Tool logs keystrokes of Wireless 27 MHz keyboards

December 4, 2007

Security researchers have cracked the rudimentary encryption used in a range of popular wireless keyboards. Although Bluetooth is increasingly becoming the de facto standard for wireless communication in peripheral devices and is reckoned to be secure, some manufacturers such as Logitech and Microsoft make keyboards that use 27 MHz radio technology which, it transpires, is anything but secure. Armed with a simple radio receiver, a soundcard, and suitable software, Swiss security firm Dreamlab Technologies managed to capture and decode the radio communications between a keyboard and a PC. The attack opens the way to all sorts of mischief, including keystroke logging to capture login credentials. [1]

Dreamlab was able to successfully log the keystrokes of Microsoft's Wireless Optical Desktop 1000 and Wireless Optical Desktop 2000 products. Although they were unable to test the attack against all of the various Microsoft models, they believe that it would also work against the Wireless Optical Desktop 3000, the Wireless Optical Desktop 4000, and Microsoft's 27 MHz-based Wireless Laser Desktop series. [2]

While developing the proof-of-concept tool, Dreamlab discovered that by using wordlist checking along with a weighting algorithm, all data within range could be decrypted after only a few keystrokes. They claim that there is no need to wait for the encryption key to pass from the keyboard to the receiver, because it only takes about 20 to 50 keystrokes to successfully recover the encryption key. Their custom application basically consists of a sniffer/decoder running in a terminal. As soon as it has estimated the correct encryption key and/or sniffed the valid encryption key, a window pops up and displays all keystrokes recorded from the keyboard in clear text. [2]

Max Moser and Philipp Schrödel say that the decryption was very easy because the devices use a simple XOR mechanism for encryption and the keys are only one byte long. Additionally, there are only 256 different key values possible per keyboard and receiver pair. They claim that even a PDA with a slow ARM CPU would have derived the combination quickly. Aside from not using such keyboards, there currently is no workaround for this issue. [3]
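The sketch below is an added example, not Dreamlab's tool or code from the report: it shows why a one-byte XOR key with wordlist checking and weighting, as described in the two paragraphs above, gives no real confidentiality. The wordlist, sample text, key value and scoring weights are all constructed assumptions, and plain ASCII stands in for keystroke data.

```python
# Added illustration. Constructed ASCII text stands in for keystroke data;
# the keyboards' real radio framing and key codes are not modelled.
import string

# Assumed tiny wordlist and sample; a real check would use a full dictionary.
WORDLIST = {"the", "and", "is", "my", "with", "user", "name",
            "login", "please", "password"}
TYPABLE = set(string.ascii_lowercase + " ")
SAMPLE = b"please login with my user name and password"

def xor_bytes(data: bytes, key: int) -> bytes:
    """'Encrypt' or 'decrypt' with a one-byte XOR key (same operation)."""
    return bytes(b ^ key for b in data)

def score(candidate: bytes) -> float:
    """Weight a candidate plaintext: wordlist hits dominate, then typable chars."""
    try:
        text = candidate.decode("ascii")
    except UnicodeDecodeError:
        return 0.0
    typable = sum(ch in TYPABLE for ch in text) / max(len(text), 1)
    hits = sum(word in WORDLIST for word in text.split())
    return 2.0 * hits + typable

def recover_key(ciphertext: bytes):
    """Try all 256 keys; return the unique best one, or None while ambiguous."""
    ranked = sorted(((score(xor_bytes(ciphertext, k)), k) for k in range(256)),
                    reverse=True)
    (best, key), (runner_up, _) = ranked[:2]
    return key if best > runner_up else None

def keystrokes_needed(ciphertext: bytes):
    """Shortest captured prefix that already pins down a single key."""
    for n in range(1, len(ciphertext) + 1):
        if recover_key(ciphertext[:n]) is not None:
            return n
    return None

if __name__ == "__main__":
    captured = xor_bytes(SAMPLE, 0x5A)  # 0x5A is an arbitrary constructed key
    key = recover_key(captured)
    print(f"key=0x{key:02x} after {keystrokes_needed(captured)} characters")
    print(xor_bytes(captured, key).decode())
```

Because every candidate key can be tried and scored in a single pass, the only protection a scheme like this offers is the short radio range; a link that derives a long per-pairing key does not have this property.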

But before you consider throwing out your keyboard in the name of better security, note that wireless keyboards from Microsoft, Logitech, and IBM operating on 27 MHz only have a range of about 6 feet, meaning that an attacker would need to get within close proximity of their target in order to execute this attack. [4]

1. "Microsoft wireless keyboards crypto cracked", The Register, December 3, 2007

2. "27Mhz Wireless Keyboard Analysis Report", Dreamlab Technologies, November 30, 2007

3. "Security firm cracks encryption for Microsoft's wireless keyboards", Heise Security, December 1, 2007

4. "Cordless Desktop: Using a Wireless Mouse and Keyboard with Windows XP", Microsoft, July 8, 2002