37

In a situation where an admin will enter sensitive information into a keyboard (the root password), what is the risk that a Bluetooth keyboard (shipped by default with Mac systems these days) would put those passwords at risk?

Another way of asking would be: what security and encryption protocols are used, if any, to establish a Bluetooth connection between a keyboard and host system?

Edit: Final Summary

All answers are excellent. I accepted that which links to the most directly applicable information; however, I also encourage you to read Nathan Adams's response and discussion about security trade-offs.

jhs
  • 1,019

5 Answers

15

http://en.wikipedia.org/wiki/Bluetooth#Security

While Bluetooth has its benefits, it is susceptible to denial of service attacks, eavesdropping, man-in-the-middle attacks, message modification, and resource misappropriation.

fsckin
  • 583
  • 4
  • 9
9

Since most of the answers are 10 years old as of today, here are the 2018 results of some German security researchers on the topic. They claim that modern BT keyboards have their most critical weakness when an attacker manages to get physical access to the device and extracts the crypto keys or is able to eavesdrop during the pairing process.

Here is their paper: https://www.syss.de/fileadmin/dokumente/Publikationen/2018/Security_of_Modern_Bluetooth_Keyboards.pdf

Their summary:

During this research project with a total duration of 15 person-days, SySS GmbH could identify some security issues concerning the three tested Bluetooth keyboards.

The secret pairing information stored on the keyboards can be easily extracted by an attacker with physical access. The credentials in this information can be used to conduct further attacks on the host.

The 1byone keyboard does not require authentication when pairing to a Windows 10 host and the communication of the Microsoft Designer Bluetooth keyboard can be decrypted if an attacker passively eavesdrops on the pairing process.

Furthermore, by continuously sending pairing requests to some operating systems, an attacker can prevent other devices from pairing (denial-of-service).

And here are their key findings: [image]

Edit Oct 2022: For wireless, non-Bluetooth (i.e. radio) keyboards, there is some research by these students of the KTH Royal Institute of Technology. They found severe vulnerabilities for most current wireless keyboards (2022).
http://kth.diva-portal.org/smash/record.jsf?pid=diva2%3A1701492&dswid=-3459

perelin
  • 231
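The finding quoted in the answer above, that one keyboard paired without authentication, shows up on the host as a stored link key of an unauthenticated type. The following is an added example, not code from the answer or from the SySS paper: it assumes a Linux host running BlueZ, which records each classic (BR/EDR) pairing in an `info` file with a `[LinkKey]` section, and classifies the stored `Type` value. The function names, device addresses, names and all-zero keys are constructed for illustration.

```python
import configparser

# Key_Type values of the HCI Link Key Notification event -> (description, verdict)
LINK_KEY_TYPES = {
    0: ("legacy combination key (PIN pairing)", "legacy"),
    1: ("local unit key", "legacy"),
    2: ("remote unit key", "legacy"),
    3: ("debug combination key", "debug"),
    4: ("unauthenticated P-192 key", "unauthenticated"),
    5: ("authenticated P-192 key", "authenticated"),
    6: ("changed combination key", "unknown"),
    7: ("unauthenticated P-256 key", "unauthenticated"),
    8: ("authenticated P-256 key", "authenticated"),
}

def audit_info(text):
    """Classify one BlueZ 'info' file body; returns (name, verdict, detail)."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep BlueZ's case-sensitive key names
    try:
        cp.read_string(text)
        name = cp.get("General", "Name", fallback="(unnamed)")
        if not cp.has_section("LinkKey"):
            return name, "no-link-key", "no [LinkKey] section stored"
        key_type = cp.getint("LinkKey", "Type")
    except (configparser.Error, ValueError):
        return "(unparsed)", "unknown", "missing or malformed data"
    detail, verdict = LINK_KEY_TYPES.get(key_type, ("unrecognised type", "unknown"))
    if verdict == "legacy":
        detail += ", PINLength=" + cp.get("LinkKey", "PINLength", fallback="?")
    return name, verdict, detail

# Constructed sample files: addresses, names and all-zero keys are placeholders.
def _info(name, body):
    return "[General]\nName=%s\n%s" % (name, body)

_KEY = "[LinkKey]\nKey=" + "0" * 32 + "\n"
SAMPLES = {
    "AA:BB:CC:00:00:01": _info("Keyboard A", _KEY + "Type=4\nPINLength=0\n"),
    "AA:BB:CC:00:00:02": _info("Keyboard B", _KEY + "Type=5\nPINLength=0\n"),
    "AA:BB:CC:00:00:03": _info("Keyboard C", _KEY + "Type=0\nPINLength=4\n"),
    "AA:BB:CC:00:00:04": _info("Keyboard D", _KEY + "Type=x\n"),
}

def audit_all(samples):
    return {addr: audit_info(text) for addr, text in samples.items()}

if __name__ == "__main__":
    for addr, (name, verdict, detail) in audit_all(SAMPLES).items():
        flag = "OK  " if verdict == "authenticated" else "WARN"
        print(flag, addr, name, "-", detail)
```

On a real BlueZ host the files are at `/var/lib/bluetooth/<adapter>/<device>/info` and are readable only by root. Bluetooth Low Energy pairings are stored in a `[LongTermKey]` section instead, so this check reports them as `no-link-key`.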
4

I'd suggest looking at this publication by the NIST. It provides some pretty useful information on Bluetooth security. The encryption protocol of Bluetooth is E0, which is 128-bit.

http://csrc.nist.gov/publications/nistpubs/800-121-rev1/sp800-121_rev1.pdf

3

Although Bluetooth may not be the most secure protocol, you have to put things in perspective: Bluetooth has a relatively short transmit range. This means that if you were to use Bluetooth keyboards in a building, a person would have to be in the same room or close to the room to actually do anything malicious.

Just because a certain technology is insecure, doesn't mean that it is useless.

-1

Most Bluetooth keyboards have been tried and tested by manufacturers to make sure they have the least amount of security risks possible. Yet on some wireless keyboards, hackers can install a 'keylogger' onto your device, which intercepts the signal and decrypts the data you are sending through the keyboard.