And this is why the Google security folks don't let employees use wireless keyboards unless they're Bluetooth, and above a certain Bluetooth protocol version at that. Not that this analysis at any time conducted attacks on the Bluetooth protocols - every single one of these keyboards had a secondary 2.4GHz dongle and just happily transmitted everything over that. I'd have liked to know whether they're trying to transmit to that dongle all the time or whether it turns off when the Bluetooth connects!
Summary of the results (page 137):

    Protocol   Sniffing   Injection
    Plexgear   Yes        Yes
    Rapoo      Yes        Yes
    Logitech   No         Yes
    Corsair    Yes        Yes
    iiglo      Yes        Yes
    Exibel     Yes        Yes
    Razer      No         No
Choice quotes from Chapter 6 (Discussion):

The results show that 9 out of 10 keyboards have at least some form of vulnerability. Out of all the keyboards, 8 of them were shown to contain new previously unknown vulnerabilities that could grant an attacker full control of the computer of the keyboard. The severity of these vulnerabilities in combination with how prevalent they are show that the usage of wireless keyboards should in no way be used in any situation where security, privacy, or integrity is of any concern whatsoever.

[...]

Out of all the keyboards, only one of them actually promised any form of encryption as part of the marketing of the keyboard and this is the Corsair K63 Wireless. The keyboard is marketed with 128-bit AES encryption but as the results of the penetration test show, this is not the case. The keyboard's only obfuscation of the wireless transmission is a simple XOR of the payload with a static key that can potentially be reverse engineered automatically with some very simple calculations.

[...]

Razer BlackWidow V3 Pro was the only keyboard not shown to contain any vulnerability. As a result of this, it is deemed the most secure of the targeted keyboards but it could still be vulnerable to some unidentified vulnerability that requires more time and resources compared to the rest of the keyboards.
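As an added illustration (not from the thesis or the comment above), a toy model of why a static XOR is not encryption, plus the property check one would run over frames captured from one's own device to test a vendor's encryption claim. The 8-byte HID-style report layout and the key are constructed here; this is not the Corsair frame format.

```python
import secrets

# Constructed toy frame, not the real Corsair K63 protocol: an 8-byte
# HID-style keyboard report [modifiers, reserved=0, keycode1..keycode6].
def hid_report(modifiers=0, keycodes=()):
    keys = list(keycodes) + [0] * (6 - len(keycodes))
    return bytes([modifiers, 0] + keys)

def xor_static(data, key):
    """The 'obfuscation' the thesis describes: XOR with a fixed key, no nonce, no MAC."""
    return bytes(d ^ k for d, k in zip(data, key))

def recover_static_key(frame, known_report):
    """XOR undoes itself, so one frame whose plaintext is known gives up the whole key."""
    return xor_static(frame, known_report)

def audit_frames(frames):
    """Property check over captured frames from a device you own.

    Real encryption randomises every message with a nonce, so repeated
    keystrokes must never yield byte-identical frames. Repeats mean the
    scheme is deterministic; a static XOR is the simplest such scheme.
    """
    distinct = len(set(frames))
    return {"frames": len(frames), "distinct": distinct,
            "deterministic": distinct < len(frames)}

def demo():
    key = secrets.token_bytes(8)             # the device's fixed per-unit key
    idle = hid_report()                      # all-zero report sent when no key is down
    typed = [hid_report(0, [0x04]), idle, hid_report(0, [0x04]), idle]  # "a", release, "a", release
    frames = [xor_static(r, key) for r in typed]
    audit = audit_frames(frames)             # 4 frames, only 2 distinct: deterministic
    # Any single known plaintext (the idle report is the obvious one) yields the key,
    # which is the "very simple calculations" the thesis refers to.
    recovered = recover_static_key(frames[1], idle)
    decrypted = [xor_static(f, recovered) for f in frames]
    return audit, recovered == key, decrypted == typed

if __name__ == "__main__":
    print(demo())
```

With a real AEAD (for example AES-CCM with a per-message counter) the same audit would report every frame distinct, and a recovered "key" from one known report would decrypt nothing else.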
Seems wireless keyboard vulnerabilities can also be problems *accidentally*...

Just a couple years ago, I was finalizing and testing some factory stations we'd built (incorporating industrial NUCs) before they'd be flown to Asia for installation in a production line.

Someone had ordered a name-brand wireless keyboard with USB dongle, and I'd said we probably don't want wireless keyboards nor their dongles in the factory, but I figured it was OK to use briefly for testing, since it's what we had handy.

Was getting phantom key events, which initially was alarming, because I'd had to get creative with some device drivers and the Linux input system. But then it also happened during BIOS/UEFI setup.

There was one other person in the shared tech/lab space at this time, so I go over and ask if they happen to be doing anything with RF... It turns out they were also using the same brand of wireless keyboard, which seemed to intermittently be barging in or interfering with mine, in such a way as to generate valid USB input device events.

When I brought it up with colleagues, we were all baffled, since presumably the name brand would like to sell fleets of wireless keyboards to entire open-plan office building floors at a time, and would design it to work well for that use case. But it did indeed seem that activity on one keyboard was triggering events out the USB dongle on another.

(I won't mention the brand, since I didn't investigate rigorously and write it up. We were crazy-busy, launching our startup's MVP. Fortunately, without the wireless keyboards, the stations were rock-solid for the entire year-plus deployment, against all odds.)
Unfortunately they only tested Logitech's Unifying system, which is known to be broken (mentioned in the paper).

That's one of the reasons Logitech is moving to Logi Bolt, which is supposed to be very similar to BLE (but with a separate receiver). I'd be really interested to know if it's also as secure as BLE.
Answered my own question, so sharing it. I wanted to know if the Sculpt Ergo was vulnerable. (Seems not.) (Also, this has been ~known since at least ~2016.)

> http://xahlee.info/kbd/Microsoft_wireless_keyboard_key_sniffer.html
So what are the choices for secure wireless keyboards? The only one I know of is the Apple Magic Keyboard with Lightning port, which uses Bluetooth (BLE rather than the classic one) and not some random home-baked protocol over 2.4GHz. It also sidesteps the vulnerable pairing step by asking you to plug in to pair.
I for one will not make a keyboard purchase based on how secure the underlying wireless mechanism is.

Goes without saying, though, that they should all be 100% secure, so credit to the author for investigating this.
I got a Rapoo keyboard for free. Since I consider it a no-name brand, I'm not at all surprised that it turns out to be insecure (perfectly matches my expectations); I'm rather surprised that the author even audited them and that they even *attempted* to secure the communication a little bit.

So my intuition that generic "2.4GHz" communication is insecure has mostly been proven right. Now what about Bluetooth keyboards? Can they be considered secure?
I didn't expect to see a master's thesis from KTH on HN. I actually took a course with Roberto, one of the supervisors of this thesis, while I studied there. Small world.