Full Disclosure mailing list archives

Re: Does the following...

From: James Tucker <jftucker () gmail com>
Date: Sat, 11 Sep 2004 15:46:21 +0100

Just a couple of comments which are important for people to know.

<snip>

- RF keyboards don't exist. Nobody's *that* unconcerned about security.


What do you think TV broadcasts (plain), radio (plain), GSM (heavy
encryption scheme), bluetooth (reasonable encryption scheme), paknet
(no encryption, but the modulation scheme is at this time uncrackable
by any individual), wifi (don't even get us all started) are? ALL
Radio Frequency communications.

- Bluetooth keyboards require a pairing process to work, so that's not
   too likely.


Bluetooth does have a higher degree of security than most other,
"plain text" if you like, peripheral RF schemes.

As I am sure you are all aware wifi is not exactly hard to crack the
modulation scheme or the WEP keys.

In case you don't know, "typical" RF cordless keyboards and mice have
been recorded to have effective ranges to around 150m (way beyond what
the manufacturer's specs say):

   http://www.aftenposten.no/english/local/article427668.ece

   http://www.securityfocus.com/archive/100/374785


Amusing articles, but there are lessons to be learned here. 
1) RF ranges are based upon the environments the transmitters and
receivers are in.
2) RF can be boosted (both ends effective) by adding GAIN to ONE END
ONLY. (Yes that means the coke can with a little wire out of one end
hanging out of the next door neighbors kids window is in fact a
wireless tapping antenna (joke, but this is not by any means
impossible))
3) "plain" RF on its own provides no security against someone who
knows, evaluation of modulation schemes and data protocols is
essential.

Agreed -- these were stabs-in-the-dark by folk who forgot to understand
the problem description before responding...


Are the wireless device and speech recognition ideas really that much
more "likely", they are all "ideas" and are all possible in some way
or another.


If anyone wants to learn more about RF, consider some introductory
courses from places such as Proxim. RF is not IP, the rules are _VERY_
different.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Current thread:

Re: Does the following..., (continued)
- Re: Does the following... Mister Coffee (Sep 10)
- Re: Does the following... nobody (Sep 10)
- Re: Does the following... Nick FitzGerald (Sep 10)
- RE: Does the following... Esler, Joel - Contractor (Sep 10)
- RE: Does the following... Chmielarski TOM-ATC090 (Sep 10)
  - Re: Does the following... Andrew Farmer (Sep 10)
    - Re: Does the following... Valdis . Kletnieks (Sep 10)
    - Re: Does the following... Andrew Farmer (Sep 10)
    - Re: Does the following... Mister Coffee (Sep 11)
    - Re: Does the following... Nick FitzGerald (Sep 11)
    - Re: Does the following... James Tucker (Sep 11)
    - Re: Does the following... Nick FitzGerald (Sep 11)
    - Re: Does the following... James Tucker (Sep 11)
  - Re: Does the following... XOR (Sep 14)
- RE: Does the following... Todd Towles (Sep 10)
- RE: Does the following... Todd Towles (Sep 10)
- FW: Does the following... cj thirteen (Sep 11)
- Re: Does the following... Peter Hickman (Sep 14)