logitech wireless devices: man-in-the-middle attack

From: Axel Hammer (alpha01@grafx-design.de)
Date: Wed May 16 2001 - 12:40:21 PDT


    Device(s) tested:
    Logitech wireless desktop (mouse, keyboard, receiver)
    These devices transfer data wirelessly via RF; this set uses
    CB-band frequencies at about 27MHz.
    The synchronisation between the wireless devices is initiated by pressing
    a connect button on the receiver and then on the wireless devices to
    find a matching and undistorted pair of frequencies (or codes).
    
    Problem:
    The receiver waits for 30 minutes after initialising a connect for new
    devices to sync on them.
    An attacker is able to sniff the connect sequence of a victim's device
    from afar and to lock in to the pair of frequencies / codes of the
    victim's devices or to take control of a victim's devices.
    
    Impact:
    It is possible to gain access to wireless devices. The keystrokes may be
    sniffed in plain, unscrambled text.
    It is possible for the victim AND the attacker to read the keystrokes
    without the victim noticing the attack.
    
    Exploit:
    To sniff a connection of wireless devices, you need a receiver from the
    same manufacturer, same model.
    By slight modifications it is possible to extend the range of the
    receiver to about 30m (using an external antenna).
    It is necessary to 'remotely' initiate a reconnection of the victim's
    devices by the victim himself (no details, sorry).
    
    Solution:
    We strongly intend NOT TO USE these devices in security-relevant
    locations.
    
    Vendor-Status:
    not informed.
    
    Regards, Axel
    
    Information first published: (c) 2001/05/05, www.daten-treuhand.de
    


