[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <478a78440803092059j52cb3caejb7bf5a6a2904da52@mail.gmail.com>
Date: Mon, 10 Mar 2008 05:59:00 +0200
From: "Markus Jansson" <markus.jansson@...il.com>
To: full-disclosure@...ts.grok.org.uk
Subject: Wireless keyboard insecurity - any secure one
available?
I decided to write here after not getting any real response from any
vendor or security forums that I have written about the subject in the
past few months. The issue is relatively simple and affecting a lot of
people, companies and propably even goverment officials: Wireless
keyboards.
Now, we know that most of the wireless keyboards are just stupid, if
not analog, atleast somehow buggy and cheap pieces of tech that work
on various RF bands. Some of them have been analysed and cracked wide
open and ofcourse nobody is patching them up at all. For example here
is a good example to proof my point:
http://www.theregister.co.uk/2007/12/03/wireless_keyboard_crypto_cracked/
Is this a big issue? Oh yes.
What point is having a good 32+ char passphrase on your www-accounts,
63marks long WPA2-PSK and PGP encryption in your emails...if you type
them all with wireless keyboard, that can be easily eavesdropped maybe
over 100yards away? Or is it just me thinking its "weakest link in the
chain of security"?
>>From my knowledge, Id say the best option for secure wireless keyboard
is somekind of bluetooth keyboard that actually, REALLY works like
bluetooth is supposed to work. You know, a wireless keyboard that
would allow its default PIN (which is usually 1234 or 0000) to be
changed in secure fashion to something long and complext (well, lets
say 16 or 32 marks long)...and that would only allow encrypted and
authenticated connections and would not broadcast its existance to the
rest of the world.
Sure, there has been cracks in bluetooth and its crypto, like here:
http://www.terminodes.org/micsPublicationsDetail.php?pubno=1216
that make you think that even bluetooths crypto, if it would actually
be used, is not good enought for wireless keyboards. But its still the
best we got right?
WUSB might be a good replacement for bluetooth, but are there really
any secure ones available yet - or will there ever be? How can you
know they are secure - are you trusting the same manufactorers claims
that have for years marketed and sold insecure wireless keyboards
while claiming that they are secure? I dont.
Is it just me or have someone else also payed attention to the
insecurity of the wireless keyboards - and the total silence around
this serious security issue? And how to fix this? How and where to get
wireless keyboards that are really secure?
--
http://www.markusjansson.net
http://markusjansson.blogspot.com
PGP: 6E9E375EC50A27FDB9DA1672A78C27BF735ADADA
PGP2: 9966C10DDC7F0DEDEC480A75FE952445F24D55DD
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists