COMMAND
Logitech wireless desktop (mouse, keyboard, receiver)
SYSTEMS AFFECTED
Logitech wireless desktop (mouse, keyboard, receiver)
PROBLEM
Axel Hammer found the following. Device(s) tested:
- Logitech Cordless Desktop, sold in Germany.
- Keyboard: M/N: Y-RC14
- P/N: 867097-0102 125283-401A
- S/N: MCU04607129
- Working at 27.145 MHz
in combination with several others from Logitech, sold in Germany.
These devices transfer data (mouse movements, keystrokes) wirelessly
via RF. Modulation is very likely AM; multiplexing is done by a
kind of CDMA (imho). The synchronisation between the wireless
devices and the receiver is initiated by pressing a connect button,
first on the receiver and then on the wireless devices, to find a
matching and undistorted transmit code. The cordless devices seem
to cycle through a fixed set of codes every time you press
'connect', and the receiver seems to lock in on the first code
it receives undistorted. No transmitter <-> receiver pair as
sold seems to be hard-coded to match each other. They
simply seem to come out of the fab, and the customer connects them
the first time he uses the set, according to the manual.
This leaves the crucial backdoor of connecting whatever device you
have to whatever receiver you have.
The receiver waits for 30 minutes after initiating a connect for
new devices to sync to it, even if there has already been an
undistorted reception of at least one sync code. An attacker is able
to sniff the connect sequence of a victim's device from afar and to
lock in to the code of the victim's devices, or to take control of a
victim's device.
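The acceptance rule just described (an open 30-minute window plus one undistorted sync code, with no notion of which transmitter sent it) is the whole of the receiver's pairing decision. The following toy model is an added illustration written for this page; it is not Logitech firmware, and the code values, timings and the `window_s` parameter are constructed assumptions. It shows that the receiver still accepts a second, unrelated transmitter ten minutes after the owner's keyboard has synced, and that exposure is governed purely by the length of the window: the same model with a one-minute window (an assumed design variant, not a Logitech feature) rejects the second transmitter.

```python
# Toy model of the connect/pairing behaviour described in the advisory.
# Added illustration, not Logitech firmware. Times are in seconds.
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

CONNECT_WINDOW_S = 30 * 60            # advisory: receiver listens for 30 minutes after 'connect'
CODE_SET = [0x11, 0x22, 0x33, 0x44]   # ASSUMPTION: the real code set and its size are not given


@dataclass
class Transmitter:
    """A cordless device (keyboard or mouse) that cycles through a fixed set of codes."""
    name: str
    position: int = 0                 # index into CODE_SET, advances on every 'connect' press

    def press_connect(self) -> int:
        code = CODE_SET[self.position % len(CODE_SET)]
        self.position += 1
        return code


@dataclass
class Receiver:
    """Receiver that accepts any undistorted sync code while its connect window is open."""
    window_s: float = CONNECT_WINDOW_S
    opened_at: Optional[float] = None
    # (time, code, device name) for every sync the receiver has accepted
    accepted: List[Tuple[float, int, str]] = field(default_factory=list)

    def press_connect(self, now: float) -> None:
        self.opened_at = now
        self.accepted.clear()

    def window_open(self, now: float) -> bool:
        return self.opened_at is not None and now - self.opened_at < self.window_s

    def hear_sync(self, now: float, device: Transmitter, code: int, undistorted: bool) -> bool:
        # The receiver cannot tell whose transmitter sent the code: an open window
        # and a clean reception are its only acceptance criteria, and a sync that
        # already happened does not close the window.
        if not self.window_open(now) or not undistorted:
            return False
        self.accepted.append((now, code, device.name))
        return True


def run_scenario(window_s: float) -> List[str]:
    """Owner's keyboard syncs 5 s after the receiver's connect button is pressed; a
    second, unrelated transmitter presses 'connect' ten minutes later. Returns the
    names of the transmitters the receiver ended up accepting, in order."""
    rx = Receiver(window_s=window_s)
    owner = Transmitter("owner-keyboard")
    other = Transmitter("other-keyboard")    # constructed: any transmitter of the same model
    rx.press_connect(now=0.0)
    rx.hear_sync(5.0, owner, owner.press_connect(), undistorted=True)
    rx.hear_sync(600.0, other, other.press_connect(), undistorted=True)
    return [name for _, _, name in rx.accepted]


if __name__ == "__main__":
    print("30-minute window:", run_scenario(CONNECT_WINDOW_S))   # both transmitters accepted
    print("1-minute window: ", run_scenario(60.0))               # only the owner's keyboard
```

The model deliberately leaves out everything about radio: the point is that nothing in the pairing logic binds a receiver to a particular keyboard, so whatever shortens or closes the window (or, as the SOLUTION below says, not deploying these sets where keystrokes matter) is the only lever a defender has.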
It is possible to gain access to cordless devices. The keystrokes
may be sniffed in plain, unscrambled text. It is possible for the
victim AND the attacker to read the keystrokes without the victim
noticing the attack, since it is a (mostly, see below)
non-intrusive 'trojanizing', so to say.
To sniff a connection of wireless devices, you need a receiver
from the same manufacturer, same model.
With slight modifications it is possible to extend the range of the
receiver to about 30 m (using an external antenna). This range may
be further extended by using a preamplifier and directional
antennas. It is necessary to 'remotely' make the victim himself
initiate a reconnection of the victim's devices.
This can be done by jamming the signals with any ordinary
CB transceiver, tuned to an appropriate frequency as provided by
Logitech. This is also a way for a brute-force DoS. After the
wireless link has been jammed, the victim wants to re-establish the
(as he thinks) broken connection between the keyboard and the
receiver (this is the only intrusive action to be noticed by the
victim. In most cases, the innocent victim just thinks 'uh, another
interference, let's reconnect...'). He will achieve the reconnection
by 'connecting' the devices, as described in the manual.
The attacker now also has to initiate a connection sequence by
also pressing the 'connect' button on his modified receiver.
Since these receivers wait for 30 minutes for a connect sequence
after pressing the button, it is very likely to phase in to the
victim's keyboard. If the attacker fails, well, he hits the PTT
on his transceiver again. If a successful connection has been
established, the attacker is now able to read the victim's
keystrokes in plain unscrambled text. Starting in the morning, he
will most likely receive logins, passwords and other information.
There's no need to be a genius to interpret what he's receiving.
The attacker's receiver stores the code, so there is always
the possibility to come back some time later and look at what's
going on (unless a new connection procedure has been done
on either side).
SOLUTION
NOT TO USE these devices in security-relevant locations.