Thursday, February 11, 2010

Insecure As Designed: Logitech's Touch Mouse application

Logitech recently introduced a handy application that converts an iPhone into a Wi-Fi-enabled mouse and virtual keyboard. The TouchMouse app is available for free, and has both Windows and MacOS clients, making it a neat way to control a home theater PC or any other system that you want to interact with from across the room.

Unfortunately, it isn't an app that I can recommend to most users because it is insecure as designed. The first thing I noted after starting the app and linking it to a PC was that there was no authentication. Any TouchMouse user can connect to any other TouchMouse system that they can find.

That's bad enough with a mouse, but add the keyboard and you're in interesting territory. If the application had some form of authentication, even at the simple level of a Bluetooth bonding-style code, my next step would have been to sniff the traffic between the devices to make sure that it was encrypted. Without any form of encryption, I stopped there. Some applications disqualify themselves right away...

