A New Wireless Keyboard Sniffer and the Need to Encrypt

Eavesdropping is a significant threat to cyber security, and one against which confidentiality countermeasures are deployed. We encrypt our data (right?), shield some facilities, and locate buildings a “safe distance” from roads and other public spaces, but if the threat is reasonably near a device, the usual measures may not be enough. This is especially true if the device includes a radio transmitter such as a Wi-Fi or Bluetooth device.

Recently Samy Kamkar (@SamyKamkar) published an article on his blog detailing how to build a device to wirelessly sniff keystrokes from modern Microsoft wireless keyboards. There have been similar articles about sniffing older keyboards that used a much lower frequency band. (The newer ones use the same 2.4GHz Industrial, Scientific, and Medical (ISM) bands that Wi-Fi, Bluetooth, baby monitors, and some cordless phones use.) Kamkar’s article notes the weakness of the encryption Microsoft uses in the keyboards his device can sniff, but Microsoft may use different methods in other keyboards. Logitech touts the security of their keyboards’ encryption as 128-bit AES.

Since the Logitech keyboards and Microsoft’s enhanced-encryption keyboards use AES, which is a symmetric (single-key) algorithm, it may be possible to sniff the key exchange and thus decrypt the traffic anyway. Or maybe the keyboard and dongle are paired at the factory (although I know at least some wireless keyboards are not, as they can be paired with any compatible dongle). Maybe the keyboard and dongle use a Diffie-Hellman key exchange so an observer can’t intercept the keys. Microsoft published a document called “Microsoft 2.4GHz Wireless Protocol”, but it doesn’t describe the protocol itself. It just notes that keyboards have unique IDs.
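The difference between those possibilities, from a passive listener's point of view, can be shown with a short added example (not code from the article, from Kamkar's work, or from any vendor's protocol). Both pairing schemes, the function names, and the toy Diffie-Hellman parameters are assumptions made for illustration.

```python
import hashlib
import secrets

# Toy parameters for illustration only (assumption): a real design would use
# a vetted group or curve, not this modulus and generator.
P = 2**255 - 19   # a well-known prime, used here only as a convenient modulus
G = 2

def kdf(shared: int) -> bytes:
    """Derive a 128-bit AES key from the Diffie-Hellman shared secret."""
    return hashlib.sha256(shared.to_bytes(32, "big")).digest()[:16]

def pair_cleartext():
    """Hypothetical pairing A: the dongle sends the AES key over the air."""
    key = secrets.token_bytes(16)
    over_the_air = [("dongle->keyboard", key)]
    return key, over_the_air

def pair_diffie_hellman():
    """Hypothetical pairing B: only public values cross the radio link."""
    a = secrets.randbelow(P - 3) + 2      # keyboard private value, never sent
    b = secrets.randbelow(P - 3) + 2      # dongle private value, never sent
    A, B = pow(G, a, P), pow(G, b, P)     # public values, visible to anyone
    over_the_air = [("keyboard->dongle", A.to_bytes(32, "big")),
                    ("dongle->keyboard", B.to_bytes(32, "big"))]
    keyboard_key = kdf(pow(B, a, P))      # each side combines its own private
    dongle_key = kdf(pow(A, b, P))        # value with the peer's public value
    return keyboard_key, dongle_key, over_the_air

def observer_sees_key(key: bytes, over_the_air) -> bool:
    """True if the AES key itself appears in the captured frames.

    This only checks whether the key was transmitted; with Diffie-Hellman
    the observer would have to solve a discrete logarithm to derive it.
    """
    return any(key in payload for _, payload in over_the_air)

if __name__ == "__main__":
    k, frames = pair_cleartext()
    print("cleartext pairing, key on the air:", observer_sees_key(k, frames))
    kk, dk, frames = pair_diffie_hellman()
    print("DH pairing, both sides agree:", kk == dk)
    print("DH pairing, key on the air:", observer_sees_key(kk, frames))
```

This models a passive observer only. An unauthenticated Diffie-Hellman exchange does not stop an active man-in-the-middle who is present during pairing, so the public values also need to be authenticated.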

Maybe the transmissions of some of these keyboards can be sniffed and keystrokes extracted as Kamkar did, and maybe others cannot. People have been using other ways to intercept keystrokes for a long time. There are two important points here: 1) wireless data can be intercepted, and it can be decoded by clever developers, although if it is strongly encrypted and the key exchange can’t be intercepted, it will be very difficult to extract the actual keystroke data; and 2) there are ways to intercept keystrokes other than by sniffing wireless data.

A good countermeasure for wireless keyboard sniffing is to use a wired keyboard (D’oh!). That won’t eliminate all threats, as we describe in Learning Tree’s System and Network Security Introduction, but it will address that one.

Kamkar’s design and the analysis behind it are interesting. One probably can’t use it to sniff data from all keyboards (and he doesn’t claim you can!). But his work helps emphasize the point that wireless data can be captured and that manufacturers and users need to take appropriate measures to secure it.

If you decide to build this sniffer, let us know about it in the comments below.

To your safe computing,
John McDermott
