The “encryption” used on each regular keystroke is an XOR of the keystroke with a random one-byte value determined during the initial sync with the receiver. So, if you sniff the handshake, you can decrypt the keystrokes. You really don’t have to, though: there are only 256 possible encryption keys. Using a dictionary file you can check all possible keys and determine the correct one after receiving only 20-50 keystrokes.
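The exhaustive check the paragraph describes, as an added example that is not code from the original post: every one of the 256 candidate key bytes is tried against a captured keystroke stream and scored against a word list, and the correct byte stands out after a few dozen keystrokes. The keystroke text, the key byte and the small word list are all constructed here.

```python
# Added example (not from the original post): why a one-byte XOR "cipher" is
# recoverable from a few dozen keystrokes. The keystroke text, the key byte and
# the word list below are all constructed for this demonstration.

WORDLIST = {"the", "quick", "brown", "fox", "jumps", "over", "lazy", "dog",
            "password", "admin", "login", "hello", "world", "and", "to", "of"}

SAMPLE_KEYSTROKES = b"the quick brown fox jumps over the lazy dog"  # 43 keystrokes
SAMPLE_KEY = 0x5A  # constructed stand-in for the per-session sync byte


def xor_bytes(data: bytes, key: int) -> bytes:
    """Apply the one-byte XOR the post describes; the same op encrypts and decrypts."""
    return bytes(b ^ key for b in data)


def score_candidate(plaintext: bytes) -> int:
    """Count whitespace-separated tokens that appear in the word list.

    Candidate output containing non-ASCII or non-printable bytes cannot be
    typed text, so it scores 0 regardless of what it looks like."""
    try:
        text = plaintext.decode("ascii")
    except UnicodeDecodeError:
        return 0
    if not all(ch.isprintable() or ch in "\r\n\t" for ch in text):
        return 0
    return sum(1 for tok in text.lower().split() if tok in WORDLIST)


def recover_key(ciphertext: bytes) -> tuple[int, int]:
    """Try all 256 key bytes and return (best_key, best_score)."""
    scores = [(score_candidate(xor_bytes(ciphertext, k)), k) for k in range(256)]
    best_score, best_key = max(scores)  # highest score wins; ties go to the larger key
    return best_key, best_score


def demo() -> dict:
    """Encrypt the constructed keystrokes, then recover the key from the capture alone."""
    captured = xor_bytes(SAMPLE_KEYSTROKES, SAMPLE_KEY)
    key, score = recover_key(captured)
    return {"key": key, "score": score, "plaintext": xor_bytes(captured, key)}


if __name__ == "__main__":
    print(demo())
```

With the 43-byte sample, only the true key yields nine dictionary hits; every other byte scores zero because it either breaks the spaces or produces non-printable output.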
What I don’t get is this – who thinks this is good encryption for the real world? Yeah, an XOR is a nice and easy obfuscation, but it is not encryption!
As an industry, we really have to get our heads out of our asses on this. Wireless communication is being used more and more in production environments, and this shit is often way too easy to hack.