Bugtraq mailing list archives

logitech wireless devices: man-in-the-middle attack


From: Axel Hammer <alpha01 () grafx-design de>
Date: Wed, 16 May 2001 21:40:21 +0200

Device(s) tested:
Logitech wireless desktop (mouse, keyboard, receiver)
These devices transfer data wirelessly via RF; this set uses
CB-band frequencies at about 27MHz.
The synchronisation between the wireless devices is initiated by pressing
a connect-button on the receiver and then on the wireless devices to
find a matching and undistorted pair of frequencies (or codes).

Problem:
The receiver waits for 30 minutes after initialising a connect for new
devices to sync on them.
An attacker is able to sniff the connect-sequence of a victim's device
from far and to lock-in to the pair of frequencies / codes of the
victim's devices or to take control of a victim's devices.

Impact:
It is possible to gain access to wireless devices. The keystrokes may be
sniffed in plain, unscrambled text.
It is possible for the victim AND the attacker to read the keystrokes
without the victim noticing the attack.

Exploit:
To sniff a connection of wireless devices, you need a receiver from the
same manufacturer, same model.
With slight modifications it is possible to extend the range of the
receiver to about 30m (using an external antenna).
It is necessary to 'remotely' initiate a reconnection of the victim's
devices by the victim himself (no details, sorry).

Solution:
We intend strongly NOT TO USE these devices in security-relevant
locations.

Vendor-Status:
not informed.

Regards, Axel

Information first published: (c) 2001/05/05, www.daten-treuhand.de

