I got asked by a CEO of a local credit union whether or not his tellers using wireless mice and keyboards posed any sort of security threat. I’ve never been asked something like this before and I recommended sticking with a wired keyboard, but a wireless mouse was probably okay.

Am I right in what I told him? My thought is that a sniffer could theoretically pick up keystrokes from a wireless keyboard, but a mouse doesn’t pose as much risk.

What are your thoughts on this? Any ideas or input that I may not be thinking of?

9 Spice ups

They make them encrypted now: https://www.microsoft.com/accessories/en-us/aes-encryption

6 Spice ups

I believe the Logitech wireless is reasonably secure, but I’m surprised you were allowed to install wireless anything in a bank lobby. Remember, these are the same places that chain their pens to the desk. :)

8 Spice ups

As I understand it, it depends on the wireless keyboards used.
This question should be answered by the Risk Management team since it is a financial institution
and their level of PCI compliance.

The last contract I worked required the PC case to be locked and then locked again in a secure enclosure
without connection to any wireless technology.

1 Spice up

I frown on all wireless in this setting as well. This is the only type of wireless in the entire building, but the tellers insist that at least for the mouse the wireless is nice since the cord doesn’t get in the way.

I didn’t realize that there were encrypted sets from Microsoft, so thank you to Dennis Kelley for the link!

I’ll have to check with the compliance team on this. They haven’t said anything in the past about the PC cases needing locked, but as we all know things change quickly in the IT/Security world!

1 Spice up

This has been a practice for years. They took their client confidentiality to a level I have never seen before.

And now with the compromised WPA I am sure that a ton of their APs have been shut down.

One location alone had 38,000 endpoints alone, not including POS or Servers.

There is always a risk with wireless. Some devices aren’t encrypted at all. Bluetooth is encrypted, but the standard is so complicated that everyone just uses the sample code, which was never designed to be production ready, and you are vulnerable to implementation bugs. Also don’t believe that you have to be within 30 feet to receive and decode a signal. It’s not like a signal hits a magical wall and just stops. They go through walls and just get weaker over distance. Sniffing a mouse probably isn’t too useful, but maybe the mouse interface can be compromised and be added in as a keyboard driver too, and then things get really interesting. I wouldn’t allow any wireless technology to connect in a high security environment. If I were to ever go to a hacker security conference like Black Hat, I would probably just leave my phone off.

1 Spice up

As far as I know none of our tellers have wireless keyboards or mice, however some of the people in Admin do. I’m not sure why they do, or what our overall policy is about that. Mostly we just use wired keyboards and mice.

The Logitech wireless keyboard takeover issue is real: https://www.mousejack.com/

I was able to perform the attack with a $20 piece of hardware from Amazon. I don’t have l33t skillz, it was trivially easy.

Logitech updated the firmware for the devices but most users don’t know or bother to update that kind of thing.

There was some work being done to do the same attack on the Logitech mouse, but I don’t know that anything came of it.

1 Spice up

I am in the process of replacing any wireless keyboard with a Bluetooth keyboard and mouse. One branch that was newly remodeled needed wireless and it seemed that Bluetooth was the most secure for us.

By the sounds of it Bluetooth is more secure than a standard wireless keyboard and mouse?

Garrett, once again make sure that your RISK compliance peeps sign off on this… Not that it will protect
your job in case of a breach but hell it can’t hurt if they come asking Y…

That’s a good point, Mike.