[Full-disclosure] Wireless keyboard insecurity - any secure one available?
markus.jansson at gmail.com
Mon Mar 10 03:59:00 GMT 2008

I decided to write here after not getting any real response from any
vendor or security forums that I have written to about the subject in
the past few months. The issue is relatively simple and affecting a lot
of people, companies and probably even government officials: Wireless

Now, we know that most of the wireless keyboards are just stupid, if
not analog, at least somehow buggy and cheap pieces of tech that work
on various RF bands. Some of them have been analysed and cracked wide
open and of course nobody is patching them up at all. For example here
is a good example to prove my point:

Is this a big issue? Oh yes.
What is the point of having a good 32+ char passphrase on your
www-accounts, 63 marks long WPA2-PSK and PGP encryption in your
emails...if you type them all with a wireless keyboard that can be
easily eavesdropped maybe over 100 yards away? Or is it just me
thinking it's the "weakest link in the chain of security"?

From my knowledge, I'd say the best option for a secure wireless
keyboard is some kind of Bluetooth keyboard that actually, REALLY works
like Bluetooth is supposed to work. You know, a wireless keyboard that
would allow its default PIN (which is usually 1234 or 0000) to be
changed in a secure fashion to something long and complex (well, let's
say 16 or 32 marks long)...and that would only allow encrypted and
authenticated connections and would not broadcast its existence to the
rest of the world.

Sure, there have been cracks in Bluetooth and its crypto, like here:
that make you think that even Bluetooth's crypto, if it would actually
be used, is not good enough for wireless keyboards. But it's still the
best we got, right?

WUSB might be a good replacement for Bluetooth, but are there really
any secure ones available yet - or will there ever be? How can you
know they are secure - are you trusting the claims of the same
manufacturers that have for years marketed and sold insecure wireless
keyboards while claiming that they are secure? I don't.

Is it just me or has someone else also paid attention to the
insecurity of wireless keyboards - and the total silence around
this serious security issue? And how to fix this? How and where to get
wireless keyboards that are really secure?
Full-Disclosure is hosted and sponsored by Secunia.