lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <31e5dc59-573d-0ffa-1391-206d2b1553e5@syss.de>
Date: Fri, 15 Mar 2019 19:15:23 +0100
From: Matthias Deeg <matthias.deeg@...s.de>
To: <fulldisclosure@...lists.org>
Subject: [FD] [SYSS-2018-033]: Fujitsu Wireless Keyboard Set LX901 -
 Keystroke Injection Vulnerability

Advisory ID: SYSS-2018-033
Product: Wireless Keyboard Set LX901
Manufacturer: Fujitsu
Affected Version(s): Model No. GK900
Tested Version(s): Model No. GK900
Vulnerability Type: Cryptographic Issues (CWE-310)
                    Keystroke Injection Vulnerability
Risk Level: High
Solution Status: Open
Manufacturer Notification: 2018-10-19
Solution Date: -
Public Disclosure: 2019-03-15
CVE Reference: CVE-2019-9835
Author of Advisory: Matthias Deeg (SySS GmbH)

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

Fujitsu Wireless Keyboard Set LX901 is a wireless desktop set consisting
of a mouse and a keyboard.

The manufacturer describes the product as follows (see [1]):

"The Wireless Keyboard LX901 is a top of the line desktop solution
for lifestyle orientated customers, who want only the best for their
desk. This superb keyboard set offers ambitious users more functions,
security and better features than a conventional interface device. It
even includes 2.4 GHz technology and 128 AES encryption for security."

Due to an insecure implementation of the data communication, the
wireless keyboard LX901 is prone to keystroke injection attacks.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

SySS GmbH found out that the wireless desktop set Fujitsu LX901 is
vulnerable to keystroke injection attacks by sending unencrypted data
packets with the correct packet format to the receiver (USB dongle).

The Fujitsu wireless keyboard itself only transmits keystrokes via
AES-encrypted data packets with a payload size of 16 bytes using the
2.4 GHz transceiver CYRF6936 from Cypress Semiconductor (see [2]).

However, the receiver (a.k.a. bridge) of the Fujitsu wireless desktop
set not only processes keyboard data packets encrypted with the correct
shared AES key contained in the keyboard and bridge firmware, but also
unencrypted data packets with the data packet format described in the
CY4672 PRoC LP Reference Design Kit by Cypress Semiconductor (see [3]).

Thus, an attacker is able to send arbitrary keystrokes to a victim's
computer system. In this way, an attacker can remotely take control over
the victim's computer that is operated with an affected Fujitsu LX901
wireless desktop set.

In combination with the replay attack described in the SySS security
advisory SYSS-2016-068 (see [4]), a keystroke injection attack allows to
remotely attack computer systems with an active screen lock, for example
in order to install malware when the target system is unattended.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

The SySS GmbH could successfully perform keystroke injection attacks
against the Fujitsu wireless desktop set LX901 using an in-house
developed firmware for a 4-in-1 wireless module using a CYRF6936
transceiver (see [5]).

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

SySS GmbH is not aware of a solution to the described security issue.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2018-10-19: Vulnerability reported to manufacturer
2018-10-22: Fujitsu confirms receipt of security advisory
2018-10-25: Fujitsu asks for more information about the reported
            security issue
2018-10-26: Provided more information concerning the reported security
            vulnerability to Fujitsu
2018-10-29: Fujitsu asks for more information about the reported
            security issue and proof of attacks (replay and keystroke
            injection)
2018-10-30: Clarified some misunderstandings concerning the replay
            (SYSS-2016-068) and the keystroke injection (SYSS-2018-033)
            vulnerabilities, provided source code of a developed PoC
            tool, and provided videos with proof-of-concept attacks
            exploiting these two security issues
2019-03-15: Public release of security advisory

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Product website for Fujitsu Wireless Keyboard Set

http://www.fujitsu.com/global/products/computing/peripheral/accessories/input-devices/keyboards/wl-keyboard-lx901.html
[2] Datasheet WirelessUSB LP 2.4 GHz Radio SoC (CYRF6936)
    http://www.cypress.com/file/126466/download
[3] CY4672 PRoC LP Reference Design Kit

http://www.cypress.com/documentation/reference-designs/cy4672-proc-lp-reference-design-kit
[4] SySS Security Advisory SYSS-2016-068

https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2016-068.txt
[5] Banggood 4-in-1 RF Transceiver Module

https://www.banggood.com/2_4G-CC2500-A7105-Flysky-Frsky-Devo-DSM2-Multiprotocol-TX-Module-With-Antenna-p-1048377.html
[6] SySS Security Advisory SYSS-2018-033

https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2018-033.txt
[7] SySS Responsible Disclosure Policy
    https://www.syss.de/en/responsible-disclosure-policy/
[8] SySS Proof-of-Concept Video: Fujitsu Wireless Keyboard Set LX901
Keystroke Injection Attack
    https://youtu.be/87jZKTTBdtc

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Matthias Deeg of SySS GmbH.

E-Mail: matthias.deeg (at) syss.de
Public Key:
https://www.syss.de/fileadmin/dokumente/PGPKeys/Matthias_Deeg.asc
Key fingerprint = D1F0 A035 F06C E675 CDB9 0514 D9A4 BF6A 34AD 4DAB

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is"
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of this security advisory is available on the SySS Web
site.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0
URL: http://creativecommons.org/licenses/by/3.0/deed.en



Download attachment "smime.p7s" of type "application/pkcs7-signature" (3954 bytes)


_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ