Presented at DeepSec 2016 „Ten“
Wireless desktop sets consisting of a wireless mouse, a wireless keyboard, and a USB dongle have become more popular and more widespread in the last couple of years. Seen as a potential target, these radio-based devices are of more interest to people with malicious intentions than their wired counterparts, because they can also be attacked remotely from a safe distance via radio signals.
As wireless desktop sets represent an attractive target, allowing an attacker both to take control of a computer system and to gain knowledge of sensitive data like passwords, they have been frequently analyzed for security vulnerabilities and were successfully attacked in the past. One well-known example of exploiting vulnerabilities in wireless keyboards is the open source wireless keyboard sniffer KeyKeriki by Dreamlab Technologies. The first version was presented back in 2009 for Microsoft keyboards using the 27 MHz ISM band. The second version also supported wireless keyboards using the 2.4 GHz ISM band and was presented in 2010. In 2015, Samy Kamkar published an Arduino-based wireless keyboard sniffer for Microsoft keyboards with known security weaknesses that extended the work of the KeyKeriki v2.0 project and of Travis Goodspeed's research concerning Nordic Semiconductor's transceiver family nRF24. And in spring 2016, a collection of security vulnerabilities found in USB dongles of wireless desktop sets of different manufacturers was released by Bastille Networks Internet Security under the name of MouseJack, which allowed keystroke injection attacks.
SySS GmbH started a research project about the security of modern wireless desktop sets using AES encryption in 2015, as there was no publicly available data concerning security issues in current wireless mice and keyboards. Up to now (May 2016), several security vulnerabilities in modern wireless desktop sets of different manufacturers, like Microsoft, Cherry, Logitech, and perixx, have been found and reported in the course of our responsible disclosure program.
The security vulnerabilities found can be exploited within different attack scenarios from different attacker perspectives. On the one hand, there are security issues which require one-time physical access to a keyboard or a USB dongle, for example to extract cryptographic keys, which can be used in further attacks or to manipulate the firmware. On the other hand, there are security issues that can be exploited remotely via radio communication, for example replay or keystroke injection attacks, due to insecure implementations of the AES-encrypted data communication.
The results of our research show that the security levels of modern wireless desktop sets of different manufacturers are not equal and that some devices are more secure than others. Still, so far there has been no wireless desktop set without any security issues.
In this talk, I will present the results of our research and will demonstrate ways in which modern wireless desktop sets of several manufacturers can be attacked by practically exploiting different security vulnerabilities.
- SySS GmbH
Gerhard is interested in all things concerning IT security, especially when it comes to hardware or radio protocols. He successfully studied IT security at Aalen University and has been working at SySS GmbH since 2014 as an IT security consultant and penetration tester. Gerhard was a speaker at GPN 2013, a conference organized by the Chaos Computer Club (CCC) in Karlsruhe, where he talked about hacking RFID-based student cards. He is also the author of the Mifare Classic Tool Android app.