We know what you typed last summer
cybernmd posted in exploits, hacking, hardware hacks, Uncategorized on December 1st, 2007
An interesting advisory comes from guys at remote-exploit and dreamlab technologies dealing with (in)security of common non-bluetooth wireless keyboards sold by Microsoft (Wireless Optical Desktop 1000 and 2000). According to the white paper released on the subject (available here) only the actual key pressed is transmitted in encrypted form, all other communication such as keyboard identification, metakeys (Shift, Alt, etc.), and other data are all transmitted in clear text. Furthermore, the encryption scheme used for keystroke data consists of “a simple XOR mechanism with a single byte of random data generated during the association procedure”. What this means is that not only can you quickly brute force entire key space (256 combinations), but you can actually obtain the encryption key by intercepting the initial association of keyboard and receiver (as was demonstrated in this video ). Authors did not release the PoC tool to the public citing an ongoing research (meaning more goodies coming soon ;). As such we can only applaud at this effort and look forward to seeing this tool in the upcoming Backtrack 3.