Fujitsu wireless keyboard vulnerable to keystroke injection attack
A German security researcher has discovered and released
information on a flaw in an otherwise secure wireless keyboard that could allow
an attacker to inject keystrokes and take over a computer.

Matthias Deeg with SySS in October found a flaw, CVE-2019-9835,
in the receiver of Fujitsu’s Wireless Keyboard Set LX901 that allows it to receive and
act upon keystroke information coming from an unauthorized keyboard. Deeg discovered
that while the LX901’s keyboard and USB dongle communicate in a secure fashion
using 128-bit AES encryption, the dongle is also able to receive and process
unencrypted keyboard data packets that are sent in the correct format.

“Thus, an attacker is able to send arbitrary keystrokes to a
victim's computer system. In this way, an attacker can remotely take control
over the victim's computer that is operated with an affected Fujitsu LX901 wireless
desktop set,” Deeg wrote in an advisory,
adding that when this activity is combined with an earlier vulnerability
disclosed in 2016,
a keystroke injection attack makes it possible to remotely attack computer systems with an
active screen lock, for example in order to install malware when the target
system is unattended.

SySS reported that it successfully completed a proof of
concept of the attack and performed a keystroke injection attack against the
keyboard. SySS informed Fujitsu of the problem in October 2018, and while the two companies have exchanged information concerning the vulnerability, a patch has not been issued, and SySS said it is not aware of any other solution that could rectify the problem.