Microsoft's wireless keyboard suffer from weak encryption and can be cracked in minutes, according to a pair of Swiss security researchers, giving hackers a way to snatch passwords and financial account information in real-time and from a distance.
Max Moser and Philipp Schrodel, of the Swiss security company Dreamlab Technologies AG, cracked the one-byte encryption key used by Microsoft's Optical Desktop 1000 and 2000 keyboards, Moser said, then eavesdropped on keystroke traffic using an inexpensive radio receiver and a few inches of copper wire. "All we need is about 30 characters," Moser said, referring to the number of keystrokes necessary for analysis, "and we can decipher the text."
Armed with a radio receiver that costs less than £40 and a copper-wire antenna, Moser and Schrodel were able to sniff out and pull in wireless signals between keyboards and computers from as far away as 33 feet. Walls and windows were no obstacle. "You could sit in a car across the street from an office," said Moser, "and point the antenna at a building on the other side of the street." With a longer antenna - perhaps hidden inside a larger vehicle, such as a truck - the range could be boosted to more than 130 feet.
Once the data packets transmitted from keyboard to computer have been pinched, it's a simple job to crack the code. Microsoft's wireless keyboards use a one-byte encryption key that provides only 256 possible key values for each keyboard and its associated receiver, the part that plugs into the PC. "We try every one of those for each keystroke, and then compare them to wordlist in combination with a weighted algorithm," said Moser. "It only takes about 30 keystrokes to recover the encryption key."
From there, anything typed on the hacked keyboard shows up in a separate window in the sniffer/decoder software the two researchers crafted. They were even able to grab keystrokes from multiple keyboards simultaneously, with each keyboard's results appearing in a separate window.
While Moser and Schrodel haven't wrapped up research on other wireless keyboards, they're in the middle of picking apart models from Logitech. Moser also suspects that it will be possible to hack other brands, since they all rely on the same 27MHz frequency to communicate.
Because it's impossible to update a wireless keyboard's firmware, and thus patch the encryption weakness, Moser said he and his colleague don't intend to release a proof-of-concept. They have, however, contacted Microsoft and received confirmation that the problem exists.
If the idea that a hacker can pull passwords out of thin air is worrying, Moser has something "even more evil", as he put it, in the wings.
"Right now we can read the keystrokes, but we are currently working on also injecting data. We should be able to inject to the keyboard what we want to type on the computer," said Moser. "That is even more evil."
An attacker could, Moser continued, send keystrokes that represent the Windows key, then the 'r' key to open Windows' Run command-line interface, then other keystrokes to launch Internet Explorer and download a malicious file from a malware-hosting site. "The user would notice the keystrokes, but you could wait until he stops typing and goes for a coffee. Or until after he leaves for the day if he keeps his computer on." Moser said they've also figured out a way to broadcast the rogue keystrokes, so that any wireless keyboard within range accepts the bogus data.
"Once we understood the signal - and this was not just about understanding the encryption, but about how the data was configured and transported, because it's completely proprietary - we were able to not only record the traffic, but also send it out again," said Moser.
Keyboards that communicate via Bluetooth are much more secure, Moser said, because the key must be sniffed at the moment when it's exchanged - in Bluetooth's case, that's when the keyboard is first paired with the receiver.
Symantec recommended that users consider tossing out wireless keyboards. "[Their] research also suggests that many other keyboards are likely to have the same level of weak encryption," said Symantec researcher Raymond Ball in a warning to customers of the company's DeepSight threat system. "Customers are advised to assess the need for any wireless input device used in a secure environment, not just keyboards. Although wireless input devices are convenient, they are rarely necessary."
The Moser and Schrodel research was completed with help from remote-exploit.org.
For more security news, reviews and tutorials, see Security Advisor