I suspect it is the same way as other wireless keyboards and mice (including BT devices) do it - they set the passphrase/PIN in firmware. This is necessary to ensure offices, for example, with several like keyboard and mouse sets don't interfere with other devices (or the computers they are linked to). I currently have 2, but until recently had 3 like Microsoft BT keyboards and mice in my home office - and never had a problem with one keyboard or mouse sending signals to the wrong computer.
This is no different than the SIM cards in cell phones. The number in the SIM is "paired" with the phone company's system, etc. I bought a Logitech mouse which came with a unified receiver (UR) that were already paired. I then bought a kbd with a UR that were also paired but with a different ID #. I can choose to change the kbd to use the UR that came with the mouse (or I can change the mouse to pair with the UR that came with the kbd). I could even swap pairing on a schedule (daily/hourly/15 minutes?) just to mix things up if I was extremely paranoid about Logitech or anyone else trying to hack my system. In my opinion, don't worry about it.
I'm not sure that the swapping you speak of would guarantee protection against a flawed pairing/key-gen scheme. It sounds promising because you would be changing things away from factory settings that could/would be known to the factory (and anyone else who could acquire the info through hacking, paying off a rogue employee, government mandated sharing of info for intercepts, etc). However, the vulnerability might come from the algorithms themselves (rather than the initialization done at the factory) and therefore apply even when a user messes with pairing. At least some of the protocols involved transmit hardware identifiers in the clear, which (alone and/or in conjunction with other in the clear data) might allow for automatic, at-a-distance, recognition of the vulnerable devices and their specific algorithmic vulnerabilities. Even if a field re-pair would be a useful defense, we'd have to focus on the cases where user's do NOT mess with pairing. Which for discussion purposes might be a bank, medical office, or other sensitive information processing business. One thing that has made me a little bit more interested in the possibility of wireless HID vulnerabilities is running into them more often. I've seen more of them in businesses, particularly after remodeling to achieve that minimalist/sterile look.
Well, for sure, where there is genuine sensitive or classified information involved, this is a no-brainer. Use a wired keyboard and mouse and an Ethernet network connection and avoid wireless of any and all kinds. Case solved.
Beware of keystroke loggers disguised as USB phone chargers, FBI warns http://arstechnica.com/security/201...rs-disguised-as-usb-phone-chargers-fbi-warns/
One reason to buy a new keyboard that uses BT encryption. I don't know who makes the keyboards and mice for Microsoft but I have three of these Wireless Comfort Desktop 5050 AES Encryption Keyboard and Mouse Sets and really like them. Do note for that device disguised as a USB phone charger might work in a crowded office environment where there are lots of people coming and going and everyone thinking the charger belongs to coworker. But in a small office or particularly your home, you would probably notice a stranger coming in and plugging in a strange charger into your wall outlet.
