Fujitsu LX wireless keyboards are susceptible to keystroke injections, SySS GmbH, a German pen-testing firm revealed today.
The attacks allow a threat actor to beam wireless radio signals to the keyboard’s receiver (USB dongle) and inject rogue keyboard presses on a user’s computer.
Fujitsu was notified of the vulnerability but has not released any firmware patches.
Bug caused by developer blunder
In a report published today, SySS GmbH security researcher Matthias Deeg said the vulnerability is not caused by the keyboard and its USB receiver using weak cryptography. In fact, the two components work via a properly secured communications channel.
Instead, the flaw resides with the USB receiver alone, which besides accepting the keyboard’s encrypted communications also accepts unencrypted data packets that use the format described in a demo design kit that Fujitsu devs appear to have left behind on the USB dongle.
Furthermore, Deeg says that if this keystroke injection attack is also paired with another older Fujitsu wireless keyboard “replay attack” he reported in 2016, a threat actor can “remotely attack computer systems with an active screen lock,” and plant malware on seemingly secure systems.
In an interview today, Deeg told ZDNet that he reported the flaw to Fujitsu in October last year, but has not heard from the company since October 30.
“In my communication with Fujitsu regarding the keystroke injection vulnerability, I did not receive any feedback regarding a patch for this security issue,” the researcher told us when when we inquired if Fujitsu intimated that a fix might be released in the future, even after his public disclosure.
Chances for a firmware patch are really slim. Deeg also told ZDNet that Fujitsu haven’t even patched the 2016 vulnerability, let alone provide a timeline for this last one.
In a response provided at the time and that Deeg shared with ZDNet, the company didn’t view patching the replay attack as a priority.
Thank you very much for your information about our wireless keyboard. As we have already pointed out, we believe that the described scenario is not easy to perform under real conditions due to the radio protocol used. As mentioned, our product is not destined to sell security, but convenience in the first place (without the security drawbacks of unencrypted wireless keyboards). Any new information and insights will be incorporated into the already planned successor product.
In a demo video the SySS security researcher published on YouTube, the researcher shows off a basic radio hardware rig for pulling off a keystroke injection attack.
The radio gear, as can be seen above, can be easily concealed underneath clothes and a threat actor can inject malware into unattended systems just by walking by targeted computers.
“I do not recommend using this vulnerable keyboard in an environment with higher security demands,” Deeg told us. “And I would advise not using it in exposed places where external attackers may come easily in the 2.4 GHz radio communication range of the wireless keyboard.”
“And if I was a company or a public authority and I didn’t trust the people having access to my premises, like employees, contractors, or visitors, I would also not use vulnerable keyboards with my computer systems,” Deeg said.
The researcher also added that the best mitigation would be for companies to deploy extensive controls of where wireless keyboards should be used.
Other models most likely impacted
Deeg tested only a Fujitsu LX901 wireless mouse and keyboard set, however he said that other LX models are most likely impacted as well.
“It is possible that the other available wireless desktop set Fujitsu Wireless Keyboard Set LX390 uses the same 2.4 GHz radio technology and is also affected by a keystroke injection and/or replay vulnerability. I have only tested the LX901, because in our previous research project “Of Mice and Keyboards: On the Security of Modern Wireless Desktop Sets” my colleague Gerhard Klostermeier and I only analyzed wireless desktop sets using AES encryption.”