Software for cracking wireless keyboard encryption published
Users of the Optical Desktop 1000 and 2000 wireless keyboards should consider replacing them with wired keyboards, as it has now become practical for attackers to sniff their keystrokes. About one and a half years after announcing that they had cracked Microsoft's wireless keyboard encryption, Max Moser and Thorsten Schröder of Dreamlab have published the required Keykeriki software as well as instructions for building the sniffing hardware (circuit diagram and board layout in Eagle format).
The hardware is based around the Texas Instruments TRF7900A 27 MHz receiver used in wireless mice and keyboards. It is controlled via an 8-bit Atmel controller. Dreamlab is even considering selling ready-assembled hardware units.
Only Microsoft wireless keyboards transmitting on the 27 MHz band are currently affected. Bluetooth keyboards are not at risk. Decoding Microsoft keyboards is extremely easy because the encryption is based on a simple XOR operation and only requires an 8-bit key. Although the method of cracking these keyboards has been known since December 2007, Moser and Schröder have so far found nothing to indicate that Microsoft has taken steps to resolve the situation.
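The weakness of an 8-bit XOR key can be shown on constructed data. The following is an added example, not part of Keykeriki or the original article: the sample text, the key value 0x5A and all function names are assumptions, and the bytes are plain ASCII rather than the keyboard's real packet format.

```python
"""Added illustration: why a fixed 8-bit XOR key gives no confidentiality.
Sample data is constructed; it is NOT the keyboard's real packet format."""
import string

def xor_bytes(data: bytes, key: int) -> bytes:
    """Apply the same single-byte key to every byte (encrypt == decrypt)."""
    return bytes(b ^ key for b in data)

# Characters we expect in typed text (an assumption made for this demo).
PLAUSIBLE = set((string.ascii_letters + string.digits + " .,@-_\n").encode())

def plausibility(candidate: bytes) -> float:
    """Fraction of bytes that look like typed text."""
    return sum(b in PLAUSIBLE for b in candidate) / len(candidate)

def rank_keys(ciphertext: bytes) -> list[tuple[float, int]]:
    """Score all 256 possible keys; the whole key space is one short loop."""
    scored = [(plausibility(xor_bytes(ciphertext, k)), k) for k in range(256)]
    return sorted(scored, reverse=True)

def key_from_known_byte(cipher_byte: int, plain_byte: int) -> int:
    """XOR is its own inverse, so one known plaintext byte reveals the key."""
    return cipher_byte ^ plain_byte

# Constructed sample: typed text under a hypothetical fixed key.
SAMPLE_KEY = 0x5A
SAMPLE_PLAIN = b"user@example.com\nCorrect-Horse-9 battery staple\n"
SAMPLE_CIPHER = xor_bytes(SAMPLE_PLAIN, SAMPLE_KEY)

if __name__ == "__main__":
    ranking = rank_keys(SAMPLE_CIPHER)
    best_score, best_key = ranking[0]
    print(f"keys tried: {len(ranking)}, best key: {best_key:#04x}")
    print(xor_bytes(SAMPLE_CIPHER, best_key).decode())
```

The takeaway for anyone evaluating an input device is that a repeated XOR with a short key is obfuscation, not encryption: the key space is exhausted instantly and a single guessed plaintext byte yields the key directly.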
The researchers will target 2.4 GHz keyboards next. Even switching to a wired keyboard, however, doesn't seem to be the ultimate solution. Researchers at the CanSecWest security conference have already demonstrated how to tap wired keyboards by taking laser measurements and monitoring power line leakage.
- Security firm cracks encryption for Microsoft's wireless keyboards, a report from The H.