Some time ago, I needed to find a new wireless keyboard. With the level of digital paranoia that I have, my main priority was security. But is eavesdropping a justifiable concern? How insecure would it actually be to type your passwords using an older type of wireless keyboard?
To investigate this, I bought an old Logitech iTouch PS/2 cordless keyboard at an online auction. It's dated July 2000. Back in those days, wireless desktops used the 27 MHz shortwave band; later they've largely moved to 2.4 GHz. This one happens to be of the shortwave type. They've been tapped before (pdf), but no proof-of-concept was published.
I actually disposed of the keyboard before I could photograph it, so here's a newer Logitech S510 from 2005, still using the same technology:
Compared to modern USB wireless dongles, the receiver of the iTouch is huge. It isn't a one chip wonder either, and contains a PCB with multiple crystal oscillators and decoder ICs. Based on Google results, one of the Motorola chips is an FM receiver, which gives us a hint about the mode of transmission.
But because eavesdropping is our goal here, I'm tossing the receiver. After all, the signal is well within the 11-meter band of any home receiver with an SW band. For bandwidth reasons, however, I'll use my RTL2838-based television receiver dongle, which can be tuned to an arbitrary frequency and commanded to just dump the raw I/Q sample stream (using rtl-sdr).
The transmission is clearly visible at 27.14 MHz. Zooming closer and taking a spectrogram, the binary FM/FSK nature of the transmission becomes obvious:
The length of one bit in samples indicates a bit rate of 850 bps. A reference oscillator with a digital PLL for bit-clock recovery is easy to implement in software. I assumed there's a delta encoding on top of the FSK.
One keypress produces about 85 bits of data. The bit pattern seems to always correlate with the key being pressed, so there's no encryption at all. Pressing the reassociation button doesn't change things either. Without going too much into the details of the obscure protocol, I just mapped all keys to their bit patterns, like so:
w 111111101111011111101111101101011011100111111111001111111101111011111101111101101
e 111111101111011111101111110101011011100111111111001111111101111011111101111110101
1 111111101111011111101111110110110111001111111110011111111011110111111111110110110
2 111111101111011111101111110110111111100111111111001111111101111011111101111110110
3 111111101111011111101111111010111101001111111110011111111011110111111011111110101
7 111111101111011111101111111110110110110011111111100111111110111101111111011111111
8 111111101111011111101111101110111110011111111100111111110111101111110111110111011
9 111111101111011111101111101110110101100111111111001111111101111011111101111110110
0 111111101111011111101111110110111011001111111110011111111011110111111011111101110
u 111111101111011111101111111101011110011111111100111111110111101111110111111110101
i 111111101111011111101111111101010111001111111110011111111011110111111011111111010
The bitstrings are so strongly correlated between keystrokes that we can compute the Levenshtein distance from the received bitstring to every mapped key, pick the one with the smallest distance, and behold: we can receive text from the keyboard!
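As an added example (not the post's own deco.pl), here is that nearest-key lookup in Python, using the bit patterns tabulated above; the min_pairwise_distance helper is my addition and shows how many bit errors the lookup can absorb before two keys become ambiguous.

```python
from itertools import combinations

# Key -> bit pattern, transcribed from the table above (81-bit strings
# captured from the iTouch at 850 bps after FSK demodulation).
KEY_PATTERNS = {
    "w": "111111101111011111101111101101011011100111111111001111111101111011111101111101101",
    "e": "111111101111011111101111110101011011100111111111001111111101111011111101111110101",
    "1": "111111101111011111101111110110110111001111111110011111111011110111111111110110110",
    "2": "111111101111011111101111110110111111100111111111001111111101111011111101111110110",
    "3": "111111101111011111101111111010111101001111111110011111111011110111111011111110101",
    "7": "111111101111011111101111111110110110110011111111100111111110111101111111011111111",
    "8": "111111101111011111101111101110111110011111111100111111110111101111110111110111011",
    "9": "111111101111011111101111101110110101100111111111001111111101111011111101111110110",
    "0": "111111101111011111101111110110111011001111111110011111111011110111111011111101110",
    "u": "111111101111011111101111111101011110011111111100111111110111101111110111111110101",
    "i": "111111101111011111101111111101010111001111111110011111111011110111111011111111010",
}


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute, cost 1 each) with one rolling row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def decode_keystroke(bits: str, table=KEY_PATTERNS):
    """Return (key, distance) for the table entry closest to the received bits.

    A dropped or doubled bit from imperfect clock recovery shifts the rest of
    the string, which is why edit distance is used rather than Hamming distance.
    """
    return min(((k, levenshtein(bits, p)) for k, p in table.items()),
               key=lambda kd: kd[1])


def min_pairwise_distance(table=KEY_PATTERNS) -> int:
    """Smallest edit distance between any two mapped keys (the noise margin)."""
    return min(levenshtein(p, q) for p, q in combinations(table.values(), 2))


if __name__ == "__main__":
    # Constructed noisy capture: pattern for "w" with one bit flipped and one bit dropped.
    w = KEY_PATTERNS["w"]
    noisy = w[:30] + ("0" if w[30] == "1" else "1") + w[31:50] + w[51:]
    print(decode_keystroke(noisy), "margin:", min_pairwise_distance())
```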
$ rtl_sdr - -f 27132000 -g 32.8 -s 96000 |\
> sox -t .raw -c 2 -r 96000 -e unsigned -b 8 - -t .raw -r 22050 - |\
> ./fm | perl deco.pl
Found 1 device(s):
  0:  Realtek, RTL2838UHIDIR, SN: 00000013

Using device 0: ezcap USB 2.0 DVB-T/DAB/FM dongle
Found Rafael Micro R820T tuner
Tuned to 27132000 Hz.
Tuner gain set to 32.800000 dB.
Reading samples in async mode...
[CAPS]0wned
So, when buying a keyboard for personal use, I chose one with 128-bit AES air interface encryption.
Update: This post was mostly about accomplishing this with low-level stuff readily available at home. For anyone needing a proof of concept or even decoder hardware, there's KeyKeriki.