-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Advisory ID: SYSS-2018-033 Product: Wireless Keyboard Set LX901 Manufacturer: Fujitsu Affected Version(s): Model No. GK900 Tested Version(s): Model No. GK900 Vulnerability Type: Cryptographic Issues (CWE-310) Keystroke Injection Vulnerability Risk Level: High Solution Status: Open Manufacturer Notification: 2018-10-19 Solution Date: - Public Disclosure: 2019-03-15 CVE Reference: CVE-2019-9835 Author of Advisory: Matthias Deeg (SySS GmbH) ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Overview: Fujitsu Wireless Keyboard Set LX901 is a wireless desktop set consisting of a mouse and a keyboard. The manufacturer describes the product as follows (see [1]): "The Wireless Keyboard LX901 is a top of the line desktop solution for lifestyle orientated customers, who want only the best for their desk. This superb keyboard set offers ambitious users more functions, security and better features than a conventional interface device. It even includes 2.4 GHz technology and 128 AES encryption for security." Due to an insecure implementation of the data communication, the wireless keyboard LX901 is prone to keystroke injection attacks. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Vulnerability Details: SySS GmbH found out that the wireless desktop set Fujitsu LX901 is vulnerable to keystroke injection attacks by sending unencrypted data packets with the correct packet format to the receiver (USB dongle). The Fujitsu wireless keyboard itself only transmits keystrokes via AES-encrypted data packets with a payload size of 16 bytes using the 2.4 GHz transceiver CYRF6936 from Cypress Semiconductor (see [2]). However, the receiver (a.k.a. bridge) of the Fujitsu wireless desktop set not only processes keyboard data packets encrypted with the correct shared AES key contained in the keyboard and bridge firmware, but also unencrypted data packets with the data packet format described in the CY4672 PRoC LP Reference Design Kit by Cypress Semiconductor (see [3]). Thus, an attacker is able to send arbitrary keystrokes to a victim's computer system. In this way, an attacker can remotely take control over the victim's computer that is operated with an affected Fujitsu LX901 wireless desktop set. In combination with the replay attack described in the SySS security advisory SYSS-2016-068 (see [4]), a keystroke injection attack allows to remotely attack computer systems with an active screen lock, for example in order to install malware when the target system is unattended. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Proof of Concept (PoC): The SySS GmbH could successfully perform keystroke injection attacks against the Fujitsu wireless desktop set LX901 using an in-house developed firmware for a 4-in-1 wireless module using a CYRF6936 transceiver (see [5]). ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Solution: SySS GmbH is not aware of a solution to the described security issue. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Disclosure Timeline: 2018-10-19: Vulnerability reported to manufacturer 2018-10-22: Fujitsu confirms receipt of security advisory 2018-10-25: Fujitsu asks for more information about the reported security issue 2018-10-26: Provided more information concerning the reported security vulnerability to Fujitsu 2018-10-29: Fujitsu asks for more information about the reported security issue and proof of attacks (replay and keystroke injection) 2018-10-30: Clarified some misunderstandings concerning the replay (SYSS-2016-068) and the keystroke injection (SYSS-2018-033) vulnerabilities, provided source code of a developed PoC tool, and provided videos with proof-of-concept attacks exploiting these two security issues 2019-03-15: Public release of security advisory ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ References: [1] Product website for Fujitsu Wireless Keyboard Set http://www.fujitsu.com/global/products/computing/peripheral/accessories/input-devices/keyboards/wl-keyboard-lx901.html [2] Datasheet WirelessUSB LP 2.4 GHz Radio SoC (CYRF6936) http://www.cypress.com/file/126466/download [3] CY4672 PRoC LP Reference Design Kit http://www.cypress.com/documentation/reference-designs/cy4672-proc-lp-reference-design-kit [4] SySS Security Advisory SYSS-2016-068 https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2016-068.txt [5] Banggood 4-in-1 RF Transceiver Module https://www.banggood.com/2_4G-CC2500-A7105-Flysky-Frsky-Devo-DSM2-Multiprotocol-TX-Module-With-Antenna-p-1048377.html [6] SySS Security Advisory SYSS-2018-033 https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2018-033.txt [7] SySS Responsible Disclosure Policy https://www.syss.de/en/responsible-disclosure-policy/ [8] SySS Proof-of-Concept Video: Fujitsu Wireless Keyboard Set LX901 Keystroke Injection Attack https://youtu.be/87jZKTTBdtc ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Credits: This security vulnerability was found by Matthias Deeg of SySS GmbH. E-Mail: matthias.deeg (at) syss.de Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Matthias_Deeg.asc Key fingerprint = D1F0 A035 F06C E675 CDB9 0514 D9A4 BF6A 34AD 4DAB ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Disclaimer: The information provided in this security advisory is provided "as is" and without warranty of any kind. Details of this security advisory may be updated in order to provide as accurate information as possible. The latest version of this security advisory is available on the SySS Web site. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Copyright: Creative Commons - Attribution (by) - Version 3.0 URL: http://creativecommons.org/licenses/by/3.0/deed.en -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEE0fCgNfBs5nXNuQUU2aS/ajStTasFAlyL6w8ACgkQ2aS/ajSt TavPNg/9H2oVK0x77Ts7hKNAW2QhXF2swtWnEq93uwjaB376JEItKUlSYPhsqvof ImSyLpTGizrSwWJdQCl1b9RaB/D4OboqEAAcev/ORl0PfuGTpW0Yoa5JA4R0b5QX srMXyhDp1oZbc53M7Pt0L4yRfjwxU11ixme3hKh3EYSmaltVIpNQFMKX169cH+G+ rD3fP5J2I5rB2xPovWPSGApLmKBPH6CsTcWCjwRrKBa9Nay/kI3u0JOOJZsvjO2Y NXdB6GZcjt5MTCkWEU9qodHuUmFIU9mWdUs2wyn2FuloDhiKn+gQWjJ7zHrj0/LU OboJHN/7HM8rqc5Gnnspxtl4ODU8mpV2MnFuWgE8z+wdtANOcyOinw0Ea4DWUgns ZznJ6KinsI5Hz8zsUYGjObUMwez7RSD/jhlGMDHAteJB+Wx8kZOpf+jlCafEpSB0 4CvDeJqPN2QLRtIyhdfcDtu7W/ol95GzCLIAW1z9qXHQKSZo12SqQyWlEK/fIqNw HMELDJfOzhdf0haYv7v9VL8x05CBX6JAWrouktpR7kvHVVP5TSqaAIsfiPbG/m1x G15xjuTse/dzQediVq9P7TIy/nnNNLUvWaQQLcVXXxgsYFCWwLKnaUdwPe+VWl5e DJ7ASTf/B+91nCjDy0sqUBs9ktcKysTWP0AvsVcd2hQIWcaBqco= =RlSr -----END PGP SIGNATURE-----