Matthew Gillen wrote:
> I can't bring myself to use a wireless keyboard. I just don't like the
> idea of broadcasting my passwords out to anyone within listening
> distance.

The Security Now podcast has covered the security of wireless keyboards a few times. In episode 269 Steve Gibson says:

  ...the wireless keyboards have such weak security that essentially, when you turn the keyboard on, it chooses an eight-bit byte randomly and XORs the data that's being sent with that byte. ...the data is not technically in the clear. It's not plaintext. But, boy, I mean, it would just be a fun and relatively short exercise to decrypt that stream. It would be trivial to decrypt it. ... So the encryption of wireless keyboards is virtually ineffective.

And in episode 271 he says:

  Yeah, I wanted to quickly calm everyone's nerves over the issue of keyboard security. ... I did some research, read some whitepapers and some security evaluations and so forth. And the good news is Logitech got it 100 percent correct. They did a beautiful job. ... There's nonvolatile memory in the keyboard and in what they call their little unifying receiver. This is Logitech's new technology. So at the factory, nonvolatile memory in the keyboard and in the unifying receiver are synchronized with the same 128-bit symmetric key, which the AES algorithm uses to encrypt keystrokes. So if you repair the keyboard, because for example you might pair it with a different receiver that hasn't seen that keyboard before, the pairing process does exactly the right thing. There are pseudorandom number generators at each end. They're able to establish a new key without it ever going over the wire, over the air, in the clear, in order to synchronize a new key that they agree upon on the fly. That's written into nonvolatile RAM and kept there. ...I haven't looked at anybody else's. But I know that the unifying receiver technology that Logitech has is doing this. And it does say in the specs, just in the regular top-level specs, 128-bit AES encryption. So that's the way they implemented it. I would imagine anything that Logitech has done, even if it's not the K320 wireless keyboard, that also says that would be using the same technology, which means you can trust it.

So the level of security depends on the keyboard, with at least some of the newer models having adequate security.

And elsewhere in that episode:

  ...anything Bluetooth is, well, okay. Anything Bluetooth is way more secure than a simple 8-bit XOR, if for no other reason than almost nothing could be less secure than an 8-bit XOR. ... Bluetooth is good security, very good security.

Episodes 280 and 283 cover BlueTooth in depth. (I haven't listened to them yet.)

Episode 269:
  transcript: http://www.grc.com/sn/sn-269.txt
  audio: http://media.grc.com/sn/sn-269.mp3

Episode 271:
  transcript: http://www.grc.com/sn/sn-271.txt
  audio: http://media.grc.com/sn/sn-271.mp3

Other episodes:
  http://www.grc.com/securitynow.htm

 -Tom

-- 
Tom Metro
Venture Logic, Newton, MA, USA
"Enterprise solutions through open source."
Professional Profile: http://tmetro.venturelogic.com/
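
Why the single-byte XOR described in the episode 269 quote gives no confidentiality, as an added example that is not part of the original post or the podcast. It works on a constructed ASCII string, not on any keyboard's actual wire format, and all function names are hypothetical.

```python
"""Added example: single-byte XOR over constructed data (not a real keyboard protocol)."""
import secrets


def xor_stream(data: bytes, key: int) -> bytes:
    """Scheme as described in the quote: XOR every byte with one fixed 8-bit value."""
    return bytes(b ^ key for b in data)


def plausibility(candidate: bytes) -> int:
    """Score how much a candidate looks like typed English text."""
    score = 0
    for b in candidate:
        if b in b"etaoinshrdlu ":   # frequent letters and space
            score += 2
        elif 32 <= b < 127:         # other printable ASCII
            score += 1
        else:                       # control or non-ASCII byte
            score -= 5
    return score


def exhaust_keyspace(ciphertext: bytes) -> tuple[int, bytes]:
    """Try all 2**8 keys; return the (key, plaintext) pair that scores best."""
    key = max(range(256), key=lambda k: plausibility(xor_stream(ciphertext, k)))
    return key, xor_stream(ciphertext, key)


def key_from_known_byte(cipher_byte: int, plain_byte: int) -> int:
    """One known plaintext byte reveals the key outright: k = c XOR p."""
    return cipher_byte ^ plain_byte


# Constructed sample text; stands in for whatever the device would send.
SAMPLE = b"the quick brown fox types a password at the login prompt"

if __name__ == "__main__":
    secret_key = secrets.randbelow(256)   # "chooses an eight-bit byte randomly"
    ciphertext = xor_stream(SAMPLE, secret_key)
    key, text = exhaust_keyspace(ciphertext)
    print(f"recovered key 0x{key:02x} after at most 256 trials: {text!r}")
    known = key_from_known_byte(ciphertext[0], SAMPLE[0])
    print(f"same key from one known byte: 0x{known:02x}")
    print(f"an AES-128 keyspace is 2**{128 - 8} times larger")
```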