Keyboard hijacking and monitoring caused by hard coding channel table and gzll base address.

[sealpp]

Hey there.

I made 2 set of keyboards. When I using them, I find that the two keyboards will interfere with each other when they work at the same time. After further testing, I found that the cause of this problem is hard coding at:

• gzll base address:

  • redox-w-firmware/redox-w-keyboard-basic/main.c

    Line 214 in a193645

    nrf_gzll_set_base_address_0(0x01020304);

  • redox-w-firmware/redox-w-keyboard-basic/main.c

    Line 215 in a193645

    nrf_gzll_set_base_address_1(0x05060708);

  • redox-w-firmware/redox-w-receiver-basic/main.c

    Line 92 in a193645

    nrf_gzll_set_base_address_0(0x01020304);

  • redox-w-firmware/redox-w-receiver-basic/main.c

    Line 93 in a193645

    nrf_gzll_set_base_address_1(0x05060708);

• channel_table

  • redox-w-firmware/redox-w-receiver-basic/main.c

    Line 47 in a193645

    static uint8_t channel_table[6]={4, 25, 42, 63, 77, 33};

  • redox-w-firmware/redox-w-keyboard-basic/main.c

    Line 32 in a193645

    static uint8_t channel_table[3]={4, 42, 77};

  • redox-w-firmware/redox-w-keyboard-basic/main.c

    Line 35 in a193645

    static uint8_t channel_table[3]={25, 63, 33};

Not only the interference between keyboards, but also serious security problems:

• An attacker can use a receiver of the same specification or a receiver with higher power to monitor user keyboard input from a long distance.
• An attacker can use a signal transmitter of the same specification or higher power to control the target host from a long distance.

I think the address and channel should be determined according to user input, and users should be informed of certain security risks.

[mattdibi]

Hi there,
everything you reported is indeed correct and already brought to my attention here and other multiple occasions.

I think the address and channel should be determined according to user input

It is in the form of the hardcoded addresses you linked.

users should be informed of certain security risks.

This is an area that needs improvement for sure. I'll try to update the main docs ASAP.