I was hoping someone might be able to help me with a project I have recently been tasked with.
Where I work we have always disallowed the usage of wireless keyboards and most peripherals, only allowing non-Bluetooth cordless mice and DECT encrypted RF wireless headsets.
I was recently sent a pair of wireless keyboards to assess, one of which I have no issues pen-testing (it's Bluetooth based and there's no end to the list of tools and adapters I can use to exploit that sucker).
However, the other keyboard is RF, operating in the 916.5 MHz band using an assigned channel (1 of 65,000) that is specified when the kb is synced with the receiver, with a range of 100 ft, yes, I said 100. Additionally, the transmission is encrypted using a proprietary algorithm that the vendor will not disclose (bad news, I know!).
The most problematic piece I can see is that wireless keyboards transmit data in roughly 16-bit data blocks, 1 character at a time. I would think it would be trivial to decrypt a single character with a very finite number of possibilities.
What I want to do is to capture the traffic being transmitted so that I and my team can analyze the encryption scheme and determine if it will be sufficient for usage in our environment. I need to acquire an RF receiver that I can attach to my computer to capture the data stream and output to a file, or possibly a PDA with an RF adapter.
I have tried to find resources via Google and these forums, but either I found nothing useful or I was too thickheaded to comprehend what I was reading to modify it for my particular needs.
Does anyone know of a commercial solution I might be able to utilize? Or possibly know where I can find information specifically for what I am trying to do? Additionally, any information about how an attacker could force a re-pairing of the kb/receiver would be great as well.
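One check the assessment described above could start with once a capture exists, as an added example that is not part of the original post: type a known string during testing, line up the captured 16-bit blocks, and test whether the scheme is deterministic per keystroke (the same character always producing the same block). The two toy schemes below are constructed stand-ins to exercise the check, not the vendor's algorithm, and the key and test string are made up.

```python
# Added example: first-pass checks for a per-keystroke 16-bit cipher.
# Both "schemes" below are constructed stand-ins, not the vendor's algorithm.

def is_deterministic(known_text: str, blocks: list[int]) -> bool:
    """True if every repeat of a character in the known typed text produced
    the same captured 16-bit block. If so, the scheme is a fixed substitution
    over roughly a hundred keystroke symbols, and repeats in captured traffic
    mirror repeats in what was typed, however the 16 bits were derived."""
    if len(known_text) != len(blocks):
        raise ValueError("expected one captured block per keystroke")
    seen: dict[str, int] = {}
    for ch, blk in zip(known_text, blocks):
        if seen.setdefault(ch, blk) != blk:
            return False
    return True

def repeat_leakage(blocks: list[int]) -> int:
    """Number of block values seen more than once in a capture (no plaintext
    needed). Under a deterministic scheme this equals the number of distinct
    characters that were typed more than once; under a per-packet keystream
    it should sit near zero."""
    counts: dict[int, int] = {}
    for blk in blocks:
        counts[blk] = counts.get(blk, 0) + 1
    return sum(1 for c in counts.values() if c > 1)

def toy_fixed_key(text: str, key: int) -> list[int]:
    """Stand-in for a weak design: each character XORed with one fixed key."""
    return [(ord(ch) ^ key) & 0xFFFF for ch in text]

def toy_counter(text: str, key: int) -> list[int]:
    """Stand-in for a better design: a per-packet counter drives the keystream,
    so the same character yields a different block each time. 0x9E37 is odd,
    so the keystream value is distinct for every counter value below 65536."""
    out = []
    for i, ch in enumerate(text):
        ks = (key * 0x6D2B + i * 0x9E37) & 0xFFFF
        out.append((ord(ch) ^ ks) & 0xFFFF)
    return out

def assess(known_text: str, blocks: list[int]) -> dict:
    """Summarise both checks for a capture taken while known_text was typed."""
    return {"deterministic": is_deterministic(known_text, blocks),
            "repeated_block_values": repeat_leakage(blocks)}

if __name__ == "__main__":
    typed = "hello world"  # constructed string typed during the assessment
    print("fixed key:", assess(typed, toy_fixed_key(typed, 0x5A5A)))
    print("counter:  ", assess(typed, toy_counter(typed, 0x5A5A)))
```

A deterministic result means the scheme is a codebook of at most 65,536 entries regardless of how strong the underlying algorithm is, which is the property to report on before worrying about the cipher itself.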