Penetration testing wireless keyboards (diva-portal.org)
148 points by Breadmaker on Oct 8, 2022 | hide | past | favorite | 48 comments



And this is why the Google security folks don't let employees use wireless keyboards unless they're bluetooth, and above a certain bluetooth protocol version at that. Not that this analysis at any time conducted attacks on the bluetooth protocols - every single one of these keyboards had a secondary 2.4GHz dongle and just happily transmitted everything over that. I'd have liked to know whether they're trying to transmit to that dongle all the time or whether it turns off when the bluetooth connects!


Is there a public list of Google approved keyboards?


Summary of the results (page 137):

  Protocol   Sniffing   Injection
  Plexgear   Yes        Yes
  Rapoo      Yes        Yes
  Logitech   No         Yes
  Corsair    Yes        Yes
  iiglo      Yes        Yes
  Exibel     Yes        Yes
  Razer      No         No

Choice quotes from Chapter 6 (Discussion):

The results show that 9 out of 10 keyboards have at least some form of vulnerability. Out of all the keyboards, 8 of them were shown to contain new previously unknown vulnerabilities that could grant an attacker full control of the computer of the keyboard. The severity of these vulnerabilities in combination with how prevalent they are show that the usage of wireless keyboards should in no way be used in any situation where security, privacy, or integrity is of any concern whatsoever.

[...]

Out of all the keyboards, only one of them actually promised any form of encryption as part of the marketing of the keyboard and this is the Corsair K63 Wireless. The keyboard is marketed with 128-bit AES encryption but as the results of the penetration test show, this is not the case. The keyboard’s only obfuscation of the wireless transmission is a simple XOR of the payload with a static key that can potentially be reverse engineered automatically with some very simple calculations.

[...]

Razer BlackWidow V3 Pro was the only keyboard not shown to contain any vulnerability. As a result of this, it is deemed the most secure of the targeted keyboards, but it could still be vulnerable to some unidentified vulnerability that requires more time and resources compared to the rest of the keyboards.


> The keyboard is marketed with 128-bit AES encryption but as the results of the penetration test show, this is not the case. The keyboard’s only obfuscation of the wireless transmission is a simple XOR of the payload with a static key

This sounds like fraud to me.


> Fraud - the intentional use of deceit, a trick or some dishonest means to deprive another of his/her/its money, property or a legal right.

You don't 'accidentally' mistake weak XOR obfuscation for AES, so this is fraud. However, whether that results in any tangible legal action is debatable. I have strong doubts given the corporatocratic nature of the corporate judicial outcomes in the USA.

Are these sold online? Wire fraud is a common enhancement to a lot of criminal charges involving fraud taking place online or over phone.


I remember thinking that XOR with a password was awesome encryption. Then again, this was back in the BBS days, 3DES was the tits, and I was thirteen.


well, it kind of is... it just has the unfortunate requirements that your password be the same size as your data and never get reused.
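As an added illustration of the two points made in this subthread (that a static XOR key can be recovered with "very simple calculations", and that XOR is only sound when the key is as long as the data and never reused), here is a self-contained Python sketch. It is not code from the thesis or from any keyboard vendor; the 8-byte key, the HID-style report layout and the report values are constructed sample data chosen for the demo only.

```python
"""Static-key XOR versus a one-time pad, on constructed keyboard-style reports.

Added example for this thread; not code from the thesis or any vendor.
Every value below is constructed for illustration.
"""
from itertools import cycle
import secrets

# Constructed 8-byte "key" fixed in a hypothetical device. Its value is
# irrelevant: the weakness is that it is constant and reused for every report.
STATIC_KEY = bytes.fromhex("5a3c9e71b204d8f6")

# Constructed 8-byte reports in the usual HID boot-keyboard layout:
# [modifiers, reserved, up to 6 keycodes]. Values chosen for the demo only.
IDLE = bytes(8)                                   # nothing pressed
KEY_A = bytes([0x00, 0x00, 0x04, 0, 0, 0, 0, 0])  # 'a' (HID usage 0x04)
KEY_B = bytes([0x00, 0x00, 0x05, 0, 0, 0, 0, 0])  # 'b' (HID usage 0x05)


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data with key, cycling the key if it is shorter (repeating-key XOR)."""
    return bytes(d ^ k for d, k in zip(data, cycle(key)))


def obfuscate(report: bytes) -> bytes:
    """What a static-key XOR scheme does: the same key, every single time."""
    return xor_bytes(report, STATIC_KEY)


def recover_key(ciphertext: bytes, known_plaintext: bytes) -> bytes:
    """c = p XOR k, so k = c XOR p: one report with predictable contents yields the whole key."""
    return xor_bytes(ciphertext, known_plaintext)


def static_xor_demo() -> dict:
    """Three properties of static-key XOR, each observable from the obfuscated bytes alone."""
    c_idle = obfuscate(IDLE)
    recovered = recover_key(c_idle, IDLE)   # an all-zero report XORs to the key itself
    c_a = obfuscate(KEY_A)
    return {
        "recovered_key": recovered,
        "decrypted": xor_bytes(c_a, recovered),      # full decryption once the key is known
        "deterministic": obfuscate(KEY_A) == c_a,    # same keystroke, same bytes on air
        # Key reuse: c1 XOR c2 == p1 XOR p2; the key cancels out without being known.
        "ciphertext_diff": xor_bytes(c_a, obfuscate(KEY_B)),
    }


def one_time_pad_demo() -> dict:
    """The case where XOR is sound: a fresh, uniformly random key per message,
    as long as the message, never reused. It round-trips and leaves no fixed pattern."""
    k1 = secrets.token_bytes(len(KEY_A))
    k2 = secrets.token_bytes(len(KEY_A))
    c1 = xor_bytes(KEY_A, k1)
    c2 = xor_bytes(KEY_A, k2)
    return {
        "roundtrip_ok": xor_bytes(c1, k1) == KEY_A and xor_bytes(c2, k2) == KEY_A,
        # XOR of the two ciphertexts is k1 XOR k2: random key material, nothing about the plaintext.
        "diff_is_key_material": xor_bytes(c1, c2) == xor_bytes(k1, k2),
    }


if __name__ == "__main__":
    s = static_xor_demo()
    print("recovered key :", s["recovered_key"].hex())
    print("decrypted     :", s["decrypted"].hex(), "(== KEY_A)")
    print("deterministic :", s["deterministic"])
    print("c_a XOR c_b   :", s["ciphertext_diff"].hex(), "(== KEY_A XOR KEY_B, key cancelled)")
    print("one-time pad  :", one_time_pad_demo())
```

The static case needs no cryptanalysis at all: any report whose contents are predictable (here the all-zero idle report) hands over the key, identical keystrokes produce identical bytes, and even without the key the XOR of two captured reports is the XOR of the two plaintexts. The one-time-pad case shows the requirements the comment above names (key length equal to data length, no reuse) are exactly what removes those three properties.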


The other aspect is reduced trust. Razer has more than just keyboards. I trust their laptops or headphones less now than I did before.


Do you mean Corsair?


Sorry, yeah.


I use quadruple rot13 for extra security.


Seems wireless keyboard vulnerabilities can also be problems accidentally...

Just a couple years ago, I was finalizing and testing some factory stations we'd built (incorporating industrial NUCs) before they'd be flown to Asia for installation in a production line.

Someone had ordered a name-brand wireless keyboard with USB dongle, and I'd said we probably don't want wireless keyboards nor their dongles in the factory, but I figured it was OK to use briefly for testing, since it's what we had handy.

Was getting phantom key events, which initially was alarming, because I'd had to get creative with some device drivers and the Linux input system. But then it also happened during BIOS/UEFI setup.

There was one other person in the shared tech/lab space at this time, so I go over and ask if they happen to be doing anything with RF... It turns out they were also using the same brand of wireless keyboard, which seemed to intermittently be barging-in or interfering with mine, in such a way to generate valid USB input device events.

When I brought it up with colleagues, we were all baffled, since presumably the name-brand would like to sell fleets of wireless keyboards to entire open-plan office building floors at a time, and would design it to work well for that use case. But it did indeed seem that activity on one keyboard was triggering events out the USB dongle on another.

(I won't mention the brand, since I didn't investigate rigorously, and write it up. We were crazy-busy, launching our startup's MVP. Fortunately, without the wireless keyboards, the stations were rock-solid for the entire year-plus deployment, against all odds.)


Unfortunately they only tested Logitech's Unifying system, which is known to be broken (mentioned in the paper).

That's one of the reasons Logitech is moving to Logi Bolt, which is supposed to be very similar to BLE (but with a separate receiver). I'd be really interested to know if it's also as secure as BLE.


Do you know why, then, they went with their own, yet-another-new protocol, instead of just using BLE?

One hint may be that on my Macbook my Logitech mouse appears to have a higher latency (feeling more "spongy") when connected via Bluetooth instead of via the dongle.


Their keyboards also support BLE with the actual host. Using their dongle has the advantage of working as well as a wired device on a system that isn't yet booted as you are paired to the dongle not the host, and the dongle then acts as standard USB devices.

Putting a more complete Bluetooth host into their dongle would just change the edges of where it is incompatible with normal Bluetooth usage.


The hardware is great, but I can't bring myself to buy anything that requires running Logitech's software.

I've heard elsewhere Logitech devices are laggy on bluetooth. Why isn't this an issue for Apple and other manf?

I've moved from mech keyboards with O-ringed MX blues to pretty much using the Apple magic keyboard and trackpad anytime I'm at the desk. Sometimes I still reach for the clicky-claky, but integrated Touch-ID is so useful I've taken a liking to using the Apple magic keyboard (with touch id) and grown accustomed to the feel.


> The hardware is great, but I can't bring myself to buy anything that requires running Logitech's software.

This is why I like their G series mice, even though I'm not a gamer. You can configure them, and they'll remember the settings on their on-board memory. They're also supported by Piper on Linux, so you never have to touch the crappy Logitech software.

I also have one of their trackballs, and it's a pain having to make sure the software runs so that the sensitivity is the correct one. It does Unifying and BT, and I've actually been impressed with how well the latter works. I don't feel any difference between that and the Unifying dongle, be it on a current-gen Linux PC or on an old MBP.


This isn't applicable to the G-Series, but the MX Master and M720 (plus some other niche models) support smooth scrolling, which can only be enabled on Windows and macOS using their 300-or-something Electron app that nags you to sign in to their stupid cloud service. Of course the basic features (pointer/scrolling speed) can still be configured within the OS.


> Why isn't this an issue for Apple and other manf?

I wonder whether this is but people just don't notice because they can't directly compare.


I can compare with the built-in keyboard/trackpad for my laptop or with wired hardware. Which I assume all have zero latency. So I think I'd notice if there was significant latency on any of my bluetooth devices...


Answered my own question, so sharing it. I wanted to know if the Sculpt Ergo was vulnerable. (Seems not.) (Also, this has been ~known since at least ~2016.) http://xahlee.info/kbd/Microsoft_wireless_keyboard_key_sniff...


So what are the choices for secure wireless keyboards? The only one I know of is the Apple Magic Keyboard with Lightning port, which uses Bluetooth (BLE rather than the classic one) and not some random home-baked protocol over 2.4GHz. It also sidesteps the vulnerable pairing step by asking you to plug in to pair.



Is there really any compelling use-case for a wireless keyboard outside of those few scenarios where it needs to be very mobile?


Don't ask me why (because I certainly don't agree personally), but most people I know prefer wireless anything if they can, because they can't stand cables.

But then I have a 32 channel mixer with cables everywhere in my office, so not the most unbiased cable-opinionator directly.


48 channel mixer here, plus a 16x16 MIDI interface (totally filled). I have cables.

And yet ... wireless keyboard and mouse ... because ... I dunno. Just seems right.


When you have a bunch of tethered bulky musical gear around, a wireless keyboard is really nice since you can move it around easily, stick it beside something, on a side table, etc. I'd argue it's more useful in that case than when you have an empty, clean desk, actually.


Since I take my laptop to and from work, but my keyboard stays at the office in my drawer, I find it not having to plug/unplug cables convenient.


I just recently replaced a cheap wired keyboard and mouse with a Logitech MX Mini keyboard and a MX Master 3 mouse.

My current WFH desk is not ideal and having a full sized keyboard with numeric keypad meant I couldn't center the keyboard for typing and have enough room to comfortably use the mouse.

I tried to find a tenkeyless wired keyboard that didn't have noisy mechanical switches. I can clearly hear my colleagues typing on theirs during Teams calls, which is very distracting.

I couldn't find a wired, small form factor keyboard, without mechanical switches. So I went the wireless route. I would have gone wired if I could find one that met my requirements.

Having used the Logitech for about a month, there are some pros and cons. I often like to use pencil and paper to diagram existing code to better think through how to change it. With the wired keyboard I was limited in where I could move the keyboard out of the way. Now I can move the wireless keyboard right off the desk.

I usually work with a work laptop open for Teams voice chat while primarily working via a virtual desktop connection on my personal PC. I haven't done it yet, but the work laptop recognises the wireless keyboard and mouse, so I could switch input between the laptop and PC at the press of a button. This means I wouldn't need to use the laptop keyboard or touchpad for input, freeing me to position the laptop for screen visibility and video chat.

The main cons so far are that the keyboard has lost the wireless connection to the USB dongle a couple of times. This can be temporarily worked around by (ironically) plugging in the USB cable used to charge it. Also the mouse seems to be laggy sometimes. Picking it up and repositioning it on the desk gets it working smoothly again.


Keychron K8 is a relatively cheap TKL mechanical keyboard with just enough useful features (windows/mac layout switch, bluetooth/wired switch, back light, hot-swappable keys, etc). Get the one with red switches if you don't like clicky buttons.

https://www.keychron.com/products/keychron-k8-tenkeyless-wir...


People like the way it looks.

Me, I like a wireless mouse, but a wired keyboard.


Managers think it looks nice.


Regrettably, this is in fact the truth (unfortunate you've been downvoted). A couple of years back I got into a bit of a tussle for not approving wireless keyboards at bank branches. And even after paying a third party pen-test shop to demonstrate they weren't particularly secure, the branch management folks fought for them claiming "it looks nicer", "cords make things look outdated" and "other banks do it so why can't we". Those were the only arguments for them.


I for one will not make a keyboard purchase based on how secure the underlying wireless mechanism is.

Goes without saying, though, that they should all be 100% secure, so credit to the author for investigating this.


I got a Rapoo keyboard for free. Since I consider it a no-name brand, I'm not at all surprised that it turns out to be insecure (it perfectly matches my expectations). I'm rather surprised that the author even audited them and that they even attempted to secure the communication a little bit.

So my intuition that generic "2.4GHz" communication is insecure has mostly been proven right. Now what about Bluetooth keyboards? Can they be considered secure?


From my understanding, Bluetooth is vulnerable in the pairing process, but secure after that.


I didn’t expect to see a masters thesis from KTH on HN. I actually took a course with Roberto, one of the supervisors of this thesis, while I studied there. Small world.


KTH is pretty well known internationally!


I see that they discuss Logitech's protocol, does this cover "Bolt" devices? or is it only their "unifying receiver"?


In their testing they tested the Logitech MK270, which is a mouse and keyboard combo. It uses the Unifying Receiver.


I prefer wired everything, including keyboard, mouse, and headset. I simply don't have to worry about this.


I can understand a wireless mouse and headset, but for a keyboard, just having a detachable USB cable is fine in case you want to move it for cleaning underneath or something.


I don’t understand how a wi-fi keyboard could possibly be a good idea.


I am disappointed that QMK isn't included in the analysis.


It's a review of wireless keyboard communication protocols. I do not follow QMK development that closely. Have they implemented their own wireless protocol?


QMK is not wireless. There is ZMK, but that's bluetooth and should be safe.


kth is a great name for a university that teaches data science


Seems it's a bit older than the concept of "data science" (founded 1827, 195 years ago) and also just happens to also teach data science.



