
RF Keyboard sniffing


  • RF Keyboard sniffing

    I was hoping someone might be able to help me with a project I have recently been tasked with.

    Where I work we have always disallowed the use of wireless keyboards and most peripherals, only allowing non-Bluetooth cordless mice and DECT-encrypted RF wireless headsets.

    I was recently sent a pair of wireless keyboards to assess, one of which I have no issues pen-testing (it's Bluetooth based and there's no end to the list of tools and adapters I can use to exploit that sucker).

    However, the other keyboard is RF, operating in the 916.5 MHz band using an assigned channel (1 of 65,000) that is specified when the keyboard is synced with the receiver, with a range of 100 ft, yes, I said 100. Additionally, the transmission is encrypted using a proprietary algorithm that the vendor will not disclose (bad news, I know!).

    The most problematic piece I can see is that wireless keyboards transmit data in roughly 16-bit data blocks, one character at a time. I would think it would be trivial to decrypt a single character with a very finite number of possibilities.

    What I want to do is capture the traffic being transmitted so that I and my team can analyze the encryption scheme and determine whether it will be sufficient for use in our environment. I need to acquire an RF receiver that I can attach to my computer to capture the data stream and output it to a file, or possibly a PDA with an RF adapter.

    I have tried to find resources via google and these forums, but either I found nothing useful or I was too thickheaded to comprehend what I was reading to modify it for my particular needs.

    Does anyone know of a commercial solution I might be able to utilize? Or possibly where I can find information specifically for what I am trying to do? Additionally, any information about how an attacker could force a re-pairing of the keyboard/receiver would be great as well.
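
The "one character per 16-bit block" worry above is worth making concrete. The following is an added example, not code from the original post or from the keyboard vendor: it uses a made-up stand-in cipher (fixed 16-bit pairing key, rotate-and-XOR, no per-packet counter) that is assumed purely for illustration. The point it shows is independent of the cipher's internals: if each keystroke is encrypted on its own with no per-packet freshness, the same key always yields the same block, so the traffic is a fixed substitution table that frequency analysis and a small known-plaintext crib can fill in without ever touching the algorithm.

```python
import collections
from typing import Dict, List

# Hypothetical stand-in for the vendor's undisclosed cipher: a fixed 16-bit
# per-pairing key, no per-packet nonce or counter. The details do not matter;
# what matters is that the same keystroke always produces the same block.
PAIRING_KEY = 0xBEEF  # assumed secret shared by keyboard and receiver


def toy_encrypt(scancode: int, key: int = PAIRING_KEY) -> int:
    """Encrypt one keystroke into one 16-bit block (rotate-left-4, then XOR key)."""
    rotated = ((scancode << 4) | (scancode >> 12)) & 0xFFFF
    return rotated ^ key


def sniff(typed_text: str, key: int = PAIRING_KEY) -> List[int]:
    """Constructed 'captured' traffic: one block per keystroke, ASCII used as the scancode."""
    return [toy_encrypt(ord(ch), key) for ch in typed_text]


def is_codebook(blocks: List[int], typed_text: str) -> bool:
    """True when distinct blocks == distinct keys: the cipher is a fixed substitution table."""
    return len(set(blocks)) == len(set(typed_text))


def guess_space(blocks: List[int]) -> int:
    """Frequency analysis: in English text the space bar is the most common keystroke."""
    return collections.Counter(blocks).most_common(1)[0][0]


def crib_codebook(blocks: List[int], crib: str, offset: int) -> Dict[int, str]:
    """Known plaintext: the attacker knows what was typed at one position
    (a username echoed on screen, a fixed prompt) and learns those table entries."""
    return {blocks[offset + i]: ch for i, ch in enumerate(crib)}


def recover(blocks: List[int], codebook: Dict[int, str]) -> str:
    """Decrypt every block the codebook covers; unknown blocks stay as '?'."""
    return "".join(codebook.get(b, "?") for b in blocks)


def demo() -> str:
    # Constructed session: victim types a username, a password, then some prose.
    session = "alice secretpass the cat sat on the mat"
    blocks = sniff(session)
    assert is_codebook(blocks, session)  # no per-packet freshness -> substitution cipher
    # Attacker watched "alice" being typed at the login prompt and uses it as a crib.
    table = crib_codebook(blocks, "alice", 0)
    table[guess_space(blocks)] = " "
    return recover(blocks, table)


if __name__ == "__main__":
    print(demo())
```

The check to run against a real capture is `is_codebook`: count distinct blocks over a session with a known number of distinct keys. If the counts match, there is no per-packet state and the scheme fails regardless of how strong the underlying primitive is; a sound design would make the same keystroke produce a different block every time (a counter or nonce mixed into each packet), which is also what stops straightforward replay.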

  • #2
    Re: RF Keyboard sniffing

    Since you have both ends, my suggestion would be to tap into the existing receiver, and read the RF traffic off that. With a bit of futzing around with a scope, you should be able to get the traffic before it's decoded. That way you just have to attempt a break on the encryption, and you don't have to figure out the modulation, too.

    If that's not acceptable, there are plenty of 900 MHz receivers out there, but you will have to figure out what modulation is used before you purchase. Googling for "900MHz receiver" nets about 731,000 hits. Making friends with someone with a spectrum analyzer would be a good idea.

    A good resource is the FCC's site. All you need is the FCC ID number, which is usually on a sticker on the keyboard itself, the receiver, or both. Usually the full testing information for any FCC-certified item is available on the site, including interior and exterior photos of the prototype, parts lists, block diagrams and occasionally full schematics. Sometimes those interior photos and parts lists can be a godsend in trying to figure out how something is functioning.
    "If you can't be a good example, then you'll just have to be a horrible warning." - Catherine Aird
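
Tapping the receiver as suggested above usually means clipping a logic analyzer onto the demodulated data line between the radio IC and the microcontroller and then turning the raw sample stream back into 16-bit blocks. The following is an added example, not code from the post or from any vendor; the frame layout (0xAAAA preamble, a 0x2DD4 sync word, one 16-bit block), NRZ signalling and 8 samples per bit are all assumptions chosen to illustrate the steps, and the capture is constructed in code. It recovers the bit period from the preamble, re-centres the sampling point on every edge, and pulls out each block that follows a sync word.

```python
from typing import List

OVERSAMPLE = 8          # hypothetical: logic-analyzer samples per bit
PREAMBLE = [1, 0] * 8   # hypothetical 0xAAAA preamble; alternating bits expose the bit period
SYNC_WORD = 0x2DD4      # hypothetical 16-bit sync word marking the start of a block


def bits_of(value: int, width: int) -> List[int]:
    """Big-endian bit list of a value."""
    return [(value >> (width - 1 - i)) & 1 for i in range(width)]


def build_frame(block: int) -> List[int]:
    """Constructed over-the-air frame: preamble, sync word, one 16-bit keystroke block."""
    return PREAMBLE + bits_of(SYNC_WORD, 16) + bits_of(block, 16)


def to_samples(bits: List[int], oversample: int = OVERSAMPLE) -> List[int]:
    """NRZ: hold each bit level for `oversample` samples."""
    return [b for b in bits for _ in range(oversample)]


def sample_capture() -> List[int]:
    """Constructed logic-analyzer capture: idle line, two frames, idle gaps not bit-aligned."""
    return ([0] * 40 + to_samples(build_frame(0x1234))
            + [0] * 20 + to_samples(build_frame(0xBEEF)) + [0] * 30)


def estimate_bit_period(samples: List[int]) -> int:
    """Shortest run of equal samples is one bit time (the preamble guarantees such runs).
    A noisy capture would need glitch filtering before this step."""
    runs, run = [], 1
    for prev, cur in zip(samples, samples[1:]):
        if cur == prev:
            run += 1
        else:
            runs.append(run)
            run = 1
    runs.append(run)
    return min(runs)


def slice_bits(samples: List[int], period: int) -> List[int]:
    """Simple clock recovery: re-centre on every edge, sample mid-bit."""
    bits, phase, prev = [], period // 2, samples[0]
    for s in samples:
        if s != prev:
            phase, prev = 0, s
        if phase == period // 2:
            bits.append(s)
        phase = (phase + 1) % period
    return bits


def extract_blocks(bits: List[int]) -> List[int]:
    """Find each sync word and return the 16-bit block that follows it."""
    sync = bits_of(SYNC_WORD, 16)
    blocks, i = [], 0
    while i + 32 <= len(bits):
        if bits[i:i + 16] == sync:
            blocks.append(int("".join(map(str, bits[i + 16:i + 32])), 2))
            i += 32
        else:
            i += 1
    return blocks


def decode_capture(samples: List[int]) -> List[int]:
    """Raw samples in, list of 16-bit blocks out."""
    period = estimate_bit_period(samples)
    return extract_blocks(slice_bits(samples, period))


if __name__ == "__main__":
    print([hex(b) for b in decode_capture(sample_capture())])
```

On a real board the preamble, sync word and line coding are whatever the radio IC uses; the FCC filing's block diagram and parts list usually name that IC, and its datasheet gives the framing so these constants can be set correctly rather than guessed.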


    • #3
      Re: RF Keyboard sniffing

      For the RF receiver for a PDA (CF or PCMCIA?) you're out of luck. You can't even get public-band packet radio equipment for those buses (mainly due to lack of power), let alone an open-band 900 MHz receiver.

      You'll need a parallel or serial interface card and a power supply for a PC-controlled receiver. All you'll get for a receiver without designing one yourself is some PC-controlled 1.2 GHz trunking RF scanner. 900 MHz and up is illegal in the US, even though you can buy a 1.5 GHz scanner from RadioShack for a couple hundred bucks that has all the good parts of the RF spectrum clocked out of the firmware.

      Also, there's a big difference between a discrete protocol and encryption. Embedded encryption solutions are pricey and pretty hard to implement over RF. Most manufacturers use techniques like inverted modulation instead, which is also a hassle and costs more money to implement.

      If you're really hard core, you can hack the firmware resonator on one of those FM radio CF cards. It'll only be able to pick up from maybe 30' away, but you could add some surface-mount components.

      My workplace has ISA-based receivers that cover 333 MHz to 7.9 GHz. You can buy them from amateur satellite and radio astronomy related equipment manufacturers.
      Last edited by VAX_to_PBX; February 14, 2007, 17:08.