Researchers from a Swiss security company, Dreamlab Technologies, have successfully hacked the the protocol used for securing some of Microsoft’s wireless keyboards; Microsoft Wireless Optical 1000 and Microsoft Wireless Optical 2000. They also mentioned that Wireless Optical 3000, Wireless Optical 4000 and other 27Mhz based Wireless Laser Desktop series could be vulnerable to this hack.
These wireless keyboards communicate with a receiver connected to the Computer and all keyboards communicate in the same frequency range. Each keyboard has to be associated with the corresponding receiver before it can function properly. This association is done by pressing ‘connect’ or ‘synch’ buttons on the keyboard and receiver. Once a keyboard has been associated with the receiver, it’ll ignore packets received from any other keyboard in range.

Three main packet frametypes identified in the research were Data Packets (actual keystrokes), Management Packets, and Synch Packets (Keyboard and receiver association). Data packets are used to transport actual keystrokes from keyboard to the receiver in encrypted form. Meta-keys like “Shift”, “CTRL”, and “ALT” are transported in clear-text as flag fields. Management packets are used to identify when all the keys have been released on the keyboard with no encryption involved. Synch packets are used in associating keyboard with the receiver and changing encryption key. The encryption key does not change as long as the keyboard and receiver has been in synch mode. Thus, pressing ‘connect’ key initiates it.

Only the actual keystrokes are encrypted in transmission. No other identifier bits or meta-flags are encrypted or obfuscated at all. A simple XOR (Exclusive OR) mechanism is used to encrypt the one byte USB HID code using a single byte of random data generated using association process. 256 different key values that can be used in any keyboard to receiver encryption can be cracked easily with the very slow computers today. The researchers boasted that by using a simple wordlist checking in combination with a weighting algorithm, they were able to decrypt data within only 20-50 keystrokes.

They’ve a video demonstration showing how easy it is to sniff and decrypt multiple keyboards simultaneously using an application. The application consists of a sniffer/decoder running in a terminal which opens up a new window as soon as it figures out the correct encryption key, and shows all keystrokes from the keyboard in clear-text. Multiple keyboards can be sniffed with a separate window for each. Researchers said that they are close to being able to use the hack to control the computers as well.

The frequency used by the keyboards is also used by CB radios, and it could be possible to obtain radio equipment that could intercept these transmissions. The effective range of these keyboards are around 10 meters, through walls and floors as well. There is no patching possibility as this is a hardware issue. If you’re using any of these keyboards, and is concerned about the guy next door sniffing your usernames, password or other sensitive stuff, you better change to a wired keyboard, bluetooth keyboard, or a more secure wireless keyboard.