Schneier on Security
A blog covering security and security technology.
« MI5 Sounds Alarm on Internet Spying from China |
| Freakonomics Q&A »
December 5, 2007
Microsoft's Wireless Keyboard Encryption Cracked
News, press release, and white paper.
Posted on December 5, 2007 at 6:43 AM
• 41 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
I wonder wether a 1 byte XOR has anything to do with encryption. ;)
It's hard to see what the point of a wireless keyboard is anyway. I can just about see the point of a wireless mouse (though I've never felt the slightest need for one) as the lead can occasionally get in the way while one is pushing it about. But a wireless keyboard? About as much use as a remote control for an electric toothbrush.
Wireless keyboards are convenient when you're on the sofa using the TV as a monitor.
Damn, there goes my dream of a pristine, cable-free ultra-modern minimalist desktop.
I'm just gobsmacked that after all the negative publicity that Microsoft has received over it's security protocols and algorithms, that it could honestly have accepted such a simple protocol...
I know they are dealing with pretty minimal processing power in the peripherals, but if they can handle the current hard wired protocols you would think that they should be able to handle something a little more complex - like a two byte XOR? ;-)
I could do a rewrite of that Pete Seeger lyric: "When will they ever learn?" but I would be violating copyright :-(
What I am wondering is how something so obvious his got past Microsoft's Security Development Lifecycle (SDL) ? In the book (Howard, Lipner), chapter 20 talks about minimum encryption. If standard crypto cannot be used, it has to be revised by the security team. A single byte XOR would have raised a flag... wouldn't it ?
My bet : expect a line like "We never said that the keyboard data was encrypted. Haven't you read the fine print ?"
I think the main reason why it is so simple is that it is a 'one way' protocol, they could not do any handshaking to exchange a key. But agreed, even a fixed key with a periodic (say every 8 characters) sync pattern would have been better than an XOR.
@igloo: I think parody is a valid reason to justify fair use (but IANAL).
What is the realistic range that the interception can be carried out from?
If it's unlikely to be easily detected out with the walls of your house then the risk is pretty small. The converse is also true however.
Your actually wrong, it works very well through floors and walls. And i did not use any special antenna, just copper wire. In addition i dont think that it is done (The XOR) for distinguish between keyboards because you got enough identification bytes left that they use to differ identical models. Anyway, the strangest part is, that the TI transmitter chip could be used for two way communication, as far as i understand the datasheets. So they could have done better key exchanges stuff etc.
"Keyboards that use Bluetooth for communication are not vulnerable."
Olaf wasn't wrong. He asked a question. Then he said "*IF* it's unlikely to be easily detected...then the risk is pretty small." which is true.
I bought a wireless keyboard for use on my MythTV box. They're welcome to sniff all they want and see me pressing -> to skip commercials (assuming auto-skip didn't work). But it's not a Microsoft. I don't know if it has encryption and I don't care much either.
I've sometimes wished to have one in the bedroom when I'm watching some video before bedtime, and I want to skip commercials there, where I'm just watching the MPGs on the Windows box off the Myth box over the network and autoskip doesn't work. It'd be nice to ctrl-> VLC to skip.
ISTM that a key exchange could happen at initial handshake time. All wireless devices I've used have a "connect" button on them. At the time you press that, the remote device could generate a random number (perhaps seeded by the number of milliseconds you held down the "connect" button, and send that as part of the initial handshake.
It would still be vulnerable to someone who was sniffing when you did the initial handshake, but would be safe for anyone arriving after that.
For conventional office set ups - yes, wires are fine, if ugly.
For how I like to use my home computer (usually with my legs tossed over one arm of an over stuffed chair with my head on the other, or sitting crosslegged on the floor or an ottoman, or just about any position ending "with the keyboard on my lap") additional wires to the mess already in place would be a tremendous hassle. And were, before my purchase of a wireless keyboard and mouse.
Jacques Mattheij, why the assumption that it is one way? Rather, that is must be one-way. BT certainly supports two-way communications. At the time of the pairing, the devices could exchange additional key data if they wanted to.
To assure total interop, maybe its a feature when you install their software only, and by default its just a keyboard, but you can secure it if you try.
"What is the realistic range that the interception can be carried out from?"
Unfortunatly a very very long way depending on circumstances.
The usuall answer is you lose 17dB in the near field at the aerial and then it drops as a square law in the far field untill it falls below the noise floor at -174 dBm for a one Hz bandwidth.
In reality at 27MHz it depends more on the amount of suitable conductors that act as transmission lines and other sources of in band interferance.
It has been known for old style Cordless Phones using 27MHz and 10mW to be sufficiently audible for recording purposes at upto 19KM where the signal has coupled into power lines etc and the interferance levels have been very low (i.e. out in the country side).
Although the effective radiated power of the keyboard and mouse devices is quite low, the receiver aerial is usually very inefficient. Also the noise floor at the computer is quite high due to electrical noise and a realy realy cheep receiver and data demodulator design. Which usually makes the effective range of the keyboard to computer under 30-50ft.
However an evesdropper with a decent reciever and demodulator setup might well give you a 40dB improvment in reception range (about 10 times that of the working distance of the keyboard to computer).
Then if they used a decent aerial as well you could possibly multiply that up to a couple of hundred times the range of the keyboard to computer and could easily be looking at 1 to 2KM in low interferance enviroments.
So well outside of even quite a large home's grounds is going to be quite easily done. And if there are powerlines over the house or a nice low cost three strand wire fence running close by the house then the range could be approching the 19Km of the old Cordless Phones.
Well, this thread has enhanced my knowledge of the positions people use their computers in. Maybe someone should do the computer equivalent of a sex manual ...
I'd be much more interested in the next step - hacking up a transmitter to inject your own keystrokes, once you've sniffed the session key. Maybe it's time to dig out that spare wireless keyboard I have kicking around.
re Stephen :
i thought that too until I got one (bundled with a wireless mouse - which is what i wanted). They're actually really handy. Not having to bother with the length of the cord has been very handy.
And being able to put the keyboard up on a shelf away from my 3yr old has been useful too while he's watching a wubbcast (toddler online video)
One way comms? They must be two way, as are normal keyboards. How do you think the LEDs are turned on? One of them can be done locally in the keyboard (numlock I think) but they are all controlled by he computer once the OS has booted. Look at "man setleds" on Linux, and I guess there are similar programs for Windows.
> How do you think the LEDs are
> turned on?
Wow, I never thought about that. I guess certain websites could do it. Works for me.
LOL, I sat there thinking to myself "Err, I've never seen a website do it, and surely any browser worth its security salt wouldn't let a website fiddle with your keyboard LEDs..." Duh.
The LEDs on my wireless setup are on the receiver FWIW.
@Olaf: "The converse is also true however."
I don't mean to be pedantic, but I'm really not sure what you're trying to say. The converse of your previous statement is:
"If the risk is pretty small then it's unlikely to be easily detected out [of] the walls of your house"
I've never seen a wireless keyboard with the traditional caps-lock, num-lock, etc. LED's. I'm sure some probably exist, but they don't appear to be common.
Microsoft encryption cracked?
Just the other day I seem to remember an eminent cryptologist recommending Microsoft encryption to "[How] to Secure Your Computer, Disks, and Portable Drives".
I must be thinking of a different Microsoft....
BitLocker isn't "Microsoft encryption", it's a Microsoft product. Let me remind you:
Encryption particulars: The default data encryption algorithm is AES-128-CBC with an additional diffuser. The diffuser is designed to protect against ciphertext-manipulation attacks, and is independently keyed from AES-CBC so that it cannot damage the security you get from AES-CBC. Administrators can select the disk encryption algorithm through group policy. Choices are 128-bit AES-CBC plus the diffuser, 256-bit AES-CBC plus the diffuser, 128-bit AES-CBC, and 256-bit AES-CBC. (My advice: stick with the default.) The key management system uses 256-bit keys wherever possible.
"Microsoft encryption" is an oxymoron. Just like "IT security".
"Well, this thread has enhanced my knowledge of the positions people use their computers in. Maybe someone should do the computer equivalent of a sex manual ..."
Sort of a Computa Sutra?
Exchanging a key would be simple, at least once the user installs their drivers and turns on encryption.
When the user installs the software, they would be prompted to press the link-up button twice in a row, then enter some text on the screen.
If successful, the user would be prompted to confirm by pressing a specific key, if anything went wrong (most likely user error), the keyboard would fall back to unencrypted status.
In other words, just because the keyboard's radio transmitter is one-way, doesn't mean we don't have two way communication.
"""Encryption particulars: ... AES-128-CBC ... AES-CBC... 256-bit AES-CBC ... ."""
OK, so it's fully buzzword-compliant.
Doesn't mean it's not broken though.
They might have picked a poor IV (http://www.schneier.com/blog/archives/2005/01/microsoft_rc4_f.html) or implemented a bad random number generator (http://www.net-security.org/news.php?id=15463) or made any number of other mistakes (again) that render the actual encryption meaningless.
so weak encryption in ms wireless keyboard/mouse matters how?
FWIW my wireless KB has it's LED lights on it directly - but LED status can get out of sync if I hit caps/num/scroll-lock while out of range.
"I think the main reason why it is so simple is that it is a 'one way' protocol, they could not do any handshaking to exchange a key."
Yes, that excuse has been used before with wireless devices.
I think all such devices should have a small USB port, which can be used to connect just once (ideally) to the computer, for the purposes of proper key generation and exchange.
After that, secure wirelessness can prevail.
An attacker have access to everything you type, including password/ passphrase
Got here from a google search - 'wireless keyboard security'. My keyboard and mouse are still wired. I've seen that keyboard have been considered insecure all the way back to 2001 in a number of articles.
What I am looking for, after searching a bit, is a page on how robust the bluetooth encryption is. Specifically, does it handle known plaintext well? That's the biggest concern, after the strength of the algorithm and key choices, as far as I know.
Of course, 'www.' might be the most common plaintext assumption, and does get you a quarter of the key for 128 bits.
Mostly, that's paranoia, in 99.++ of situations, but that's what computer security is, people calling you paranoid.
Very interesting read through though, lots of stuff to think about.
A good overview of Bluetooth security can be found at:
Generally speaking, attacks on the encryption algorithm are the least of your worries; rather, there have been numerous attacks based on implementation errors.
The cryptographic algorithms are actually believed to be good. The problem with them is that they are bootstrapped from PINs which are often quite short. These can be brute-forced if the attacker eavesdrops on the initial pairing process, or can induce the user to re-initialise the connection.
A 4 digit PIN can be brute-forced in 63 milliseconds. Many implementations do not support anything longer, and few support the > 15 digits that would be required for fair to moderate security.
Finally, many devices (notably including most mice) have a short, unchangeable PIN. This is often either blank, 0000 or 1234, and even if it isn't it can be looked up easily. Such devices have essentially no security.
Thanks! I rolled back around to this subject and there was your answer. I appreciate the information.
Thank you everyone for the great insight. You have confirmed my suspicions about wireless security. Personally, I hardwire everything. I have no problems with punching holes in walls, routing wire through the Attic etcetera. A little spackle and fresh paint and you never will know it is there.
If you could only get rid of the user, security would not be an issue. People just don't care or are so intellectually undernourished from a computer standpoint, they swim to the left of the bell curve. Don't believe me? Just take your Wi-Fi out for a ride and see how many internet connections you can make in an hour. Password protection? Almost a joke. In 2006 I attended a basic computer security seminar. The head IT security gal said that 70% of the computer users keep their passwords written down within 6 feet of their computers. My first reaction was no-way. I did a quick survey at were I worked and it turned out she was wrong. It was more like 85%
Great Blogging – I really appreciate the input.
I have Miglia Diva 2.1 speakers on my desk. Why bring that up? Well, when they are on I have to move my mouse/keyboard receiver unit (not bluetooth) quite close to the mouse pad for it to receive the keyboard and mouse signals. When off, I can move it to about 60cm away from the keyboard and mouse.
I built a receiver unit to check how far I could get information from the keyboard and mouse - the answer is that at best it works at a maximum of 80cm. After that the signal is totally broken up. As no one can get that close to my pc to install a eaves-dropping device, I sleep quite well even with only xor256 encryption. Hell, at those distance plain text is ok for me.
BTW - bluetooth encryption is also fully broken, so you guys don't be so smug! Ah, I hear you cry, why don't we build devices to use WPA2 encryption for wireless. Answer: WPA2 is LESS secure that WPA - that's right LESS SECURE!!! IT TAKES LESS TIME TO CRACK A WPA2 KEY THAN A WPA KEY. WPA2 has a flaw in its specification that makes the encryption more vulneralble. Go read some security sites for the very long and mathmatical explaination.
We work in security, so these things are important to us. So here are my recommendations
1. Wireless Keyboard and Mouse (not bluetooth) are LESS likely to leak information that a WIRED keyboard and mouse. Wired keyboards do not use encryption, but they have a very nice cable that acts as an aerial and transmits data up to 40meters through a couple of walls.
Why less likely? Because non-bluetooth wireless keyboards have have such a short transmission distance.
2. Do not use a bluetooth keyboard if you are worried about security - it transmits too far (10M plus at least 20M leakage with a good receiving antenna) and the encryption is broken. Think carefully, bad encryption over 80cm or broken 'good' encryption over 20 Meters or more! (65 feet or more in old money).
I love bluejacking - it was made harder recently, but its still not that hard. Got a couple of dates with a French girl by bluejacking her phone in a line at heathrow airport. Blue-snarfing is much harder now, but get me within 10M of the US president and I'll have all of his phone address book in 48 seconds.
3. Don't use wifi for anything important. Use proper high quality shielded cabling for your LAN - earth the shielding cables to prevent leakage.
4. Where you do use wifi use WPA rather than WPA2, change the key often, and use a very very long key!!! WPA is less broken than WPA2 - the same long key on WPA will take longer to discover than WPA2 - but it is still reasonably simple.
5. Build a faraday cage around your whole office. The best stuff for this looks a bit like the mesh at front of a microwave oven. I'm not kidding! Many secure offices are sealed from stray radio signals this way. Think CTU on steroids. BTW, does anyone else find it odd that CTU in the series 24 is harded against radio wave emission and nuclear attack, but mobile phones still work inside?!?! Safety Hint: Don't stand next to a CTU mobile phone unless you want your kidneys cooked.
6. Buy some Miglia Diva 2.1 speakers - they absorb radio waves better than a lead lined casket. ;-)
7. Finally, stop being so paranoid. Nobody gives a damn about your sisters wedding or new second cousin's baby's name. They don't really care about your bank details enough to build a receiver to pick up you password because most of the time you are NOT talking to your bank. It's much easier to steal bank details from your unshreaded rubbish. Oh, and shredding does not help either - it takes longer to put back together, but not long enough to deter a thief. Remember, shreaders are designed to allow governments operatives to reassemble your private detals. There are 'secure shreaders' that are only available to governments.
Instead shread then burn paper, don't just shread. Burning paper without shreading it is actually better for the environment - keeps you warm and only releases what the tree took in. Shreaders are much worse for the environment - think oil, plastic, electricity.
Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.