Logitech Wireless Devices Vulnerable to Man-in-the-Middle Attack
17 May 2001
Summary
Logitech sells wireless desktop products such as wireless mice and keyboards. These devices transfer data wirelessly via RF (Radio Frequency) in the CB (Citizens Band) frequency range at about 27 MHz. The synchronization process between the wireless device and the receiver is initiated by pressing the connect button on the receiver and then on the wireless device.
A security flaw in the way the receiver works allows attackers (located up to 30m away) to detect this synchronization process (by 'sniffing' the connect-sequence) and take over the "session" that has been established between the receiver and the wireless device (essentially taking over the "controls" of the device).
Credit:
The information has been provided by Axel Hammer.
This security vulnerability occurs because the receiver, after a connection has been initialized, keeps waiting for up to 30 minutes for new devices to synchronize with it.
An attacker is able to sniff the connect sequence of a victim's device from afar and either lock in to the pair of frequencies / codes used by the victim's devices or take control of the victim's devices.
Impact:
It is possible to gain access to the wireless devices. Keystrokes may be sniffed in plain (unscrambled) text, so the attacker can read the keystrokes without the victim knowing it.
Exploit:
To sniff a connection of wireless devices, you need a receiver from the same manufacturer and of the same model. By slightly modifying it to extend the range of the receiver to about 30m (using an external antenna), it is possible to attack devices that are located far away.
Solution:
It is strongly recommended that you do not use these devices in security-relevant locations.