-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Advisory ID: SYSS-2016-032 Product: CHERRY B.UNLIMITED AES Manufacturer: Cherry GmbH Affected Version(s): JD-0400EU-2/01 Tested Version(s): JD-0400EU-2/01 Vulnerability Type: Insufficient Protection of Code (Firmware) and Data (Cryptographic Key) Risk Level: Medium Solution Status: Open Manufacturer Notification: 2016-04-22 Solution Date: - Public Disclosure: 2016-07-29 CVE Reference: Not yet assigned Authors of Advisory: Gerhard Klostermeier and Matthias Deeg (SySS GmbH) ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Overview: CHERRY B.UNLIMITED AES is a wireless desktop set consisting of a mouse and a keyboard. The manufacturer describes the product as follows (see [1]): "CHERRY B. UNLIMITED AES combines secure data transmission and an advanced energy supply in a design which has been thought through to the very last detail. For high professional requirements and security both at home and in the workplace." Some of the key benefits of CHERRY B.UNLIMITED AES are (see [2]): * Data transmission using 128-bit encryption, complying to Advanced Encryption Standard (AES) * USB cable charging function for both keyboard & mouse - even when in use * High-quality, pre-charged NiMH batteries from GP with a very low self-discharge * Almost interference-free wireless 2.4 GHz technology (range of up to 10 metres) * 3-button mouse: infrared sensor and adjustable resolution (1,000/2,000 dpi) with ergonomic side panels * Multi-station capability operation of several wireless products in one room * Easy to install, requiring no technical knowledge * Mini USB receiver * Keyboard awarded the "Blauer Engel" environmental seal Due to the insufficient protection of the flash memory of the keyboard and of the USB dongle, an attacker with physical access has read and write access to the firmware and the used cryptographic key. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Vulnerability Details: The SySS GmbH found out that the embedded flash memory of the wireless keyboard CHERRY B.UNLIMITED AES and of the corresponding USB dongle can be read and written via the SPI interface of the used transceivers with an embedded microcontroller nRF24LE1 (keyboard) and nRF24LU1+ (USB dongle) as the flash memory is not protected by the offered read back protection feature (RDISMB - Read DISable Main Block). Thus, an attacker with physical access to the keyboard or the USB dongle can simply read and write the SPI-addressable code and data flash memory. By writing a custom-made firmware to the code flash memory, an attacker can also gain access to all contents of the extended endurance flash memory of the CHERRY B.UNLIMITED AES keyboard that is not directly accessible via the SPI interface and where the AES cryptographic key is stored. Concerning the USB dongle, all data flash memory is accessible via the SPI interface. Thus, no custom-made firmware is required to extract the AES cryptographic key from the USB dongle. By having read and write access to the code and data flash memory, an attacker can either extract the cryptographic key, for instance to perform further attacks against the wireless communication, or modify the firmware or the cryptographic key. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Proof of Concept (PoC): The SySS GmbH could successfully read the contents of the code and data flash memory of the CHERRY B.UNLIMITED AES keyboard and of the USB dongle using the hardware tool Bus Pirate [3] in combination with the software tool nrfprog [4]. For accessing the AES cryptographic key stored in the extended endurance flash memory, the SySS GmbH developed a small firmware for copying the contents of this memory area to the SPI-addressable flash memory from were it could simply be dumped via the SPI interface. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Solution: According to information from the manufacturer Cherry GmbH, the reported security issue will currently not be fixed in affected products. The written statement in German from Cherry GmbH regarding this and other reported security issues is: "Nach Prüfung der von Ihnen festgestellten 'Sicherheitsschwachstellen' haben wir uns dazu entschlossen, die AES Verschlüsselung bis auf weiters nicht weiter mit den Produkt zu promoten. Derzeit arbeiten wir an einem Nachfolgeprodukt. Wie bisher, empfehlen wir Kunden mit hohen Sicherheitsanfordungen ein kabelgebundenes Produkt zu verwenden. Je nach Anforderung, auch mit CC-Zertifizierung." The English translation of this statement is: "We have examined the 'security flaws' you reported to us. As a result, we decided, until further notice, to no longer refer to AES encryption in order to promote the affected product. At the moment, we are currently working on a successor product. As we already did in the past, we recommend to our customers having particularly high security demands using wired products which, depending on the requirements, should be CC certified." ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Disclosure Timeline: 2016-04-22: Vulnerability reported to manufacturer 2016-05-24: Response from manufacturer with information about the reported security issue and rescheduling of the publication date in agreement with the manufacturer 2016-07-04: Received written statement from manufacturer concerning the reported security issue 2016-07-29: Public release of the security advisory ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ References: [1] Data sheet for CHERRY B.UNLIMITED AES http://cherry.de/PDF/EN_CHERRY_B_UNLIMITED_AES.pdf [2] Product website for CHERRY B.UNLIMITED AES http://cherry.de/cid/wireless_keyboards_CHERRY_B_UNLIMITED_AES.htm?rdeLocaleAttr=en&WT.mc_id= [3] Website of Bus Pirate hardware tool http://dangerousprototypes.com/docs/Bus_Pirate [4] nrfprog Github repository https://github.com/nekromant/nrfprog [5] SySS Security Advisory SYSS-2016-032 https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2016-032.txt [6] SySS Responsible Disclosure Policy https://www.syss.de/en/responsible-disclosure-policy/ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Credits: This security vulnerability was found by Gerhard Klostermeier and Matthias Deeg of the SySS GmbH. E-Mail: gerhard.klostermeier (at) syss.de Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Gerhard_Klostermeier.asc Key fingerprint = 8A9E 75CC D510 4FF6 8DB5 CC30 3802 3AAB 573E B2E7 E-Mail: matthias.deeg (at) syss.de Public Key: https://www.syss.de/fileadmin/dokumente/Materialien/PGPKeys/Matthias_Deeg.asc Key fingerprint = D1F0 A035 F06C E675 CDB9 0514 D9A4 BF6A 34AD 4DAB ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Disclaimer: The information provided in this security advisory is provided "as is" and without warranty of any kind. Details of this security advisory may be updated in order to provide as accurate information as possible. The latest version of this security advisory is available on the SySS Web site. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Copyright: Creative Commons - Attribution (by) - Version 3.0 URL: http://creativecommons.org/licenses/by/3.0/deed.en -----BEGIN PGP SIGNATURE----- Version: GnuPG v2 iQIcBAEBCgAGBQJXmxoGAAoJENmkv2o0rU2r8AkQAIZmeRn3i7P5XwBPDJxB4iLC gSR8dAY/MVztzAQ6PkZAjIbEPdS5yuXoCoPs1w/3UIRlPY/2X3whobyh9HuXpBbG C56nr6sa+tyGdTJfCAIVIDDkkMXPC0cI38aA0g6S3wii6JZe4HERwN0Kkw8MXsl8 XsBFK+LiIeHqAhtzor4MjzSWorEuVVYYk6LrDPXc3XWB0izdYwn3PJXoXtJzL7vS +xsoR4uhfXhsPkwILcYdrEaOBHYOezrBqEE3vsRcmXNhUKmY+6+UMfezYX2Oo9Eh yeFjmMQ2AaEroMQIdIgCNF9BNdW0WwuAXX3Zl32EkFDlCP1tRS7oaAvwUWt2gZf/ oKu0Du9VZgDCCCqHn4fQV1SKm9nvFQa06BatYBrYoF90ZLeaoBfQ5i0QzhSGcFn2 SZQ08in9A4yYCwgTr4IfJ3iC+th56FIbWidAqdBxWW5De5kUiLViHLxGdQRc0qHQ eSvpze8katJzHm3GMf+xLRBWY8hJuv5jCf2N3M0UBIKrnmVbdP2+RrNjPITg0tco qXejiyahHlDJeAiy1LaiyDJiqH6Yv5Ttf0zfDAScjPdbl0eNBT1jmWgBvog/oOyz y3xpEWt1cmCScOrHs2gvThWIJ3clwwpV4Vi+CyvS4UFc+2qP7zS7hbY26Smwfkdy w1WUGdWFuJS0FqIrH40F =rWBu -----END PGP SIGNATURE-----