Eavesdropping on a wireless keyboard

Some time ago, I needed to find a new wireless keyboard. With the level of digital paranoia that I have, my main priority was security. But is eavesdropping a justifiable concern? How insecure would it actually be to type your passwords using an older type of wireless keyboard?

To investigate this, I bought an old Logitech iTouch PS/2 cordless keyboard at an online auction. It's dated July 2000. Back in those days, wireless desktops used the 27 MHz shortwave band; since then they have largely moved to 2.4 GHz. This one happens to be of the shortwave type. They've been tapped before (pdf), but no proof-of-concept was published.

I actually disposed of the keyboard before I could photograph it, so here's a newer Logitech S510 from 2005, still using the same technology:

[Image: Photo of a black cordless QWERTY keyboard with a Logitech logo.]

Compared to modern USB wireless dongles, the receiver of the iTouch is huge. It isn't a one-chip wonder either: the PCB carries multiple crystal oscillators and decoder ICs. Based on Google results, one of the Motorola chips is an FM receiver, which gives us a hint about the mode of transmission.

[Image: On the left, a gray box with the Logitech logo, a button labeled 'CONNECT', and a wire coming out of it, ending in two PS/2 connectors. On the right, the box opened and its PCB revealed. On the PCB there are three metal-colored crystals (16.4200 0014TC, 10.1700 0011TC3, 10.2700 HELE), two bulky components labeled LT455EW, and three microchips with Motorola logos. An array of wires goes out.]

But because eavesdropping is our goal here, I'm tossing the receiver. After all, the signal is well within the 11-meter band of any home receiver with an SW band. For bandwidth reasons, however, I'll use my RTL2838-based television receiver dongle, which can be tuned to an arbitrary frequency and commanded to just dump the I/Q sample stream (using rtl-sdr).

The transmission is clearly visible at 27.14 MHz. Zooming closer and taking a spectrogram, the binary FM/FSK nature of the transmission becomes obvious:

[Image: Spectrogram showing a constant sinusoid and, below it, a burst of data encoded in the frequency of another sinusoid.]

The duration of one bit, measured in samples, gives a bit rate of 850 bps. The bit clock, a reference oscillator steered by a digital PLL, is easy to implement in software. I assumed there's a delta encoding on top of the FSK.
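The receive chain just described, written out as an added example (this is not the author's fm.c or deco.pl, and it does not talk to a real dongle): a quadrature FM discriminator, a mark/space slicer, and a bit clock that a digital PLL steers towards the observed transitions. It runs on a constructed 2-FSK burst at the page's 22050 Hz sample rate and 850 bps, with a deliberately off-centre tune, a slightly wrong transmitter bit rate and added noise. The 2 kHz deviation and the NRZI reading of the "delta encoding" are assumptions of mine, not measurements from the page; the 'w' bit pattern used as payload is the one from the page's key map. iq_from_u8 shows how rtl_sdr's raw unsigned 8-bit interleaved I/Q would be turned into the complex samples the rest expects.

```python
import cmath
import math
import random

# Figures taken from the page: 22050 Hz I/Q after the sox resample, 850 bps.
FS = 22050.0
BITRATE = 850.0
SPB = FS / BITRATE          # samples per bit, about 25.9 (not an integer)
DEVIATION = 2000.0          # assumed FSK deviation in Hz; the page does not state it

# The 'w' pattern from the page's key map, used below as the constructed test payload.
W_PATTERN = "111111101111011111101111101101011011100111111111001111111101111011111101111101101"


def make_fsk(bits, spb=SPB, carrier_offset=0.0, noise=0.0, silence=100, seed=1):
    """Constructed channel: continuous-phase 2-FSK at complex baseband
    (mark = +DEVIATION, space = -DEVIATION) shifted by a tuning offset, with
    Gaussian noise and 'silence' carrier-free samples on either side.
    'spb' may differ from SPB to model a transmitter bit clock that is off."""
    rng = random.Random(seed)
    n = int(round(len(bits) * spb))
    out, phase = [], 0.0
    for i in range(-silence, n + silence):
        s = 0j
        if 0 <= i < n:
            bit = bits[min(int(i / spb), len(bits) - 1)]
            tone = carrier_offset + (DEVIATION if bit else -DEVIATION)
            phase += 2 * math.pi * tone / FS
            s = cmath.exp(1j * phase)
        out.append(s + complex(rng.gauss(0, noise), rng.gauss(0, noise)))
    return out


def iq_from_u8(data):
    """rtl_sdr writes unsigned 8-bit I and Q interleaved, zero at 127.5;
    convert to complex samples scaled to roughly the unit circle."""
    return [complex(data[i] - 127.5, data[i + 1] - 127.5) / 127.5
            for i in range(0, len(data) - 1, 2)]


def squelch(iq, threshold=0.5):
    """Locate the burst: first and one-past-last sample above the magnitude threshold."""
    hot = [i for i, s in enumerate(iq) if abs(s) > threshold]
    return (hot[0], hot[-1] + 1) if hot else (0, 0)


def fm_demod(iq):
    """Quadrature discriminator: instantaneous frequency in Hz from the phase
    step between consecutive samples; the first value is repeated so the
    output stays the same length as, and aligned with, the input."""
    freq = [cmath.phase(b * a.conjugate()) * FS / (2 * math.pi)
            for a, b in zip(iq, iq[1:])]
    return freq[:1] + freq


def smooth(x, width=5):
    """Centred moving average: the post-detection low-pass filter."""
    h = width // 2
    return [sum(x[max(0, i - h):i + h + 1]) / len(x[max(0, i - h):i + h + 1])
            for i in range(len(x))]


def slice_bits(freq):
    """Mark/space decision at the midpoint between the two tones, which also
    cancels a constant tuning offset."""
    mid = (max(freq) + min(freq)) / 2
    return [1 if f > mid else 0 for f in freq]


def recover_bits(sliced, spb=SPB, gain=0.5):
    """Bit clock as a software PLL: a free-running timer at the nominal bit
    period samples each bit near its centre and is pulled towards every
    observed transition, so it follows a bit rate that is slightly off."""
    bits, t = [], spb / 2          # first sampling instant: centre of bit 0
    for i in range(len(sliced)):
        if i and sliced[i] != sliced[i - 1]:
            t += gain * ((i + spb / 2) - t)   # phase error against this edge
        while i >= t:
            bits.append(sliced[i])
            t += spb
    return bits


def nrzi_decode(bits):
    """One reading of the page's 'delta encoding' assumption (hypothetical):
    a logical 1 means the tone did not change from the previous bit."""
    return [1 if a == b else 0 for a, b in zip(bits, bits[1:])]


def decode_burst(iq):
    """Whole chain: squelch -> discriminator -> filter -> slicer -> bit clock."""
    start, end = squelch(iq)
    freq = smooth(fm_demod(iq[start:end]))
    return recover_bits(slice_bits(freq))


if __name__ == "__main__":
    sent = [int(c) for c in W_PATTERN]
    got = decode_burst(make_fsk(sent, spb=26.3, carrier_offset=500.0, noise=0.05))
    print("".join(map(str, got)), got == sent)
```

The slicer threshold is taken from the burst itself, so a tune that is a few hundred hertz off (as in the page, 27.132 versus 27.14 MHz) costs nothing; the PLL gain of 0.5 halves the timing error at every edge, which is plenty for a pattern whose longest run is nine equal bits.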

One keypress produces about 85 bits of data. As far as I could tell, the bit pattern depends only on the key being pressed, so there's no encryption at all, and no per-keystroke variation either. Pressing the reassociation button doesn't change anything. Without going too deep into the details of the obscure protocol, I simply mapped all keys to their bit patterns, like so:

w 111111101111011111101111101101011011100111111111001111111101111011111101111101101
e 111111101111011111101111110101011011100111111111001111111101111011111101111110101
1 111111101111011111101111110110110111001111111110011111111011110111111111110110110
2 111111101111011111101111110110111111100111111111001111111101111011111101111110110
3 111111101111011111101111111010111101001111111110011111111011110111111011111110101
7 111111101111011111101111111110110110110011111111100111111110111101111111011111111
8 111111101111011111101111101110111110011111111100111111110111101111110111110111011
9 111111101111011111101111101110110101100111111111001111111101111011111101111110110
0 111111101111011111101111110110111011001111111110011111111011110111111011111101110
u 111111101111011111101111111101011110011111111100111111110111101111110111111110101
i 111111101111011111101111111101010111001111111110011111111011110111111011111111010

The bitstrings are so consistent from one press of a key to the next that we can compute the Levenshtein distance from a received bitstring to every mapped key, take the smallest distance, and behold, we can receive text from the keyboard! Edit distance, rather than a plain bit-by-bit comparison, because a slipped bit clock inserts or drops a bit and shifts everything after it.

$ rtl_sdr - -f 27132000 -g 32.8 -s 96000 |\
> sox -t .raw -c 2 -r 96000 -e unsigned -b 8 - -t .raw -r 22050 - |\
> ./fm |perl deco.pl
Found 1 device(s):
  0:  Realtek, RTL2838UHIDIR, SN: 00000013

Using device 0: ezcap USB 2.0 DVB-T/DAB/FM dongle
Found Rafael Micro R820T tuner
Tuned to 27132000 Hz.
Tuner gain set to 32.800000 dB.
Reading samples in async mode...
[CAPS]0wned
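Nearest-key matching as an added example, not the author's deco.pl: the key map is the one listed above, the edit-distance function, the ambiguity check (report the runner-up's margin and refuse a tie) and the distance cut-off are mine, and the damaged bursts are constructed here by flipping, dropping or duplicating one bit of a known pattern, the kinds of damage a noisy slicer or a slipped bit clock produces.

```python
# Key map transcribed from the page: the bit pattern received for each key.
KEYMAP = {
    "w": "111111101111011111101111101101011011100111111111001111111101111011111101111101101",
    "e": "111111101111011111101111110101011011100111111111001111111101111011111101111110101",
    "1": "111111101111011111101111110110110111001111111110011111111011110111111111110110110",
    "2": "111111101111011111101111110110111111100111111111001111111101111011111101111110110",
    "3": "111111101111011111101111111010111101001111111110011111111011110111111011111110101",
    "7": "111111101111011111101111111110110110110011111111100111111110111101111111011111111",
    "8": "111111101111011111101111101110111110011111111100111111110111101111110111110111011",
    "9": "111111101111011111101111101110110101100111111111001111111101111011111101111110110",
    "0": "111111101111011111101111110110111011001111111110011111111011110111111011111101110",
    "u": "111111101111011111101111111101011110011111111100111111110111101111110111111110101",
    "i": "111111101111011111101111111101010111001111111110011111111011110111111011111111010",
}


def levenshtein(a, b):
    """Edit distance with unit-cost insert, delete and substitute (two-row DP)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                  # delete ca
                           cur[j - 1] + 1,               # insert cb
                           prev[j - 1] + (ca != cb)))    # substitute or match
        prev = cur
    return prev[-1]


def hamming_mismatches(a, b):
    """Position-by-position mismatches (plus the length difference); shown only
    to contrast with edit distance: one dropped bit misaligns everything after it."""
    return sum(x != y for x, y in zip(a, b)) + abs(len(a) - len(b))


def nearest_key(bits, keymap=KEYMAP):
    """Return (key, distance, margin): the closest mapped key, its edit distance
    and the runner-up's lead over it. A margin of 0 is a tie; don't trust it."""
    ranked = sorted((levenshtein(bits, pat), key) for key, pat in keymap.items())
    (best_d, best_key), (next_d, _) = ranked[0], ranked[1]
    return best_key, best_d, next_d - best_d


def decode_stream(bursts, keymap=KEYMAP, max_distance=8):
    """Map a sequence of received bursts to text; '?' marks a burst that is
    too far from every known pattern or equidistant from two of them."""
    text = []
    for burst in bursts:
        key, d, margin = nearest_key(burst, keymap)
        text.append(key if d <= max_distance and margin > 0 else "?")
    return "".join(text)


def damaged(pattern, flip=None, drop=None, dup=None):
    """Constructed channel damage: flip one bit, drop one bit, or duplicate one
    (the latter two are what a slipped bit clock produces)."""
    bits = list(pattern)
    if flip is not None:
        bits[flip] = "0" if bits[flip] == "1" else "1"
    if dup is not None:
        bits.insert(dup, bits[dup])
    if drop is not None:
        del bits[drop]
    return "".join(bits)


if __name__ == "__main__":
    bursts = [damaged(KEYMAP["2"], drop=12), damaged(KEYMAP["0"], flip=5),
              KEYMAP["1"], damaged(KEYMAP["9"], dup=3)]
    print(decode_stream(bursts))
```

The margin matters: some of the mapped patterns are only two or three edits apart (compare "2" and "0"), so a burst with more than one damaged bit can land equidistant from two keys, and a decoder that silently picks one of them will produce plausible-looking wrong text.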

So, when buying a keyboard for personal use, I chose one with 128-bit AES air interface encryption. Encrypting the link is the right countermeasure against this kind of passive eavesdropping, but it only helps if the pairing, the key handling and the implementation are sound as well.

Update: This post was mostly about accomplishing this with low-level stuff readily available at home. For anyone needing a proof of concept or even decoder hardware, there's KeyKeriki.

Update #2: Due to requests, my code is here: fm.c, deco.pl. Of course it's for reference only, as it's not a working piece of software, and never will be. Oh and it's not pretty either.

12 comments:

  1. "but no proof-of-concept was published, so it's up to me to write one."

    Okay, where can we download your PoC?

    1. You're right, perhaps I should correct that one ;)

  2. http://www.remote-exploit.org/articles/keykeriki_v1_0_-_27mhz/index.html Should I really put the Logitech decoder up there as well... I mean, it's 27 MHz stone-age technology :-)

  3. That 2.4 GHz frequency is rather vulnerable, though widely used. Why people still use obsolete encryption protocols for that is a real secret for me.

  4. Really, what great work you have done. I was looking for Wireless POS but fortunately I got your blog.
    Thanks
    Charles Chas

  5. What graphical interface do you use for your terminal?

    1. The question is ambiguous. But rxvt-unicode and xfwm4.

  6. Would you recommend any AES-using keyboard or product line?

    I recently recommended a team treat their wireless keyboards as a route of compromise in a recent password compromise. In your example, as in their case, it seems feasible to "keyboard tap" at several meters, enough for prepared neighbors or passersby to accomplish without a ...friendly visit ;-B


    In their case, website phishing or malware compromise seems easier and more likely, but *shrug* the world may never know #aintnobodygottimefodat

  7. Samy Kamkar has released KeySweeper, a device that looks like a simple USB wall charger but claims the ability to decrypt the keystrokes of "any Microsoft wireless keyboard in the vicinity." He posted the code and schematic on GitHub.

