Technical Details
Wireless Keyboard Sniffing and Injection
Marc Newlin, Bastille Research Team
Version 1.0
Abstract
KeySniffer is a set of security vulnerabilities affecting non-Bluetooth wireless keyboards from eight vendors. The wireless keyboards susceptible to KeySniffer use unencrypted radio communication protocols, enabling an attacker to eavesdrop on all the keystrokes typed by the victim from several hundred feet away using less than $100 of equipment. This means an attacker can see personal and private data such as credit card numbers, usernames, passwords, security question answers and other sensitive or private information all in clear text.
Overview
Wireless keyboards commonly communicate using proprietary protocols operating in the 2.4GHz ISM band. In contrast to Bluetooth, there is no industry standard to follow, leaving each vendor to implement their own security scheme.
Wireless keyboards work by transmitting radio frequency packets from the keyboard to a USB dongle plugged into a user’s computer. When a user types on their wireless keyboard, information describing the specific keystrokes is sent wirelessly to the USB dongle. The USB dongle listens for radio frequency packets sent by the keyboard, and notifies the computer whenever the user has pressed or released a key.
In order to prevent eavesdropping, high-end keyboards encrypt the keystroke data before it is transmitted wirelessly to the USB dongle. The dongle knows the encryption key being used by the keyboard, so it is able to decrypt the data and see which key was pressed. Without prior knowledge of the encryption key, an attacker is unable to decrypt the data, and therefore unable to see what is being typed.
New research from the Bastille Research Team reveals that many of today’s inexpensive wireless keyboards do not encrypt the keystroke data before it is transmitted wirelessly to the USB dongle. This makes it possible for an attacker to both eavesdrop on everything a victim types, as well as transmit their own malicious keystrokes, which allows them to type directly on the victim’s computer.
Undocumented Transceivers
Prior research into wireless keyboard sniffing by Schroeder & Moser [1], Goodspeed [2], and Kamkar [3] targeted a line of weakly encrypted Microsoft keyboards that used the well documented nRF24L family of transceivers from Nordic Semiconductor. Documentation about how the transceivers operate, including radio frequency packet formats, enabled them to focus on understanding the data being transmitted between the keyboard and USB dongle.
The keyboards susceptible to the KeySniffer vulnerabilities use undocumented transceivers, which necessitated the Bastille Research Team reverse engineering the physical layer and radio frequency packet formats before the data could be examined. Vulnerable keyboards from Hewlett-Packard, Anker, Kensington, RadioShack, Insignia, and EagleTec use transceivers from MOSART Semiconductor. Vulnerable keyboards from Toshiba use transceivers from Signia Technologies, and vulnerable keyboards from GE/Jasco use an entirely unknown transceiver.
All of the wireless keyboards vulnerable to KeySniffer operate in the 2.4GHz ISM band using GFSK modulation, which is similar to the modulation scheme employed by Bluetooth and other proprietary wireless keyboards (note that this refers to how the binary data of a keystroke packet is turned into a radio waveform, rather than how the packet is constructed or if encryption is used). The techniques used to reverse engineer the undocumented transceivers were presented at the Hack in the Box Security Conference in Amsterdam[4].
Crazyradio PA Dongles
The Crazyflie[5] is an open source drone which is controlled with an amplified nRF24L-based USB dongle called the Crazyradio PA[6]. This is equivalent to an amplified version of the USB dongles commonly used with wireless mice and keyboards. Custom firmware and software was developed for the Crazyradio PA dongle in order to communicate with the keyboards vulnerable to KeySniffer.
Vulnerabilities: Keystroke Sniffing and Injection
Each of the vulnerable keyboards is susceptible to both keystroke sniffing and keystroke injection attacks. Keystroke sniffing enables an attacker to eavesdrop on every keystroke a victim types on their computer from several hundred feet away. The attacker can recover email addresses, usernames, passwords, credit card information, mailing addresses, and other sensitive information.
Previously demonstrated vulnerabilities affecting wireless keyboards required the attacker to first observe radio packets transmitted when the victim typed on their keyboard. The keyboards vulnerable to KeySniffer use USB dongles which continuously transmit radio packets at regular intervals, enabling an attacker to quickly survey an environment such as a room, building or public space for vulnerable devices regardless of the victim’s presence. This means an attacker can find a vulnerable keyboard whether a user is at the keyboard and typing or not, and set up to capture information when the user starts typing.
In addition to eavesdropping on the victim’s keystrokes, an attacker can inject their own malicious keystroke commands into the victim’s computer. This can be used to install malware, exfiltrate data, or any other malicious act that a hacker could perform with physical access to the victim’s computer.
Mitigation
The transceivers used in wireless keyboards vulnerable to KeySniffer are inherently insecure due to a lack of encryption, and do not support firmware updates. Users of vulnerable keyboards should switch to Bluetooth or wired keyboards in order to protect themselves from keystroke sniffing and injection attacks.
Affected Devices
View the list of vulnerable devices.
References (updated at time of publishing)
Schroeder & Moser. (March, 2010). Practical Exploitation of Modern Wireless Devices. Retrieved from http://www.remote-exploit.org/content/keykeriki_v2_cansec_v1.1.pdf
Goodspeed, Travis. (February 7, 2011). Promiscuity is the nRF24L01+'s Duty. Retrieved from http://travisgoodspeed.blogspot.com/2011/02/promiscuity-is-nrf24l01s-duty.html
Kamkar, Samy. (January 12, 2015). KeySweeper. Retrieved from http://samy.pl/keysweeper/
Newlin, Marc. (May 26, 2016). OSINT Reverse Engineering of the ARFz. Retrieved from https://conference.hitb.org/hitbsecconf2016ams/materials/D1%20COMMSEC%20-%20Marc%20Newlin%20-%20Applying%20Regulatory%20Data%20to%20IoT%20RF%20Reverse%20Engineering.pdf
Bitcraze AB. (2016). Crazyflie 2.0. Retrieved from https://www.bitcraze.io/crazyflie-2/
Bitcraze AB. (2016). Crazyradio PA. Retrieved from https://www.bitcraze.io/crazyradio-pa/