December 5, 2007 1:22 PM PST

Researchers hack Microsoft wireless keyboards

The protocol for securing some of Microsoft's wireless keyboards has been cracked, opening up the possibility of keystroke logging, according to Swiss security company Dreamlab Technologies.

Researchers from the company have said they are also close to being able to use the hack to control affected computers remotely.

Microsoft's Wireless Optical Desktop 1000 and 2000 keyboards communicate by transmitting radio signals to the sound card in a user's computer. The data stream is encrypted using an exclusive-or (XOR) cipher, which is not strong enough to secure the communication, according to Dreamlab's senior security specialist, Max Moser.

"This is nothing like a crypto-algorithm," Moser told ZDNet UK, a CNET News.com sister site. "An exclusion-or binary is really a simple mathematical idea. You can crack the cipher by hand. You take two values, write both lines and look at the different digits. When either the top or the lower line is 1, you write 1. If both are 0, you write 0. For me, this is just obfuscation (rather than encryption)."

Microsoft's Mark Miller said the company was investigating Dreamlab's claims. He said Microsoft was unaware of any attacks exploiting the claimed vulnerability or any customer impact.

"We will take steps to determine how customers can protect themselves should we confirm the vulnerability," Miller added.

Dreamlab started its cracking efforts six months ago. It first identified the radio frequency used by the keyboards. The company then used a piece of copper wire to intercept the signal, which is effective to a range of 10 meters, including through walls and floors. However, because the radio frequency is in the citizens' band--that is, it is used by CB radios--Moser said it would be possible to obtain radio equipment that could intercept the transmissions from up to 50 meters away. "Range is not a problem," said the security specialist.

But Moser said that, though he could log keystrokes, he hadn't yet been able to take control of a compromised computer remotely, because there were still some parts of the keyboards' protocol that were unknown to him. Because the protocol is proprietary to Microsoft, meaning the researchers do not have access to the source code, they decided to analyze the data on a binary level, rather than use reverse engineering.

"The real challenge was to understand the keyboard protocol," said Moser. "With 40 bytes per keystroke, it's difficult to understand which (byte) holds the data. From the binary stream, we built the data into meaningful sets and groups."

Moser then wrote a software tool that automatically sifted the data. Moser said he has not publicly released the tool because he does not want it to fall into the wrong hands. He added that he has informed Microsoft of his findings.

Each keyboard transmits its own identifier, so, if two or more keyboards are working in close proximity, the signals don't interfere with each other. While this means users are unlikely to find themselves typing on a neighbor's computer, it also allows intercepted signals to be hacked because each unique identifier can be used as a key.

It takes between 30 and 50 intercepted keystrokes to break the protocol. As exclusive-or is used as the cipher mechanism, even if the user changes the key by reconnecting the keyboard, it is easy to crack the code, said Moser.
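To show why a fixed-key XOR stream is obfuscation rather than encryption, here is an added example that is not Dreamlab's tool or Microsoft's actual protocol: it models each keystroke as one ASCII byte XORed with a single per-device key byte (an assumed simplification) and recovers the key from a few dozen captured keystrokes by frequency analysis, which is why reconnecting to get a new key does not help.

```python
# Added illustration, not Dreamlab's tool or the real keyboard protocol.
# Assumed model: one keystroke = one ASCII byte, XORed with a fixed 1-byte
# key derived from the keyboard's identifier. A new key on reconnect is
# just another constant and falls to the same analysis.

from collections import Counter

# Constructed sample of ~40 keystrokes of ordinary English typing.
SAMPLE_KEYSTROKES = b"the quick brown fox jumps over the lazy dog"

# In English text the space is the most frequent byte by a wide margin.
SPACE = 0x20


def xor_with_key(data: bytes, key: int) -> bytes:
    """The weak scheme: every byte XORed with the same key byte.
    XOR is its own inverse, so this both 'encrypts' and 'decrypts'."""
    return bytes(b ^ key for b in data)


def recover_key(ciphertext: bytes) -> int:
    """Frequency analysis: the most common ciphertext byte is almost
    certainly the encrypted space, so XORing it with 0x20 yields the key.
    Needs a few dozen keystrokes for the statistics to settle."""
    most_common_byte, _ = Counter(ciphertext).most_common(1)[0]
    return most_common_byte ^ SPACE


def intercept_and_decode(key: int) -> tuple[int, bytes]:
    """Simulate capture under a given device key and return
    (recovered key, recovered keystrokes)."""
    captured = xor_with_key(SAMPLE_KEYSTROKES, key)
    guessed_key = recover_key(captured)
    return guessed_key, xor_with_key(captured, guessed_key)


if __name__ == "__main__":
    # Two different keys (as after a 'reconnect'); both are recovered.
    for device_key in (0x5A, 0xC3):
        k, text = intercept_and_decode(device_key)
        print(f"key used {device_key:#04x}, recovered {k:#04x}: {text!r}")
```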

Moser said that, to mitigate this possible attack vector, companies could invest in wired or Bluetooth keyboards.

Tom Espiner of ZDNet UK reported from London.

13 comments

I wasn't really expecting wireless keyboards
to be encrypted. What's the use of encrypting something that can MAYBE send information 3-6 feet... the person trying to packet sniff or something similar would have to be sitting almost right next to you in order to do so.
Posted by Leria (585 comments)
Not true...
It's called BASIC-SECURITY. For one thing, yes, such transmissions can be detected further than "...3-6 feet" (especially with a, purpose-built, directional-antenna... just like the ones "war-drivers" use, these days).

The simple fact is that such low-power radio-emissions can (and have), most-certainly, been detected, far, further than many ordinary devices can reliably operate (especially when the frequencies and data-specifics, of such devices, are commonly-known). And, again yes, that information is valuable to nefarious "Hackers" (I.E. black-hats). This is no different than say, "war-driving", or "packet-sniffing", outside of a business, or a residence (a common set of cracker-pastimes).

Microsoft (or for that matter, anyone, that produces devices that contains/transmits "private-data") does have to be watchful for such "security holes".

"Basic security practices" state that... if "data" ever -leaves the box- (for any reason), common sense, and years of experience, unequivocally-dictate that it be encased in relatively-strong encryption.

But, finally, I am surprised that anyone (in this day and age) doesn't know that, what a person actually "types", is one of the most valuable forms of "data" there is.
Posted by Gayle Edwards (262 comments)
With one Pringles' Can...
With one Pringles Can, suitably modified into a unidirectional antenna, you can use an 802.11 WiFi access point from up to a quarter-mile away (almost half a kilometer). This is in spite of 802.11 wireless access points being good for only about 100 meters.

To make matters worse, MSFT's wireless keyboards operate on CB frequencies, which means there are already rigs that are sensitive enough to really reach out and listen for weak signals. Even worse? Get up a modified CB linear transmitter, and I can simply pump out random noise from it at 100 watts, and promptly jam-up an entire office full of wireless keyboards... it would take a couple of days to replace them all with USB or PS/2 keyboards, which means I can pick a time which is crucial to that office (say, right before some product is released), and *poof* - you missed your deadline. I'd hate to have to ever explain that one to the stockholders...

Of course no one really thinks about it, but then someone does... and suddenly you need security against the new threat. Never underestimate the ingenuity of a security researcher... or of a determined hacker.

/P
Posted by Penguinisto (5042 comments)
Six months?
Why would this company have a team of folks working on cracking this for six months? Obviously they're not selling the exploit, I wonder why this would be worth it for half a year of salary for this team, and they still have only begun to get anything useful.

Just curious why, interesting use of company resources, not that it wouldn't be fun...
Posted by KTLA_knew (385 comments)
One change and... poof
So all it takes is a single file update pushed out and this team's work for half a year would have been lost. Perhaps they are looking to make money by writing their own third party security utility they will market toward wireless keyboard users.

First you create a demand (this article), then you create a product to meet it.
Posted by Vegaman_Dan (6683 comments)
It boggles my mind...
that companies are still using the old-fashioned, played out
dongle solution for wireless devices. Every Mac (and most
higher-end PCs) can be purchased with Bluetooth so why not
make more Bluetooth Wireless Keyboards and Mice?

I'm sick of having to purchase a notebook mouse if I want a
bluetooth mouse, and the only bluetooth keyboard options are
either the Apple ones (which don't have a num pad) or are overly
complex "Multimedia" keyboards that aren't going to work on
my Mac anyway.

For me, it comes down to not wanting to waste USB ports for
dongles. I'd rather use the built in Bluetooth to wirelessly
connect to my peripherals.
Posted by jelloburn (252 comments)
I can help you
You want Bluetooth mice but only found the ones made by Apple? Probably because you only looked inside an Apple store... LOL

There are plenty of options out there, both from Microsoft and Logitech but also from other less known brand names.

http://www.microsoft.com/hardware/mouseandkeyboard/ProductList.aspx?Type=Mouse&AdditionalType=Trackball&feature1=bluetooth

http://www.logitech.com/index.cfm/mice_pointers/mice/&cl=roeu,en&page=1&filter=360&sort=0
Posted by aemarques (162 comments)
Silly Rabbit
Haven't you guys learned anything from the macboys? You're supposed to rant that "this doesn't count because it's not in the wild." Of course, that's not my sentiments. Whether it's in the hands of hackers or still locked up in a test lab somewhere, it's still a vulnerability and should be taken for what it's worth.
Posted by Seaspray0 (9714 comments)
That depends
That depends on whether or not it's exploited in the wild before it's
fixed, doesn't it? M$ doesn't have a great track record for fixing
security flaws before they're publicly exploited for 6 months.
Posted by Dalkorian (3000 comments)
Even sillier...
...this ain't really a software issue. All I need is a slightly modified CB-frequency amplifier and I don't need no programming to jam your keyboard into utter uselessness. It would take an EE (or radio hobbyist) about 30 minutes, a few electronics components, and a soldering iron.

As a benefit, the radio-borne intruder doesn't have to worry about firewalls or any inherent protection measures to overcome (unless you have one hell of a Faraday Cage built into the walls, floor, and ceiling...)

I figure 100W of jamming can be parked in a car out in the parking lot somewhere... it'd take a week before the FCC bothered looking into it, and almost as long to discover that you were being jammed, find a means (and the gear) to locate the source, and by then, well... the intruder would be gone. ;)

It's like comparing Apples to antennas. ;)

/P
Posted by Penguinisto (5042 comments)
What a coincidence...
Remember that press release a few weeks ago about how an XP SP1 system with an unsecured wireless router, no firewall or AV was hacked into? As I read it, I was thinking "They might as well have left the keyboard on the sidewalk.'

Looks like they did. :)
Posted by Jim Harmon (329 comments)