Through their work, the Dreamlabs team discovered that a wireless keyboard transmits three types of packets. Synchronization packets are generated when the keyboard connects to, and is associated with, a specific receiver, or when the connect button on the keyboard is pressed. Data packets transmit encrypted keystroke information from the keyboard to the receiver, and management packets are used to identify when all keys have been released.
When the keyboard transmits a data packet to the base receiver, only the actual keystroke data is encrypted—both the metaflag (use of Alt, Shift, or Ctrl) and the identifier bits are sent in the clear. The keystroke itself is a one-byte USB HID code, and it is "encrypted" simply by XORing it with a single byte of random data generated when the keyboard synchronizes with the receiver. That key byte is never rotated on a timer; it only changes when the end user reassociates the keyboard.
Because there are only 256 possible key values, intercepted keystrokes can be translated by brute force without any need to actually break the encryption key; the research team was able to decrypt the transmitted data and recover the encryption key within only 20-50 keystrokes. This has the practical effect of rendering keyboard encryption meaningless—it’s literally simpler to ignore it than it is to break it.
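The following toy model, added here as an illustration and not code from the Dreamlabs research, shows why a single-byte XOR key is no obstacle: every one of the 256 candidate keys is tried against the observed bytes, and any candidate that decrypts an observed byte to an implausible HID code (anything other than a letter, digit, Enter or Space in this constructed model) is discarded. The keystroke text, the key byte and the reduced "plausible" code set are constructed for the example; the HID usage values for a-z, 0-9, Enter and Space are the real ones from the USB HID keyboard usage page. Because the plausible set here is smaller than on a real keyboard, the number of keystrokes needed differs from the 20-50 reported above, but the mechanism is the same.

```python
"""Toy model of single-byte XOR keystroke 'encryption' and its elimination by
plausibility filtering. Constructed example: it never touches real hardware or
radio traffic; it only shows how little a 256-value key space protects."""
from typing import List, Optional, Set

# Real USB HID keyboard usage codes for a-z, 1-9 then 0, Enter and Space.
HID_LETTERS = {chr(ord('a') + i): 0x04 + i for i in range(26)}
HID_DIGITS = {str((i + 1) % 10): 0x1E + i for i in range(10)}
HID_ENTER, HID_SPACE = 0x28, 0x2C
HID_FROM_CHAR = {**HID_LETTERS, **HID_DIGITS, '\n': HID_ENTER, ' ': HID_SPACE}

# Constructed "plausible" set: codes a typed sentence is expected to contain.
PLAUSIBLE_CODES: Set[int] = set(HID_FROM_CHAR.values())


def encrypt_keystrokes(text: str, key: int) -> List[int]:
    """Keyboard side of the scheme: each HID code XORed with the one-byte key."""
    assert 0 <= key <= 0xFF
    return [HID_FROM_CHAR[c] ^ key for c in text]


def candidate_keys(ciphertexts: List[int],
                   plausible: Set[int] = PLAUSIBLE_CODES) -> Set[int]:
    """Every key byte under which all observed bytes decrypt to a plausible code.
    With no observations all 256 keys remain; each packet prunes the set."""
    return {k for k in range(256)
            if all((c ^ k) in plausible for c in ciphertexts)}


def keystrokes_needed(ciphertexts: List[int]) -> Optional[int]:
    """Number of data packets after which exactly one key remains, or None
    if the observed traffic never narrows the set to a single key."""
    for n in range(1, len(ciphertexts) + 1):
        if len(candidate_keys(ciphertexts[:n])) == 1:
            return n
    return None


def decrypt_keystrokes(ciphertexts: List[int], key: int) -> str:
    """Receiver side: XOR with the same key byte and map codes back to text."""
    char_from_hid = {v: k for k, v in HID_FROM_CHAR.items()}
    return ''.join(char_from_hid.get(c ^ key, '?') for c in ciphertexts)


if __name__ == '__main__':
    # Constructed sample session: a pangram so every letter code appears.
    KEY = 0x5A
    TEXT = "the quick brown fox jumps over the lazy dog\n"
    packets = encrypt_keystrokes(TEXT, KEY)
    print("key candidates after 1 packet :", len(candidate_keys(packets[:1])))
    print("key candidates after 5 packets:", len(candidate_keys(packets[:5])))
    print("packets until key is unique   :", keystrokes_needed(packets))
    (recovered,) = candidate_keys(packets)
    print("recovered key 0x%02x, text: %r" % (recovered,
                                              decrypt_keystrokes(packets, recovered)))
```

Note that `candidate_keys` never "breaks" anything in a cryptographic sense: it is the same XOR the receiver performs, applied 256 times and filtered by what a keystroke can plausibly be. That is the point the research above makes: a one-byte, never-rotated key gives the encryption no more strength than sending the codes in the clear.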
Weak Encryption in Wireless Keyboards