SHUT UP GADI !<br><br><div class="gmail_quote">On Mon, Mar 10, 2008 at 5:59 AM, Markus Jansson <<a href="mailto:markus.jansson@gmail.com">markus.jansson@gmail.com</a>> wrote:<br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
I decided to write here after not getting any real response from any<br>
vendor or security forums that I have written about the subject in the<br>
past few months. The issue is relatively simple and affecting a lot of<br>
people, companies and probably even government officials: Wireless<br>
keyboards.<br>
<br>
Now, we know that most of the wireless keyboards are just stupid, if<br>
not analog, at least somehow buggy and cheap pieces of tech that work<br>
on various RF bands. Some of them have been analysed and cracked wide<br>
open and of course nobody is patching them up at all. For example here<br>
is a good example to prove my point:<br>
<a href="http://www.theregister.co.uk/2007/12/03/wireless_keyboard_crypto_cracked/" target="_blank">http://www.theregister.co.uk/2007/12/03/wireless_keyboard_crypto_cracked/</a><br>
<br>
Is this a big issue? Oh yes.<br>
What point is having a good 32+ char passphrase on your www-accounts,<br>
63 marks long WPA2-PSK and PGP encryption in your emails...if you type<br>
them all with a wireless keyboard, that can be easily eavesdropped maybe<br>
over 100 yards away? Or is it just me thinking it's the "weakest link in the<br>
chain of security"?<br>
<br>
From my knowledge, I'd say the best option for a secure wireless keyboard<br>
is some kind of Bluetooth keyboard that actually, REALLY works like<br>
Bluetooth is supposed to work. You know, a wireless keyboard that<br>
would allow its default PIN (which is usually 1234 or 0000) to be<br>
changed in a secure fashion to something long and complex (well, let's<br>
say 16 or 32 marks long)...and that would only allow encrypted and<br>
authenticated connections and would not broadcast its existence to the<br>
rest of the world.<br>
<br>
Sure, there have been cracks in Bluetooth and its crypto, like here:<br>
<a href="http://www.terminodes.org/micsPublicationsDetail.php?pubno=1216" target="_blank">http://www.terminodes.org/micsPublicationsDetail.php?pubno=1216</a><br>
that make you think that even Bluetooth's crypto, if it would actually<br>
be used, is not good enough for wireless keyboards. But it's still the<br>
best we got, right?<br>
<br>
WUSB might be a good replacement for Bluetooth, but are there really<br>
any secure ones available yet - or will there ever be? How can you<br>
know they are secure - are you trusting the same manufacturers' claims<br>
that have for years marketed and sold insecure wireless keyboards<br>
while claiming that they are secure? I don't.<br>
<br>
Is it just me or has someone else also paid attention to the<br>
insecurity of wireless keyboards - and the total silence around<br>
this serious security issue? And how to fix this? How and where to get<br>
wireless keyboards that are really secure?<br>
<br>
<br>
<br>
--<br>
<a href="http://www.markusjansson.net" target="_blank">http://www.markusjansson.net</a><br>
<a href="http://markusjansson.blogspot.com" target="_blank">http://markusjansson.blogspot.com</a><br>
PGP: 6E9E375EC50A27FDB9DA1672A78C27BF735ADADA<br>
PGP2: 9966C10DDC7F0DEDEC480A75FE952445F24D55DD<br>
<br>
</blockquote></div><br>