Reminds me of an episode of Due South (the TV series about a Canadian mountie working as a detective in Chicago) in which he correctly works out a password from just the sound of someone typing it.
Turns out this is not so far-fetched after all:
"If you have an audio recording of somebody typing on an ordinary computer keyboard for fifteen minutes or so, you can figure out everything they typed."
https://freedom-to-tinker.com/blog/felten/acoustic-snooping-...
There was a great talk at Defcon in 2009 about sniffing keystrokes with voltmeters and lasers. It's worth watching the video[1] if you're interested in this audio technique.
The first part of their presentation uses a novel method to pick up PS/2 keystrokes from a system's ground connection. This presentation was what led me to design the PS/2 tap[2] to sniff keystrokes with my sound card.
The problem is that the company who's saying "Trust us, we have 128 bit encryption in our product" isn't giving you enough information to make an informed decision about how secure the device really is.
Choosing a keyboard because the box says "128 bit encryption" doesn't help if the manufacturer bakes in the same key on every device. Or a predictable key. Or really, any static session key even if it varies by device serial number or something like that. And a marketing or advertising guy doesn't know this, they just see a checkbox they can stick on the artwork. "Just get that 128 bit stuff in there so we aren't lying" is the most likely scenario for something like a keyboard, where competition is tough and margins are wafer thin.
Personally I'd use copper if I was at all worried, because the likelihood of some random firmware engineer getting a security protocol right is pretty slim.
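The comment above makes a point worth seeing in code: a keyboard can truthfully claim "128-bit encryption" and still leak every keystroke if the key (and the nonce that goes with it) is the same on every device or every power-up. The following is an added example written for this thread, not code from any keyboard vendor or from the commenter. It uses a toy keystream (SHA-256 in counter mode) so that it runs with only the Python standard library; the 8-byte HID-style reports are constructed sample data, and `REPORT_A`, `REPORT_B`, `keystream` and the other names are this example's own.

```python
"""Added example: why a fixed key + fixed nonce leaks, whatever the key length.

With a stream-cipher construction, ciphertext = plaintext XOR keystream.
If two key reports are encrypted under the same (key, nonce) pair they share
a keystream, so c1 XOR c2 == p1 XOR p2: whoever knows or guesses one
plaintext report learns the other. The keystream here is a toy
(SHA-256 in counter mode) standing in for whatever cipher a real device
uses; the weakness demonstrated is keystream reuse, not the cipher.
"""
import hashlib
import os

KEY_BYTES = 16  # "128-bit encryption", exactly what the box advertises


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy keystream: concatenated SHA-256(key || nonce || counter) blocks."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def xor(a: bytes, b: bytes) -> bytes:
    """Byte-wise XOR of two equal-length byte strings."""
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(key: bytes, nonce: bytes, report: bytes) -> bytes:
    """Stream-cipher style encryption of one key report."""
    return xor(report, keystream(key, nonce, len(report)))


# Constructed 8-byte HID-style reports: modifier byte, reserved byte, six keycodes.
REPORT_A = bytes([0x00, 0x00, 0x04, 0, 0, 0, 0, 0])  # 'a' pressed (keycode 0x04)
REPORT_B = bytes([0x02, 0x00, 0x05, 0, 0, 0, 0, 0])  # left shift + 'b' (keycode 0x05)


def recover_with_known_report(c_known: bytes, p_known: bytes, c_target: bytes) -> bytes:
    """Keystream reuse: (c_known ^ p_known) is the keystream, which unmasks c_target."""
    return xor(xor(c_known, p_known), c_target)


def static_key_leak(key: bytes) -> bytes:
    """Weak design: the same key AND the same nonce for every report and session.

    Returns what an observer who knows REPORT_A's plaintext recovers for the
    second frame; with keystream reuse this is exactly REPORT_B.
    """
    fixed_nonce = b"\x00" * 8          # e.g. a nonce that resets to zero at power-up
    c_a = encrypt(key, fixed_nonce, REPORT_A)
    c_b = encrypt(key, fixed_nonce, REPORT_B)
    return recover_with_known_report(c_a, REPORT_A, c_b)


def per_session_nonce(key: bytes) -> bytes:
    """Hardened design: a fresh, never-repeated nonce per report.

    The same trick now yields keystream_a ^ keystream_b ^ REPORT_B, which is
    unrelated to REPORT_B. (A per-session key negotiated at pairing time, as
    the comment suggests, achieves the same separation.)
    """
    c_a = encrypt(key, os.urandom(8), REPORT_A)
    c_b = encrypt(key, os.urandom(8), REPORT_B)
    return recover_with_known_report(c_a, REPORT_A, c_b)


if __name__ == "__main__":
    key = os.urandom(KEY_BYTES)  # a perfectly good 128-bit key
    print("static nonce, recovered:", static_key_leak(key).hex(), "== REPORT_B")
    print("fresh nonce, recovered: ", per_session_nonce(key).hex(), "(unrelated)")
```

Note that the key in both functions is a genuinely random 128 bits; the label on the box is accurate in both cases. What separates the two is whether (key, nonce) is ever reused, which is the kind of detail a spec sheet never states and which a buyer cannot check without documentation or a teardown.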
Do you think a wired keyboard might emit tappable RF? Should users take care to not have coils in their wires? Do solenoided keyboards (with the flexy cord coils) also pose a transmission risk?
The cable is the least likely part to be the source of the problem. The data lines are inside a shield, and in USB they are balanced (“D+” and “D-”). Both of these act to prevent radiation of the signals.
If a keyboard radiates it is likely to be either from the unshielded, unbalanced matrix wires going to the keyswitches, or leakage from the controller going onto the outside of the shield. (I think the latter could be reduced by using (more/bigger) decoupling capacitors, i.e. shorting out the RF.)
Coiling a wire does not generally make it a more effective antenna; it may or may not make it less effective depending on the circumstances. (The reason some antennas are coiled is to get the same length of conductor into a smaller space.)
So how far can you go and still eavesdrop on the signal? I haven't the first clue regarding signals, but I guess you'd have to plant a bug on the underside of the desk as opposed to a radar dish on the other side of the wall?
But yeah, another post from windytan that's left me amazed. If you're uninitiated, this is the same woman that figured out how to read from bus timetable display radio signals [1].
I'll stick to my USB wired keyboard for now, though, until encrypted wireless keyboards come down from £70-100.
Also, Bluetooth LE provides no eavesdropping protection. If an attacker can capture the pairing frames, they may be able to determine the "long-term key". Here's the NIST guidance paper on Bluetooth security: http://www.nist.gov/customcf/get_pdf.cfm?pub_id=911133
The attack surface can be minimized if the keyboard manufacturer implements crypto properly, requires encryption at the protocol level, uses a long and complex PIN, etc. The manufacturer with the best reputation right now is Microsoft. They got burned pretty hard when their proprietary wireless encryption was hacked back in 2007, and it looks like their Bluetooth keyboards are doing everything right.
> Also, Bluetooth LE provides no eavesdropping protection. If an attacker can capture the pairing frames, they may be able to determine the "long-term key"
There's a practical attack for that, and it's quick. It also uses Ubertooth[1].
For all Bluetooth keyboards that I've seen in the past ~5 years the pairing process uses one of the "Secure Simple Pairing" modes. None of these have been broken, although "Just Works" is probably vulnerable. The keyboards that I've seen use the "enter a 6 digit number" mode, which is not susceptible to the man-in-the-middle attacks that have been used against Bluetooth keyboards before[2].
Disclosure: I work on the Ubertooth and related projects.
(As a side note) Seeing the comment on acoustic fingerprinting, I guess it applies to wireless keyboards as well - even if the exact keycodes could be securely encrypted, keypress timing data, paired with finger movement model and typist habits analysis, would probably still leak information on what's typed.
This is why Apple's iBeacon was never going to be a viable method of payment, unlike NFC. The range on Bluetooth is just too long to safely do something like payments with it.