Date: Mon, 10 Mar 2008 05:59:00 +0200
From: "Markus Jansson" <markus.jansson@...il.com>
To: full-disclosure@...ts.grok.org.uk
Subject: Wireless keyboard insecurity - any secure one available?

I decided to write here after not getting any real response from any
vendor or security forums that I have written to about the subject in the
past few months. The issue is relatively simple and affects a lot of
people, companies and probably even government officials: Wireless
keyboards.

Now, we know that most of the wireless keyboards are just stupid, if
not analog, at least somehow buggy and cheap pieces of tech that work
on various RF bands. Some of them have been analysed and cracked wide
open and of course nobody is patching them up at all. For example, here
is a good example to prove my point:
http://www.theregister.co.uk/2007/12/03/wireless_keyboard_crypto_cracked/

Is this a big issue? Oh yes.
What is the point of having a good 32+ char passphrase on your www-accounts,
a 63 marks long WPA2-PSK and PGP encryption in your emails...if you type
them all with a wireless keyboard that can be easily eavesdropped on from maybe
over 100 yards away? Or is it just me thinking it's the "weakest link in the
chain of security"?

From my knowledge, I'd say the best option for a secure wireless keyboard
is some kind of Bluetooth keyboard that actually, REALLY works like
Bluetooth is supposed to work. You know, a wireless keyboard that
would allow its default PIN (which is usually 1234 or 0000) to be
changed in a secure fashion to something long and complex (well, let's
say 16 or 32 marks long)...and that would only allow encrypted and
authenticated connections and would not broadcast its existence to the
rest of the world.

Sure, there have been cracks in Bluetooth and its crypto, like here:
http://www.terminodes.org/micsPublicationsDetail.php?pubno=1216
that make you think that even Bluetooth's crypto, if it would actually
be used, is not good enough for wireless keyboards. But it's still the
best we've got, right?

WUSB might be a good replacement for Bluetooth, but are there really
any secure ones available yet - or will there ever be? How can you
know they are secure - are you trusting the claims of the same manufacturers
that have for years marketed and sold insecure wireless keyboards
while claiming that they are secure? I don't.

Is it just me or has someone else also paid attention to the
insecurity of wireless keyboards - and the total silence around
this serious security issue? And how to fix this? How and where to get
wireless keyboards that are really secure?



-- 
http://www.markusjansson.net
http://markusjansson.blogspot.com
PGP: 6E9E375EC50A27FDB9DA1672A78C27BF735ADADA
PGP2: 9966C10DDC7F0DEDEC480A75FE952445F24D55DD
