Security Vulnerabilities in Wireless Keyboards

Most of them are unencrypted, which makes them vulnerable to all sorts of attacks:

On Tuesday Bastille’s research team revealed a new set of wireless keyboard attacks they’re calling Keysniffer. The technique, which they’re planning to detail at the Defcon hacker conference in two weeks, allows any hacker with a $12 radio device to intercept the connection between any of eight wireless keyboards and a computer from 250 feet away. What’s more, it gives the hacker the ability to both type keystrokes on the victim machine and silently record the target’s typing.

This is a continuation of their previous work.

More news articles. Here are lists of affected devices.
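The two failures the article describes, a link without encryption that lets an eavesdropper read every keystroke and a link without authentication that lets anyone within radio range type on the victim's machine, are exactly what a keyboard-to-dongle protocol has to close. The following Python sketch is an added example for this post, not Bastille's code and not any vendor's firmware. It encrypts and authenticates each 8-byte HID report under a secret shared at pairing time, with a strictly increasing counter, and the dongle verifies the tag before doing anything else and rejects replays through a sliding window. The report layout follows the USB HID boot-protocol keyboard report; the pairing secret, the frame format and the `Keyboard`, `Dongle` and `LegacyDongle` classes are assumptions made for the example, and HMAC-SHA256 stands in for the AES-based cipher a real 2.4 GHz chip would use so that the example runs on the standard library alone.

```python
import hashlib
import hmac
import struct

REPORT_LEN = 8       # USB HID boot-protocol keyboard report: modifiers, reserved, six key codes
COUNTER_LEN = 8      # 64-bit send counter; never reused under one pairing secret
TAG_LEN = 16         # HMAC-SHA256 tag truncated to 128 bits
WINDOW = 64          # receiver accepts out-of-order frames this far behind the newest one
FRAME_LEN = COUNTER_LEN + REPORT_LEN + TAG_LEN


def _prf(key, label, counter):
    """HMAC-SHA256 used as a PRF (assumption for the example: a radio chip would use AES)."""
    return hmac.new(key, label + struct.pack(">Q", counter), hashlib.sha256).digest()


def derive_keys(pairing_secret):
    """Derive separate encryption and MAC keys from the secret agreed at pairing time."""
    return _prf(pairing_secret, b"enc", 0), _prf(pairing_secret, b"mac", 0)


class Keyboard:
    """Transmitter: encrypt-then-MAC every report under a strictly increasing counter."""

    def __init__(self, pairing_secret):
        self.enc_key, self.mac_key = derive_keys(pairing_secret)
        self.counter = 0

    def send(self, report):
        if len(report) != REPORT_LEN:
            raise ValueError("report must be %d bytes" % REPORT_LEN)
        self.counter += 1                       # fresh counter => fresh keystream, no reuse
        header = struct.pack(">Q", self.counter)
        keystream = _prf(self.enc_key, b"ks", self.counter)[:REPORT_LEN]
        ciphertext = bytes(p ^ k for p, k in zip(report, keystream))
        tag = hmac.new(self.mac_key, header + ciphertext, hashlib.sha256).digest()[:TAG_LEN]
        return header + ciphertext + tag


class Dongle:
    """Receiver: check the tag first, then the replay window, and only then decrypt."""

    def __init__(self, pairing_secret):
        self.enc_key, self.mac_key = derive_keys(pairing_secret)
        self.highest = 0                        # newest counter accepted so far
        self.seen = 0                           # bitmap: bit d set => counter highest-d already used

    def _accept_counter(self, counter):
        if counter > self.highest:
            shift = counter - self.highest
            self.seen = ((self.seen << shift) | 1) & ((1 << WINDOW) - 1)
            self.highest = counter
            return True
        behind = self.highest - counter
        if behind >= WINDOW or self.seen & (1 << behind):
            return False                        # too old, or an exact replay
        self.seen |= 1 << behind
        return True

    def receive(self, frame):
        """Return the plaintext report, or None if the frame is forged, tampered or replayed."""
        if len(frame) != FRAME_LEN:
            return None
        header = frame[:COUNTER_LEN]
        ciphertext = frame[COUNTER_LEN:COUNTER_LEN + REPORT_LEN]
        tag = frame[COUNTER_LEN + REPORT_LEN:]
        expected = hmac.new(self.mac_key, header + ciphertext, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):
            return None                         # anyone without the pairing secret stops here
        counter = struct.unpack(">Q", header)[0]
        if not self._accept_counter(counter):
            return None
        keystream = _prf(self.enc_key, b"ks", counter)[:REPORT_LEN]
        return bytes(c ^ k for c, k in zip(ciphertext, keystream))


class LegacyDongle:
    """The vulnerable design the article describes: any well-formed frame is a keystroke."""

    def receive(self, frame):
        return frame if len(frame) == REPORT_LEN else None


def demo():
    """Run the article's scenarios against both designs; every value should be True."""
    secret = bytes(range(32))                                  # constructed pairing secret
    kb, dongle, legacy = Keyboard(secret), Dongle(secret), LegacyDongle()
    win_r = bytes([0x08, 0x00, 0x15, 0, 0, 0, 0, 0])           # left GUI modifier + 'r'
    genuine = kb.send(win_r)
    forged = Keyboard(bytes(32)).send(win_r)                   # attacker without the secret
    late, later = kb.send(win_r), kb.send(bytes(REPORT_LEN))   # delivered out of order below
    tampered = genuine[:COUNTER_LEN] + bytes([genuine[COUNTER_LEN] ^ 0x01]) + genuine[COUNTER_LEN + 1:]
    return {
        "genuine_accepted": dongle.receive(genuine) == win_r,
        "replay_rejected": dongle.receive(genuine) is None,
        "tamper_rejected": dongle.receive(tampered) is None,
        "forgery_rejected": dongle.receive(forged) is None,
        "reorder_within_window_ok": dongle.receive(later) == bytes(REPORT_LEN)
        and dongle.receive(late) == win_r,
        "legacy_accepts_injection": legacy.receive(win_r) == win_r,
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print("%-26s %s" % (name, "ok" if ok else "FAIL"))
```

Running the file prints one line per scenario. The keystroke injection in the Wired passage is the `legacy_accepts_injection` case: a dongle that trusts any well-formed frame has no way to tell the attacker's eight bytes from the keyboard's. On the hardened side the counter is the only thing keeping the keystream fresh, so a real implementation has to persist it across battery changes or re-pair on rollover, and the dongle must check the tag before decrypting or touching the window so that a forger cannot disturb its state. HMAC-SHA256 per keystroke is more compute than a keyboard microcontroller would spend, which is why shipping designs use AES-CCM or a similar AEAD with the same counter discipline.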

Posted on August 1, 2016 at 3:07 PM • 39 Comments

Comments

Bill Stewart August 1, 2016 6:54 PM

I’ve been really annoyed that all of the low-cost wireless mice and full-sized keyboards use some proprietary radio link instead of Bluetooth. (Yes, I realize Bluetooth charges for a license, but that should be well under $5, and the difference in keyboard prices seems to be $30-50, while I’ve got Bluetooth tablet-sized keyboards that cost about $25-30.)

It’s not like Bluetooth is amazing computer security or performance, but at least it’s something, and more importantly for me, it doesn’t require an additional dongle to plug and unplug, which is a minor annoyance for my laptop and a lot more annoyance for the Raspberry Pi B that I’ve got. (And yeah, upgrading to the RPi3 which has more USB ports is only marginally more expensive than getting a powered USB hub.)

Love Bubble August 2, 2016 1:26 AM

Indeed, instead of arguing about it, just encourage everyone not to use wireless USB stuff.

What was the secure portable keyboard project – security being the objective – being crowdsourced and due for release towards the end of the year?
Someone mentioned it here recently. Apologies for being vague!
It had lots of great security features.

required August 2, 2016 4:22 AM

Rather than unencrypted, it seems most of them were unauthenticated, allowing third parties to inject keystrokes. Still bad. And still unable after all these years to understand how messing with dongles, batteries and such is an improvement over a piece of cable for a device that is sitting on your desk all its life.

Clive Robinson August 2, 2016 5:34 AM

This is a micro example of the much bigger issue that Software Defined Radio (SDR) is bringing to a Radio Regulatory Authority / Agency (RRA) near you. Its effect is much like that which the Internet itself has brought to various Governmental Authorities / Agencies (GA).

There is a very fundamental conflict between Unrestricted Freedom and any kind of regulation, be it beneficial or detrimental to society.

Unrestricted Freedom of the sort espoused by “libitarians” has in the past caused “societal harm” in major ways. But surprisingly to some, regulation is actually derived from extreme libitarian behaviour, in that one party seeks to impose its “freedom” on all others. Thus after a little thought freedom can be seen as a spectrum that has a balance point, and that “freedom” must come with “responsibility” to minimise harms to others. The question then falls to how the responsibility of equitability is achieved, and those who will not be self responsible need to be constrained from excess.

In the past individuals have in effect been restrained by circumstances, in part by the “no man is an island” principle extended to the control of resources. In the case of radio equipment very few had sufficient mastery of the technology to have unlimited freedom; the costs were too high due to scarcity etc. Thus it took little effort to apply controls by an agency to the masses, and the few who had the mastery could be reasonably constrained by minimal application of “guard labour” in the form of over reaching sanctions.

But technology has advanced and, as I point out from time to time, it is not just agnostic to use, but inventory cost where possible encourages the broadening of scope/function/range of any component, thus the cost of technology falls.

Thus the RRAs have woken up to find that almost overnight the technology has slipped beyond their old control / regulatory methods. That the agnostic nature of the now universally available technology, with minimal or no mastery required, means that “unrestricted liberty” is currently beyond the RRAs’ abilities to restrict. Thus the world is becoming a goldfish bowl for those with the will to make it so, and with the inventory costs having made the cost barrier as little as a “burger and beer”, there is not much stopping them other than not knowing what is possible…

The price of a Digital Television USB dongle is as little as $10; the software, such as GNU Radio on Linux, is freely available at the cost of a download or a magazine with a cover mounted DVD. The hard part is knowing how to use the “plug and play” nature of GNU Radio, which is where the mastery is now required. But those with mastery are happy to “give back to the community” for their own reasons. Thus the mastery needed is really one of finding and copying which, frustrating as it can sometimes be, is really quite minimal and a bright preteen can readily accomplish.

In this case researchers have given the community the knowledge of the vulnerabilities, thus the horse has “left the building” and has its freedom. The question is who will use it for good or bad?

The real issue however is that of the blinkered nature of engineers and those who dictate what they do. Engineers dislike security mechanisms as they make their job much harder, which means increased costs. Managers hate what they see as unwarranted “costs” as they cut profit etc etc. The result as always is a “race for the bottom” with the only way to stop it being “regulation”.

As I’ve pointed out, regulation is a form of libertarian behaviour that, if used correctly, increases liberty for many more at a limited cost to a very few, thus can achieve greater equitability. Which, surprising to some, actually allows greater innovation that reverses the race for the bottom and gives rise more often than not to real flourishing markets.

Drone August 2, 2016 7:01 AM

Thank goodness we now have (mostly) open, inexpensive yet powerful Software Defined Radio (SDR) tools so we can investigate and expose just how lazy and/or incompetent some manufacturers are in protecting our data.

The result will be improved security, and the attrition of companies that refuse to improve. In the end, more secure products do cost a bit more at purchase time, but the overall savings brought on by the added security far outweighs this increase.

As usual, our corrupt Big Bloated Government will try to regulate-away this ground levelling new SDR-aided freedom – but as usual, they will fail. Hope is abundant…

DanHenry August 2, 2016 7:44 AM

Clive Robinson – You know so little about libertarianism that you don’t even spell the word correctly.
The central tenant of libertarianism is the Non Aggression Principle (NAP). Actual libertarians aren’t looking to “impose” anything on anyone, not even freedom.
Perhaps you are thinking of something closer to anarchy?

Dan August 2, 2016 9:00 AM

@Jonathan Wilson

I can appreciate the security risk of a wireless keyboard which is why I’ve never used one but I really can’t see any problems with wireless mice (I use a wireless mouse).

Surely the worst case scenario would be an attacker could see the movement pattern of your mouse!

Care to elaborate?

ianf August 2, 2016 9:13 AM

@ DanHenry,

please, show some maturity. Clive Robinson is, obviously, somewhat of a dyslectic, or some other -lectic, so #whatyouregonnadoaboutit? He’s a SAGE for Pete’s sake (Pete’s no longer with us), learn to live with it.

As for your apparently bottomless faith in the saintly principles of (correctly spelled) Libertarianism, they’d hold water if only its hardcore believers lived up to their ideals. But, from my peripheral vantage point, libertarians also oppose imposition of any taxes, because the roads have already been built, etc., and everyone should maintain their own stretch of the infrastructure on a consciously voluntary basis. Am I also ignorant of the Libertarian principles in practice, or have I more or less nailed it down?

Former Lib August 2, 2016 9:57 AM

Libertarianism is like communism. Great in theory, works if everyone buys into its precepts and fails miserably in practice. It is completely incompatible with capitalism.

Most “job killing regulations” stem from someone (usually more than one) actually getting killed.

Clive Robinson August 2, 2016 10:01 AM

@ DanHenry,

You know so little about libertarianism that you don’t even spell the word correctly.

Whilst you have me on the spelling (due to a disability) you fail to state what sort of Libertarian philosophy you are referencing.

Which is important, as aside from a few commonalities it’s essentially an umbrella term covering all manner of joys/sins. For instance one of the first usages was for what many would consider a form of communism, which I suspect is not the philosophy you are thinking of. Others espouse personal title to resources whilst others espouse the opposite etc.

However the commonalities are principally to uphold a definition of liberty, by maximizing autonomy, and freedom to choose without reference to others’ views by the primacy of individual judgment (which my comment above is based on). Further some, but by no means all, emphasize freedom of politics and association (authoritarianism and guard labour issues).

As for your comment that “The central tenant of libertarianism is the Non Aggression Principle (NAP).” actually it’s not, it’s from the “Johnny come latelies” of “right-libertarianism” held by a few in the US where it originated almost as a child of the sixties counter culture. Many of whom believe, not in NAP for their actions but the action of Governments –guard labour etc–, which is a “do as I say not as I do” attitude, that can be seen in much of US right of center politics in which introspection and reason appear to be minor considerations compared to “who pays the piper”. You can see this clearly demonstrated by examining the money flows from the Koch brothers and the fact their actual behaviours have been subject to action under various pieces of legislation,

http://www.exposethebastards.com/who_are_the_koch_brothers

They certainly have a very one way view on NAP don’t they?

ianf August 2, 2016 10:13 AM

@ Dan

Surely the worst case scenario would be an attacker could see the movement patterns [plural] of your wireless mouse!

This is strictly theoretical, mind, but, by building up a TIME-STAMPED mouse move patterns database, and correlating it with other stolen data, the attacker first could find out the type of ops one is doing at recurring times, inside what apps, then recreate and model it offline, and finally mount an attack at a time when the data says you are absent/ not there, therefore no one should be watching the elaborate solo mouse tango on the screen.

An app launched, login supplied, a couple of clicks at known coordinates, and there’s an easy USD10M on its way to a numbered Cayman Islands bank account that will cease to exist 10 minutes after the money has been withdrawn. And all that because USPTO wouldn’t let Walt Disney patent the generic name of his meal-ticket ‘toon character! (shame on us).

r August 2, 2016 11:34 AM

@ianf,

What would be nice, following your lead then – is a better mousetrap not some rudimentary HID.

How about a mouse with a fingerprint scanner built into the buttons?

Bluetooth HID /w/ additional biometrics ftw.

Logical Technology August 2, 2016 12:26 PM

I’m surfin with a Y-ROO19 (walmart standard) plank cuz even though I think the whole industry is flood of insecurity by design, I couldn’t imagine logitech would risk their public image reputation over such obvious stupidities as is the subject at hand here today. Anybody care to burst my ignorant presumptuous bubble?

ianf August 2, 2016 5:41 PM

@ rrrrrrrrr, Dan,

What does a wireless mouse send out? A series of coördinates + Idle/ MouseDown/ MouseStillDown/ MouseUp events. Plus perhaps the state of a second button.

A simple way of transparently hardening it would be to define a time gap signifying each consecutive phase of movement (say delay > 1 second) and, at the beginning of each have the mouse-server s/w pick at random one of 4 sides of the 2D space that it moves in as being the “up.” Then ladle out the coördinate pairs in relation to the chosen direction. The receiving s/w automagically transposes the “wrong turned” paths into default screen-up-is-up ones. Any uninvited listener would end up with a list of points that are way too haphazard to untangle WITHOUT having the right paired random generator value.

Which reminded me of: couple of years ago, while doing some analog doc. maintenance at a usually empty satellite office (nothing to do with space) of a hmm… global consultancy, I came across a novel verifiable login method. There were a few “fob keys” lying around, with company logo and a 12? blinking digits alphanumerical DAY:HH:MM:SS LCD display, LiOn powered and with >10 year shelf life. By squeezing the plastic in a specific way, the 9 num digits changed into a random code.

This was input to validate one’s login handle on the office’s standby terminal. The remote server compared it against a list of own generated codes, then responded with a request to enter local HH:MM off the telephone speaking clock, or other so-so-trustworthy time source, so it could update its own synchro with the local fobkey’s. Then it periodically asked for reentering the code during the session. Anyone under duress could just input the “arrested value” again, and lose the connection.

I quite liked the ease of it, no passwords to remember, but understood that it was usable ONLY in situ (in a round the clock well-guarded business hotel) from company’s in advance primed terminals, no phone-ins or similar.

David Oftedal August 3, 2016 4:07 AM

Logical Technology:

Logitech previously advertised their keyboards as being encrypted by AES-128, but have later removed that claim from their pages, and now only mention that there’s a secure mode that can be activated by running a special piece of Windows software after installation.

In other words, the default mode is very likely to be insecure mode, and the keyboards are probably happily broadcasting your keystrokes far and wide.

Richard H August 3, 2016 10:19 AM

@DanHenry #MuphrysLaw

“The central tenant of libertarianism”

Is he the one who lives in the penthouse suite?

Logical Technology August 3, 2016 11:47 AM

@David Oftedal

I’ll pay you $100 USD if you can help me demonstrate the insecurity of my own technology to myself. I’m guessing you can’t easily, so I’ll continue operating as if my wireless kb has exactly that much security assurance. I’m actually quite skeptical that logitech is as bad as you suspect, though I certainly understand your suspicions in the context of how utterly stupid so many other companies are and have been and continue to get away with even three years after Snowden.

Alex August 3, 2016 11:52 AM

@ianf
“What does a wireless mouse send out? A series of coördinates + Idle/ MouseDown/ MouseStillDown/ MouseUp events. Plus perhaps the state of a second button.”

What about the radio that receives the mouse’s signals? How vulnerable is that software?
You’re focusing on the mouse; think about compromising the Rx radio instead.

Dan August 3, 2016 5:38 PM

@ianf

I appreciate that the coordinates would be sent/intercepted but realistically that’s of very little use to an adversary. TEMPEST-style interception would be the best if somebody was that adamant on finding out what you were up to.

A wireless mouse is detectable at a very short distance and I can’t see any real security danger in and of itself. A wireless keyboard on the other hand is definitely not a good idea.

Your idea of transparently hardening the mouse is a good one and I see no reason why developers couldn’t implement such a method.

@Alex

I can’t see an operating system granting high-level privileges to a mouse radio controller. The worst that could happen is if somebody intercepted your signal and started to move your mouse about. Hopefully you’d have enough time to unplug it. When the computer is unoccupied, lock the screen.

Rebecca Hadron August 3, 2016 9:36 PM

RE: wireless mouse insecurity

One attack is to tell the wireless port it’s not a mouse but in fact a keyboard, and said ‘keyboard’ is magically entering the correct series of keystrokes that direct the browser to a malicious website: download payload: voila!
Such attacks have been demonstrated at Defcon and/or Black Hat.

r August 3, 2016 9:48 PM

@Dan, @Alex,

I think the point Alex was trying to make was there may be radio attacks capable of taking over the baseband processor, at which point it may be possible to renegotiate the type of device it identifies as over usb?

???

Rebecca Hadron August 3, 2016 9:52 PM

@ianf

Yes, I am ‘still’ here, and thank you for thinking of me and wishing to reply to my comments. You and I both know it is difficult to keep up with reading everything, let alone replying.
I failed to correctly articulate ‘last time’ my affirmative to your question of ‘should I reply to you’ and then I let it slide. Why?
Mostly because it’s hardly of relevance to the many people reading. Someone suggested 250,000 readers – unsure how they came up with that – but it’s important to realise beyond the Waels and Clives and Tyrs and Thoths and R’s and You’s, there are many other readers not posting but soaking up the knowledge.
When any of the aforementioned write something, it contributes meaningfully for everyone, not just the person it is addressed to. Regardless of whether we can relate to it or even fully comprehend it, the post has potential value.
You on the other hand contribute, mostly, to the noise. Occasionally you have a meaningful contribution – when it’s not dressed up as intellectual elitism. The rest of the time it’s critical, rude and unconstructive one-upmanship. Even for humour value it’s incomprehensible or simply not funny.
So, it doesn’t selflessly serve the forum and people in general.
So, I don’t mind if you don’t reply because not only is it not going to serve the forum, it isn’t going to even serve me. It will only serve you. Your unique kind of dysfunctional therapy. I don’t dislike you and I acknowledge your experience and intelligence. But most of the time your posts are rubbish, as you say in England. About 25% of the time you say something that is written in a way people can understand and potentially benefit from. Maybe work on improving those stats, non?
Much love xo Beck

Figureitout August 3, 2016 11:05 PM

Rebecca Hadron RE: ianf
You on the other hand contribute, mostly, to the noise.
–Yeah that’s why I would simply not respond at a certain point. Gets too worthless.

OT
–If anyone knows of “Air Mouse&keyboard” wireless keyboards (cheap but have worked well so far for me), I haven’t analyzed them and I feel like for the price it’s unencrypted sh*tshow again.

Cordkeeper August 4, 2016 10:36 AM

Wireless this, wireless that, what the hell is this drooling obsession with everything possible having to be wireless? Might someone’s baby suddenly crawl between your keyboard and tower, or mouse and tower, and suffer the tragic horror of needless infant strangulation? Is it the ever-looming danger that you might yield to some overwhelming urge to moonwalk across your desk, thus tripping on one of those evil cords, bashing your head in on the floor and showering your horrified co-workers with skull fragments?

Inordinate complexity? Have a nice trip.

its me August 4, 2016 1:39 PM

I don’t understand people here saying wireless keyboards are crazy, useless stuff.
I want to get rid of the dozens of wires around my PC.
Sometimes I want to move my keyboard (or mouse) to my lap, or another desk, or far from the screen, or whatever.
Think about Raspberries connected to a TV 5-6 meters away from your chair, or smart TV-like devices.
They exist because of something. There are suitable likes and scenarios for wireless keyboards and mice.
Please, stop bullshitting and bring ideas to solve or mitigate this security issue! That fits more the content of this blog (or so I think).

Regards.

Cordkeeper August 4, 2016 5:43 PM

@its me

I didn’t say they were crazy or useless. They may be quite convenient.

But convenience always comes at a cost, whether at the “convenience” store, or taking the same route back on a patrol, or writing a password on a post-it, or yada-yada-yada.

I’m simply saying that there’s a SIMPLE way to solve/mitigate this particular security issue, FOR THOSE WHO CHOOSE TO DO SO.

I knew guys who hung frags and smoke on their webgear who thought that taping the spoons down was stupid. What are the odds of something snagging a pin, huh? And almost all of them were right.

Almost.

ianf August 4, 2016 6:24 PM

[Replies in a somewhat asynchro-time order, but the grand design will reveal itself.]

@ rrrrrrrrrr: “She’s got you and I confused, honestly.”

Addressed to me, delivered to me, now you want to claim the rant for yourself? NEVER. Mine alone to disassemble with blowtorch and tweezers (pace Marcellus Wallace). When I’m ready.

@ Dan: “intercepted wireless mouse coordinates would be of little use to an adversary.”

Quite, but that wasn’t the point. Remember, in this forum we deal with Prevention of Imaginary Threat Vectors, so the blackhats reading this know we could be onto them (uncertainty a bigger stress factor than countermeasures against certainty).

“A [BT] mouse signal is detectable at a very short distance and I can’t see any real security danger in and of itself.”

The only such remote attack that I know of, and against a wired mouse at that, happened in this fashion: the perp rented a room across the street from a provincial bank’s office, with a clear line of sight to a station. He then broke in without leaving a trace, and installed a terminal monitoring device in the guise of a room climate control box under the table, presumably with a modem phoning home to his lair. Then he set out to watch through binoculars how transactions are conducted, and after a while attempted to make an unauthorized transfer by remotely controlling the mouse when the clerk temporarily left the table. Only someone eagle-eyed there noticed the onscreen mouse moves, and yanked the power cord to the tower before the operation could be completed. I do not recall if I read about it, or saw it on some CyberCrime TV Special or other, but I clearly remember a picture of the h/w setup.

Clive Robinson once wrote of some similar “climate control box,” complete with a URL, that he claimed could have been used to pinhole-photograph women clerks’ undies under the table. Given Brits’ repressed attitude to anything sexual, and absence of Daily Mail’s etc outcry that’d have ensued had it happened, I found it preposterous however (I made an attempt to find the post here, but no combination of keywords that I can think of delivers the hit).

@ Alex […] “You’re focusing on the mouse, think about compromising the Rx radio instead.”

I supplied a theoretical attack method. If you’d like to improve upon it, write a better scenario. You elected to give me thinking instructions instead. I happen to be of an age, and in a (mental and actual) state, where I only accept summons if they’re served to me by a pair of spooks in black fedoras. Then, depending on the quality of the substrate it was printed on, I may either XXSoft-wipe my bottom with it, or carefully fold, spindle and mutilate it.

Why @ Figureitout “would simply not respond at a certain point [to my alleged noise]. Gets too worthless.”

Was that payback for my once congratulating you on your competence, as defined by knowing the extent of your incompetence? No one is competent in all disciplines, so it goes without saying that generally we are incompetent in all but the specific areas of our sitzfleisch-acquired expertise. That’s how my father put it to me once and forever.

Only this then awoke some persecution complex(?) within you, because, AND DESPITE my subsequent clarification of non-offensive intent, you took it (and apparently chewed on it until today) as my questioning your professional HW/SW competence (where I gladly admit my amateur status).

Why would I, or anyone else for that matter, do that in a forum we’ve just met, was not a factor that you considered. But mere whiff of “incompetence” in your presence, THAT WAS A SERIOUS MATTER. I don’t remember addressing you ever again after that, thus your needing to deploy that too worthless to respond non-response, but maybe you have better recall.

Well, guess what, I researched it more, and there are versions of the same adage attributed to both Socrates and Confucius (I’d go with the latter). Only my father told me his version well before Wikipedia, and I had no reason to assume that a rephrasing of that Confucian wisdom, “Real Knowledge Is To Know The Extent of One’s Ignorance,” could EVER be taken as an overt attack. But you go on, and nurse the perceived slight, I’m sure Nurse Rebecca will try to alleviate your pain.

#FTR full cross-linked exchange:
ianf • October 5, 2015 5:33 AM
Figureitout • October 6, 2015 12:55 AM
ianf • October 8, 2015 4:15 PM

Clive Robinson August 4, 2016 10:35 PM

@ its me,

Please, stop bullshitting and bring ideas to solve or mitigate this security issue!

We know how to solve the issue, not just badly as some code cutters and real “bullshitting” marketing types have tried to do, but properly, which is much much harder.

Thus the arguments here are more about the incompetence and/or lies of the code cutters / bullshitters.

The problem is that doing it “properly” is way way more,

1, Expensive,
2, Heavy,
3, Power thirsty.

So apart from a few “.mil” types there is probably no market for it.

However it should be noted that even conventional keyboards with wires are very far from being secure. As I’ve mentioned several times before, back in the 1980’s I experimented with “illuminating” electronic items with EM radiation so it became “cross modulated” with information within the electronics.

Due to the long wire, keyboards are quite susceptible to this kind of covert attack, especially as they take little or no action to suppress the harmonics caused by the non-linear effects of the “protection diodes”. So the keyboard lead radiates amplitude modulated harmonics of the illuminating frequency. If you pick a frequency whose wavelength is around 6% greater than the effective lead length then the radiation is especially pronounced.

Some students at the UK’s Cambridge labs repeated the experiments and Prof Ross J. Anderson wrote about it in his book on security engineering (which you can download, so have no excuse for not reading it 😉

But there are issues with having many keyboards in the same approximate location. Thus you need a way to be selective about which keyboard you get information from. There is a “known” way based on the work of a researcher called Leon Theremin who designed the “Great Seal Bug”[1] which Peter Wright investigated when working for MI5 and wrote up in his book “Spycatcher”[2]. He called it “the thing” and I started developing some more interesting variants in the late 80’s and still do as the basic idea has some significant flaws[3]. However we know as a result of the Ed Snowden revelations and the subsequent release of the NSA “TAO catalogue” that they likewise use the Theremin idea (but nowhere near as advanced as the way I do…).

[1] https://en.m.wikipedia.org/wiki/The_Thing_(listening_device)

[2] Peter Wright originally worked for Marconi and had amassed a considerable pension right there. He was enticed across to MI5 and part of the deal was that his pension right would move with him. When he retired this did not happen and Margaret Thatcher became involved and in her usual “might is right” mentality killed the negotiations. It was to regain this lost pension value that Peter Wright claimed he wrote his book. It caused “Mad Maggie” considerable mental distress and the resulting kick back was as vicious as it was futile and badly damaged her reputation, which no doubt Peter Wright eventually felt delighted about.

[3] The problem with the “thing” is it responds to harmonically related illumination frequencies almost as well as it does the designed illuminating frequency. Thus it is fairly easily found with near microwave “tracking generator” scanning equipment, which was how the Great Seal Bug was supposedly found. There are some small technical changes you can make that stop this problem such that a “tracking generator” frequency scan will not activate the bug. It’s interesting to note that the devices in the TAO catalogue do not have such precautionary modifications. It will be interesting to find out “if and when” they do catch up.

@ ianf,

Clive Robinson once wrote of some similar “climate control box,” complete with a URL…

To refresh your memory, so you can search again more fruitfully, and “fact check” as good journalists once did[1]:

The story was about another UK newspaper that had changed over to “hot desking”. But in that draconian way of some employers it assumed that some journalists would somehow cheat the system, by logging in then wandering off. So they fitted a box from some psycho company under the desks, that detected by the use of EM radiation if somebody was sitting in the seat or not.

[1] According to “Private Eye” the well known and respected journalist at that newspaper who alerted the other journalists has had his employment terminated… Psycho Management at its best…

Wael August 5, 2016 2:12 AM

@Clive Robinson,

It’s interesting to note that the devices in the TAO catalogue do not have such precautionary modifications

Because they serve a different function for a different target perhaps?

ianf August 5, 2016 4:31 AM

@ Clive Robinson
attempts to “refresh my memory… so I can search for his SourceMat again more fruitfully…”

Free refreshments, how kind, I never said no to that… you must be in a particularly expansive socialist-nutritional mood today. That said, I can but note that your 680 characters reply to my 453ch one did not include a granular URL.

“[…] the well known “hot-desking-whistleblower” journalist had his employment terminated…”

Yes, the Psycho Management did him a favour.

[=303 characters]

Figureitout August 5, 2016 7:25 PM

ianf
–No I didn’t really care about your opinion, maybe if you had something legitimate to rag on some of the toyish designs I’ve thrown up here (no attacks or someone would want to brag about it). Simply applying the encryption method I’ve laid out (wonder how many mice/keyboards use the exact chip I used), just chained symmetric ciphers (there would be a cost in generating secure keys for each TX/RX pair), would be a big improvement (you need to get all your data packets together; applying encryption is a “systemic change” so you have to grasp the whole system). Came from the troll-bait you typically dish out to people, egging them on and such; and the obnoxious speculative narrating.

its me (again) September 1, 2016 3:58 PM

Hi everyone.

Maybe I wrote my last comment with a bit of anger. Sorry for that.
Some of you say “I did not say…”. Right, you didn’t. But someone did.

What happens is that I don’t see the point of saying the solution to the wireless stuff problem is to stop using wireless stuff. It’s like saying “stop using smartphones, they are insecure”. I really expect something more constructive here.

Anyways, wired keyboards have been proved to be insecure, too.
So I guess the solution is to stop using keyboards at all 🙂

Regards.

Clive Robinson September 1, 2016 5:23 PM

@ its me (again),

Anyways, wired keyboards have been proved to be insecure, too. So I guess the solution is to stop using keyboards at all 🙂

The simple answers are “yes and yes”, which has been said from around the early 1980’s onwards, when it was shown publicly that the electrical current in “key scanning” circuits allowed keys pressed to be identified by cross modulation onto an RF illumination signal and a Direct Conversion receiver with its output shown on an oscilloscope.

Whilst “key randomization” might be OK for security door locks, it does not work for normal alphanumeric keyboards…

Keyboards –like passwords– are just one of those issues… that Terry Pratchett would have described as “an embuggerance”.

But the same is true for nearly all Human to Computer Input Interfaces.

The solution is to use the appropriate TEMPEST / EmSec precautions (think true energy-gapping SCIF) where the threat level is sufficient.

And that really is the point: your solution should, like all defensive measures, be just sufficient to deter those who would otherwise attack you. A teenage girl probably only needs a simple lock on her diary to deter her brother, unless of course he works for a SigInt agency, then she might find that AES FDE on her laptop is insufficient 😉

ab praeceptis September 1, 2016 5:53 PM

Clive Robinson

(Maybe funny) sidenote: Some time ago we had a somewhat similar problem in an industrial scenario. It wasn’t about a keyboard but about a (not very) remote small feeder station that was serially linked.

Basically the same problem, and here, too, the cable was the part one was worried about.

And like with a keyboard, one could actually use some properties of the scenario, such as proximity, full control (most of all legally), etc.

We solved it by a pseudo-OTP approach and occasional manual recycling.

A similar approach would certainly be among the mechanisms I’d think about when dealing with keyboard eavesdropping, too. Basically it comes down to saying that it might not be achievable (at least not within a realistic budget boundary) to defend against eavesdropping in all its variants (some of which we might not even know yet), so let’s not care about it too much and rather let’s make sure that what they eavesdrop is worthless for them (“good luck predicting or guessing a mathematically sound pseudo-OTP”).
Moreover stretching the domain (from, say, 50 keys + a few states, to the full 256 bits) and then xoring that gives one another advantage, namely quite considerably lowering their success probability in that those two domains (the original data and the pseudo-OTP data) are complexity multiplicative.

Sometimes it’s just smarter to not defend against an attack but to poison the result for the attacker.
