The most frustrating thing when reading about keyboard vendors implementing such insecure protocols is knowing that the nRF24LE1 chip Microsoft uses has all it needs for security: hardware accelerated support for AES, as well as a hardware random number generator [1]. Some comments here suggest using public/private crypto as a fix, but it would not even be necessary. During manufacturing they could simply generate a unique secret AES key for each keyboard/dongle pair, store it in the 1536-byte non-volatile area of the chips, have the hardware RNG on the keyboard generate the IV when a wireless session begins, and use AES in CTR mode. Heck you could even afford to reserve a few bytes in each packet to store the counter in plaintext for automatic resynchronization when packets are lost, since the nRF24 radios support big enough packets (32 bytes). There are absolutely zero technical reasons not to implement security. It does not significantly increase power consumption. It does not bloat the code that much.
(I know all this because I have done a lot of work with the nRF24LE1. It is cheap: $4 for a fully assembled module on eBay [2]. It "supports" Bluetooth by bit-banging it [3]. And code for the builtin 8051 core can be compiled by the open source compiler sdcc. These are reasons why I selected this chip for my DIY home automation system.)
In fact the nRF24 radios are so popular that the vast majority of non-Bluetooth wireless keyboards use them. And I guarantee you that even though they use different protocols, they are almost certainly just as insecure as these Microsoft keyboards. The only reason vendors do not implement secure protocols is because customers do not know or care about security. The very few vendors who do such as [4] sell keyboards for hundreds of dollars... there is again zero reasons why it would cost that much given that it could be done with a standard nRF24LE1 :-(
Edit #1: a colleague of mine opened up the Matias Secure Pro keyboard and confirmed it uses an nRF24LE1.
Edit #2: @cortesoft: The way I would support this "one dongle many devices" feature is by doing the key generation during pairing (sometimes done by pressing a small switch under the keyboard) instead of during manufacturing. The only window of attack would be if an active attacker was present during pairing and pretended to be the dongle. It would still be significantly more secure than current keyboard protocols.
It's a free market, and the vendor has all the incentives to maximize the money-in minus the money-out. If reducing the money-out means selling cheap junk that anyone could crack with a $7 microcontroller, so be it.
If you have a unique key embedded in each keyboard/dongle pair, you would lose the ability to do this. In addition, if you lost the dongle, you would be SOL.
I think more people will care about the convenience instead of the security.
Ideally, you could have both; what if the keyboard had a USB slot that you plug in a dongle to pair it? You could have it generate a random key whenever a dongle is plugged in, to prevent someone plugging in their dongle to your keyboard (it would only pair with one dongle at a time).
> If you have a unique key embedded in each keyboard/dongle pair, you would lose the ability to do this. In addition, if you lost the dongle, you would be SOL.
I'm not sure I understand why? If public/private key cryptography were used then each dongle & keyboard would contain a private key. The dongle then contains a store for up to X public keys.
The pairing procedure starts due to a physical button press on the two devices, they find each other and exchange public keys. All future communication is then encrypted & signed using the private keys these devices hold. The attack described in venaoy's edit still applies though, an active attacker present during pairing may pretend to be an access point & keyboard, overpowering the original access point and acting as a sort of relay. The link would however break if this relay were to leave the vicinity.
The comment I was replying to stated that each pair would have an AES key generated for them at manufacture, and that is the key they would use to communicate together.
After I posted my reply, the comment was edited to mention this sort of public key exchange you describe happening with a button push. My comment does not apply to this sort of functionality. It would work great, with only the concern you mentioned about a relay attacker. I was only saying having a symmetric key generated at manufacture wouldn't allow for dongle changing and/or dongle consolidation.
Logitech 2.4 GHz keyboards use 128-bit AES symmetric encryption.
As I understand it, the encryptiion key is generated at the time of pairing in both the the keyboard and the receiver independently, and thus never transmitted wirelessly.
This is accomplished by having a secret algorithm that is encoded in both devices and produces the key based on some random input data that is shared between the devices at the time of pairing.
> If you have a unique key embedded in each keyboard/dongle pair, you would lose the ability to do this. In addition, if you lost the dongle, you would be SOL.
What about initializing the key during pairing? See parent's edit
Yes, initializing the key during pairing would work great.
I posted my reply before the parent's edit. I don't think this is an intractable problem; my suggestion of a physical connection for pairing or even a remote pairing with a button press would work fine. My ONLY point was that hard coding a symmetric key into the keyboard/dongle pair and then using that key for all communication wouldn't be practical.
(I know all this because I have done a lot of work with the nRF24LE1. It is cheap: $4 for a fully assembled module on eBay [2]. It "supports" Bluetooth by bit-banging it [3]. And code for the builtin 8051 core can be compiled by the open source compiler sdcc. These are reasons why I selected this chip for my DIY home automation system.)
In fact the nRF24 radios are so popular that the vast majority of non-Bluetooth wireless keyboards use them. And I guarantee you that even though they use different protocols, they are almost certainly just as insecure as these Microsoft keyboards. The only reason vendors do not implement secure protocols is because customers do not know or care about security. The very few vendors who do such as [4] sell keyboards for hundreds of dollars... there is again zero reasons why it would cost that much given that it could be done with a standard nRF24LE1 :-(
[1] http://www.keil.com/dd/docs/datashts/nordic/nrf24le1_ds_v1_1...
[2] The $1 chip Sammy is talking about is another variant: the nRF24L01 which is just the bare radio without the 8051 core
[3] http://dmitry.gr/index.php?r=05.Projects&proj=11.%20Bluetoot...
[4] http://matias.ca/securepro/pc/ ($170!)
Edit #1: a colleague of mine opened up the Matias Secure Pro keyboard and confirmed it uses an nRF24LE1.
Edit #2: @cortesoft: The way I would support this "one dongle many devices" feature is by doing the key generation during pairing (sometimes done by pressing a small switch under the keyboard) instead of during manufacturing. The only window of attack would be if an active attacker was present during pairing and pretended to be the dongle. It would still be significantly more secure than current keyboard protocols.