Bugtraq mailing list archives

Re: 27Mhz based wireless security insecurities - Aka - "We know what you typed last summer"


From: Jacob Appelbaum <jacob () appelbaum net>
Date: Fri, 30 Nov 2007 15:25:37 -0800

Max Moser wrote:
> Dear List members,
>
> Today the remote-exploit.org team, together with Dreamlab Technologies, would like
> to release another piece of unique research work.
>
> Although the trend in wireless communication in peripheral devices such as
> keyboards and mice is moving towards Bluetooth, market leaders such as
> Logitech and Microsoft rely on cost-efficient, tried-and-tested 27 MHz radio
> technology.
>
> Using just a simple radio receiver, a soundcard and suitable software, the
> remote-exploit.org members Max Moser & Philipp Schroedel have managed to
> tap and decode the radio frequencies transmitted between the keyboard and
> PC/notebook computer.

Hi Max,

This is interesting work. It's also very similar to the work done by
Luis Miras. He presented two papers on this very subject, "Other
Wireless: New ways to get Pwned" at CanSecWest07[0] and BlackHat07[1].

Does your research take over where his left off? It seems like you found
a way to simplify some parts of the analysis. I'd be interested in
seeing the work. Will you be publishing the rest of your research within
a given time frame? It seems like the cat is out of the bag, no?

Also, did you manage to inject traffic as Luis did? Or is your attack
limited to passive sniffing, brute forcing the "security byte" and XOR
for plain text recovery?

Impressive work reversing the keyboard protocol. Good job!

Regards,
Jacob

[0] http://luis.ringzero.net/docs/CSW07-LuisMiras.pdf
[1] http://luis.ringzero.net/docs/OtherWireless_BHUSA2007.pdf

