[HN Gopher] Penetration testing wireless keyboards
___________________________________________________________________
Penetration testing wireless keyboards
Author : Breadmaker
Score : 81 points
Date : 2022-10-07 16:21 UTC (1 days ago)
(HTM) web link (kth.diva-portal.org)
(TXT) w3m dump (kth.diva-portal.org)
| danhor wrote:
| Unfortunately they only tested Logitech's unifying system, that's
| known to be broken (mentioned in the paper).
|
| That's one of the reasons Logitech is moving to Logi Bolt, which
| is supposed to be very similar to BLE (but with a separate
| receiver). I'd be really interested to know if it's also as
| secure as BLE.
| solarkraft wrote:
| Do you know why, then, they went with their own, yet-another-
| new protocol, instead of just using BLE?
|
| One hint may be that on my Macbook my Logitech mouse appears to
| have a higher latency (feeling more "spongy") when connected
| via Bluetooth instead of via the dongle.
| hericium wrote:
| PDF: https://kth.diva-portal.org/smash/get/diva2:1701492/FULLTEXT...
| wongarsu wrote:
| Summary of the results (page 137):
|
|   Protocol   Sniffing   Injection
|   Plexgear   Yes        Yes
|   Rapoo      Yes        Yes
|   Logitech   No         Yes
|   Corsair    Yes        Yes
|   iiglo      Yes        Yes
|   Exibel     Yes        Yes
|   Razer      No         No
|
| Choice quotes from Chapter 6 (Discussion):
|
| The results show that 9 out of 10 keyboards have at least some
| form of vulnerability. Out of all the keyboards, 8 of them were
| shown to contain new previously unknown vulnerabilities that
| could grant an attacker full control of the computer of the
| keyboard. The severity of these vulnerabilities in combination
| with how prevalent they are show that the usage of wireless
| keyboards should in no way be used in any situation where
| security, privacy, or integrity is of any concern whatsoever.
|
| [...]
|
| Out of all the keyboards, only one of them actually promised any
| form of encryption as part of the marketing of the keyboard and
| this is the Corsair K63 Wireless. The keyboard is marketed with
| 128-bit AES encryption but as the results of the penetration test
| show, this is not the case. The keyboard's only obfuscation of
| the wireless transmission is a simple XOR of the payload with a
| static key that can potentially be reverse engineered
| automatically with some very simple calculations.
|
| [...]
|
| Razer BlackWidow V3 Pro was the only keyboard not shown to
| contain any vulnerability. As a result of this, it is deemed the
| most secure of the targeted keyboards but it could still be
| vulnerable to some unidentified vulnerability that requires more
| time and resources compared to the rest of the keyboards
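
Added example (not from the thesis or from any commenter): an acceptance check a tester could run on frames captured from a keyboard they own, flagging the static-key XOR behaviour the quote above describes. The 8-byte report layout, the key and both link models are constructed assumptions; no real keyboard's frame format is implied.

```python
import hashlib

def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def audit_link(pairs):
    """pairs: (known_report, captured_frame) tuples from the device under test.

    static_mask   -- report XOR frame is the same bytes for every frame
    deterministic -- a repeated report always produced an identical frame
    Either finding rules out a cipher used with a fresh per-frame nonce.
    """
    masks = {xor_bytes(p, c) for p, c in pairs}
    frames_by_report = {}
    for p, c in pairs:
        frames_by_report.setdefault(p, []).append(c)
    repeats = [cs for cs in frames_by_report.values() if len(cs) > 1]
    deterministic = bool(repeats) and all(len(set(cs)) == 1 for cs in repeats)
    return {"static_mask": len(pairs) > 1 and len(masks) == 1,
            "deterministic": deterministic}

# Constructed HID-style reports: key 'a' (0x04), 'b' (0x05), then 'a' again.
REPORTS = [bytes([0, 0, 0x04, 0, 0, 0, 0, 0]),
           bytes([0, 0, 0x05, 0, 0, 0, 0, 0]),
           bytes([0, 0, 0x04, 0, 0, 0, 0, 0])]
STATIC_KEY = bytes.fromhex("a55a3cc3f00f9966")  # constructed, not a real key

def static_xor_link(reports):
    """Model of the weak design: every payload XORed with one fixed key."""
    return [(r, xor_bytes(r, STATIC_KEY)) for r in reports]

def counter_link(reports):
    """Stand-in for a nonce-based cipher: keystream changes with a counter.
    (Hash-derived keystream is for illustration only, not a recommendation.)"""
    out = []
    for counter, r in enumerate(reports):
        stream = hashlib.sha256(STATIC_KEY + counter.to_bytes(4, "big")).digest()
        out.append((r, xor_bytes(r, stream)))  # zip() truncates to 8 bytes
    return out

if __name__ == "__main__":
    print("static XOR link:", audit_link(static_xor_link(REPORTS)))
    print("counter link:   ", audit_link(counter_link(REPORTS)))
```

A link that reports `static_mask: True` does not match an "AES-128" marketing claim, whatever the data sheet says.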
| pushedx wrote:
| kth is a great name for a university that teaches data science
| capableweb wrote:
| Seems it's a bit older than the concept of "data science"
| (founded 1827, 195 years ago) and also just happens to _also_
| teach data science.
| adamfarhadi wrote:
| I didn't expect to see a masters thesis from KTH on HN. I
| actually took a course with Roberto, one of the supervisors of
| this thesis, while I studied there. Small world.
| buildbot wrote:
| KTH is pretty well known internationally!
| stoplying1 wrote:
| Answered my own question, so sharing it. I wanted to know if the
| Sculpt Ergo was vulnerable. (Seems not). (Also, this has been
| ~known since at least ~2016)
| http://xahlee.info/kbd/Microsoft_wireless_keyboard_key_sniff...
| Tsiklon wrote:
| I see that they discuss Logitech's protocol, does this cover
| "Bolt" devices? or is it only their "unifying receiver"?
| sphars wrote:
| In their testing they tested the Logitech MK270, which is a
| mouse and keyboard combo. It uses the Unifying Receiver.
| saulrh wrote:
| And this is why the Google security folks don't let employees use
| wireless keyboards unless they're bluetooth, and above a certain
| bluetooth protocol version at that. Not that this analysis at any
| time conducted attacks on the bluetooth protocols - every single
| one of these keyboards had a secondary 2.4GHz dongle and just
| happily transmitted everything over that. I'd have liked to know
| whether they're trying to transmit to that dongle all the time or
| whether it turns off when the bluetooth connects!
| solarkraft wrote:
| I got a Rapoo keyboard for free. Since I consider it a no-name
| brand I'm not at all surprised that it turns out to be insecure
| (perfectly matches my expectations), I'm rather surprised that
| the author even audited them and that they even _attempted_ to
| secure the communication a little bit.
|
| So my intuition that generic "2.4GHz" communication is insecure
| has mostly been proven right. Now what about Bluetooth keyboards?
| Can they be considered secure?
| hoppla wrote:
| From my understanding, Bluetooth is vulnerable in the pairing
| process, but secure after that.
| mtreis86 wrote:
| I am disappointed that QMK isn't included in the analysis.
| dfc wrote:
| It's a review of wireless keyboard communication protocols. I
| do not follow QMK development that closely. Have they
| implemented their own wireless protocol?
| Okkef wrote:
| QMK is not wireless. There is ZMK, but that's bluetooth and
| should be safe.
| userbinator wrote:
| Is there really any compelling use-case for a wireless keyboard
| outside of those few scenarios where it needs to be very mobile?
| capableweb wrote:
| Don't ask me why (because I certainly don't agree personally)
| but most people I know prefer wireless anything if they can,
| because they can't stand cables.
|
| But then I have a 32 channel mixer with cables everywhere in my
| office, so not the most unbiased cable-opinionator directly.
| dsr_ wrote:
| People like the way it looks.
|
| Me, I like a wireless mouse, but a wired keyboard.
| alar44 wrote:
| Managers think it looks nice.
| kccqzy wrote:
| So what are the choices for secure wireless keyboards? The only
| one I know of is the Apple Magic Keyboard with Lightning port,
| which uses Bluetooth (BLE rather than the classic one) and not
| some random home-baked protocol over 2.4GHz. It also sidesteps
| the vulnerable pairing step by asking you to plug in to pair.
___________________________________________________________________
(page generated 2022-10-08 23:00 UTC)