A couple of people have been bringing in their own Wireless Keyboard/Mice recently and remembering a few articles from a while back insisting they were insecure, as the data being passed between keyboard and PC was being done so without encryption, I’m wondering if I should be allowing this to happen.
However, now reading articles, such as this: Keysweeper: proof that it's relatively simple to hack a wireless keyboard
I wonder how concerned I should be.
Do you use Wireless Keyboards? Are you concerned? Do you ensure that you purchase ones which have encrypted connections?
Be interested to see everyone's take on this!
52 Spice ups
We’ve never had this before to be honest. So the Policy only talks about Company Equipment FOR personal use as opposed to the opposite.
It’s not particularly secure work, until today when someone in HR brought one. That’s what got me thinking. We’re not governed by any regulations such as those, so we’re not breaking any rules from that point of view. This is purely a personal concern.
3 Spice ups
I’m pretty certain the Data Protection Act has something to say about HR bringing in their own equipment. It’s all about having physical and procedural steps in place to secure personal data - which is what HR would be dealing with.
So maybe it’s time to check with a solicitor or even the Information Commissioner’s Office for advice.
2 Spice ups
psophos
(M Boyle)
5
I’d ask the people who are bringing the wireless keyboards in (politely) why they are doing so.
As for the security risk, who knows? With a mic in a quiet office researchers managed to determine what people were typing with up to 95% certainty based purely on analysing the audio of the recorded tapping on the keyboard. More keyboards in action reduced the certainty to ~80%.
Should you be concerned? Yes. But it might well be waaay down your list of priorities.
9 Spice ups
Agree completely. This was just a passing thought really.
They’re only bringing them in because they don’t like the wires trailing on their desks. Nothing more.
1 Spice up
There’s a couple of problems with wireless keyboards. People borrow / lose / steal the dongles which means that they have to be replaced (and they’re not that cheap); and if you get too many devices in the same area, sometimes the hardware gets mixed up. It can be a pig to sort out.
As for having people bringing stuff into the office; what happens if someone does steal it? Who is liable? Personally, I would make it clear that it is entirely at their risk; there is no way that I would be prepared to replace a “missing” keyboard, mouse or dongle.
11 Spice ups
I agree with M Boyle here that whilst there is a risk, it is typically a low one. An attacker needs to get into your office (or already be within) to plug in a wireless sniffer to pick up all the keystrokes. And if someone is willing to go to those lengths, then they may as well plug in a physical key logger into the wired keyboard for the same effort.
Really is dependent upon your risk profile and what kind of threat models you have.
Like Bottman says, it’s probably more about making sure the company is not liable for any losses and if anything is to be plugged into the mains it should undergo a PAT inspection.
12 Spice ups
psophos
(M Boyle)
9
Bottman there nailed most of my concerns.
Theft and interference. Both will be a pain to resolve. We don’t like to think about such things as theft but it does happen and it can create a really poisonous atmosphere.
With a proper antenna these wireless signals can be detected at a reasonable distance, but again that’s a fair amount of effort to go to when hacking is generally much easier and has no requirement for physical proximity.
In the HR case I would mention that the signals can be detected. Best to nip it in the bud. And then ask the HR person what you should do if people’s personal property does get stolen.
2 Spice ups
We don’t allow anyone to bring in their own keyboard, mice, or software. If they need it for work, work should buy it - and hold the license for it.
13 Spice ups
I don’t agree that an attacker has to be in your office in order to attempt to intercept key strokes; it could be done from another floor in the building, or potentially outside of it. The technology the device uses would also be a factor in how far the signal travels, such as Bluetooth Class 1, 2, 3 etc. or 2.4 GHz wireless.
Furthermore there are examples of weak crypto being used on some keyboard models which is trivial to break.
1 Spice up
Though the newer keyboards use 2.7 GHz, look out for the older 27 MHz models. This guy used an RTL SDR dongle to decode the datastream of a Logitech wireless keyboard:
As long as the airgap is encrypted with an acceptable cipher then you should be fine in most cases.
I have given stern warnings against them, but being a contractor my job is mostly to advise. I just make sure when I do so that my thoughts are well known, and if that’s the method by which a breach happens, that they were warned.
1 Spice up
Last time I read about this attack, it was useful against “some” Microsoft and Logitech keyboards that were NOT using Bluetooth, but rather their own proprietary wireless protocol.
I understand Bluetooth keyboards to be secure as long as the attacker is not eavesdropping during the moment of pairing.
I don’t know any way to tell which non-BT keyboards are vulnerable. It’s scary to me because the attack is pretty trivial to carry out and low risk for the attacker. Radio waves go in every direction and there’s no way to detect they are being intercepted; the attacking device can be tiny and hidden, and also look innocuous.
2 Spice ups
We use the “if you need it for your job, work will purchase it” approach as well. The only exception we have had on this is for some one-off things that people have asked for; we have let them bring their personal version of the equipment in to do a demo of how it will make them more productive (hard to get the boss to sign off on a $60 mouse when we have hundreds of the standard ones floating around).
As for being concerned about the wireless keyboards, unless you are in an industry that requires you to be concerned, I would say you have bigger things to worry about, though you could use this as a goal to work towards the day when this is your biggest concern to worry about!
2 Spice ups
paolo0111
(Paolo0111)
17
If someone wants to steal secrets from the keyboard or mouse, they have a number of interesting alternatives, hardware, software or even wireless, without interfering with the normal appearance of the keyboard:
https://www.keelog.com/
1 Spice up
I agree with a lot of the posts here. It is fairly easy to do against some keyboards but if someone is already inside the building they easily could just install a keylogger. I like the Bluetooth suggestion because I also have only read about them being vulnerable during pairing.
lenmc
(LenMc)
19
I do not honestly see a need for a wireless keyboard. I am sure there are certain extenuating circumstances where they are useful. But for the most part your keyboard is within a couple feet of your machine. Is the 1 thin wire gonna screw up your feng shui that much?
6 Spice ups
kptim
(Tim-H)
20
I would be more concerned about users bringing in devices and freely plugging them into workstations, that seems like more of a risk than someone logging keystrokes, although that is still pretty bad.
3 Spice ups