Wireless keyboards and mice vulnerable
In 2015, the two SySS employees Matthias Deeg and Gerhard Klostermeier started a research project about the security of modern wireless desktop sets using AES encryption, as there was no publicly available data concerning security issues in current wireless mice and keyboards.
Thus, the two IT security consultants have been analyzing modern wireless desktop sets with AES encryption of the manufacturers Microsoft, Cherry, Logitech, Fujitsu, and Perixx for security vulnerabilities during the last couple of months.
Up to now, several and partly critical security vulnerabilities have been found and were reported to affected manufacturers in the course of the SySS responsible disclosure program.
The found security vulnerabilities can be exploited within different attack scenarios from different attacker's perspectives. On the one hand, there are security issues which require one-time physical access to a keyboard or a USB dongle, for example to extract cryptographic keys which can be used in further attacks or to manipulate the firmware. On the other hand, there are security issues that can be exploited remotely via radio communication, for example replay or keystroke injection attacks due to insecure implementations of the AES encrypted data communication.
During this research project, SySS built a proof-of-concept device that can be used to remotely attack a computer system that is operated with an affected wireless desktop set via radio signals. The combination of replay and keystroke injection attack, for instance, allows an attacker from a safe distance to remotely attack computer systems with an active screen lock, for example in order to install malware when the target system is unattended.
So far, the fourteen reported security advisories concerning modern wireless desktop sets with advertised AES encryption of different manufacturers deal with the following security vulnerability types:
- Unencrypted data communication
- Insufficient protection of code (firmware) and data (cryptographic key)
- Missing protection against replay attacks
- Insufficient protection against replay attacks
- Cryptographic issues allowing for keystroke injection attacks
As the responsible disclosure process of eight of the reported security issues is completed according to our responsible disclosure policy, we publish the first results of our research project in form of the following eight security advisories concerning wireless desktop sets of the manufacturers Microsoft, Cherry, Logitech and Perixx:
- SYSS-2016-031: CHERRY B.UNLIMITED AES – Cryptographic Issues (CWE-310), Missing Protection against Replay Attacks
- SYSS-2016-032: CHERRY B.UNLIMITED AES – Insufficient Protection of Code (Firmware) and Data (Cryptographic Key)
- SYSS-2016-038: CHERRY B.UNLIMITED AES – Cryptographic Issues (CWE-310), Keystroke Injection Vulnerability
- SYSS-2016-044: Logitech K520 (Keyboard of Wireless Combo MK520) – Cryptographic Issues (CWE-310), Missing Protection against Replay Attacks
- SYSS-2016-045: Perixx PERIDUO-710W – Insufficient Protection of Code (Firmware) and Data (Cryptographic Key)
- SYSS-2016-046: Perixx PERIDUO-710W – Cryptographic Issues (CWE-310), Missing Protection against Replay Attacks
- SYSS-2016-047: Perixx PERIDUO-710W – Cryptographic Issues (CWE-310), Keystroke Injection Vulnerability
- SYSS-2016-059: Microsoft Wireless Desktop 2000 – Insufficient Verification of Data Authenticity (CWE-345), Mouse Spoofing Attack
The other six security advisories, which amongst others affect a product of the manufacturer Fujitsu, will be publicly disclosed this August and September. Moreover, further results of our research project and technical details will be presented at the IT security conference Ruxcon (22./23. October 2016) and at the Handelsblatt Jahrestagung Cybersecurity 2016 (21./22. November 2016).