27Mhz Wireless Keyboard Analysis Report aka "We Know What You Typed Last Summer"
2 Dec. 2007
Using just a simple radio receiver, a soundcard and suitable software, the remote-exploit.org members Max Moser & Philipp Schroedel have managed to tap and decode the radio frequencies transmitted between the keyboard and PC/notebook computer.
Wireless keyboards have been distributed for years all over the globe. After the initial infrared-based keyboards, the vendors developed radio frequency based models operating at 27 MHz. Logitech and Microsoft are two major brands in this market area. Their products are sold in many consumer electronics stores worldwide. After analyzing wireless keyboard communication, Dreamlab is able to understand how the keyboards function, eavesdrop on their traffic, crack the encryption key and decrypt the data into clear text keystrokes. The keystrokes from any analyzed keyboard within the radio receiver's range can be sniffed at the same time.
The above statement is true and validated for Microsoft's Wireless Optical Desktop 1000 & Wireless Optical Desktop 2000 products. Unfortunately, we could not validate it against all of the Microsoft models, but according to the product documentation and pictures available on the internet, the attack might also work on the following models: Wireless Optical Desktop 3000, Wireless Optical Desktop 4000 as well as their 27 MHz-based Wireless Laser Desktop series.
Please note that this document contains information about the named keyboards; other brands, products and models might differ. A detailed analysis of Logitech models is still in progress and will be published when available. We are aware that there is no quick fix for this hardware design vulnerability, so we decided not to release the proof of concept to the public, and we are not releasing the full protocol details at the moment. We may do so after we finish the research on other brands and on new solutions like Logitech's Secure Connect.
Radio frequencies are a shared medium and should be treated as one. We suggest not using insecure communication channels for important information without adequate levels of encryption. Dreamlab is willing to demonstrate the attack on request and will publish a demonstration video on their website. In addition, the researchers have created a presentation about their work, the procedures used and the pitfalls they experienced during the analysis. They will present their work at different events, or you can book them for individual educational presentations or trainings. This will hopefully help researchers get into the very interesting topic of analyzing unknown radio-based data transmission.