Beta

×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

Secure wireless mice

kasperd (592156) writes | about 10 years ago

Security 13

Most of you probably already know how annoying the wire on the mouse sometimes may be. That is why the wireless mouse was invented, and now I'm looking for one. But as with any other wireless equipment, security is an important issue. Sometimes these devices work over longer ranges than expected.

Most of you probably already know how annoying the wire on the mouse sometimes may be. That is why the wireless mouse was invented, and now I'm looking for one. But as with any other wireless equipment, security is an important issue. Sometimes these devices work over longer ranges than expected.

The possibility to sniff the input is not my only concern. Authenticity is also important, I don't want anybody within a range of 100m to be able to control my computer. So any product that doesn't do both encryption and MAC (message authentication codes), is out of the question.

It wouldn't be difficult to produce a secure product. Good ciphers and MACs exists, and key exchange can safely be done while the mouse is placed in the recharger. But finding a product that actually does this proves to be difficult.

I searched for wireless mice satisfying most of my needs (that is optical wireless mice with at least three mouse buttons). And I picked five well known manufacturers from the list. None of the informations I could find online answered my questions. So I decided to contact the companies and ask. The result were depressing.

  • The first company had a wide range of wireless mice, but only one product with encryption. And even this product wasn't trustworthy, as it was based on proprietary algorithms. Security through obscurity is generally considered a sign of weakness, and is advised against in more than one place.
  • The second company did not know what encryption and MAC is, and did not consider it to be necessary.
  • The third company never replied to my email.
  • The fourth company replied to my email, but did not try to answer my questions. Instead I was referred me to a reseller. The reseller had never heard about the product.
  • The fifth company did not provide any contact informations on their webpage.

So I am starting to worry, that maybe secure wireless mice simply does not exist. Where should I look for a secure wireless mouse? And if I find a manufacturer, that can provide a good description of a secure product, how should I verify that the implementation actually match the description?

Of course my considerations about wireless mice also applies to keyboards. The keyboard may in fact be even more sensitive than a mouse, and since I don't move my keyboard as much as I move my mouse, I have decided to stick with wired keyboards.

cancel ×

13 comments

Sorry! There are no comments related to the filter you selected.

Wow (-1, Troll)

Anonymous Coward | about 10 years ago | (#9668864)

You are a paranoid fuck.

Bluetooth (1)

CptChipJew (301983) | about 10 years ago | (#9668881)

Bluetooth mice often use encryption.

Apple's BT mice use AES-128

Re:Bluetooth (1)

kasperd (592156) | about 10 years ago | (#9676142)

Bluetooth mice often use encryption.

Maybe that is true. The one mouse the first company could offer with encryption was in fact a bluetooth mouse. But since it is security through obscurity, I still cannot trust it. It is not enough for me that they say there is encryption, I want a trustworthy product.

Apple's BT mice use AES-128

I did not look much on the Apple products, because I couldn't find any Apple mouse that satisfied the rest of my requirements. One of the requirements I mentioned was at least three mouse buttons. Another requirement I did not mention is that it must be a PS/2 mouse such that it will work with my KVM switch.

Besides that, choosing a cipher is the least part of making a secure product. I would trust AES-128, but without further information I would not trust that they use it correctly. Do they really use a probabilistic encryption, which is necesarry to achieve semantic security? And how is the integrity ensured. This is one of the harder parts, because the data transfered from a mouse need only very small packets (3-6 bytes AFAIK), so a 128-bit MAC would be a large overhead. And security is more than just verifying integrity of individual packets. You will expect some packet loss, but you don't want to allow an attack that discard packets arbitrarilly, or even worse duplicate and reorder packets.

Finally there is the most tricky part, the key exchange. The simple solution would be to make them fixed when the mouse is manufactured. But then you cannot replace the mouse without replacing the receiver, and vice-versa. So I guess few vendors actually do that. But then how do they perform the key exchange?

Re:Bluetooth (1)

CptChipJew (301983) | about 10 years ago | (#9679746)

Besides that, choosing a cipher is the least part of making a secure product. I would trust AES-128, but without further information I would not trust that they use it correctly.

This isn't Apple's only implementation of AES-128. MacOS X has a feature that will encrypt a uses home folder in AES-128 on the fly, and they stand by it as being both secure and reliable.

But of course as you said, an Apple mouse isn't going to serve. This Bluetooth mouse [radtech.us] has 2 buttons and a scroll wheel, though I'm not sure of it encrypts. As well, the pairing code is 0000 on all of them, which I guess leads to some insecurity.

Re:Bluetooth (1)

kasperd (592156) | about 10 years ago | (#9680794)

This isn't Apple's only implementation of AES-128.

It is still not the implementation of AES-128 I'm worried about. That part they can easilly test against reference implementations. It is the way it is used.

MacOS X has a feature that will encrypt a uses home folder in AES-128 on the fly, and they stand by it as being both secure and reliable.

Is this on the block layer or on the filesystem layer? I have been looking a lot into what have been done on the block layer. But most of it sounds like an insecure pile of crap. The only product that sounds resonably secure is the one for FreeBSD [slashdot.org] which was mentioned on slashdot about a year ago. If you try to do it on the filesystem layer you can avoid some of the challenges of a block layer implementation. But the end result is probably going to be a lot more complicated, and there are even more possibilities to do something wrong than on the block layer. So I wouldn't expect the average filesystem encryption to be more secure than the average block layer encryption.

This Bluetooth mouse has 2 buttons and a scroll wheel, though I'm not sure of it encrypts.

I should investigate that a bit further.

As well, the pairing code is 0000 on all of them, which I guess leads to some insecurity.

Sounds insecure to me. Even a four digit code you could chose yourself would be insecure if not used very carefully.

Find one you like and hack it? (1)

Annirak (181684) | about 10 years ago | (#9698365)

If you can find a mouse with relatively common hardware, updating the firmware to do what you want *might* not be that bad. Of course, that all depends on the complexityof the firmware. And writing USB firmware can really suck if the hardware doesn't take care of what it should.

Re:Find one you like and hack it? (1)

kasperd (592156) | about 10 years ago | (#9700279)

If you can find a mouse with relatively common hardware, updating the firmware to do what you want *might* not be that bad.

Updating the firmware is not an option if the hardware cannot do what I need. I mean the best solution I can think of requires the mouse to communicate with the receiver through the connectors in the recharger. If the hardware cannot do that, there is no way a modified firmware can help. Besides where do I find a mouse where I can actually update the firmware in the mouse?

hmm... (1)

l33t m4st3r (672779) | about 10 years ago | (#9700485)

I'm gonna go with what the first guy said. What is somone gonna do with how you move your mouse and click? A keyboard might be diferent, but a mouse? If your that paranoid then go back to a wired mouse.

Re:hmm... (1)

kasperd (592156) | about 10 years ago | (#9700762)

What is somone gonna do with how you move your mouse and click?

So did you not read what I wrote? Or did you just not understand it?
Authenticity is also important, I don't want anybody within a range of 100m to be able to control my computer.
But of course secrecy is actually important as well. Many random number generators use mouse input as their primary or only source of randomness. If you can sniff the mouse you can predict randomness that was supposed to protect your network communication. You cannot solve a problem by pretending it does not exist.

If your that paranoid then go back to a wired mouse.

That is probably the most useless piece of advice I got today. Do you give that kind of advice to everybody who ask which wireless mouse they should use?

It is possible to create a secure wireless mouse. We already have the technology and theoretic knowledge to make an unconditionally secure protocol for a wireless mouse if we want it. But no vendor have made one, and most customers seems to accept the hopelessly insecure products. I'm surprised that even slashdotters seem to accept status quo.

Re:hmm... (1)

l33t m4st3r (672779) | about 10 years ago | (#9751949)

i misunderstood the first point. i use a wireless mouse my self. i have never seen the frequences hijacked by anyone. if somone does gain control over your computer, they will have to see the screen to do anything. if they are that close they might as well be using your own mouse. yes it would be nice to have some security like that, but i dont see it being a big enough demand now.

Re:hmm... (1)

kasperd (592156) | about 10 years ago | (#9761681)

if somone does gain control over your computer, they will have to see the screen to do anything.

It is easier if you can see the screen, but I still believe a lot of damage can be done if you have a carefully prepared sequence of movements. It is easy to move the cursor to a corner of a screen. So if you know the coordinates of some icon relative to any of the corners of the screen, you can use it. If you can somehow manage to open a window with some predicatble text in it, you can also use cut'n'paste to type in stuff. Given these possibilities, how difficult would it be to open a browser and take you to a site I control, and click yes when the browser asks if it is okay to download and install this program from an untrusted source?

Bluetooth (1)

silas_moeckel (234313) | about 10 years ago | (#9733084)

OK You seem to be looking for something that isn't there because your insisting on a PS/2 Interface. Thats a legacy interface designed for wired devices why would a company have any desire to implement security over a wired interface?

Bluetooth gives you security as it's built into the protocal at Layer 2 I beleive. The pairing process is when key exchange is done. As to security of the cypher it the same across BT as it's part of that standard. The only reasons any security is there is because it's built into th protocal and thus the cheap chipsets to support that protocal get built into the mice.

Oh BTW the big reasons you wont ever find realy secure wireless mice is because if security is nessicary they will use a wire with good shielding.

Re:Bluetooth (1)

kasperd (592156) | about 10 years ago | (#9735538)

OK You seem to be looking for something that isn't there because your insisting on a PS/2 Interface.
That is wrong. I never told any of those companies, that PS/2 was in fact a requirement. They still were not able to suggest any trustworthy wireless mouse.

Thats a legacy interface designed for wired devices why would a company have any desire to implement security over a wired interface?
This is nonsense. I'm not talking about security over PS/2. I'm talking about security over the wireless connection. The wireless communication doesn't magically end up in the PS/2 connector on the computer. There is a receiver that will send the data through a wire the last way to the computer. That receiver clearly is designed for wireless communication, and should have been designed with security in mind. There is no reason the wireless communication should use the PS/2 protocol, I'm even sure it would be a bad idea to use the PS/2 protocol at that point. You can come up with something that is a lot more stable in case of lost packets over the wireless link. And it doesn't have to be compatible with anything, they sell you a mouse and a receiver that needs to communicate with each other, that's all.

Bluetooth gives you security as it's built into the protocal at Layer 2 I beleive.
I have already explained twice why the bluetooth product suggested by one of the companies is not a trustworthy product.

The pairing process is when key exchange is done.
From what I have heard about the pairing, the security is based on a four digit pin. This is already very weak. Except from the weakness of the too small key, there is another problem. Nobody have been able to show me how this exchange works, so I cannot trust it.

As to security of the cypher it the same across BT as it's part of that standard.
And yet even on request the vendor provides no information at all about the security of the product.

The only reasons any security is there is because it's built into th protocal and thus the cheap chipsets to support that protocal get built into the mice.
Do you know something I don't know. Because none of the information I have seen so far gave me any reason to believe the protocol was secure. I wonder if the availability of such standard chips would make it easier to break the system, at least I wouldn't have to build the hardware from scratch.

if security is nessicary they will use a wire with good shielding.
I don't believe that. I'm sure wireless mice are being used in a lot of places where security is necessary. But maybe wireless mice are only being used by people that are ignorant to security.
Check for New Comments
Slashdot Login

Need an Account?

Forgot your password?
or Connect with...

Don't worry, we never post anything without your permission.

Submission Text Formatting Tips

We support a small subset of HTML, namely these tags:

  • b
  • i
  • p
  • br
  • a
  • ol
  • ul
  • li
  • dl
  • dt
  • dd
  • em
  • strong
  • tt
  • blockquote
  • div
  • quote
  • ecode

"ecode" can be used for code snippets, for example:

<ecode>    while(1) { do_something(); } </ecode>