Christine Lemmer-Webber

Do you trust wireless input devices on security-critical computers?

4% yeah
57% no and I don't use them
18% no but I use them with anxiety
18% wait why would I worry about this

fwiw, you probably don't need to worry on input devices where you can feasibly flash the firmware. homebrew keyboards and keyboards that support this, you're probably in the clear in terms of security concerns (... I think)

@cwebber

wireless mouse: ehh probably ok
wireless keyboard: what the fuck hell no

@cwebber

If it's just a consumer or basic business class system I would feel alright. But I remember SIPRNet from when I was Air Force. Air-gapped and hardware security everywhere.

If the computer is mission critical high security then a wireless input device is just another potential attack surface you don't need when a wired keyboard and mouse will do.

@cwebber I think the devil is in the details here - exactly what we mean by "security-critical" & the nature of the threats.

@cwebber Part of me feels like if it applies to wireless keyboards it's going to apply to wired ones too given a much better antenna.

@cwebber wired keyboard. unfortunately the only ergonomically-acceptable-to-me pointing devices are all wireless.

@cwebber This unlocked the memory of me reading the warning in the manual for Phantasy Star Online for Gamecube about using a wireless controller when inputting your account password.

@cwebber https://zmk.dev/docs/features/bluetooth

ZMK documents security concerns around Bluetooth connections.

TL;DR: there are no known vulnerabilities after a bond has been made - a bond should be made in a controlled environment to avoid MITM

@cwebber
My first thought was casual eavesdropping, but evil firmware is certainly a concern! Now you bring it up I can 100% see the business case for slurping up everything your customers type.

@lanodan true for eavesdropping, but is it true for pushing inputs?

@cwebber Oooh… haven't thought of that one before, that's probably a *lot* harder if not straight up impossible

@cwebber probably. But why take the risk? Corded mice and kbs are cheap.

@cwebber on a security critical computer (and also my own) i use wired input only, bluetooth is horribly insecure anyways and i'd rather just wire everything, i'm doing the same when my airpods die out and getting anc wired earbuds cuz i don't want to use wireless input/output where possible

@cwebber even if the mouse protocol is insecure I lock my devices when I'm not there so you can only engage in active attacks and only if you can pull up the onscreen keyboard

@cwebber the most security-critical way to use a computer is without an input device

@cwebber @trwnh I have an alternative suggestion for absolute maximum security:

Have you tried turning it off and never turning it on again?

@ElliesSurviving @cwebber > anc wired earbuds

Offtopic, do you know of any good ones? It's not that hard to get a nice wired mouse and keyboard, but these days it's really hard to find a good wired headphone or earbuds, almost everything is wireless only now and 3.5 mm port is long gone in most devices :(

@datarama @cwebber well, that would be non-use. i am being somewhat facetious but "use without input" would be like configuring some automated services and then disconnecting everything

@tris @cwebber unfortunately can't give suggestions yet as i haven't personally started looking, sorry

@trwnh @datarama How many automated services do you use that, once configured, take no inputs?

@trwnh and no mic just in case the OS comes with some AI "personal assistant". @cwebber

@cwebber I use USB keyboard and mouse. I'd not considered security, I find it more convenient not having to ever think about charging.

@cwebber @trwnh @datarama my Christmas lights do a nice job of blinking forever after I configure them!!

@cwebber Even if there are no known or likely vulnerabilities it is that greatest demon of Additional Complexity. The benefits are absolutely not worth it.

@darius @cwebber @trwnh The timer for my pet lizard's lighting and heat *almost* doesn't take other inputs than electricity after I've configured it! ("Almost" because I reconfigure it twice a year, due to switches to and from daylight savings time).

But, well, it's not really a computer in any non-ridiculous sense.

@cwebber I pretty much only use wireless input devices (IR remote and ps5 gamepad) with the little PC hooked up to the TV for video playback and such.

Beyond any security implications, I just really never want to worry about charging or replacing *more* batteries in my day-to-day computing experience, much less RF interference/flakiness issues.

Fwiw I don't use wireless inputs on security-critical computers myself. It's not that I'm completely convinced that they can't be safe, it's that I'm not convinced enough that I could keep the firmware updated and research the topic to the degree required

@cwebber Related: almost everything in the house is on actual wired ethernet. Wifi is the domain of the phone, tablet, and laptop (which moves from room to room), not the workstation, fileserver, game console, printer, test instruments, etc.

@cwebber kinda but i am thoroughly air gapped and keep the dongles behind a physical switch just in case

@cwebber not even WiFi on security-critical machine, wired ethernet only. Portable router connects to wifi and tether via ethernet to machine when needed.

@lanodan @cwebber intuition says you'd cook nearby electronics / wires before you could induce stuff

@cwebber they are verboten in my workplace

@cwebber I don’t have security critical computers, probably

@cwebber Does SSH from another computer over wifi count? I answered "no and I don't use them" thinking of bluetooth keyboards/mice, but I do use SSH over wifi.

@cwebber I have worked in a Faraday cage because of tempest. I don’t even trust wired input devices.😉

But I do trust wireless input devices as much as any other component in a secure environment.

https://en.wikipedia.org/wiki/Tempest_(codename)

@cwebber
Security and wireless are things you should not mix in my opinion

@MartyFouts @cwebber This. Most wires are just wireless with a low range and no security because it's "not wireless," but I find wires convenient for knowing what's attached to what.

@cwebber
Eventually I'm going to migrate my Logitech keyboards and mice to Bolt versions, but it's really hard when the insecure models are so damned cheap, and the Bolt models are so damned expensive.

@cwebber other, "trust" is relative to an environment. If I'm in an environment where a wireless device would be a concern, I shouldn't be touching anything sensitive there because I assuredly have bigger concerns.

@cwebber Adding Yet More Firmwares to the device chain is a consideration. But these days wired devices, or even cables themselves, can't be fully trusted regarding that. There are no absolutes.

@tris If you’re good with headphones, I like the ones I picked up from Audio Technica. I’ve been using my pair for probably 7+ years now, no issues other than the vinyl(?) covering wearing off the headband and ear pads, and the wire’s replaceable if it ever gives out on you.

Though I just realized I missed the ANC part - when I was looking last, ANC and wired seemed to be mutually exclusive, unfortunately.

@cwebber
I plugged a cheap wired keyboard into a USB 3 port on a raspberry Pi 4 and knocked out my entire ZigBee network...

I guess if I were really security needy I would prefer a modern encrypted low powered bluetooth signal to a cheap wired keyboard radiating who knows what strong enough to knock out a local area ZigBee net.

Ideally I'd probably use an explicitly shielded USB 2 keyboard

@cwebber Shit, I never seriously thought about this. I use a wireless mouse and keyboard.

@cwebber essentially any input devices have issues, keyboards make noise which can be analyzed, wireless ones leak information (ignoring encryption), wired ones leak information through radiation from the cable, etc.

I guess it's easier to snoop on the wireless ones though from far away
