Security Week 12: Keyboard Attacks
When we wrote about vulnerabilities in NVIDIA drivers, we should have mentioned that, more often than not, the extra attack surface on a system comes not from the video card but from a wireless keyboard and mouse. Recently, researchers from the German company SySS found a problem in the Fujitsu LX901 keyboard set (news, original report).
The researchers found that the USB receiver communicates with the keyboard over an encrypted channel but is also able to accept unencrypted data, and in that mode it passes keystrokes to the computer as if they came from the original keyboard. This is far from the only vulnerability of this kind; similar ones were found earlier in devices from Microsoft, Logitech and many others. There is no fix yet for the Fujitsu set.
The (not very informative) video shows characters being sent to a computer with a custom radio transmitter that works from up to 150 meters away. The researchers used a universal Chinese radio module costing about $30, with modified firmware. The key requirement for a successful attack is to use the same radio chip (CYRF6936) as the original receiver of the wireless keyboard. Data is sent in the same frame format, but without encryption or any authorization, and the receiver's configuration allows that.
The result is, in theory, full control over the system. The drawback of the attack is that the computer's owner can notice it, but here another vulnerability in the same keyboard, discovered in 2016 (short description), helps the attacker: although traffic between the original keyboard and the receiver is encrypted, it can be captured while, for example, the password is typed to unlock the computer, and replayed later to get into the system. In other words, encryption alone does not help if the receiver does not check that each frame it accepts is fresh.
In response to the publication of that earlier issue, Fujitsu replied that the likelihood of a successful attack was low. In general, they are right: there are still plenty of ways to break into a computer without radio modules and without having to be within a short distance of the target.
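Both weaknesses described above, a receiver that accepts unencrypted frames alongside encrypted ones and encryption without any replay protection, can be shown in a toy model. The following Python is an added example written for this digest; it is not code from SySS, Bastille or any vendor, and it does not describe any real keyboard protocol. The frame layout (`E`/`P` type byte, 4-byte counter, 8-byte HMAC tag), the toy stream cipher built from SHA-256, the `PAIRING_KEY` value, and the sample keystrokes `hunter2` and `calc.exe` are all constructed assumptions.

```python
"""Toy model of a wireless keyboard receiver (constructed example, not a
real protocol): a legacy receiver that accepts plaintext frames and never
checks freshness, next to a hardened one that refuses both."""
import hashlib
import hmac

# Constructed shared key; a real one would be established at pairing time.
PAIRING_KEY = bytes(range(16))


def _keystream(key: bytes, counter: int, n: int) -> bytes:
    """Toy stream cipher: SHA-256(key || counter), truncated to n bytes."""
    return hashlib.sha256(key + counter.to_bytes(4, "big")).digest()[:n]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypted_frame(key: bytes, counter: int, keys: bytes) -> bytes:
    """Keyboard side. Frame layout: b'E' | counter (4) | ciphertext | tag (8)."""
    body = b"E" + counter.to_bytes(4, "big") + _xor(keys, _keystream(key, counter, len(keys)))
    tag = hmac.new(key, body, hashlib.sha256).digest()[:8]
    return body + tag


def plaintext_frame(keys: bytes) -> bytes:
    """Attacker side: the unencrypted mode needs no key at all."""
    return b"P" + keys


def _open(key: bytes, frame: bytes):
    """Verify the tag and decrypt. Returns (counter, keystrokes) or None."""
    if len(frame) < 13 or frame[:1] != b"E":
        return None
    body, tag = frame[:-8], frame[-8:]
    expected = hmac.new(key, body, hashlib.sha256).digest()[:8]
    if not hmac.compare_digest(expected, tag):
        return None
    counter = int.from_bytes(body[1:5], "big")
    return counter, _xor(body[5:], _keystream(key, counter, len(body) - 5))


class LegacyReceiver:
    """Accepts the plaintext fallback and never asks whether a frame is fresh."""

    def __init__(self, key: bytes):
        self.key = key
        self.typed = []           # what the host would see as keystrokes

    def accept(self, frame: bytes) -> bool:
        if frame[:1] == b"P":     # unencrypted mode: injection needs no key
            self.typed.append(frame[1:])
            return True
        opened = _open(self.key, frame)
        if opened is None:
            return False
        self.typed.append(opened[1])   # valid tag, but possibly a replay
        return True


class HardenedReceiver:
    """Encrypted frames only, and each counter must exceed the last one seen."""

    def __init__(self, key: bytes):
        self.key = key
        self.typed = []
        self.last_counter = -1

    def accept(self, frame: bytes) -> bool:
        opened = _open(self.key, frame)   # plaintext frames fail here
        if opened is None:
            return False
        counter, keys = opened
        if counter <= self.last_counter:  # captured earlier and sent again
            return False
        self.last_counter = counter
        self.typed.append(keys)
        return True


def demo() -> dict:
    """Feed the same three frames to both receivers and return what they accepted."""
    legit = encrypted_frame(PAIRING_KEY, 7, b"hunter2\n")   # user unlocks the PC
    injected = plaintext_frame(b"calc.exe\n")               # attacker, no key
    results = {}
    for name, cls in (("legacy", LegacyReceiver), ("hardened", HardenedReceiver)):
        rx = cls(PAIRING_KEY)
        results[name] = {
            "legit": rx.accept(legit),
            "injected_plaintext": rx.accept(injected),
            "replayed": rx.accept(legit),   # the captured frame, replayed
            "typed": list(rx.typed),
        }
    return results


if __name__ == "__main__":
    for name, r in demo().items():
        print(name, r)
```

Running `demo()` shows the legacy receiver typing all three frames, including the injected `calc.exe` and the replayed password, while the hardened one accepts only the first encrypted frame. Two things the toy leaves out that a real design would need: the counter must survive a power cycle on both sides (otherwise the first frames after a restart become replayable), and the key must be unique to each pairing rather than a constant as assumed here.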
Attacks on wireless keyboards and mice have been in the spotlight for years. One of the earlier studies, in 2016, was done by Bastille Networks (the research known as MouseJack): it turned out that the receivers of seven different manufacturers do not encrypt data coming from a wireless mouse. Keyboard traffic is encrypted, but an attacker can connect to the receiver posing as a mouse and send keystrokes, and it works.
Another vulnerability in Logitech keyboards was discovered late last year by the Google Project Zero team, and it looks much like the NVIDIA driver problems. It turned out that the proprietary Logitech Options software could be controlled through a built-in web server with weak authorization: it was enough to lure the user to a prepared site, which could then emulate arbitrary keystrokes. We wrote about this issue in more detail in the blog.
Another issue identified by Bastille Networks in 2016 concerns lesser-known keyboard makers that do not use encryption at all, which allows keystrokes to be intercepted, with obvious consequences. The same study noted that finding vulnerable devices is easy enough; the same is true of the latest Fujitsu vulnerability.
This review of potential problems with wireless keyboards can be closed with a series of tweets about a study that has not yet been published: it claims that the Logitech Unifying receiver can transmit data in both directions. That opens up the possibility of exfiltrating data from a computer that, for example, is not connected to the Internet at all. This scenario requires running malicious code on the target system, but if the keyboard vulnerabilities mentioned above are not patched, that is not difficult.
Problems with wireless keyboards are unlikely ever to be exploited on a large scale; if they are used, it will most likely be in targeted attacks. They have many limitations, but the result can be worth the effort.
In 2016, Chris Rouland of Bastille Networks, speaking at the Kaspersky Security Analyst Summit, outlined the main problem with this class of attacks: system administrators and security experts often do not even have tools to identify such vulnerabilities. Meanwhile, in systems with paranoid security requirements, it is perhaps worth transmitting all data only over wires.
Disclaimer: The opinions expressed in this digest may not always coincide with the official position of Kaspersky Lab. The editors generally recommend treating any opinions with healthy skepticism.