Preface:
All information provided is based on the devices tested. We cannot say whether other sets, sold elsewhere, are vulnerable or not.
Device(s) tested:
Logitech Cordless Desktop, sold in Germany.
Keyboard: M/N: Y-RC14
P/N: 867097-0102 125283-401A
S/N: MCU04607129
Working at 27.145 MHz
in combination with several other devices from Logitech, sold in Germany.
These devices transfer data (mouse movements, keystrokes) wirelessly via RF. Modulation is very likely AM; multiplexing is done by a kind of CDMA (imho).

The synchronisation between the wireless devices and the receiver is initiated by pressing a connect button, first on the receiver and then on the wireless device, to find a matching and undistorted transmit code. The cordless devices seem to cycle through a fixed set of codes every time you press 'connect', and the receiver seems to lock in on the first code it receives undistorted.

A transmitter/receiver pair as sold does not seem to be hard-coded to match each other. They simply come out of the fab, and the customer connects them the first time he uses the set, according to the manual. This leaves the crucial backdoor: whatever device you have can be connected to whatever receiver you have.
Problem:
After a connect has been initiated, the receiver waits 30 minutes for new devices to sync to it, even if it has already received at least one sync code undistorted.

An attacker is able to sniff the connect sequence of a victim's device from a distance and to lock in to the code of the victim's device, or to take control of a victim's device.
Impact:
It is possible to gain access to cordless devices. The keystrokes may be sniffed in plain, unscrambled text.

Both the victim AND the attacker can read the keystrokes, without the victim noticing the attack, since it is a (mostly, see below) non-intrusive 'trojanizing', so to say ;-).
Exploit:
To sniff a connection of wireless devices, you need a receiver from the same manufacturer, same model.

By slight modifications it is possible to extend the range of the receiver to about 30 m (using an external antenna). This range may be further extended by using a preamplifier and directional antennas.

It is necessary to 'remotely' make the victim initiate a reconnection of his own devices. This can be done by jamming the signals with any ordinary CB transceiver, tuned to an appropriate frequency as provided by Logitech. This is also a way to do a brute-force DoS. After the wireless link has been jammed, the victim wants to re-establish the (as he thinks) broken connection between the keyboard and the receiver (this is the only intrusive action the victim may notice; in most cases, the innocent victim just thinks 'uh, another interference, let's reconnect...'). He will achieve the reconnection by 'connecting' the devices, as described in the manual.
The attacker now also has to initiate a connect sequence by pressing the 'connect' button on his modified receiver. Since these receivers wait 30 minutes for a connect sequence after the button is pressed, the attacker's receiver is very likely to phase in to the victim's keyboard. If the attacker fails, well, he hits the PTT on his transceiver again.

Once a connection has been established, the attacker is able to read the victim's keystrokes in plain, unscrambled text. Starting in the morning, he will most likely receive logins, passwords and other information. There is no need to be a genius to interpret what he is receiving.

The attacker's receiver stores the code, so there is always the possibility to come back some time later and see what's going on (unless a new connect procedure has been done on either side).
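The connect/lock-in behaviour described above (the sync procedure, the 30-minute window in the Problem section, and the Exploit steps), as an added example that is not part of the original advisory: a Python model of one keyboard and two same-model receivers, one the victim's and one the attacker's. The frame layout (code, payload, checksum), the size of the fixed code set and the checksum that stands in for "undistorted" are assumptions; the real over-the-air format is not described on this page. The model shows why the 30-minute window makes the lock-in reliable, that any receiver holding the code reads the keystrokes in the clear, that the stored code goes stale after a later reconnect, and, going beyond the advisory's own scenario, the reverse case, where a second keyboard takes over the victim's receiver during the victim's own window (the 'take control' case the Problem section mentions).

```python
# Added example, not from the original advisory: a constructed model of the
# connect/lock-in behaviour it describes. The frame layout, the size of the
# code set and the checksum that stands in for "undistorted" are assumptions.
from dataclasses import dataclass
from typing import Optional

CONNECT_WINDOW = 30 * 60         # seconds a receiver keeps accepting sync codes
CODE_SET = list(range(1, 17))    # assumed fixed set of transmit codes


def checksum(code: int, payload: str) -> int:
    return (code + sum(payload.encode())) & 0xFF


@dataclass
class Frame:
    code: int        # the only thing binding a frame to a receiver
    payload: str     # keystrokes, in the clear
    check: int

    def intact(self) -> bool:
        return self.check == checksum(self.code, self.payload)


def make_frame(code: int, payload: str) -> Frame:
    return Frame(code, payload, checksum(code, payload))


def jam(frame: Frame) -> Frame:
    """A CB transmitter on the frequency: the frame arrives, but distorted."""
    return Frame(frame.code, frame.payload, frame.check ^ 0xFF)


class Keyboard:
    def __init__(self) -> None:
        self.idx = 0

    def press_connect(self) -> Frame:
        """Step to the next code in the fixed set and announce it."""
        self.idx = (self.idx + 1) % len(CODE_SET)
        return make_frame(CODE_SET[self.idx], "SYNC")

    def type(self, text: str) -> Frame:
        return make_frame(CODE_SET[self.idx], text)


class Receiver:
    def __init__(self) -> None:
        self.code: Optional[int] = None
        self.window_end = -1.0

    def press_connect(self, now: float) -> None:
        self.window_end = now + CONNECT_WINDOW

    def hear(self, frame: Frame, now: float) -> Optional[str]:
        """Accepted payload, "LOCKED" for a sync taken, None if ignored."""
        if not frame.intact():
            return None                      # distorted: dropped
        if frame.payload == "SYNC":
            if now > self.window_end:        # window closed: sync ignored
                return None
            self.code = frame.code           # re-locks on every clean sync
            return "LOCKED"                  # for the whole 30 minutes
        return frame.payload if frame.code == self.code else None


def run_attack() -> dict:
    """Jam, wait for the victim to reconnect, lock in with a second receiver."""
    kb, victim, attacker = Keyboard(), Receiver(), Receiver()
    victim.press_connect(0.0)
    victim.hear(kb.press_connect(), 1.0)                    # first-use pairing
    r = {"before": attacker.hear(kb.type("hello"), 2.0)}    # wrong code: nothing
    r["jammed"] = victim.hear(jam(kb.type("hello")), 3.0)   # PTT pressed
    attacker.press_connect(4.0)                             # attacker's window opens
    t = 600.0                                               # victim reconnects
    victim.press_connect(t)
    sync = kb.press_connect()
    victim.hear(sync, t + 1)
    attacker.hear(sync, t + 1)                              # same clean sync frame
    login = kb.type("login: alice")
    r["victim"] = victim.hear(login, t + 2)
    r["attacker"] = attacker.hear(login, t + 2)
    r["same_code"] = victim.code == attacker.code
    t = 4000.0                   # a later reconnect, after the attacker's window
    victim.press_connect(t)
    sync = kb.press_connect()
    victim.hear(sync, t + 1)
    r["late_sync"] = attacker.hear(sync, t + 1)             # ignored: window over
    r["after_repair"] = attacker.hear(kb.type("secret"), t + 2)   # stale code
    return r


def hijack_receiver() -> dict:
    """The victim's own window works the other way round too: for 30 minutes
    the receiver re-locks on any clean sync, so a second keyboard can take it."""
    kb, rogue, victim = Keyboard(), Keyboard(), Receiver()
    victim.press_connect(0.0)
    victim.hear(kb.press_connect(), 1.0)
    rogue.press_connect()
    rogue.press_connect()                                   # move to another code
    victim.hear(rogue.press_connect(), 60.0)                # inside the window: taken
    return {"injected": victim.hear(rogue.type("injected"), 61.0),
            "original": victim.hear(kb.type("real"), 62.0)}
```

The design point the model makes explicit: the code is an address, not a key. Nothing in `Receiver.hear` checks who sent a sync or who holds a code, so the only thing standing between the attacker and the keystrokes is being in connect mode when the victim reconnects, which the 30-minute window makes easy to arrange.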
Solution:
We strongly advise NOT TO USE these devices in security-relevant locations. In case cordless devices are absolutely necessary, we strongly advise using either infrared devices or waiting for manufacturers to supply 'hardened' devices.
Vendor-Status:
Informed. No reaction yet.

Details about this exploit, especially the modification to the receiver to extend the range, can be found at our homepage www.daten-treuhand.de.
Legal Notice:
This Advisory is Copyright (c) 2001 Daten-Treuhand.de and Axel Hammer. You may distribute it unmodified. You may not modify it and distribute it, or distribute parts of it, without the author's written permission.
Disclaimer:
In no event shall the author be liable for any damages whatsoever arising out of or in connection with the use of this information. Any use of this information is at the user's own risk and for informational purposes only.

All trademarks are properties of their respective holders and are fully respected.
Sincerely yours,
Axel Hammer
daten-treuhand.de