[HN Gopher] Penetration testing wireless keyboards
___________________________________________________________________

Penetration testing wireless keyboards

Author : Breadmaker
Score  : 81 points
Date   : 2022-10-07 16:21 UTC (1 days ago)

(HTM) web link (kth.diva-portal.org)
(TXT) w3m dump (kth.diva-portal.org)

| danhor wrote:
| Unfortunately they only tested Logitech's unifying system, that's
| known to be broken (mentioned in the paper).
|
| That's one of the reasons Logitech is moving to Logi Bolt, which
| is supposed to be very similar to BLE (but with a separate
| receiver). I'd be really interested to know if it's also as
| secure as BLE.
| solarkraft wrote:
| Do you know why, then, they went with their own,
| yet-another-new protocol, instead of just using BLE?
|
| One hint may be that on my Macbook my Logitech mouse appears to
| have a higher latency (feeling more "spongy") when connected
| via Bluetooth instead of via the dongle.
| hericium wrote:
| PDF:
| https://kth.diva-portal.org/smash/get/diva2:1701492/FULLTEXT...
| wongarsu wrote:
| Summary of the results (page 137):
|
|     Protocol   Sniffing   Injection
|     Plexgear   Yes        Yes
|     Rapoo      Yes        Yes
|     Logitech   No         Yes
|     Corsair    Yes        Yes
|     iiglo      Yes        Yes
|     Exibel     Yes        Yes
|     Razer      No         No
|
| Choice quotes from Chapter 6 (Discussion):
|
| The results show that 9 out of 10 keyboards have at least some
| form of vulnerability. Out of all the keyboards, 8 of them were
| shown to contain new previously unknown vulnerabilities that
| could grant an attacker full control of the computer of the
| keyboard. The severity of these vulnerabilities in combination
| with how prevalent they are show that the usage of wireless
| keyboards should in no way be used in any situation where
| security, privacy, or integrity is of any concern whatsoever.
|
| [...]
|
| Out of all the keyboards, only one of them actually promised any
| form of encryption as part of the marketing of the keyboard and
| this is the Corsair K63 Wireless. The keyboard is marketed with
| 128-bit AES encryption but as the results of the penetration test
| show, this is not the case. The keyboard's only obfuscation of
| the wireless transmission is a simple XOR of the payload with a
| static key that can potentially be reverse engineered
| automatically with some very simple calculations.
|
| [...]
|
| Razer BlackWidow V3 Pro was the only keyboard not shown to
| contain any vulnerability. As a result of this, it is deemed the
| most secure of the targeted keyboards but it could still be
| vulnerable to some unidentified vulnerability that requires more
| time and resources compared to the rest of the keyboards
| pushedx wrote:
| kth is a great name for a university that teaches data science
| capableweb wrote:
| Seems it's a bit older than the concept of "data science"
| (founded 1827, 195 years ago) and also just happens to _also_
| teach data science.
| adamfarhadi wrote:
| I didn't expect to see a master's thesis from KTH on HN. I
| actually took a course with Roberto, one of the supervisors of
| this thesis, while I studied there. Small world.
| buildbot wrote:
| KTH is pretty well known internationally!
| stoplying1 wrote:
| Answered my own question, so sharing it. I wanted to know if the
| Sculpt Ergo was vulnerable. (Seems not). (Also, this has been
| ~known since at least ~2016)
| http://xahlee.info/kbd/Microsoft_wireless_keyboard_key_sniff...
| Tsiklon wrote:
| I see that they discuss Logitech's protocol, does this cover
| "Bolt" devices? or is it only their "unifying receiver"?
| sphars wrote:
| In their testing they tested the Logitech MK270, which is a
| mouse and keyboard combo. It uses the Unifying Receiver.
| saulrh wrote:
| And this is why the Google security folks don't let employees use
| wireless keyboards unless they're bluetooth, and above a certain
| bluetooth protocol version at that. Not that this analysis at any
| time conducted attacks on the bluetooth protocols - every single
| one of these keyboards had a secondary 2.4GHz dongle and just
| happily transmitted everything over that. I'd have liked to know
| whether they're trying to transmit to that dongle all the time or
| whether it turns off when the bluetooth connects!
| solarkraft wrote:
| I got a Rapoo keyboard for free. Since I consider it a no-name
| brand I'm not at all surprised that it turns out to be insecure
| (perfectly matches my expectations), I'm rather surprised that
| the author even audited them and that they even _attempted_ to
| secure the communication a little bit.
|
| So my intuition that generic "2.4GHz" communication is insecure
| has mostly been proven right. Now what about Bluetooth keyboards?
| Can they be considered secure?
| hoppla wrote:
| From my understanding, Bluetooth is vulnerable in the pairing
| process, but secure after that.
| mtreis86 wrote:
| I am disappointed that QMK isn't included in the analysis.
| dfc wrote:
| It's a review of wireless keyboard communication protocols. I
| do not follow QMK development that closely. Have they
| implemented their own wireless protocol?
| Okkef wrote:
| QMK is not wireless. There is ZMK, but that's bluetooth and
| should be safe.
| userbinator wrote:
| Is there really any compelling use-case for a wireless keyboard
| outside of those few scenarios where it needs to be very mobile?
| capableweb wrote:
| Don't ask me why (because I certainly don't agree personally)
| but most people I know prefer wireless anything if they can,
| because they can't stand cables.
|
| But then I have a 32 channel mixer with cables everywhere in my
| office, so not the most unbiased cable-opinionator directly.
| dsr_ wrote:
| People like the way it looks.
|
| Me, I like a wireless mouse, but a wired keyboard.
| alar44 wrote:
| Managers think it looks nice.
| kccqzy wrote:
| So what are the choices for secure wireless keyboards? The only
| one I know of is the Apple Magic Keyboard with Lightning port,
| which uses Bluetooth (BLE rather than the classic one) and not
| some random home-baked protocol over 2.4GHz. It also sidesteps
| the vulnerable pairing step by asking you to plug in to pair.
___________________________________________________________________
(page generated 2022-10-08 23:00 UTC)
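
Added example (not part of the thread or the thesis): a Python check for the point in the thesis quote in wongarsu's comment, that XOR with a static key is obfuscation rather than encryption. The 8-byte report layout as the radio payload, the key, and the HMAC-SHA256 keystream (a stand-in for a real cipher, not AES) are assumptions constructed for illustration.

```python
import hashlib
import hmac

KEY = bytes.fromhex("a1b2c3d4e5f60718")  # constructed static key, not from any device

# Constructed 8-byte HID boot-keyboard reports: modifier, reserved, six keycodes.
IDLE = bytes(8)
KEY_A = bytes([0x00, 0, 0x04, 0, 0, 0, 0, 0])    # 'a' pressed
SHIFT_B = bytes([0x02, 0, 0x05, 0, 0, 0, 0, 0])  # left shift + 'b'
TYPED = [KEY_A, IDLE, SHIFT_B, IDLE, KEY_A, IDLE]


def xor_static(report, key=KEY):
    """Obfuscation of the kind the thesis describes: payload XOR a fixed key."""
    return bytes(p ^ k for p, k in zip(report, key))


def xor_counter(report, counter, key=KEY):
    """Stand-in for a real cipher (not AES): fresh keystream per packet,
    derived as HMAC-SHA256(key, packet counter)."""
    stream = hmac.new(key, counter.to_bytes(8, "big"), hashlib.sha256).digest()
    return bytes(p ^ s for p, s in zip(report, stream))


def audit(frames):
    """Red flags in a capture of equal-length payloads from one device."""
    repeated = len(frames) - len(set(frames))
    # XORing two frames cancels a static key and leaves only the difference
    # of the plaintexts, which for sparse HID reports is mostly zero bytes.
    diffs = [bytes(a ^ b for a, b in zip(frames[0], f)) for f in frames[1:]]
    zero_ratio = sum(d.count(0) for d in diffs) / sum(len(d) for d in diffs)
    return {"repeated_frames": repeated, "zero_ratio": zero_ratio}


def run_demo():
    static = audit([xor_static(r) for r in TYPED])
    fresh = audit([xor_counter(r, i) for i, r in enumerate(TYPED)])
    return static, fresh


if __name__ == "__main__":
    static, fresh = run_demo()
    print("static XOR:", static)
    print("per-packet keystream:", fresh)
```

Repeated frames and a high zero ratio are what a reviewer would expect from a link whose payload is only XORed with a fixed key; with a fresh keystream per packet both signals disappear.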