[ISN] Logitech Wireless Mice & Keyboards Can Be Sniffed

From: InfoSec News (isnat_private)
Date: Thu May 24 2001 - 21:04:21 PDT


    http://www.daten-treuhand.de/security-news/bugtraq.htm
    
    Preface:
    All information provided is based on the tested devices. We cannot
    say whether other sets, sold elsewhere, are vulnerable OR NOT!
    
    Device(s) tested:
    Logitech Cordless Desktop, sold in Germany.
    Keyboard: M/N: Y-RC14
    P/N: 867097-0102 125283-401A
    S/N: MCU04607129
    Working at 27.145 MHz
    in combination with several others from Logitech, sold in Germany.
    
    These devices transfer data (mouse movements, keystrokes) wirelessly via
    RF. Modulation is very likely AM; multiplexing is done by a kind of CDMA
    (imho). The synchronisation between the wireless devices and the
    receiver is initiated by pressing a connect button first on the
    receiver and then on the wireless devices to find a matching and
    undistorted transmit-code. The cordless devices seem to cycle through
    a fixed set of codes every time you press 'connect', and the receiver
    seems to lock in on the first code it receives undistorted. No pair
    of transmitter <-> receiver sold seems to be hard-coded to
    match each other. They simply seem to come out of the factory and the
    customer connects them the first time he uses the set, according
    to the manual. This leaves the crucial backdoor of connecting whatever
    device you have to whatever receiver you have.
    
    Problem:
    After a connect is initiated, the receiver keeps accepting new devices'
    sync attempts for 30 minutes, even if it has already received at
    least one undistorted sync-code. An attacker is able to sniff the
    connect sequence of a victim's device from afar and to lock in to the
    code of the victim's devices, or to take control of a victim's device.
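    The connect sequence and the 30-minute window described in the two paragraphs above, as an
    added toy model (not vendor firmware and not part of the original advisory). The code set, the
    device names and the close_on_lock hardening variant are assumptions for illustration; the model
    shows why a receiver that keeps listening after its first clean lock accepts a second device, and
    that closing the window on the first lock removes that particular window.

```python
# Toy model (added example, not vendor code) of the connect sequence in the advisory:
# devices cycle a fixed code set, the receiver locks onto the first clean code it hears,
# and the reported firmware keeps listening for 30 minutes. CODE_SET and names are assumed.
from typing import List, Optional

CONNECT_WINDOW_S = 30 * 60           # 30-minute connect window stated in the advisory
CODE_SET = [0x11, 0x22, 0x33, 0x44]  # assumed: small fixed set the devices cycle through

class Transmitter:
    """Cordless keyboard/mouse: each 'connect' press moves to the next code and sends it."""
    def __init__(self, name: str, start: int = 0) -> None:
        self.name, self.idx = name, start

    def connect(self) -> int:
        code = CODE_SET[self.idx % len(CODE_SET)]
        self.idx += 1
        return code

class Receiver:
    """close_on_lock=False reproduces the reported behaviour; True is the obvious
    hardening: stop listening as soon as one clean code has been locked."""
    def __init__(self, close_on_lock: bool = False) -> None:
        self.close_on_lock = close_on_lock
        self.window_until: Optional[int] = None
        self.code: Optional[int] = None
        self.synced: List[str] = []

    def press_connect(self, now: int) -> None:
        self.window_until = now + CONNECT_WINDOW_S

    def hear_sync(self, now: int, tx: Transmitter, code: int, distorted: bool = False) -> bool:
        # Accept only a cleanly received code while the window is still open.
        if distorted or self.window_until is None or now > self.window_until:
            return False
        self.code, self.synced = code, self.synced + [tx.name]
        if self.close_on_lock:
            self.window_until = None     # hardened: first lock ends the window
        return True

def run_scenario(hardened: bool) -> List[str]:
    """Owner syncs at t=6s; a second transmitter presents a clean code at t=20min."""
    rx = Receiver(close_on_lock=hardened)
    owner, other = Transmitter("owner-keyboard"), Transmitter("other-device", start=2)
    rx.press_connect(now=0)
    rx.hear_sync(5, owner, owner.connect(), distorted=True)  # first code garbled: skipped
    rx.hear_sync(6, owner, owner.connect())                  # second code clean: locked
    rx.hear_sync(20 * 60, other, other.connect())            # still inside the 30 minutes
    return rx.synced
```

    Note that closing the window only protects the owner's receiver; a receiver that is deliberately
    left listening will still lock onto any code it hears cleanly, which is why the advisory's real
    remedy is not to rely on these links where keystrokes matter.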
    
    Impact:
    It is possible to gain access to cordless devices. The keystrokes may
    be sniffed in plain, unscrambled text. It is possible for the victim
    AND the attacker to read the keystrokes without the victim noticing
    the attack, since it's a (mostly, see below) non-intrusive
    'trojanizing', so to say ;-).
    
    Exploit:
    To sniff a connection of wireless devices, you need a receiver from
    the same manufacturer, same model. By slight modifications it is
    possible to extend the range of the receiver to about 30m (using an
    external antenna). This range may be further extended by using a
    preamplifier and directional antennas. It is necessary to 'remotely'
    make the victim himself initiate a reconnection of his devices.
    This can be done by jamming the signals with any ordinary
    CB transceiver, tuned to an appropriate frequency as provided by
    Logitech. This is also a way for a brute-force DoS. After the
    wireless link has been jammed, the victim wants to re-establish the (as he
    thinks) broken connection between the keyboard and the receiver (this
    is the only intrusive action to be noticed by the victim. In most
    cases, the innocent victim just thinks 'uh, another interference, let's
    reconnect...'). He will achieve the reconnection by 'connecting' the
    devices, as described in the manual. The attacker now also has to
    initiate a connection sequence by also pressing the 'connect' button
    on his modified receiver. Since these receivers wait for 30 minutes
    for a connection sequence after pressing the button, it is very likely to
    phase in to the victim's keyboard. If the attacker fails, well, he hits
    the PTT on his transceiver again. If a successful connection has been
    established, the attacker is now able to read the victim's keystrokes
    in plain, unscrambled text. Starting in the morning, he most likely will
    receive logins, passwords and other information. There's no need to
    be a genius to interpret what he's receiving. The attacker's receiver
    stores the code, so there is always the possibility to come
    back some time later and look at what's going on (unless there has
    been a new connection procedure done on either side).
    
    Solution:
    We strongly advise NOT TO USE these devices in security-relevant
    locations. In case cordless devices are absolutely necessary, we
    strongly advise using either infrared devices or waiting for
    manufacturers to supply you with 'hardened' devices.
    
    Vendor-Status:
    informed. no reaction yet.
    
    Details about this exploit, especially the modification to the
    receiver to extend the range, can be found on our homepage
    www.daten-treuhand.de.
    
    Legal Notice:
    This Advisory is Copyright (c) 2001 Daten-Treuhand.de and Axel Hammer.
    You may distribute it unmodified. You may not modify it and distribute
    it or distribute parts of it without the author's written permission.
    
    Disclaimer:
    In no event shall the author be liable for any damages whatsoever
    arising out of or in connection with the use of this information. Any
    use of this information is at the user's own risk and for
    informational purposes only. All trademarks are properties of their
    respective holders and are fully respected.
    
    Sincerely Yours,
    
    Axel Hammer
    daten-treuhand.de
    