Eavesdropping on a wireless keyboard (2013) (opens in new tab)

(windytan.com)

96 pointstrucious11y ago16 comments

16 comments

Reminds me of an episode of Due South (the tv series about a Canadian mountie working as a detective in Chicago) in which he correctly works out a password from just the sound of someone typing it.

Turns out this is not so far-fetched after all:

"If you have an audio recording of somebody typing on an ordinary computer keyboard for fifteen minutes or so, you can figure out everything they typed."

https://freedom-to-tinker.com/blog/felten/acoustic-snooping-...

dominicgs11y ago

There was a great talk at Defcon in 2009 about sniffing keystrokes with voltmeters and lasers. It's worth watching the video[1] if you're interested in this audio technique.

The first part of their presentation uses a novel method to pick up PS/2 keystrokes from a system's ground connection. This presentation was what lead me to design the PS/2 tap[2] to sniff keystrokes with my sound card.

[1] https://www.youtube.com/watch?v=9zq9DQAbWmU [2] https://github.com/dominicgs/PS2_tap

kabdib11y ago

The problem is that the company who's saying "Trust us, we have 128 bit encryption in our product" isn't giving you enough information to make an informed decision about how secure the device really is.

Choosing a keyboard because the box says "128 bit encryption" doesn't help if the manufacturer bakes in the same key on every device. Or a predictable key. Or really, any static session key even if it varies by device serial number or something like that. And a marketing or advertising guy doesn't know this, they just see a checkbox they can stick on the artwork. "Just get that 128 bit stuff in there so we aren't lying" is the most likely scenario for something like a keyboard, where competition is tough and margins are wafer thin.

Personally I'd use copper if I was at all worried, because the likelihood of some random firmware engineer getting a security protocol right is pretty slim.

dan_bk11y ago

> Some time ago, I needed to find a new wireless keyboard. With the level of digital paranoia that I have, my main priority was security.

If my main priority was security, then I would never even think about wireless (network, keyboard, etc.).

dnautics11y ago

do you think a wired keyboard might emit tappable rf? Should users take care to not have coils in their wires? Do solenoided keyboards (with the flexy chord coils) also pose a transmission risk?

kpreid11y ago

The cable is the least likely part to be the source of the problem. The data lines are inside a shield, and in USB they are balanced (“D+” and “D-”). Both of these act to prevent radiation of the signals.

If a keyboard radiates it is likely to be either from the unshielded, unbalanced matrix wires going to the keyswitches, or leakage from the controller going onto the outside of the shield. (I think the latter could be reduced by using (more/bigger) decoupling capacitors, i.e. shorting out the RF.)

Coiling a wire does not generally make it a more effective antenna; it may or may not make it less effective depending on the circumstances. (The reason some antennas are coiled is to get the same length of conductor into a smaller space.)

csmattryder11y ago

So how far can you go and still eavesdrop on the signal? I haven't the first clue regarding signals, but I guess you'd have to plant a bug on the underside of the desk as opposed to a radar dish on the other side of the wall?

But yeah, another post from windytan that's left me amazed. If you're uninitiated, this is the same woman that figured out how to read from bus timetable display radio signals [1].

I'll stick to my USB wired keyboard for now, though, until encrypted wireless keyboards come down from £70-100.

[1]: http://www.windytan.com/2013/11/decoding-radio-controlled-bu...

chmars11y ago

… or get a wireless keyboard with Bluetooth – it should be safe enough.

sp33211y ago

If you get an Ubertooth http://ubertooth.sourceforge.net/ you can sniff bluetooth as well. If you use the default PIN (0000 or 1234) then it's possible to decrypt the signal. Here's an overview of how feasible decryption is: http://css.csail.mit.edu/6.858/2012/projects/echai-bendorff-...

Also, Bluetooth LE provides no eavesdropping protection. If an attacker can capture the pairing frames, they may be able to determine the "long-term key". Here's the NIST guidance paper on Bluetooth security: http://www.nist.gov/customcf/get_pdf.cfm?pub_id=911133

The attack surface can be minimized if the keyboard manufacturer implements crypto properly, requires encryption at the protocol level, uses a long and complex PIN, etc. The manufacturer with the best reputation right now is Microsoft. They got burned pretty hard when their propriety wireless encryption was hacked back in 2007, and it looks like their bluetooth keyboards are doing everything right.

3 more replies

higherpurpose11y ago

This is why Apple's iBeacon was never going to be a viable method of payment, unlike NFC. The range on Bluetooth is just too long to safely do something like payments with it.

drdaeman11y ago

The range of Internet is incomparably greater, but we still somehow manage to perform payments over that in a reasonably secure manner.

We just have to establish the secure channel and securely authenticate peers to each other. The medium over which this is made is mostly irrelevant.

aoxfordca11y ago

If you don't have consent, this would be one of the RARE instances of a Title I violation under the ECPA.

j / k navigate · click thread line to collapse