Message-ID: <bb31befc0803100901n7535486aqd4181b125d7d524c@mail.gmail.com>
Date: Mon, 10 Mar 2008 18:01:08 +0200
From: Dmitry <security.research.labs@...il.com>
To: full-disclosure@...ts.grok.org.uk
Subject: Re: Wireless keyboard insecurity - any secure one
	available?

SHUT UP GADI !

On Mon, Mar 10, 2008 at 5:59 AM, Markus Jansson <markus.jansson@...il.com>
wrote:

> I decided to write here after not getting any real response from any
> vendor or security forums that I have written about the subject in the
> past few months. The issue is relatively simple and affecting a lot of
> people, companies and probably even government officials: Wireless
> keyboards.
>
> Now, we know that most of the wireless keyboards are just stupid, if
> not analog, at least somehow buggy and cheap pieces of tech that work
> on various RF bands. Some of them have been analysed and cracked wide
> open and of course nobody is patching them up at all. For example here
> is a good example to prove my point:
> http://www.theregister.co.uk/2007/12/03/wireless_keyboard_crypto_cracked/
>
> Is this a big issue? Oh yes.
> What point is having a good 32+ char passphrase on your www-accounts,
> 63 marks long WPA2-PSK and PGP encryption in your emails...if you type
> them all with a wireless keyboard, that can be easily eavesdropped maybe
> over 100 yards away? Or is it just me thinking it's the "weakest link in the
> chain of security"?
>
> From my knowledge, I'd say the best option for a secure wireless keyboard
> is some kind of Bluetooth keyboard that actually, REALLY works like
> Bluetooth is supposed to work. You know, a wireless keyboard that
> would allow its default PIN (which is usually 1234 or 0000) to be
> changed in a secure fashion to something long and complex (well, let's
> say 16 or 32 marks long)...and that would only allow encrypted and
> authenticated connections and would not broadcast its existence to the
> rest of the world.
>
> Sure, there have been cracks in Bluetooth and its crypto, like here:
> http://www.terminodes.org/micsPublicationsDetail.php?pubno=1216
> that make you think that even Bluetooth's crypto, if it would actually
> be used, is not good enough for wireless keyboards. But it's still the
> best we got, right?
>
> WUSB might be a good replacement for bluetooth, but are there really
> any secure ones available yet - or will there ever be? How can you
> know they are secure - are you trusting the same manufacturers' claims
> that have for years marketed and sold insecure wireless keyboards
> while claiming that they are secure? I don't.
>
> Is it just me or has someone else also paid attention to the
> insecurity of the wireless keyboards - and the total silence around
> this serious security issue? And how to fix this? How and where to get
> wireless keyboards that are really secure?
>
>
>
> --
> http://www.markusjansson.net
> http://markusjansson.blogspot.com
> PGP: 6E9E375EC50A27FDB9DA1672A78C27BF735ADADA
> PGP2: 9966C10DDC7F0DEDEC480A75FE952445F24D55DD
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
