22

I've just acquired a wireless keyboard/mouse combo (Microsoft Wireless Desktop 3000). Only after having plugged it in did it get me thinking. How susceptible are those kind of setups to sniffing? Are they secure enough for everyday use?

From a brief perusal it seems that the problem is not purely theoretical as I initially thought:

Are there any feasible methods to mitigate this kind of threat (apart from using a corded keyboard for highly sensitive applications)?


[Edit:]

So as to clarify the assumed threat model per nealmcb's request.

I'm talking mostly about my actual setup. Personal/SOHO context, trying to avoid remote keylogging threat, protected assets are mostly login passwords and some sensitive info (f.e. credit card number etc.).

I know in my context the real life threat is negligible, but the same could be said about the perception of WEP based security in the past. So my question is - would devices like KeyKeriki allow amateurs to sniff freely on wireless keyboards? I suppose the good thing is that in this case a dedicated piece of hardware would still be needed, which is not the case with penetrating poorly secured Wi-Fi networks nowadays. So I'm hoping this difference will inhibit spreading of this threat.

But to broaden the question I thought also about possible corporate setups (crowded office space) and what about remote execution in this case - is it more than just a hypothetical risk?

To be clear though, high security setups are completely out of scope of this question.

Karol J. Piczak
  • 1,155
  • 2
  • 9
  • 15
  • 1
    build thicker walls to absorb most of the signal? :P here is a paper on that stuff: http://lasecwww.epfl.ch/keyboard/ , it has a countermeasures part which you may be interested in. – Sigtran Mar 09 '11 at 12:17
  • I'd rather avoid building a bunker. ;-) But thanks for a nice paper. As to the problem - I thought more about things like virtual keyboard input. – Karol J. Piczak Mar 09 '11 at 13:54
  • "It all depends...." It would help if you clarified your threat model in the question (as discussed in the FAQ). – nealmcb Mar 10 '11 at 01:37
  • Thanks - nice job of clarifying this to make it a really relevant question! – nealmcb Mar 11 '11 at 06:06

2 Answers2

14

The key here is what you define as "every day use" - if you work in an environment where the data is sensitive, your security policy should take into account the risk from wireless interception and if appropriate, the use of wireless devices should be forbidden.

Faraday cage equivalents, such as shielded rooms/buildings may be appropriate but are obviously a much higher cost than just using a different keyboard/mouse.

If you have nothing majorly sensitive, be aware there are other potential issues - I have seen instances where another user started seeing keyboard input on their screen as the two machines managed to sync to the same wireless keyboard. This could cause some privacy worries :-)

If you are worried at all, go wired and you don't need to try and work out the risk/benefit tradeoff of wireless.

Rory Alsop
  • 61,474
  • 12
  • 117
  • 321
  • Luckily, in my case it's only personal/SOHO use, not military. :-) So out of sheer paranoia I could use a wired backup keyboard and sleep tight. But it got me thinking more as a general question - for instance, would you use wireless in a corporate environment? – Karol J. Piczak Mar 09 '11 at 14:01
  • 1
    @Karol - I know a lot of companies who do, and have carried out work to assess the risk for two global companies. Key risk is probably the key logging one - if that is mitigated by some other means (eg logon via hardware token) then it may not be an issue. – Rory Alsop Mar 09 '11 at 14:34
13

One must also keep in mind that due to various considerations, primarily cost and regulations (depending on country), even your wired keyboard may be vulnerable to interception. A couple of researchers, Vuagnoux and Pasini, discovered that the EMI produced by the keyboard itself could be decoded into plain text. The paper they presented at USENIX Security '09, Compromising Electromagnetic Emanations of Wired and Wireless Keyboards, is a good read if you are interested in that space.

The flip side of that coin is whether or not it is worth the trouble of protecting against that threat. That risk analysis will be left as an exercise to the reader.

D.W.
  • 98,860
  • 33
  • 271
  • 588
Scott Pack
  • 15,217
  • 5
  • 62
  • 91