On 08/22/2017 09:33 AM, Mario Castelán Castro wrote:
> On 21/08/17 23:02, Jape Person wrote:
>> The keyboard communications are encrypted, and both mouse and keyboard
>> are rechargeable. But I at least have to check with Cherry support to
>> learn whether or not my new toys are vulnerable. I suspect that they are.
> The problem is that even if the manufacturer assures you that the
> wireless link is secured cryptographically, all you have is their word
> for it. The implementation is very probably unauditable (and even if
> you would not audit it yourself, somebody among the community of users
> probably would do so and report if he found any vulnerability), as
> almost all firmware is.
Hence, why I suspect that they are vulnerable. I bought these things
because my wife trips over her cables 3 or 4 times a day, and wireless
ones are just easier to deal with from a workstation logistics standpoint.
Dummy that I am, I had only considered the issues like password
interception, and had never considered the possibility that an
unencrypted mouse connection would be a path for introducing keystrokes
to the system, though it's a really obvious attack path. Surely proper
design of the transceiver could keep the mouse input from sending
keystrokes, but then I suppose some of the "special features" of the
mouse wouldn't work -- and we couldn't have that, could we?
I'll look into getting the test suite from Bastille to see if I can
figure out how to do some testing on these things to see if they look
vulnerable. Do you really think that this is unauditable? Bastille
claims to have produced Open Source tools for doing just that.
Maybe I'll just use the wireless keyboards and mice to control TVs.
> That is why opaque cryptographic systems can not be trusted. This is
> covered in any practical cryptography book.
Practical cryptography -- isn't that an oxymoron, for most users at
least? People at my lower level of competence are at least aware that
cryptography can be used in a variety of ways. I implemented encrypted
e-mail on my own systems years ago, only to find that I couldn't
persuade even one other among my acquaintances to use it. Not even if I
set it up for them. Some of these folks were medical professionals who
were exchanging the health data of patients among themselves and with
patients -- by e-mail!
In a day when people post their most personal experiences and thoughts
on Facebook or Twitter for everyone to read, most people don't seem able
to comprehend that some of us would prefer not to broadcast our
underwear preferences to the universe.
Thank you very much for your thoughts. They jerked me a little further
back into such reality as I can tolerate.
;-)
JP
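The receiver-side design point Jape raises above (a transceiver that refuses to let a device paired as a mouse deliver keystrokes, and that only trusts keystrokes arriving over the encrypted channel) can be sketched as a policy check. The following Python is an added illustration written for this thread; it is not code from the thread, from Cherry, or from Bastille's tools. The device addresses, capability records, and radio frames are constructed for the example, and real vendor frame formats differ.

```python
"""Receiver-side acceptance policy for a wireless HID dongle, simulated in Python.

Models two defensive rules a transceiver can enforce before forwarding
input to the host:
  1. a device may only send the report types it was enrolled for at pairing
     (so a device paired as a mouse cannot type);
  2. keyboard reports are only trusted when they arrive on the encrypted channel.
All addresses, capability records and frames below are constructed for this
example; they are not taken from any real product's protocol.
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Optional

MOUSE = "mouse"
KEYBOARD = "keyboard"


@dataclass(frozen=True)
class PairedDevice:
    """What the dongle recorded about a device at pairing time."""
    address: bytes
    capabilities: FrozenSet[str]  # report types this device may send


@dataclass(frozen=True)
class Frame:
    """One received radio frame, already parsed into its fields."""
    address: bytes
    report_type: str
    encrypted: bool
    payload: bytes


@dataclass
class Receiver:
    paired: Dict[bytes, PairedDevice] = field(default_factory=dict)

    def pair(self, device: PairedDevice) -> None:
        self.paired[device.address] = device

    def check(self, frame: Frame) -> Optional[str]:
        """Return None if the frame may be forwarded to the host, else the drop reason."""
        device = self.paired.get(frame.address)
        if device is None:
            return "address not paired"
        # Rule 1: a device enrolled as a mouse must not be able to type.
        if frame.report_type not in device.capabilities:
            return "report type not enrolled for device"
        # Rule 2: keystrokes are only trusted from the encrypted channel.
        if frame.report_type == KEYBOARD and not frame.encrypted:
            return "plaintext keyboard report"
        return None


# Constructed device addresses (hypothetical 5-byte radio addresses).
MOUSE_ADDR = b"\x01\x02\x03\x04\x05"
KEYBOARD_ADDR = b"\x0a\x0b\x0c\x0d\x0e"
UNKNOWN_ADDR = b"\xff\xff\xff\xff\xff"


def build_receiver() -> Receiver:
    """Dongle with one mouse and one keyboard paired."""
    rx = Receiver()
    rx.pair(PairedDevice(MOUSE_ADDR, frozenset({MOUSE})))
    rx.pair(PairedDevice(KEYBOARD_ADDR, frozenset({KEYBOARD})))
    return rx


def run_demo() -> Dict[str, Optional[str]]:
    """Feed constructed frames through the policy; None means forwarded."""
    rx = build_receiver()
    frames = {
        "mouse_movement": Frame(MOUSE_ADDR, MOUSE, False, b"\x00\x05\xfb"),
        "keyboard_encrypted": Frame(KEYBOARD_ADDR, KEYBOARD, True, b"\x00\x00\x04"),
        # A keyboard report carrying the mouse's address: blocked by rule 1.
        "keystroke_from_mouse_address": Frame(MOUSE_ADDR, KEYBOARD, False, b"\x00\x00\x04"),
        # Keyboard report that skipped the encrypted channel: blocked by rule 2.
        "keyboard_plaintext": Frame(KEYBOARD_ADDR, KEYBOARD, False, b"\x00\x00\x04"),
        "unpaired_address": Frame(UNKNOWN_ADDR, MOUSE, False, b"\x00\x01\x01"),
    }
    return {name: rx.check(frame) for name, frame in frames.items()}


if __name__ == "__main__":
    for name, reason in run_demo().items():
        print(f"{name:30s} {'forwarded' if reason is None else 'dropped: ' + reason}")
```

The point of the simulation is that the capability check is made against what the dongle learned at pairing, not against anything the frame claims about itself, so the "special features" Jape mentions would have to be enrolled explicitly rather than granted to every device by default.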