An attacker could, Moser continued, send keystrokes that represent the Windows key, then the "r" key to open Windows' Run command-line interface, then other keystrokes to launch Internet Explorer and download a malicious file from a malware-hosting site. "The user would notice the keystrokes, but you could wait until he stops typing and goes for a coffee. Or until after he leaves for the day if he keeps his computer on." Moser said they've also figured out a way to broadcast the rogue keystrokes, so that any wireless keyboard within range accepts the bogus data.
"Once we understood the signal -- and this was not just about understanding the encryption, but about how the data was configured and transported, because it's completely proprietary -- we were able to not only record the traffic, but also send it out again," said Moser.
Keyboards that communicate via Bluetooth are much more secure, Moser said, because the key must be sniffed at the moment when it's exchanged -- in Bluetooth's case, that's when the keyboard is first paired with the receiver.
Symantec recommended that users consider tossing out wireless keyboards. "[Their] research also suggests that many other keyboards are likely to have the same level of weak encryption," said Symantec researcher Raymond Ball in a warning to customers of the company's DeepSight threat system. "Customers are advised to assess the need for any wireless input device used in a secure environment, not just keyboards. Although wireless input devices are convenient, they are rarely necessary."
The Moser and Schrodel research was completed with help from remote-exploit.org.