OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
Re: [Full-disclosure] Wireless keyboard insecurity - any secure one available?

From: Dmitry (security.research.labsgmail.com)
Date: Mon Mar 10 2008 - 11:01:08 CDT


SHUT UP GADI !

On Mon, Mar 10, 2008 at 5:59 AM, Markus Jansson <markus.janssongmail.com>
wrote:

> I decided to write here after not getting any real response from any
> vendor or security forums that I have written about the subject in the
> past few months. The issue is relatively simple and affecting a lot of
> people, companies and propably even goverment officials: Wireless
> keyboards.
>
> Now, we know that most of the wireless keyboards are just stupid, if
> not analog, atleast somehow buggy and cheap pieces of tech that work
> on various RF bands. Some of them have been analysed and cracked wide
> open and ofcourse nobody is patching them up at all. For example here
> is a good example to proof my point:
> http://www.theregister.co.uk/2007/12/03/wireless_keyboard_crypto_cracked/
>
> Is this a big issue? Oh yes.
> What point is having a good 32+ char passphrase on your www-accounts,
> 63marks long WPA2-PSK and PGP encryption in your emails...if you type
> them all with wireless keyboard, that can be easily eavesdropped maybe
> over 100yards away? Or is it just me thinking its "weakest link in the
> chain of security"?
>
> >From my knowledge, Id say the best option for secure wireless keyboard
> is somekind of bluetooth keyboard that actually, REALLY works like
> bluetooth is supposed to work. You know, a wireless keyboard that
> would allow its default PIN (which is usually 1234 or 0000) to be
> changed in secure fashion to something long and complext (well, lets
> say 16 or 32 marks long)...and that would only allow encrypted and
> authenticated connections and would not broadcast its existance to the
> rest of the world.
>
> Sure, there has been cracks in bluetooth and its crypto, like here:
> http://www.terminodes.org/micsPublicationsDetail.php?pubno=1216
> that make you think that even bluetooths crypto, if it would actually
> be used, is not good enought for wireless keyboards. But its still the
> best we got right?
>
> WUSB might be a good replacement for bluetooth, but are there really
> any secure ones available yet - or will there ever be? How can you
> know they are secure - are you trusting the same manufactorers claims
> that have for years marketed and sold insecure wireless keyboards
> while claiming that they are secure? I dont.
>
> Is it just me or have someone else also payed attention to the
> insecurity of the wireless keyboards - and the total silence around
> this serious security issue? And how to fix this? How and where to get
> wireless keyboards that are really secure?
>
>
>
> --
> http://www.markusjansson.net
> http://markusjansson.blogspot.com
> PGP: 6E9E375EC50A27FDB9DA1672A78C27BF735ADADA
> PGP2: 9966C10DDC7F0DEDEC480A75FE952445F24D55DD
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/