Many wireless keyboard and mice setups connect to computers through a USB dongle and boast that this communication is encrypted. This is to stop hackers from sniffing the wireless connection to monitor keystrokes which can reveal sensitive information including passwords. But at Ruxcon 2016, one security researcher has demonstrated that you can still gain access to a computer using a wireless keyboard, even when the connect is protected by AES, one of the most secure data encryption standards around. No keylogging required.
Security concerns over wireless keyboards aren't exactly new. Unsecured wireless connections can be intercepted so that hackers can see what you're typing to extract valuable information such as passwords. Nowadays, it's common for keyboard makers to use encryption, usually with 128-bit AES, to ensure that communication between the keyboard and the USB dongle receiver connected to a computer is safe from prying eyes.
Syss security researcher Gerhard Klostermeier presented at hacker conference Ruxcon 2016 in Melbourne over the weekend. He and his partner Matthias Deeg had been exploring the security of wireless keyboards from various manufacturers including Cherry, Fujitsu, Microsoft, Perixx and Logitech (see below for list of specific products tested). All of the keyboards that were tested boasted AES encryption.
The pair tested the keyboards against a handful of attacks, some involving hardware hacking on the keyboards themselves, others exploited vulnerabilities that exist in the mice that comes with keyboards sets that usually don't have encryption. Mouse spoofing allows hackers to hijack a user's mouse and use the on-screen keyboard to perform remote code execution. Klostermeier pointed out the challenges in using mouse spoofing techniques as it depends on a number of variables including where the on-screen keyboard is positioned and pointer speed.
One of the more interesting attack methods Syss looked at was replay attacks which allows hackers to record the encrypted radio signal between the keyboard and USB receiver and use it to unlock a PC without having to decrypt it. Klostermeier did a live demonstration of this at Ruxcon 2016. Using an off-the-shelf software defined radio which they added to a custom-made Raspberry Pi box, he was able to record the encrypted radio signal that was transmitted while he typed in the password. Playing this signal back allowed him to unlock the target PC without needing to know what the original password was. Combining this with mouse spoofing, he opened the run dialogue box and typed in Powershell commands to compromise the PC.
Klostermeier noted that if you spend a bit more time, code execution could be done very quickly.
All this was done with equipment that you can build at home yourself and, depending on the hardware you use, you can record and send signals from 15 meters to as far as a few kilometres.
In a real-world scenario, this replay method could be used in social engineering attacks. An attacker could implant a software defined radio device, that can be made with a tiny Raspberry Pi to record wireless keyboard signals, in an office. They can wait until the targeted user steps away from the computer, physically enter the office again, replay the signal of the user typing in their password to unlock the computer.
"Nothing special, no [special] knowledge or anything," Klostermeier said at his presentation.
The Syss researchers have subsequently flagged their concerns to the various vendors who had their keyboards tested. It is impossible to fix vulnerabilities on existing keyboards that are already out on the market but four out of the five vendors said they would address the issues in newer offerings.
Cherry specifically said it will no longer advertise their existing wireless keyboard products as secure. Perixx didn't respond at all. Syss have yet to look into Bluetooth wireless keyboards.
The best way to avoid these attacks is to do the obvious: use wired keyboards.
The specific keyboards Syss tested were:
- Cherry AES B.Unlimited
- Fujitsu Wireless Keyboard Set LX901
- Logitech MK530
- Microsoft Wireless Desktop 2000
- Perixx Periduo-710W