PCI and the "other wireless"

From the “never been asked that question before” files, I recently had a client who wanted to know about wireless keyboards and whether they are in-scope for PCI. There are no PCI requirements that address keyboards or other wireless peripherals (though you could make a case that some keyboards transmit unencrypted cardholder data over ‘open, public networks’). Just to double check, I reread the Security Standards Council’s Wireless Special Interest Group publication on wireless best practices and PCI; the guidelines are geared towards 802.11 WLANs and specifically exclude Bluetooth. Wireless keyboards are ubiquitous; there is a reasonable chance your organization is using them as the interface to a POS application or virtual terminal. The input could include customer name, expiration, PAN, and CVV. As we typically wouldn’t pay much attention to the peripherals that we type this data on, the question got me thinking about how much we take technology (and its security through obscurity) for granted. I did some exhaustive research on the subject (at least 5 minutes searching Google) and easily found some real world examples of wireless keyboard sniffing techniques; though not currently a prevalent attack, it is quite feasible to intercept the output from a wireless keyboard without leaving fingerprints behind. Unlike traditional keystroke loggers and screen scrapers, which can often be detected by antimalware applications, wireless attacks are transparent and do not require physical or logical access to target machines. One of the more advanced tools out there is on Remote Exploit’s site, called KeyKeriki. This is a combination of hardware/software that targets the wireless signals from 27MHz keyboards (there’s a 2.7 GHz version on the way, too) and can capture or output the keystrokes. The hardware looks simple to build and includes an SDCard for logging; additionally, the software can do decryption of some weak XOR-based encryption on the fly (it takes about 40 keystrokes to get enough data to decipher the stream in real-time). I don’t want to go too far down the rabbit hole here as you can’t defend against every attack vector (PCI doesn’t address TEMPEST or Van Eck phreaking either), but there are some simple steps that can be taken to reduce the risk of compromise:

  • Include standards for input devices in your list of approved hardware; pick keyboards that use strong cryptography to transmit data.
  • It looks like many of the exploits are written to take advantage of certain vendor’s keyboards (I’m looking at you, Logitech and Microsoft…). Do some research when purchasing wireless keyboards to see if their communications security has already been compromised.
  • If you do have a need for wireless input devices, consider using Bluetooth, which offers some protection through the use of a PIN and a custom SAFER+ block cipher implementation. Check the footnote for a good publication on Bluetooth and security from NIST.
  • Drink plenty of coffee and/or adult beverages of your choice before typing credit card numbers. The resultant twitching/lack of coordination will make it more difficult for a malicious user to extract useful information from your typing. Bonus: it’s fun.
  • Consider using wired keyboards for virtual terminals and POS workstations. Remember those things?


Discover why security operations teams choose NetSPI.