Some time ago, I needed to find a new wireless keyboard. With the level of digital paranoia that I have, my main priority was security. But is eavesdropping a justifiable concern? How insecure would it actually be to type your passwords using an older type of wireless keyboard?
To investigate this, I bought an old Logitech iTouch PS/2 cordless keyboard at an online auction. It's dated July 2000. Back in those days, wireless desktops used the 27 MHz shortwave band; later they've largely moved to 2.4 GHz. This one happens to be of the shortwave type. They've been tapped before (pdf), but no proof-of-concept was published.
I actually disposed of the keyboard before I could photograph it, so here's a newer Logitech S510 from 2005, still using the same technology:
Compared to modern USB wireless dongles, the receiver of the iTouch is huge. It isn't a one-chip wonder either, and contains a PCB with multiple crystal oscillators and decoder ICs. Based on Google results, one of the Motorola chips is an FM receiver, which gives us a hint about the mode of transmission.
But because eavesdropping is our goal here, I'm tossing the receiver. After all, the signal is well within the 11-meter band of any home receiver with an SW band. For bandwidth reasons, however, I'll use my RTL2838-based television receiver dongle, which can be tuned to an arbitrary frequency and commanded to just dump the I/Q sample stream (using rtl-sdr).
The transmission is clearly visible at 27.14 MHz. Zooming closer and taking a spectrogram, the binary FM/FSK nature of the transmission becomes obvious:
The sample length of one bit indicates a bitrate of 850 bps. A reference oscillator with a digital PLL can be easily implemented in software. I assumed there's a delta encoding on top of the FSK.
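To make the "reference oscillator with a digital PLL" concrete, here is an added Python example (not the post's fm.c or deco.pl). It synthesizes a constructed binary-FSK I/Q stream at the 22050 Hz rate the post resamples to, demodulates it with a quadrature discriminator, and then recovers the 850 bps bit stream with an NCO whose phase is pulled toward every level transition and which reads one bit per period at the bit centre. The frequency deviation, the idle-as-mark padding and the slight transmit-rate error (854 bps against the nominal 850) are assumptions made for the demo; the post does not state the keyboard's deviation.

```python
import cmath
import math
import random

FS = 22050        # sample rate after the post's sox resample
BITRATE = 850     # bit rate measured from the spectrogram in the post

# Bit pattern for the "w" key, copied from the post's table
W_BITS = "111111101111011111101111101101011011100111111111001111111101111011111101111101101"


def synth_iq(bits, deviation=2000.0, tx_bitrate=854.0, lead=20, trail=40,
             noise=0.05, seed=1):
    """Constructed test signal (not a recording): binary FSK as complex
    baseband I/Q at FS. Deviation, the small transmit-rate error and the
    lead/trail padding (idle = mark) are assumptions for this demo."""
    rng = random.Random(seed)
    spb = FS / tx_bitrate                      # fractional samples per bit
    levels = [1.0] * lead
    for i, b in enumerate(bits):
        n = round((i + 1) * spb) - round(i * spb)
        levels += [1.0 if b == "1" else -1.0] * n
    levels += [1.0] * trail
    phase, out = 0.0, []
    for lv in levels:
        phase += 2 * math.pi * lv * deviation / FS
        z = cmath.exp(1j * phase)
        out.append(complex(z.real + rng.gauss(0.0, noise),
                           z.imag + rng.gauss(0.0, noise)))
    return out


def fm_discriminate(iq):
    """Quadrature FM detector: the angle between consecutive I/Q samples is
    the instantaneous frequency, positive for mark and negative for space."""
    out, prev = [], iq[0]
    for z in iq:
        d = z * prev.conjugate()
        out.append(math.atan2(d.imag, d.real))
        prev = z
    return out


def bit_sync(samples, bitrate=BITRATE, gain=0.5):
    """Digital PLL bit slicer. An NCO free-runs at the nominal bit rate;
    each level transition pulls its phase toward 0 (the bit edge) and one
    bit is read every time the NCO passes 0.5 (the bit centre)."""
    step = bitrate / FS
    phase = 0.0
    prev = samples[0] > 0.0
    bits = []
    for x in samples:
        cur = x > 0.0
        if cur != prev:
            # signed distance of this transition from the NCO's bit edge
            err = phase if phase < 0.5 else phase - 1.0
            phase -= gain * err
        prev = cur
        before = phase
        phase += step
        if before < 0.5 <= phase:
            bits.append("1" if cur else "0")
        if phase >= 1.0:
            phase -= 1.0
    return "".join(bits)


if __name__ == "__main__":
    decoded = bit_sync(fm_discriminate(synth_iq(W_BITS)))
    print(decoded)
    print("w pattern recovered:", W_BITS in decoded)
```

Because the idle level is mark, the decoded string carries a few extra 1 bits before and after the key's pattern; a real decoder would frame on the leading 1111111 run that every pattern in the table starts with.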
One keypress produces about 85 bits of data. The bit pattern seems to always correlate with the key being pressed, so there's no encryption at all. Pressing the reassociation button doesn't change things either. Without going too much into the details of the obscure protocol, I just mapped all keys to their bit patterns, like so:
w 111111101111011111101111101101011011100111111111001111111101111011111101111101101
e 111111101111011111101111110101011011100111111111001111111101111011111101111110101
1 111111101111011111101111110110110111001111111110011111111011110111111111110110110
2 111111101111011111101111110110111111100111111111001111111101111011111101111110110
3 111111101111011111101111111010111101001111111110011111111011110111111011111110101
7 111111101111011111101111111110110110110011111111100111111110111101111111011111111
8 111111101111011111101111101110111110011111111100111111110111101111110111110111011
9 111111101111011111101111101110110101100111111111001111111101111011111101111110110
0 111111101111011111101111110110111011001111111110011111111011110111111011111101110
u 111111101111011111101111111101011110011111111100111111110111101111110111111110101
i 111111101111011111101111111101010111001111111110011111111011110111111011111111010
The bitstrings are so much correlated between keystrokes that we can calculate the Levenshtein distance of the received bitstring to all the mapped keys, find the smallest distance, and behold, we can receive text from the keyboard!
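The nearest-key lookup described above, as an added Python example (not the post's deco.pl), using the key table the post gives. Levenshtein distance rather than Hamming distance is what makes this tolerant of a dropped or doubled bit from imperfect clock recovery, not just of a flipped one; the rejection threshold max_distance is a constructed value so that noise frames are reported instead of guessed.

```python
# Key-to-bitstring table copied from the post's mapping
KEY_BITS = {
    "w": "111111101111011111101111101101011011100111111111001111111101111011111101111101101",
    "e": "111111101111011111101111110101011011100111111111001111111101111011111101111110101",
    "1": "111111101111011111101111110110110111001111111110011111111011110111111111110110110",
    "2": "111111101111011111101111110110111111100111111111001111111101111011111101111110110",
    "3": "111111101111011111101111111010111101001111111110011111111011110111111011111110101",
    "7": "111111101111011111101111111110110110110011111111100111111110111101111111011111111",
    "8": "111111101111011111101111101110111110011111111100111111110111101111110111110111011",
    "9": "111111101111011111101111101110110101100111111111001111111101111011111101111110110",
    "0": "111111101111011111101111110110111011001111111110011111111011110111111011111101110",
    "u": "111111101111011111101111111101011110011111111100111111110111101111110111111110101",
    "i": "111111101111011111101111111101010111001111111110011111111011110111111011111111010",
}


def levenshtein(a, b):
    """Edit distance (insert, delete, substitute) using one rolling row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                  # delete ca
                           cur[j - 1] + 1,               # insert cb
                           prev[j - 1] + (ca != cb)))    # substitute
        prev = cur
    return prev[-1]


def nearest_key(received, table=KEY_BITS, max_distance=8):
    """Return (key, distance) for the table entry closest to the received
    bitstring, or None when nothing is within max_distance (a constructed
    threshold: such a frame is treated as noise rather than guessed).
    Ties go to the earlier table entry."""
    best_key, best_dist = None, None
    for key, bits in table.items():
        d = levenshtein(received, bits)
        if best_dist is None or d < best_dist:
            best_key, best_dist = key, d
    if best_dist > max_distance:
        return None
    return best_key, best_dist


def decode_frames(frames):
    """Map a list of received per-keypress bitstrings to text, '?' for rejects."""
    out = []
    for frame in frames:
        hit = nearest_key(frame)
        out.append(hit[0] if hit else "?")
    return "".join(out)


if __name__ == "__main__":
    flipped = "0" + KEY_BITS["w"][1:]                       # one bit error
    slipped = KEY_BITS["e"][:40] + "1" + KEY_BITS["e"][40:]  # one extra bit
    print(decode_frames([flipped, slipped, "0" * 81]))       # w e ?
```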
$ rtl_sdr - -f 27132000 -g 32.8 -s 96000 |\
> sox -t .raw -c 2 -r 96000 -e unsigned -b 8 - -t .raw -r 22050 - |\
> ./fm |perl deco.pl
Found 1 device(s):
0: Realtek, RTL2838UHIDIR, SN: 00000013
Using device 0: ezcap USB 2.0 DVB-T/DAB/FM dongle
Found Rafael Micro R820T tuner
Tuned to 27132000 Hz.
Tuner gain set to 32.800000 dB.
Reading samples in async mode...
[CAPS]0wned █
So, when buying a keyboard for personal use, I chose one with 128-bit AES air interface encryption.
Update: This post was mostly about accomplishing this with low-level stuff readily available at home. For anyone needing a proof of concept or even decoder hardware, there's KeyKeriki.
Update #2: Due to requests, my code is here: fm.c, deco.pl. Of course it's for reference only, as it's not a working piece of software, and never will be. Oh and it's not pretty either.
"but no proof-of-concept was published, so it's up to me to write one."
Okay, where can we download your PoC?
You're right, perhaps I should correct that one ;)
http://www.remote-exploit.org/articles/keykeriki_v1_0_-_27mhz/index.html Should I really put the Logitech decoder up there as well.... I mean it's 27 MHz stone-age technology :-)
Thanks, I'll link to it.
That 2.4 GHz frequency is rather vulnerable, though widely used. Why people still use obsolete encryption protocols for that is a real secret for me.
What graphical interface do you use for your terminal?
The question is ambiguous. But rxvt-unicode and xfwm4.
Would you recommend any AES-using keyboard or product line?
I recently recommended a team treat their wireless keyboards as a route of compromise in a recent password compromise. In your example, as in their case, it seems feasible to "keyboard tap" at several meters, enough for prepared neighbors or passersby to accomplish without a ...friendly visit ;-B
In their case, website phishing or malware compromise seems easier and more likely, but *shrug* the world may never know #aintnobodygottimefodat
I use Logitech K360.
Samy Kamkar has released KeySweeper, a device that looks like a simple USB wall charger but claims the ability to decrypt the keystrokes of "any Microsoft wireless keyboard in the vicinity." He posted the code and schematic on GitHub.