
Re: USB wireless keyboard in stretch



On 08/22/2017 09:33 AM, Mario Castelán Castro wrote:
> On 21/08/17 23:02, Jape Person wrote:
>> The keyboard communications are encrypted, and both mouse and keyboard
>> are rechargeable. But I at least have to check with Cherry support to
>> learn whether or not my new toys are vulnerable. I suspect that they are.
>
> The problem is that even if the manufacturer assures you that the
> wireless link is secured cryptographically, all you have is their word
> for it. The implementation is very probably unauditable (and even if
> you would not audit it yourself, somebody among the community of users
> probably would do so and report if he found any vulnerability), as
> almost all firmware is.



Hence, why I suspect that they are vulnerable. I bought these things because my wife trips over her cables 3 or 4 times a day, and wireless ones are just easier to deal with from a workstation logistics standpoint.

Dummy that I am, I had only considered the issues like password interception, and had never considered the possibility that an unencrypted mouse connection would be a path for introducing keystrokes to the system, though it's a really obvious attack path. Surely proper design of the transceiver could keep the mouse input from sending keystrokes, but then I suppose some of the "special features" of the mouse wouldn't work -- and we couldn't have that, could we?

I'll look into getting the test suite from Bastille to see if I can figure out how to do some testing on these things to see if they look vulnerable. Do you really think that this is unauditable? Bastille claims to have produced Open Source tools for doing just that.

Maybe I'll just use the wireless keyboards and mice to control TVs.

> That is why opaque cryptographic systems can not be trusted. This is
> covered in any practical cryptography book.


Practical cryptography -- isn't that an oxymoron, for most users at least? People at my lower level of competence are at least aware that cryptography can be used in a variety of ways. I implemented encrypted e-mail on my own systems years ago, only to find that I couldn't persuade even one other among my acquaintances to use it. Not even if I set it up for them. Some of these folks were medical professionals who were exchanging the health data of patients among themselves and with patients -- by e-mail!

In a day when people post their most personal experiences and thoughts on Facebook or Twitter for everyone to read, most people don't seem able to comprehend that some of us would prefer not to broadcast our underwear preferences to the universe.

Thank you very much for your thoughts. They jerked me a little further back into such reality as I can tolerate.

;-)

JP

