×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

Security - Logitech Wireless Mice & Keyboards Can Be Sniffed

Cliff posted more than 11 years ago | from the and-just-as-I-was-getting-used-to-mine dept.

Privacy 292

Brock Tellier writes "The old adage 'The only safe computer is locked in a room and unplugged from the Internet' proves false. According to a recent security report about Logitech wireless mice and keyboards, an attacker can sit a hundred feet or more from your computer and 'sniff' the data from your keyboard and mouse. Scary." Scary indeed! Having just purchased one of these, and finding them immensely conveinient such news is disheartening. Are there easy ways in which Logitech might be able harden any new models against this? How difficult are these things to sniff, and what kind of hardware would one need to do so? Obvious security tip: if you have these keyboards attached to machines that may access secure data, consider moving them back to the wired standbys until a more secure wireless options present itself.

cancel ×
This is a preview of your comment

No Comment Title Entered

Anonymous Coward 1 minute ago

No Comment Entered

292 comments

Re:Tempest (1)

Anonymous Coward | more than 11 years ago | (#199828)

The BBC did a demo of this years ago. The tape was banned under the 'Official Secrets Act' or some equivalent. I saw it at CISSP training in 1999; I have no idea how to get ahold of a copy.

Re:How much could be learned... (1)

Anonymous Coward | more than 11 years ago | (#199829)

Combining information from a cordless mouse with that of the cordless keyboard would be useful. It would help delineate the keyboard data by associating a mouse move/click before or after some keyboard input. For example:
[mousemove][click]Anonymous Coward
[TAB] *or* [mousemove][click]mypassword
[TAB] *or* [mousemove][click]Re:How much could be learned...
[TAB] *or* [mousemove][click]blah

would be the sequence of events, no timing needed, to understand the data from me filling out the form to write this message. Otherwise the data from the keyboard is a little more difficult to decypher (remember though, this is a *very* basic example. It makes more sense to apply it to a more complicated case.).
Anonymous CowardmypasswordHow much could be learned...blah

TEMPEST? (2)

Anonymous Coward | more than 11 years ago | (#199831)

You know, part of the reason the very existence of TEMPEST was classified for so long was that: a) it worked, and b) no one knew about it. That time has passed; why is this "news"?

Re:Tempest (3)

Anonymous Coward | more than 11 years ago | (#199832)

It basically is a room which is a gaussian sphere

I believe the term is "Faraday cage".

Re:I sniffed my mouse... (1)

Micah (278) | more than 11 years ago | (#199834)

Either that or get a gerbil. I had mice and gerbils as a kid and you wouldn't believe how much cleaner gerbils are.

Usefulness of sniffing mice (2)

Micah (278) | more than 11 years ago | (#199835)

ok... so you're sniffing someone's cordless mouse.

"moving up a bit... left click... moving right a bit... moving down a bit.... right click... moving left a lot and up a bit. silence... moving down a lot, a little to the left... right click... moving up a bit...."

What exactly could you do with that info?

Method 101 (1)

narrowhouse (1949) | more than 11 years ago | (#199839)

There are a thousand ways that "some people" can sniff what you do. I have heard rumors of government technology that can get some data about what you are typing by tapping your electrical lines, or even fron the sound of your typing, devices that can recreate the image on a CRT from across the street. It all sounds like "Enemy of the State" paranoia until you find out it is real (Echelon anyone?). Security is an illusion unless you take very STRONG precautions. A fact of life, not that I haven't thought about distributing a one time code pad to a few choice friends just in case:) Be VERY careful about the physical security of your machine of get used it.


Insert pithy comment here.

If they can read it, They can write it. (1)

mgrennan (2067) | more than 11 years ago | (#199840)

Ok I own one of these things too. They are nice. But as a amature radio guy I can know this was posible a long time ago.

The part the disterbs me is the fact they can write to your keyboard reciver. Just stay logged in, walk way, and I can enter a rm /* for you or maybey a scp -r mark@myserver.com:/stuff /root/*.

Anyone know where most people keep their GNU-CASH data directory?

Just joking.

mark

An option to secure the transmissions (2)

psychosis (2579) | more than 11 years ago | (#199842)

You could always take the character key, base-64 it, and XOR the bit string....
oh, wait a minute... you might get sued for that marvel of technical prowess!

Get the adage right :) (1)

smooge (3938) | more than 11 years ago | (#199848)

> The old adage 'The only safe computer is locked
> in a room and unplugged from the Internet'
> proves false. According to a recent security
> report about Logitech wireless mice and
> keyboards, an attacker can sit a hundred feet
> or more from your computer and 'sniff' the data
> from your keyboard and mouse. Scary."

Actually the adage is
'The only safe computer is locked in a bunker, unplugged from the power grid, and turned off. And then it is questionable. Safer still is just to slag the whole thing down to its random bits.

stucco houses look better every day (1)

bcboy (4794) | more than 11 years ago | (#199849)

there's nothing like a wire mesh wall for blocking rf.... though you do have to mount an antenna if you want to listen to the radio

Assuming it matters (2)

maggard (5579) | more than 11 years ago | (#199850)

First off this is *news*? Did anyone expect a wireless mouse or kb to encrypt? While it's likely possible to do some sort of encryption between the transmitter & the reciever I don't see how keys would easily be synchronized.

Furthermore devices like this invariably end up stepping on each other's toes. They're fine if you're the only user in the building but when the secretary upstairs gets one you end up getting who-gets-the-bandwidth glitches or worse yet finding thier mousing on your screen (or "Iieeeeyyhahh - my cursor is posessed!")

Of course one key thing to ask yourself is if you care that someone could decode your mouse or kb.

In the office as I noted these things are of limited utility, at least if you're in a geek-dense area. At home the question is how many folks are in range and how many could possibly care.

In my neighborhood the average age is 60-something and of a definite non-technical bent. Frankly I doubt there's so much as an active ham in the neighborhood much less anyone with enough geek-tendencies to scan, identify, then decode my mouse or keyboard.

The same with the odds of there being another comperable device - I can count the cable-modem users by looking at the wires and there are 4 of us in two blocks (and from sniffing I know I'm 90% of the traffic.)

Yeah unsecured wireless devices aren't a good thing to use in a secure environment, but again, that's *news?

Re:Tempest (1)

Switchback (6988) | more than 11 years ago | (#199852)

Not true. Many people incorrectly refer to the sniffing of electromagnetic signals as 'TEMPEST attacks'. While it is certainly convenient to use this term, TEMPEST actually deals with the prevention of such signals, not the gathering of them.

As for only reading monitors, you are quite mistaken. TEMPEST covers the entire electromagnetic spectrum. If you've ever seen TEMPEST equipment, everything is 'shielded', not just the monitor. Electromagnetic sniffing can be applied to any electronic device, not just computers. Monitors are probably the easiest for people to think of because it's information they're seeing. But sniffing the monitor does you no good for gather passwords, because they either don't show up on the screen or are some other character. But sniffing the keyboard will certainly give you this info.

Of course! (1)

juuri (7678) | more than 11 years ago | (#199853)

What retard didn't know this when they purchased such equipement? The same ones that have never used a learning remote?

How the hell does this warrant a front page story.

Slashdot, news for people who can't think or figure anything out for themselves.

The flip side... (2)

unicorn (8060) | more than 11 years ago | (#199854)

Maximum PC had an article about PC Pranks last week. And they drove one editor nuts by hooking a cordless mouse to his system as the primary pointing device, and driving his machine from across the room.

Surprised? (1)

Ageless (10680) | more than 11 years ago | (#199862)

This is a surprise?
Hey! Guess what, that fancy remote control you use for your TV at home can be sniffed too! THEY CAN TELL WHAT YOU ARE WATCHING!
Also! Those walkie talkies you use to talk to your buddies can be sniffed! THEY KNOW WHAT YOU ARE SAYING!
Hey! This comment isn't encrypted! In fact, most of the Internet isn't encrypted! THEY CAN READ WHAT Yjk2#@!

Re:Surprised? (1)

Ageless (10680) | more than 11 years ago | (#199864)

I am going to go ahead and take this into the realm of the far fetched but... With a little bit of habit watching you could find a calibration point.
First, you can take out any channels that home may or may not receive. It's going to be obvious that the person isn't watching channel 6 for 3 hours at a time if it's static.
Next, watch how long they watch a channel. Do they watch a certain channel for 2 hours and 10 minutes and was there just a movie on that was 2 hours and 10 minutes or so? Good starting point.
Anyway, cryptographers perform much more complicated miracles breaking ciphers. It's not too hard... :)

Duh (1)

Ouroboro (10725) | more than 11 years ago | (#199865)

All I can really say is, well duh. Who would have thought that a device that sends unencrypted signals out willy nilly would be vulnerable to sniffing.

This should be espescially obvious since we are already worried about people sniffing monitors and ethernet w/out actually being in the circuit.

Scary my ass! (2)

uradu (10768) | more than 11 years ago | (#199866)

If you buy peripherals that broadcast their data through the air, what the hell do you expect?! We take it as a given that true security with 802.11b even using encryption is an iffy thing, despite using pretty heavy duty hardware, and yet we're floored when a cheap input device with nary more horsepower than a CD player is insecure? Perhaps we should come up with a public key protocol for mice and keyboards? Given the required horsepower, we could then also use them as co-processors, offloading all those Quake computations on the mouse and keyboard. Hmm...

Re:Common Sense (1)

SpacePunk (17960) | more than 11 years ago | (#199879)

No offense? Hell, intend as much offense as possible.

What gets me is someone actually did a 'security report' on it. DUH! Ok, next up will be a 'security report' on how shouting down a hall isn't secure.

Re:Just shows how important key management is (2)

Ralph Wiggam (22354) | more than 11 years ago | (#199885)

"Logitech had to do something that "works" but gives people zero privacy and no security"

Yes, and they did exactly the right thing. Their "job" is to produce products that do what they claim to do and sell them at a price people will pay. They never claim these products are secure in any way. As the above post says, if you bought this product *assuming* it's secure, you're a dumbass and you deserve whatever you get.

-B

How horrible... (1)

Rombuu (22914) | more than 11 years ago | (#199888)

I mean if a hacker could track my mouse movements he could.. um, he could.. well...

...damn, I can't think of anything. Sounds like a big waste of effort.

Paranoia makes you feel important. (1)

flockofseagulls (48580) | more than 11 years ago | (#199904)

My grandmother had her cable TV service disconnected because she believed "they" could watch her through her TV. The more extreme worries about security and privacy that come up periodically on slashdot are in the same vein.

Unless you are a real spy, diplomat, or someone with real secrets to protect why do you think the CIA or whatever gives a shit about sniffing your cordless keyboard? If they really wanted your secret passwords they would just get a thug to threaten to beat you up--much cheaper and less time consuming.

Stop reading Tom Clancy novels. No one cares about your keystrokes.

Updated cliche version 1.02 (2)

glitch! (57276) | more than 11 years ago | (#199914)

"The old adage 'The only safe computer is locked in a room and unplugged from the Internet' proves false.

- The only safe computer is locked in a room and unplugged from the Internet.
+ The only safe computer is locked in a light-tight, Sonex lined, Faraday cage and unplugged from the Internet.

Mice vs. keyboards (2)

ucblockhead (63650) | more than 11 years ago | (#199918)

For keyboards, I can imagine this being a real security issue, but I'm not sure how you could get useful information out of a mouse without having some access to the person's screen.

RF Keyboards (2)

Bandman (86149) | more than 11 years ago | (#199926)

Relax. This only applies only to the RF keyboard models. The IR models arn't succeptable.

I DARE someone to sniff my IR communications from hundreds of yards...

The paranoid ignorant (1)

ahde (95143) | more than 11 years ago | (#199936)

Scary indeed! Having just purchased one of these, and finding them immensely conveinient such news is disheartening. Are there easy ways in which Logitech might be able harden any new models against this? How difficult are these things to sniff, and what kind of hardware would one need to do so? Obvious security tip: if you have these keyboards attached to machines that may access secure data, consider moving them back to the wired standbys until a more secure wireless options present itself.

I bet you bought a Fisher Price baby monitor and trembled in fear the day the exploit was uncovered that let kidnappers and federal agents tune into your RADIO TRANSMISSIONS! and tell when junior wakes up.

Tempest (4)

Lazarus54 (98551) | more than 11 years ago | (#199942)

The CIA can already sniff your keyboard and mouse movements, wireless or not. It's called Tempest. It was mentioned briefly in Rainbow 6; Jack Ryan has a computer which he refers to as "Tempested" which I took to mean resistant to Tempest sniffing. The CIA did a short demonstration with a computer bigwig (I forget who) where they showed this technology off a year or so -- they were able to sniff a login/pw from a family computer from about a block away.

Laz

Old News (1)

zpengo (99887) | more than 11 years ago | (#199944)

This is, once again, old news. Sniffing electrical signals to determine what a user is doing isn't new at all. I found this out myself about six or seven years ago, when I had a mouse wire running under some speakers. As I moved the mouse, the speakers twitched and hummed according to how I moved.

Since then, I've seen dozens, if not hundreds, of articles about this or that surveillance technology that does basically the same thing, only it decodes the signals and puts them into something more intelligent than pops and hisses.

Anyone who uses a wireless keyboard and thinks that nobody could ever find out that he's writing mash notes to his favorite porn star is naive, and plain stupid.

Re:DUH (5)

John Miles (108215) | more than 11 years ago | (#199951)

No, actually, Van Eck sniffing is NOT "easy." It takes thousands of dollars' worth of exotic equipment, and is nowhere near as foolproof as the media suggests. (And how many servers display passwords on the screen when you log onto them?)

Wireless keyboard sniffing is MUCH cheaper and MUCH more damaging than TEMPEST vulnerabilities could ever be.

Tempest and military (1)

nordicfrost (118437) | more than 11 years ago | (#199959)

I don't get it. Any moron should know that anything that emits radio waves is unsafe to use in a secure enviroment. I have a lot of experience with military computers, and wireless keyboards are forbidden (Under military instrictions in Norway) even on unsafe internet-connected computers. It's just too easy to sniff.

Regarding Tempest; The instructions (In short) for tempest shielding here is that servers have to be in a Tempest approved room. There can be no windows, and no RF emitting at all. CAT-5 is banned, it's fibre all the way. Any hubs, switches or routers have to be in code locked shielded safe-like containers. And there is no way, NONE at all, to connect it to the internet.

Not suprising. (1)

re-Verse (121709) | more than 11 years ago | (#199960)

I never did want to touch those things. We make so sure that noone sees when we type in our passwords, sometimes even disguising the way we type, faking hitting certain keys etc, i've seen some Very paranoid people. I'm sure they'll not be happy to know they've been shouting their passwords and credit card numbers across the room for anyone to tune in on.

Sounds like its a whole lot easier than installing a key grabber on a users computer, some quiet geek sitting in the cublicle in the corner could be listneing to it all. fun.

Hardware required for sniffing (3)

librarygeek (126538) | more than 11 years ago | (#199966)

I must first admit that i am unaware of the design of these keyboards but i assume there is only a few channels they operate on. All you would really need to "sniff" these devices would be another reciever device of the same type set to the same channel. Once you have the channel figured out the second device, attached to a second PC, should display what was being typped on the original? This is the way the old RF keyboards sold with the Gateway 2000 Destination series of computers worked. We purchased a few of these where i work and i used to love to annoy people by setting a second mouse to the same channel they used, then in the middle of a presentation start moving their mouse around on them.

"Out of Band" key negotiation could fix this. (1)

8-Bit Junky (127079) | more than 11 years ago | (#199967)

Instead of pressing the button on the mouse / kb & receiver to select one of several (preset!) session keys, Logitech should have used "something else" to establish communication.

Like IR, or even a short patch cable. Simply attaching the cable between the remote device and the receiver could start the protocol negotiation, and a much more secure one to boot... When the negotiation was finished the receiver could blink a led or beep...

My biggest problem with these Keyboards are their lack of LEDs for numlock, scroll lock and caps lock..

Re:Cordless Logitech trackballs (1)

stilwebm (129567) | more than 11 years ago | (#199969)

Actually, they are used for presentations frequently (so you don't have to stay at the podium).

DUH (5)

stilwebm (129567) | more than 11 years ago | (#199970)

If you are security conscious and bought a wireless keyboard, you deserve to have your head examined. If it didn't say "Strong Encryption" or mention some other form of security on the box, you didn't honestly think it was secure did you? Even IR keyboards can be "sniffed", although not nearly as easily.

Paranoia (1)

Shyryly (131993) | more than 11 years ago | (#199972)

There are easier ways for someone to get your 'secret' information than going through the trouble of buying these Logitech components and building this sort of limited intrusion device.

The average person using this sort of setup isn't a security conscious individual in the first place, so why go through the hassle?

Also, based on the nature of the devices, of course you can find a way to intercept the data they're transmitting. This is true for any device that transmits information through the airwares. The lack of encryption just makes everything a cake walk once you've got the detection device made.

I don't see anything on the product features for the wireless components on Logitech's website to suggest that the items in question are flashable, so you're stuck with the unencrypted traffic if you currently own one.

Cordless mouse (1)

matt2413 (135292) | more than 11 years ago | (#199975)

What harm is sniffing my mouse going to cause? I certainly don't do anything w/ the mouse that would give up any keys/passwords...

Don't forget the Faraday Cage (1)

Ray Yang (135542) | more than 11 years ago | (#199976)

Well, if you *really* wanted your computer to be secure, you should put a power source and your computer (along with your office), inside a Faraday cage, with no wires going in or out. Last I checked, this will ensure no meaningful leakage. Now, when those gravimetric sniffers come out, we're screwed, since no known method of blocking the propagation of gravity waves exists ;-)

Ray

encryption costs money (1)

ashultz (141393) | more than 11 years ago | (#199981)

This is as surprising as the sun coming up, really. Unless you had some sort of hardware encryption with unique keys embedded in the keyboard (and hardware or maybe software on the other end to decrypt it) it's going to be sniffable.

Encryption hardware costs money. Using unique keys per item costs money to configure them at the factory. If keyboards aren't cheap no one buys them. The math is pretty inescapable.

Wireless == sniffable (2)

plover (150551) | more than 11 years ago | (#199989)

Its wireless == its sniffable. There is nothing you can do about it.

Sure, it's kind of cool that they used the off-the-shelf Logitech receiver against itself, but a custom reciever would perform the interception passively.

Hardly anything to panic about. Your cordless phone probably leaks more personal info about you anyway.

John

P.S. Did anyone else think Bluetooth?

CRT sniffing == not just photography (2)

TeknoHog (164938) | more than 11 years ago | (#199992)

Can't remember any links now, but in a lecture by Duncan Campbell he mentioned a new method by which the lower-frequency electromagnetic radiation (i.e. not light) from CRTs and even LCDs can be monitored from behind walls, and most of the information can be retrieved.

--
I hit the karma cap, now do I gain enlightenment?

WARNING! (3)

FortKnox (169099) | more than 11 years ago | (#199994)

Warning! If you work with secure data on a computer, and there is a wire spliced onto your keyboard wire in an unusual way and the wire goes into a hidden corridor, out the window, or far from site, someone might be sniffing your data!!

(also see sig s/Privacy/Security/g)...

BWAH HAHAHA! wireless hax0r1ng (1)

electricmonk (169355) | more than 11 years ago | (#199995)

Now I can not only get internet access from your wireless 802.11 network, I can sniff your passwords too!

\/\/

Re:Cordless Logitech trackballs (5)

andyh1978 (173377) | more than 11 years ago | (#199998)

Actually, they are used for presentations frequently (so you don't have to stay at the podium).
Oh, the embarrassing possibilities...

A couple of people in the audience with a cordless keyboard and/or mouse on the same channel... a couple of clicks... a few choice webpages projected on the screen...

I don't think you'd be staying at the podium for long. :-)

Sniffing keyboards (3)

Rorschach1 (174480) | more than 11 years ago | (#200000)

Actually, it's not terribly difficult to get data from a wired keyboard at a reasonable range. They run at a low data rate and leak a fair amount of RF. You can demonstrate this by holding an inductive probe near one and pressing different keys - they all make different tones.

of course they can be sniffed (1)

muerte24 (178621) | more than 11 years ago | (#200002)

they are beaming an easily detectable infrared signal from a fairly strong LED. if your keyboard has to be a palm pilotesque 3 feet from your receiver which has a lens/detector about 1/8" across, that means that if i have a mirror/detector about a foot in diameter i can get the same signal strength from almost 300 feet away. barring dust, humidity, etc, etc.

what's _really_ scary is the TEMPEST style attatcks. where the RF from your monitor can be received and reproduced from hundreds of feet away. look around on the web for TEMPEST stuff. the _only_ way to protect yourself from being sniffed in that manner is to encase the whole room in copper. as in a copper door that seals on a copper frame, etc. the bright side is that the attacker needs fairly sophisticated and expensive equipment to be able to do this.

going back to the logitech wireless thing, i think there is a way to defeat the more casual sniffers. if the base station continuously transmits a sort of "key" back to the mouse/keyboard, it is _very_ improbably that the attecker has a good enough Line Of Sight to be able to intercept both signals, and then do distinguish the two. it doesn't have to be any kind of complicated cypher, just an additive digital key.

why doesn't somebody program a palm pilot to sniff digital keys? just use some eyeglasses and a holder and you could pick up signals from (2 / .125 * 3 =) 50 feet away.

muerte

speaking then of digital keys, someday microsoft will enforce digital rights management on my keyboard. it will have to negotiate a session on my computer, then i will have to sign a lengthy agreement that i won't type in any copyrighted text.

oops (1)

muerte24 (178621) | more than 11 years ago | (#200003)

the report says they are using RF, which makes it easier to detect the signal from up close (no LOS), but the signal is harder to pick up from farther away.

one easy way to make a pretty secure connection would be to make little enigma-esque scrambler wheels on the keyboard and base station. since the number of intercepted characters is probably low, your key length doesn't have to be outrageous to provide some security.

another way is to, every couple hours or so, prompt the user to type a special, newly generated word or two into the keyboard. the computer makes up the words, puts them to the screen, and tells the keyboard to stop transmitting. then the keyboard uses the typed in phrase for a new cryptographic key and begins transmitting again. it won't work with current models, but it would be a fairly robust system for newer models.

muerte

Re:Another thought comes to mind... (1)

wcbrown (184278) | more than 11 years ago | (#200009)

Though it would be a great prank to randomly type extra characters every now and then.

Keyboard Encryption (1)

SigmoidCurve (188795) | more than 11 years ago | (#200011)

Alas, it has come to this. Now we need an encryption scheme to encode what we actually type into the keyboard. Shouldn't be too hard, just use a good md5 hash and compile it into the readline library. Then just do the conversions in your head before you type in a letter. For example, 'a' would be 'bb86e686cd925adbf14b3e9e9302c2c8'. Maybe a little more time consuming - but hey, at least it's secure!

czep

Wouldn't bother me (1)

Mtgman (195502) | more than 11 years ago | (#200013)

About once in every three times that I boot into Windows 98, my keyboard gets locked out. Don't want to drop my internet connection and lose any time needed to re-boot, so I just do without it for a while. I've gotten good at websurfing using nothing but a mouse, but cutting and pasting single letters to form google search strings can be a pain. A sniff on my keyboard would be pretty pointless even if I was surfing/accessing exactly the kind of nasty data the sniffer was looking for.

Steven

The Old Adage (2)

bartjan (197895) | more than 11 years ago | (#200015)

The only system which is truly secure is one which is switched off and unplugged, locked in a titanium lined safe, buried in a concrete bunker, and surrounded by nerve gas and very highly paid guards. Even then, I wouldn't stake my life on it.
(Gene Spafford)


I think switched off also includes the removal of the batteries from the mouse and keyboard.

Diffie-Hellman (1)

hhg (200613) | more than 11 years ago | (#200016)

Would't it be possible to encrypt signals with DES, and have the units change their keys every 3-4 seconds? With the power of small chips theese days, such a thing would not be very difficult to implement.

Cordless Logitech trackballs (4)

Rosco P. Coltrane (209368) | more than 11 years ago | (#200020)

I bought a Logitech Cordless TrackMan FX the other day : this thing is a *cordless* trackball ! I understand the need for a cordless mouse, to avoid dragging a cord around, but a cordless trackball ?? that's about as useful as a cordless telephone pole ...

"A door is what a dog is perpetually on the wrong side of" - Ogden Nash

TEMPEST (1)

whiteben (210475) | more than 11 years ago | (#200021)

What about eavesdropping a la TEMPEST? (See this TEMPEST page [eskimo.com] .) This has been around and known for years and doesn't seem to be a big concern of the industry. It's all about acceptible risk. If you're data is not sensitive, use whatever hardware you like. If it's very sensitive, use shielded stuff. Where you fall in the spectrum should determine how much protection is warranted.

Re:Tempest (2)

jayteedee (211241) | more than 11 years ago | (#200022)

Actual Tempest is the name of a room designed to thwart electronic spying. Usually used in the sense of "tempest room". It basically is a room which is a gaussian sphere, i.e. all metal, including metal contacts around the perimeter of the door. You can't scan wired keyboards and mice. You can however scan RF transmitting devices such as monitors. It is quite easy to sync a signal from a monitor from quite some distance away and literally be able to see what the user is displaying on their screen. So the defense industry uses tempest rooms to shield the electrical transmissions from the computers.

Assume wireless devices are sniffable (1)

brlewis (214632) | more than 11 years ago | (#200025)

Until proven otherwise, assume any wireless device is sniffable. IR is relatively safe. For RF devices, if the manufacturer doesn't boast about security measures, they don't have any. Even if they have security measures, chances are they aren't strong.

Re:DUH (5)

WinterSolstice (223271) | more than 11 years ago | (#200031)

I'd never use one of those. I even switched to an HMD to avoid my screen be visible from the next room. I also put my computer into a room 6 meters underground, then sealed the entrance. I bought temperature/moisture/pressure sensors for the floor tiles, removed the air ducts (so there, Mission Impossible!), re-install NetBSD nightly to avoid any files being saved, and put EMF filters on my mouse and keyboard cables. I have my own air generator, and a lifetime supply of Spaghetti-O's.

Of course, in the real world, most of us understand that little things like 'keyboard snooping' and 'phone tapping' are seriously un-important. I'm much more concerned about the real threats like Unlawful Search and Seizure than I am about someone knowing my password for /. or MP3.Com. Who the h377 cares?

Do you actually think it matters if someone uses your credit card fraudulently? Nope. Happened to me already, before everything was 'e' something. I had someone run my card to the limit, and the company just charged me my insurance co-pay. Bango, no problem.

Life is just one big exercise in risk-management. Learn what things matter, and what things don't. Protect yourself where it matters. Don't bother to wear a flak jacket to the can.

-WS

What do you expect? (2)

rabtech (223758) | more than 11 years ago | (#200032)

With the limited battery and processing power onboard these keyboards and mice, you can't really expect them to perform much complex encoding and decoding.

That said, some basic protection would be in order. Encryption is difficult when you are talking about a few characters per second, but definitely possible. Tuning each receiver to each device at ship time might also be possible, but could prove not to be cost effective.
-------
-- russ

"You want people to think logically? ACK! Turn in your UID, you traitor!"

Re:RF Keyboards (1)

quantum bit (225091) | more than 11 years ago | (#200033)

I DARE someone to sniff my IR communications from hundreds of yards...

Ok, no problem. The original discussion about this (almost a month ago!) touched on IR devices as well. All you need is a line of sight to the beam. Once you have that you can send another IR beam through it (won't affect the communications because the frequency is different) and then sniff by detecting shifts in the interference patterns. Not quite as trivial as RF but certainly possible. Just a couple tiny holes in the wall and you're all set...

actually this could be a feature (2)

unformed (225214) | more than 11 years ago | (#200034)

Logitech keyboards and mice mice work from over a hundred feet away

but seriously speaking. If something is airborne, it CAN be sniffed. If the computer can decipher something which is not directly connected to it, then something else can too.
Sure, you can encrypt the data stream, but encryption isn't full security.

The old adage 'The only safe computer is locked in a room and unplugged from the Internet' proves false.

No it doesn't prove false, you have to use common sense. So you unplugged it from the internet but decided to use a WIRELESS device, especially one that is not built with the intent of being cryptographically secure.

This is purely a stupid post. Releasing data into the airstream obviously makes it more susceptible to sniffers. And it's been known for ages that you can sniff out WIRED keyboards by checking electrmagnetic pulses in the air. Sure it takes very expensive equipment, and you need to be close to the computer, but if that can be done, then why the hell is it surprising that WIRELESS keyboards can be sniffed?

Re:Cordless Logitech trackballs (1)

japhmi (225606) | more than 11 years ago | (#200035)

I actually think they make a great idea, because one of the main things I would use them for is to sit in my nice chair and use my trackball, and I wouldn't have to worry about finding a flat surface to move a mouse around on.

Re:Tempest (1)

(H)elix1 (231155) | more than 11 years ago | (#200044)

Tempest sniffs the EM from the monitor, letting them "see" what you see... nothing to do with the mouse and keyboard - except for what you see on the screen.

Title (2)

clinko (232501) | more than 11 years ago | (#200045)

"Security - Logitech Wireless Mice & Keyboards Can Be Sniffed"

Lets say it's 50 years ago. This title would be damned funny.
(people are smelling robotic mice and wooden keys it's a security risk.)

The CIA (2)

Calle Ballz (238584) | more than 11 years ago | (#200048)

Okay, I got all this from an old man who I work with that used to work for the NSA, this is what he says, I dunno if he is nuts or not.....

The CIA has their main building that is built within another building, and between the two buildings... white noise is pumped throughout. There is a good reason for this, *THEY* (NSA, CIA, MIB, Echeleon, whoever you are paranoid against) have the technology to sniff your keystrokes from about 50 yards away, even with your traditional wired keyboard. In some cases they can read even the radiation from your monitor.

Halflife & Quake (1)

OS24Ever (245667) | more than 11 years ago | (#200053)

Now my enemies can detetct my agile flicks of the wrist while I stomp them into the ground while playing Quake. Whatever am I to do?

All wireless communicaitons are insecure (2)

man_ls (248470) | more than 11 years ago | (#200060)

Cellular phones aren't secure. Anyone with a piece of hardware can listen in on your conversations. I know some people with such devices.

"Cordless" telephones are definately not secure. I've listened to other people's conversations because we were on the same channel, accidently, and while I couldn't talk, was very informed on this person's stock portfolio from his conversation with his broker.

Monitor cables, yes, the corded kind, emitt signals that a TEMPEST scanner can reconstruct into an image of your monitor, like a remote wireless VNC termanal that is set to look only.

Why should a wireless mouse and keyboard be any different? They are beaming keystrokes/(X,Y) coordinates into the air the same as those other devices are...why wouldn't a scanner or another receiver be able to pick them up? Anything that travels through the air is unsecure - it should never be assumed otherwise.

kinda scary (1)

Davace (250100) | more than 11 years ago | (#200061)

Let's hope whatever encryption they use will be an open standard, and not some closed-source 'security-through-obscurity' plan.

I'm not concerned. (1)

megaduck (250895) | more than 11 years ago | (#200062)

While I can see how this would be a concern for high-security environments, I don't think most of us home users really need to worry about it. With surfing and games, most of the info that I transmit is totally useless unless you know exactly what's on the screen at the time. At best, you're going to get my personal e-mails which are pretty darn boring.

Call me crazy, but I'll live with the tiny security risk if it means I don't have to get my lazy ass off the couch.

Re:kinda scary (1)

methodic (253493) | more than 11 years ago | (#200066)

My guess is that they will release a revision 2 keyboard with some lame XOR encryption that can be cracked within a week.

This raises an interesting point... can one spoof their keyboard's identity to send keystrokes to another reciever?

I wonder how fast someone can type "echo + + > ~/.rhosts" :)

---------------

Not just sniffing... control! (1)

morcheeba (260908) | more than 11 years ago | (#200068)

My former bank always had an irda-compatible printer right near the deposit slot, and I always thought it would be fun to start printing out things for them to find in the morning. Nice, harmless fun.

But, controlling the keyboard and mouse from outside is a little different -- You could sniff the passwords during the day, and with a pair of binoculars, re-enter them at night. I know there are lots of passwords on the systems, but I wonder if there is a time lockout so they can't be used at night. Hey, high security safes have these; it's about time the computers do, too.

But, then again, they probably wouldn't have too many keyboards at a bank. People already walk off with their pens all the time...

So what? (2)

RzUpAnmsCwrds (262647) | more than 11 years ago | (#200071)

So what! Cellphones, cordless telephones, 802.11b, and just about everything else can be "sniffed"! There are a million ways to compromise the security of a PC. If you need maximum security, then don't use cordless mice or keyboards!

Why are people around Slashdot always so worried about this kind of thing?

Another thought comes to mind... (1)

Scoria (264473) | more than 11 years ago | (#200072)

(Sorry about the double post, but this is rather interesting)

I bet if you can sniff the data, you can probably also forge it. I doubt those keyboards use any type of authentication and if they do, well, it's easily accessed by sniffing.

That'd be quite bad if somebody sat a few feet away from a terminal with a wireless keyboard, sniffed it, and then "h4x0r3d" the network using forged keyboard data...

Common Sense (2)

Scoria (264473) | more than 11 years ago | (#200073)

No offense, but if you don't use a wireless network because it's not encrypted, what makes you think a keyboard that runs off two AA batteries will be secure?

Common sense, people... Common sense.

AND!!! (1)

Dancin_Santa (265275) | more than 11 years ago | (#200074)

Get this! With the right equipment, it's possible to read the contents of a person's monitor, right through a wall. Oh no!

"His keyboard usage pattern indicate that he types a few commands then stops. He then uses the mouse almost exclusively. Even there, though the mouse only moves intermittently. We can't make out what's on the screen, but it doesn't appear to be textual."

Dancin Santa

Spread spectrum? (3)

MSBob (307239) | more than 11 years ago | (#200080)

I thought it would be natural to use spread spectrum for this kind of device. Data rates are really low so the chip code could be extremely long. That would be quite secure for most purposes... No?

Avoidable (1)

tlhf (312423) | more than 11 years ago | (#200082)

It can't take that much proccessing power to put a simple chip which can encode to 56bit, can it?

Conduits (3)

OG Loki (313731) | more than 11 years ago | (#200083)

If you could somehow construct a conduit that the signal could use to travel from the mouse or keyboard to the box, perhaps a metal line with some sort of insulation to prevent signal bleed, and electric shocks. Of course these conduits would need to be long enough so that your mouse or keyboard could be operated at a comfortable distance from the machine...

I thought the adage was... (1)

tthomas148 (314130) | more than 11 years ago | (#200084)

"The only safe computer is locked in a room and unplugged." Period. Who cares if it's connected to the Internet? There was hacking before the Internet, let's remember.

Re:Who would want to sniff your kbd / mouse anyway (1)

GreenEggsAndHam (317974) | more than 11 years ago | (#200087)

Anyone who cares to listen in onto my cell phone conversations is welcome to. If I have something sensitive to tell someone, I will meet in a McDonalds where my whisper will be drowned out by the kids yelling and/or the terrible canned music that they play there.

Who would want to sniff your kbd / mouse anyway ? (2)

GreenEggsAndHam (317974) | more than 11 years ago | (#200088)

No really, that's so pretentious it's not funny.

Cliff, stop kidding yourself, very few of us are important enough or have access to data that's important enough that someone would want to bother setting up a snooping station to intercept our userid/pwd.

For those of us who *do* have access to something that's sensitive, they *will* be sitting in that computer room that's disconnected from the net and they'll sure as hell not be using silly gizmos for geeks.

Not just RF Keyboards (1)

Spamalamadingdong (323207) | more than 11 years ago | (#200089)

Yeah, the IR models aren't sniffable with a radio receiver; you probably have to use a telescope with a sensitive IR detector to do something that fancy. <sarcasm> And we know that nobody could or would do that, right? Right. </sarcasm>
--

Just shows how important key management is (3)

Spamalamadingdong (323207) | more than 11 years ago | (#200091)

It's amazing how many ways this could have been done right, and it is still wrong. For instance, the system could use a Diffie-Hellman key exchange by giving the PC side a transmitter and the keyboard side a receiver. Or the keyboard could have had a light sensor and use flashing patterns on the screen as the data back-channel (you only need it during sync). Or, if the keyboard used rechargable batteries, the key-exchange could be done by hardwired connection while it was on its docking/charging stand.

But no, Logitech had to do something that "works" but gives people zero privacy and no security. I hope this product gets hacked to hell, publicized to the ends of the universe and all products with crappy security get such a black eye in the press and a drubbing in the market that nobody even thinks about trying to sell something like that ever again.
--

general security with cordless devices (1)

neodymium (411811) | more than 11 years ago | (#200098)

According to german computer magazine c't (11/2001), about any cordless device can be sniffed - not only logitech. They had an article in the last issue discussing exactly this. Maybe I'll translate it a little later...

Just a summary, now: Cordless devices tend to use a 8 or 16 bit key for identifying (and authenticating) the connection to the base station. So all you need to sniff the keystrokes is another receiver, this code and something actually logging the characters... (i.e. keyghost [keyghost.com] .)

The NHS sniffed my brain... (1)

dev!null!4d (414252) | more than 11 years ago | (#200101)

My brain has been sniffed... I had a eeg and now my pattens are on floppy disk... they know I like pr)(n ;-(

Re:Cordless Logitech trackballs (2)

Magumbo (414471) | more than 11 years ago | (#200102)

This idea could make a cool joystick-like device. I'm thinking an ergonomic pistol grip with 4 buttons -- one in each of the finger grooves. A small trackball sits on top and is manipulated with your thumb. Hmm...maybe a wheel mounted on the side.

--

sniffing (5)

redcup (441955) | more than 11 years ago | (#200104)

My boss has a wireless keyboard and he caught me sniffing it this morning. It definately wasn't worth it - it just smelled like coffee.

I know this is coming up in my performance eval...

RC

This is outrageous! (1)

sup4hleet (444456) | more than 11 years ago | (#200105)

I can't believe the didn't use spread spectrum frequency hopping to secure such sensitive data!

how easy to sniff? (2)

fortunatus (445210) | more than 11 years ago | (#200106)

of course these things are easy to sniff.

you'd use the same receiver that comes with the stuff, just a little more sensitive with some special optics. you might be able to make a sniffer with one of the regular recievers by putting it behind one side of a pair of binoculars, or other telescope.

if you have a B&W CCD camera, take the IR filter out of it & have a look at the light beams. CCD's are sensitive to near IR. you'll see that the amount of light comming out of the senders is tremendous.

you could encrypt...

I sniffed my mouse... (1)

gnovos (447128) | more than 11 years ago | (#200108)

...that's when I realized it was time to change the sawdust in the cage, phew!

Just wanted to post something (2)

terrorist-a (453386) | more than 11 years ago | (#200114)


I imagine controlling the PC (transmiting louder than the PC keyboard/mouse) is also possible... and you don't need a very special equipment.

Really scaring...

Fortunately I'm using an old fashioned wired keyboard and mouse...

Anyone knows how long a physical mouse/keyboard extension cord could be?

Take a page from Seti@home (1)

ColGraff (454761) | more than 11 years ago | (#200116)

Seti@home sends out occasional packets to clients to which it knows what the response will be. Why not do something like that with wireless keyboards/mice?

Instead of just a receiver processing signals from the mouse or keyboard, have a transmitter in addition. Send random floating-points to the mouse or keyboard after each attempt at input or a random percentage of the time, which would then return another floating-point obtained from an algorithm in ROM that would be unique for each machine, and never transmitted. A malicious individual would be unable to control a user's computer because he.she would not have the algorithm.

Here's the way it would look:

1. Mouse/keyboard sends command to computer.

2. Computer sends random numbers.

3. Random numbers are received by mouse, and are fed into an algorithm on mouse ROM.

4. Mouse returns result(s).

5. If response in incorrect, wireless peripheral is locked out, and user switchs either to wired device or different frequency.

Load More Comments
Slashdot Account

Need an Account?

Forgot your password?

Don't worry, we never post anything without your permission.

Submission Text Formatting Tips

We support a small subset of HTML, namely these tags:

  • b
  • i
  • p
  • br
  • a
  • ol
  • ul
  • li
  • dl
  • dt
  • dd
  • em
  • strong
  • tt
  • blockquote
  • div
  • quote
  • ecode

"ecode" can be used for code snippets, for example:

<ecode>    while(1) { do_something(); } </ecode>
Sign up for Slashdot Newsletters
Create a Slashdot Account

Loading...