COMMAND

    Logitech wireless desktop (mouse, keyboard, receiver)

SYSTEMS AFFECTED

    Logitech wireless desktop (mouse, keyboard, receiver)

PROBLEM

    Axel Hammer found the following.  Device(s) tested:

        - Logitech Cordless Desktop, sold in Germany.
        - Keyboard: M/N: Y-RC14
        - P/N: 867097-0102 125283-401A
        - S/N: MCU04607129
        - Working at 27.145 MHz

    in combination with several others from Logitech, sold in Germany.

    These devices transfer data (mouse movements, keystrokes) wirelessly
    via RF.  Modulation is very likely AM; multiplexing appears to be a
    kind of CDMA (in the author's opinion).  Synchronisation between the
    wireless devices and the receiver is initiated by pressing a connect
    button, first on the receiver and then on the wireless devices, to
    find a matching, undistorted transmit code.  The cordless devices
    seem to cycle through a fixed set of codes every time 'connect' is
    pressed, and the receiver seems to lock in on the first code it
    receives undistorted.  A transmitter <-> receiver pair as sold does
    not seem to be hard-coded to match each other: they simply leave the
    factory, and the customer connects them the first time the set is
    used, according to the manual.  This leaves the crucial backdoor of
    being able to connect whatever device you have to whatever receiver
    you have.

    After a connect is initiated, the receiver waits 30 minutes for new
    devices to sync to it, even if at least one sync code has already
    been received undistorted.  An attacker is able to sniff the connect
    sequence of a victim's device from a distance and to lock in to the
    code of the victim's devices, or to take control of a victim's
    device.
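    The following is an added example, not part of the advisory and not
    Logitech firmware: a toy model of the 'press connect on both sides'
    pairing described above.  The code set, the device kinds and all
    timings are constructed.  It shows how long a receiver with the
    described 30-minute window stays bindable after its keyboard has
    already synced, that any other receiver of the same kind in 'connect'
    mode binds the same keyboard, and what a short window that closes as
    soon as all slots are filled changes (and what it does not).

```python
# Added example: toy model of an unauthenticated "press connect" pairing window.
# Not from the advisory and not Logitech firmware; code set and timings are constructed.
from dataclasses import dataclass, field
from typing import Dict, List, Optional

CODE_SET = [0x1, 0x2, 0x3, 0x4]          # constructed: small fixed set a device cycles through
EXPECTED_KINDS = {"keyboard", "mouse"}   # constructed: device slots a receiver offers


@dataclass
class Transmitter:
    """A cordless device that steps to the next fixed code on each 'connect' press."""
    kind: str
    code_index: int = 0

    def press_connect(self) -> int:
        self.code_index = (self.code_index + 1) % len(CODE_SET)
        return CODE_SET[self.code_index]


@dataclass
class Receiver:
    """Binds each device kind to the first undistorted sync code heard while its
    window is open.  window_seconds=1800 and close_early=False model the behaviour
    the advisory describes; a short window with close_early=True is the hardened variant."""
    name: str
    window_seconds: float = 30 * 60
    close_early: bool = False
    opened_at: Optional[float] = None
    bindings: Dict[str, int] = field(default_factory=dict)

    def press_connect(self, now: float) -> None:
        self.opened_at = now
        self.bindings.clear()

    def window_open(self, now: float) -> bool:
        return self.opened_at is not None and now - self.opened_at <= self.window_seconds

    def hear_sync(self, now: float, kind: str, code: int, undistorted: bool = True) -> bool:
        """Return True if this sync code was accepted and bound to `kind`."""
        if not undistorted or not self.window_open(now):
            return False
        if kind in self.bindings:            # first clean code wins; later ones are ignored
            return False
        self.bindings[kind] = code
        if self.close_early and set(self.bindings) == EXPECTED_KINDS:
            self.opened_at = None            # every slot filled: stop listening at once
        return True


def broadcast_sync(receivers: List[Receiver], now: float, kind: str, code: int) -> List[str]:
    """A transmitter's sync code is on the air and every receiver in range hears it.
    Nothing in the code says which receiver it was meant for."""
    return [r.name for r in receivers if r.hear_sync(now, kind, code)]


def seconds_still_bindable(receiver: Receiver, after: float, step: float = 1.0,
                           limit: float = 3600.0) -> float:
    """Probe how long after time `after` the receiver keeps accepting new devices."""
    t = after
    while t + step <= limit and receiver.window_open(t + step):
        t += step
    return t - after


def demo(window_seconds: float, close_early: bool) -> dict:
    """Victim receiver opens its window at t=0 s; a second receiver of the same
    model ('other', constructed) is in connect mode at t=2 s; the keyboard syncs
    at t=5 s; a mouse syncs late, at t=1700 s."""
    victim = Receiver("victim", window_seconds, close_early)
    other = Receiver("other", window_seconds, close_early)
    keyboard, mouse = Transmitter("keyboard"), Transmitter("mouse")

    victim.press_connect(now=0.0)
    other.press_connect(now=2.0)
    kbd_bound_by = broadcast_sync([victim, other], 5.0, "keyboard", keyboard.press_connect())
    open_after = seconds_still_bindable(victim, after=5.0)
    mouse_bound_by = broadcast_sync([victim, other], 1700.0, "mouse", mouse.press_connect())
    return {
        "keyboard_bound_by": kbd_bound_by,
        "seconds_open_after_keyboard_sync": open_after,
        "mouse_bound_by_at_1700s": mouse_bound_by,
    }


if __name__ == "__main__":
    print("advisory behaviour :", demo(30 * 60, False))
    print("short, closing win :", demo(60, True))
```

    With the advisory's 30-minute window the victim receiver stays
    bindable for 1795 s after its keyboard has synced, and the late mouse
    is bound by both receivers.  With a 60 s window that closes once all
    slots are filled, the exposure shrinks to 55 s and the late mouse is
    rejected, but the keyboard is still bound by both receivers in both
    runs: the sync code carries nothing that ties a device to one
    receiver, which is why narrowing the window reduces the exposure
    without removing it and why the advisory's solution is simply not to
    use the devices where it matters.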

    It is possible to gain access to cordless devices.  The keystrokes
    may be sniffed in plain, unscrambled text.  Both the victim AND the
    attacker can read the keystrokes, and the victim does not notice the
    attack, since it is a (mostly, see below) non-intrusive 'trojanizing',
    so to speak.

    To sniff  a connection  of wireless  devices, you  need a receiver
    from the same manufacturer, same model.

    With slight modifications it is possible to extend the range of the
    receiver to about 30 m (using an external antenna).  This range may
    be further extended by using a preamplifier and directional antennas.
    It is necessary to 'remotely' make the victim initiate a reconnection
    of his own devices.

    This can be done by jamming the signals with any ordinary
    CB transceiver tuned to an appropriate frequency as provided by
    Logitech.  This is also a way to perform a brute-force DoS.  After
    the wireless link has been jammed, the victim wants to re-establish
    the (as he thinks) broken connection between the keyboard and the
    receiver (this is the only intrusive action that can be noticed by
    the victim; in most cases the innocent victim just thinks 'uh,
    another interference, let's reconnect...').  He achieves the
    reconnection by 'connecting' the devices as described in the manual.
    The attacker now also has to initiate a connection sequence by
    pressing the 'connect' button on his modified receiver.  Since these
    receivers wait 30 minutes for a connect sequence after the button is
    pressed, it is very likely to phase in to the victim's keyboard.  If
    the attacker fails, he simply hits the PTT on his transceiver again.
    Once a connection has been established, the attacker is able to read
    the victim's keystrokes in plain, unscrambled text.  Starting in the
    morning, he will most likely receive logins, passwords and other
    information.  No genius is needed to interpret what he is receiving.

    The attacker's receiver stores the code, so there is always the
    possibility of coming back some time later to look at what is going
    on (unless a new connection procedure has been done on either side).

SOLUTION

    NOT TO USE these devices in security-relevant locations.