Re: [Full-disclosure] Wireless keyboard insecurity - any secure one available?
Ever hear of a factotum?

D

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] Wireless keyboard insecurity - any secure one available?
SHUT UP GADI !

On Mon, Mar 10, 2008 at 5:59 AM, Markus Jansson <[EMAIL PROTECTED]> wrote:
> I decided to write here after not getting any real response from any vendor or security forums that I have written about the subject in the past few months. The issue is relatively simple and affecting a lot of people, companies and probably even government officials: Wireless keyboards.
>
> Now, we know that most of the wireless keyboards are just stupid, if not analog, at least somehow buggy and cheap pieces of tech that work on various RF bands. Some of them have been analysed and cracked wide open and of course nobody is patching them up at all. For example here is a good example to prove my point:
> http://www.theregister.co.uk/2007/12/03/wireless_keyboard_crypto_cracked/
>
> Is this a big issue? Oh yes.
> What point is having a good 32+ char passphrase on your www-accounts, 63 marks long WPA2-PSK and PGP encryption in your emails...if you type them all with a wireless keyboard, that can be easily eavesdropped maybe over 100 yards away? Or is it just me thinking it's "weakest link in the chain of security"?
>
> From my knowledge, I'd say the best option for a secure wireless keyboard is some kind of Bluetooth keyboard that actually, REALLY works like Bluetooth is supposed to work. You know, a wireless keyboard that would allow its default PIN (which is usually 1234 or ) to be changed in secure fashion to something long and complex (well, let's say 16 or 32 marks long)...and that would only allow encrypted and authenticated connections and would not broadcast its existence to the rest of the world.
>
> Sure, there have been cracks in Bluetooth and its crypto, like here:
> http://www.terminodes.org/micsPublicationsDetail.php?pubno=1216
> that make you think that even Bluetooth's crypto, if it would actually be used, is not good enough for wireless keyboards. But it's still the best we got, right?
>
> WUSB might be a good replacement for Bluetooth, but are there really any secure ones available yet - or will there ever be? How can you know they are secure - are you trusting the same manufacturers' claims that have for years marketed and sold insecure wireless keyboards while claiming that they are secure? I don't.
>
> Is it just me or has someone else also paid attention to the insecurity of the wireless keyboards - and the total silence around this serious security issue? And how to fix this? How and where to get wireless keyboards that are really secure?
>
> --
> http://www.markusjansson.net
> http://markusjansson.blogspot.com
> PGP: 6E9E375EC50A27FDB9DA1672A78C27BF735ADADA
> PGP2: 9966C10DDC7F0DEDEC480A75FE952445F24D55DD
[Full-disclosure] Wireless keyboard insecurity - any secure one available?
I decided to write here after not getting any real response from any vendor or security forums that I have written about the subject in the past few months. The issue is relatively simple and affecting a lot of people, companies and probably even government officials: Wireless keyboards.

Now, we know that most of the wireless keyboards are just stupid, if not analog, at least somehow buggy and cheap pieces of tech that work on various RF bands. Some of them have been analysed and cracked wide open and of course nobody is patching them up at all. For example here is a good example to prove my point:
http://www.theregister.co.uk/2007/12/03/wireless_keyboard_crypto_cracked/

Is this a big issue? Oh yes.
What point is having a good 32+ char passphrase on your www-accounts, 63 marks long WPA2-PSK and PGP encryption in your emails...if you type them all with a wireless keyboard, that can be easily eavesdropped maybe over 100 yards away? Or is it just me thinking it's "weakest link in the chain of security"?

From my knowledge, I'd say the best option for a secure wireless keyboard is some kind of Bluetooth keyboard that actually, REALLY works like Bluetooth is supposed to work. You know, a wireless keyboard that would allow its default PIN (which is usually 1234 or ) to be changed in secure fashion to something long and complex (well, let's say 16 or 32 marks long)...and that would only allow encrypted and authenticated connections and would not broadcast its existence to the rest of the world.

Sure, there have been cracks in Bluetooth and its crypto, like here:
http://www.terminodes.org/micsPublicationsDetail.php?pubno=1216
that make you think that even Bluetooth's crypto, if it would actually be used, is not good enough for wireless keyboards. But it's still the best we got, right?

WUSB might be a good replacement for Bluetooth, but are there really any secure ones available yet - or will there ever be? How can you know they are secure - are you trusting the same manufacturers' claims that have for years marketed and sold insecure wireless keyboards while claiming that they are secure? I don't.

Is it just me or has someone else also paid attention to the insecurity of the wireless keyboards - and the total silence around this serious security issue? And how to fix this? How and where to get wireless keyboards that are really secure?

--
http://www.markusjansson.net
http://markusjansson.blogspot.com
PGP: 6E9E375EC50A27FDB9DA1672A78C27BF735ADADA
PGP2: 9966C10DDC7F0DEDEC480A75FE952445F24D55DD