
June 12th, 2009

Researchers demo wireless keyboard sniffer for Microsoft 27MHz keyboards

Posted by Dancho Danchev @ 10:28 am

Categories: Botnets, Malware, Microsoft, Passwords, Privacy, Research, Wireless

Tags: Wireless Keyboard, Logitech, Microsoft Corp., Wireless, Keyboards, Hardware, Peripherals, Dancho Danchev

Researchers from Remote-Exploit.org, the home of the BackTrack pen-testing Linux distribution, have recently released Keykeriki, an open source wireless keyboard sniffer capable of sniffing and decoding keystrokes of Microsoft 27MHz-based keyboards through on-the-fly deciphering of their XOR-based encryption.

Their wartyping — decoding signals from wireless keyboards — proof of concept is based on a research paper published by the group one and a half years ago:

“Now 1.5 years after releasing our whitepaper “27Mhz Wireless Keyboard Analysis Report” about wireless keyboard insecurities, we are proud to present the universal wireless keyboard sniffer: Keykeriki. This opensource hardware and software project enables every person to verify the security level of their own keyboard transmissions, and/or demonstrate the sniffing attacks (for educational purpose only). The hardware itself is designed to be small and versatile, it can be extended to currently undetected/unknown keyboard traffic, and/or hardware extensions, for example, a repeating module or amplifier.”

According to their slides, it took them approximately 20 to 50 keystrokes to successfully recover the encryption key, which shouldn’t come as a surprise given the use of XOR encryption.
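Why a fixed XOR key falls to a small sample of keystrokes, as an added example that is not from the article or from Keykeriki: it assumes a simplified model (one byte per keystroke, a fixed one-byte key, lowercase letters and space as the only valid keystrokes), not the real 27MHz protocol, so the keystroke count it prints is not the researchers' figure. All names and the sample data are constructed for illustration.

```python
# Toy model (assumption): each keystroke is one byte, XORed with a fixed
# one-byte key. This is NOT the real 27 MHz keyboard protocol.
VALID = frozenset(b" abcdefghijklmnopqrstuvwxyz")  # assumed keystroke alphabet


def xor_stream(data: bytes, key: int) -> bytes:
    """Encrypt or decrypt: XOR with a fixed key is its own inverse."""
    return bytes(b ^ key for b in data)


def surviving_keys(ciphertext: bytes) -> list[int]:
    """Keys under which every observed byte decrypts into VALID."""
    return [k for k in range(256)
            if all((c ^ k) in VALID for c in ciphertext)]


def elimination_curve(ciphertext: bytes) -> list[int]:
    """Number of surviving keys after 1, 2, ... observed keystrokes."""
    return [len(surviving_keys(ciphertext[:n]))
            for n in range(1, len(ciphertext) + 1)]


# Constructed sample input, not captured traffic.
SAMPLE_KEY = 0x5A
SAMPLE_TEXT = b"meet me at noon by the old gate"
SAMPLE_CT = xor_stream(SAMPLE_TEXT, SAMPLE_KEY)

if __name__ == "__main__":
    # Each new keystroke rules out every key that would decrypt it to an
    # impossible value, so the candidate set can only shrink.
    for n, left in enumerate(elimination_curve(SAMPLE_CT), start=1):
        print(f"{n:2d} keystrokes observed -> {left:3d} candidate keys")
    (key,) = surviving_keys(SAMPLE_CT)
    print(f"recovered key 0x{key:02x}:", xor_stream(SAMPLE_CT, key).decode())
```

The point for anyone assessing such a device: when the key never changes and the plaintext has known structure, every keystroke leaks information about the key, and the key size alone says nothing about confidentiality.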

Moreover, the researchers aren’t aware of any way to patch the affected 27MHz keyboards. They point out that while Logitech’s “Secure Connect” solution does add an additional layer of encryption, they intend to include decryption capability in future releases of Keykeriki, alongside inspection of 2.4GHz wireless devices and keystroke injection on the affected keyboards.

Time to get yourself a wired keyboard? Not necessarily, since additional research proves that wired keyboards are also susceptible to sniffing attacks. The security implications and the potential for abuse are pretty evident. However, it’s worth pointing out that, with or without Keykeriki, mass keylogging and session hijacking for fraudulent purposes, driven by economies of scale, would continue happening through the usual channels: botnets and crimeware.

Dancho Danchev is an independent security consultant and cyber threats analyst, with extensive experience in open source intelligence gathering, malware and cybercrime incident response. He's been an active security blogger since 2007, and maintains a popular security blog.


  • Talkback
  • Most Recent of 11 Talkback(s)
I imagine a lot of voice information..
gets out on those wireless walk-a-bout phones that could compromise someone's private information, and probably isn't that hard to decrypt or electronically clean-up for spying.

Some systems use frequency hopping but nonetheless easy to monitor, for an electronics freak....
Posted by: JCitizen Posted on: 06/15/09
Isn't there a range limitation.  xXSpeedzXx | 06/12/09
Approximately 30 feet for bluetooth...  JCitizen | 06/15/09
Just one more reason not to use Wireless keyboards....  JoeMama_z | 06/12/09
I think....  Originalevil | 06/12/09
Yeah  NStalnecker | 06/13/09
Got no choice if you're disabled...  JCitizen | 06/15/09
What about bluetooth keyboards?  NonZealot | 06/12/09
I can't speak for Logitech...  JCitizen | 06/15/09
One reason I do not use wifi devices with my computers.  pfyearwood | 06/13/09
Frakkin Cylons!  NStalnecker | 06/13/09
I imagine a lot of voice information..  JCitizen | 06/15/09
