not validate it against all of the Microsoft models, but according to
the product documentation and pictures available on the internet, the
attack might also work on the following models: Wireless Optical Desktop
3000, Wireless Optical Desktop 4000 as well as their 27 MHz based Wireless
Laser Desktop series.

Please note that this document contains information about the named
keyboards; other brands/products/models might differ. A detailed analysis
of Logitech models is still in progress and will be published when
available. We are aware that there is no quick fix for this hardware
design vulnerability, so we decided not to release the proof of concept to
the public, and we don't release the full protocol details at the moment,
but maybe after we finish the research on other brands and the new
solutions like Logitech's Secure Connect.

Radio frequencies are a shared medium and should be treated as such.
We suggest not using insecure communication channels for important
information without adequate levels of encryption. Dreamlab is willing to
demonstrate the attack on request and will publish a demonstration video
on their website. In addition, the researchers have created a presentation
about their work, the procedures used and the pitfalls they experienced
during the analysis. They will present their work at different events or
you can book them for individual educational presentations/trainings. This
will hopefully help researchers get into this very interesting topic of
analyzing unknown radio based data transmission.


ADDITIONAL INFORMATION

The information has been provided by Max Moser (max.moser@gmail.com).
The original article can be found at:
http://www.remote-exploit.org/Press_Release_Dreamlab_Technologies_Wireless_Keyboard.pdf

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
