
Does this apply to all Bluetooth keyboards?

Sounds like some public-key crypto could make it safe: embed some unique keys at manufacturing time and use some small crypto library (like tweetnacl) to communicate and have mutual authentication. For the paranoid there could be a way to update the keys so that not even the vendor can sniff the keystrokes. Isn't there an RFC for something similar?



That's the entire point. The crypto is not very good. Also it doesn't apply to all Bluetooth keyboards because Microsoft uses a proprietary protocol to communicate apparently (at least this series of keyboards).


This is very specifically for Microsoft keyboards. There are multiple bugs that are exploited (both in the $1 receiver chip he's using and the fact that all MS keyboards start with the same bit for their MAC address) that make it very easy in that specific case.

Hold my beer while I perform a table flip and throw away all my Microsoft Wireless Keyboards


Interestingly Microsoft aren't the only manufacturer to use the Nordic chipset for their "proprietary" 2.4GHz keyboards. I believe that Logitech's system is based on the same protocol.

I'm unsure if Logitech keyboards are affected in a similar way. I know that this attack only affects Microsoft keyboards, but they may have similar issues.


Logitech 2.4 GHz keyboards use 128-bit AES [1]

[1] http://www.logitech.com/images/pdf/roem/Logitech_Adv_24_Ghz_...


For some info on Bluetooth, I found this:

https://penturalabs.wordpress.com/2013/09/04/bluetooth-sniff...

https://penturalabs.wordpress.com/2014/02/20/ubertooth-updat...

As far as I can tell, Bluetooth keyboards should be a bit better off. Not sure how the "secure" modes work (presumably some kind of DH-exchange?) - but apparently they're not immune to brute forcing.


I recently switched back to a USB Microsoft Natural keyboard for comfort from multiple versions of Microsoft wireless ergonomic keyboards, but this hack makes me value the wire even more.


You know this'd be a fair bit less complex to implement as a USB hub, right? (for maximum lulz, a powered USB hub with one of these as its power brick!)


The only wireless keyboard I use is for my HTPC... Interesting, and somewhat scary thing. Thinking it would be easy enough to plant other electronics (surveillance devices) in such a thing.


It's a reproduction of a 4-year-old hack

http://www.remote-exploit.org/articles/keykeriki_v2_0__8211_...

It doesn't apply to ANY Bluetooth keyboard, only to some old Microsoft-branded wireless keyboards.


I'm curious if something like this could affect the battery life significantly.


It's passive. The keyboard doesn't know it's being listened to.


No, I meant the preventive measures. Would encryption be such a big battery-hog that they preferred security through "obscurity" or did they just overlook the fact that those devices were broadcasting users' keystrokes to the open air? It's unjustifiable in either case but just wondering. (BTW I also don't get the down-vote. Did I say something unrelated?)


Ahh right.

The datasheet for the nRF24LE1 talks about its AES encryption/decryption accelerator (section 15) and thermal noise random number generator (section 16), but the power consumption specs (section 26.1) talk about the RNG using 0.5mA and don't even mention the AES hardware (even though they list other modules all the way down to 0.5uA). The RX/TX modules use over 10mA, so an order of magnitude more than the hardware RNG, and possibly 4 orders of magnitude more than the AES hardware.

I doubt the encryption would even register in battery life - completely obscured by the power consumed by the TX/RX modules.

http://www.nordicsemi.com/eng/content/download/2443/29442/fi...



