
Security Week 12: keyboard attacks

When we wrote about the vulnerabilities in NVIDIA drivers, we should have mentioned that the extra attack vector on your system is most often added not by a video card but by a wireless keyboard and mouse. Recently, researchers from the German company SySS found a problem in the Fujitsu LX901 keyboard-and-mouse set (news, original report).


The researchers found that the USB receiver communicates with the keyboard over an encrypted channel, but it is also able to accept unencrypted data, and in that mode it passes the keystrokes to the computer as though they had been typed on the original keyboard. This is not the only vulnerability of this kind: similar ones were previously found in devices from Microsoft, Logitech and many others. There is no fix for the Fujitsu set yet.


A not very informative video shows characters being transmitted to a computer from a custom radio transmitter that works at a distance of up to 150 meters. The researchers used a Chinese universal radio module costing about $30 with modified firmware. A key requirement for a successful attack is using the same radio chip (CYRF6936) as in the original receiver for the wireless keyboard. The data is sent in the same format, but without encryption or any authorization, and the receiver's configuration allows this.

The result is, in theory, complete control over the system. The drawback of the attack is that the computer's owner may notice it, but here one can exploit another vulnerability in the same keyboard (discovered in 2016, brief description). Although the data between the original keyboard and the receiver is encrypted, an attacker can intercept it while, for example, the password is being entered to unlock the computer, and replay it later to log in.
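To make the two weaknesses above concrete (a receiver that also accepts unencrypted frames, and a receiver that accepts a replayed encrypted frame), here is a constructed model of a receiver's frame-acceptance logic. It is an added illustration, not Fujitsu's, SySS's or any vendor's code: the frame layout, flag values, pairing key and counter scheme are assumptions made for this example. Frames are authenticated with an HMAC and freshness is enforced with a strictly increasing counter; payload encryption is omitted for brevity, since authenticity and freshness are what the two attacks in the text bypass.

```python
import hashlib
import hmac
import struct

# Constructed pairing key for the example; a real receiver obtains one during pairing.
PAIRING_KEY = bytes(range(16))
FLAG_PLAIN = 0x00   # assumed: frame carries raw keystrokes with no protection
FLAG_AUTH = 0x01    # assumed: frame carries counter + keystrokes + tag
TAG_LEN = 8


def _tag(key: bytes, counter: int, payload: bytes) -> bytes:
    """Truncated HMAC-SHA256 over counter and payload: binds keystrokes to one counter value."""
    return hmac.new(key, struct.pack(">I", counter) + payload, hashlib.sha256).digest()[:TAG_LEN]


def build_auth_frame(key: bytes, counter: int, payload: bytes) -> bytes:
    """What the genuine keyboard sends: flag, 32-bit big-endian counter, keystrokes, tag."""
    return bytes([FLAG_AUTH]) + struct.pack(">I", counter) + payload + _tag(key, counter, payload)


def build_plain_frame(payload: bytes) -> bytes:
    """The unprotected frame type a permissive receiver also accepts: flag, keystrokes."""
    return bytes([FLAG_PLAIN]) + payload


def _split_auth(body: bytes):
    """Split an authenticated frame body into (counter, payload, tag), or None if too short."""
    if len(body) < 4 + TAG_LEN:
        return None
    counter = struct.unpack(">I", body[:4])[0]
    return counter, body[4:-TAG_LEN], body[-TAG_LEN:]


class PermissiveReceiver:
    """Models the reported weakness: authenticated frames are verified, but plain
    frames are passed straight through as keystrokes, and nothing checks freshness."""

    def __init__(self, key: bytes):
        self.key = key

    def accept(self, frame: bytes):
        flag, body = frame[0], frame[1:]
        if flag == FLAG_PLAIN:
            return body, "accepted: plain frame, no authentication"
        parts = _split_auth(body)
        if parts is None:
            return None, "rejected: truncated frame"
        counter, payload, tag = parts
        if not hmac.compare_digest(tag, _tag(self.key, counter, payload)):
            return None, "rejected: bad tag"
        return payload, "accepted: authenticated, counter not checked"


class StrictReceiver:
    """Hardened policy: only authenticated frames, a valid tag, and a strictly increasing counter."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_counter = -1   # highest counter seen; must persist for the life of the pairing

    def accept(self, frame: bytes):
        flag, body = frame[0], frame[1:]
        if flag != FLAG_AUTH:
            return None, "rejected: unauthenticated frame type"
        parts = _split_auth(body)
        if parts is None:
            return None, "rejected: truncated frame"
        counter, payload, tag = parts
        # Verify the tag before trusting the counter, so a forged counter cannot advance state.
        if not hmac.compare_digest(tag, _tag(self.key, counter, payload)):
            return None, "rejected: bad tag"
        if counter <= self.last_counter:
            return None, "rejected: replayed or stale counter"
        self.last_counter = counter
        return payload, "accepted"


def demo():
    """Feed a genuine frame, an injected plain frame and a replay of the genuine frame
    to both receivers; returns the decision string for each step per receiver."""
    genuine = build_auth_frame(PAIRING_KEY, 7, b"p")   # one keystroke of a password, say
    injected = build_plain_frame(b"x")                  # keystroke from a transmitter without the key
    results = {}
    for name, rx in (("permissive", PermissiveReceiver(PAIRING_KEY)),
                     ("strict", StrictReceiver(PAIRING_KEY))):
        results[name] = [rx.accept(genuine)[1], rx.accept(injected)[1], rx.accept(genuine)[1]]
    return results


if __name__ == "__main__":
    for name, decisions in demo().items():
        print(name, decisions)
```

The permissive receiver accepts all three frames; the strict one accepts the genuine frame once and rejects both the unauthenticated injection and the replay. The counter state is the part that is easy to get wrong in firmware: it has to survive power cycles and re-pairing must rotate the key, otherwise an old captured frame becomes valid again.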
In response to the report of this earlier problem, Fujitsu replied that the probability of a successful attack is low. In general, they are right: there are still plenty of ways to break into a computer that do not require radio modules or being within a short distance of the target machine.


Attacks on wireless keyboards and mice have drawn attention for more than a year. One of the early studies, in 2016, was done by Bastille Networks: it turned out that receivers from seven different manufacturers do not encrypt the data sent by the wireless mouse. Communication with the keyboard is encrypted, but an attacker can connect to the receiver as a mouse and send keystrokes, and this works.

Another vulnerability, in Logitech keyboards, was found at the end of last year by the Google Project Zero team, and it resembles the problems in NVIDIA drivers. It turned out that Logitech's proprietary Options software can be controlled through an embedded web server with weak authorization, including by sending the user to a specially prepared site that can emulate arbitrary keystrokes. We wrote more about this issue on the blog.

Another problem identified by Bastille Networks in 2016 concerns less well-known keyboard manufacturers that do not use encryption at all. This allows keystrokes to be intercepted, with obvious consequences. The same study noted that finding vulnerable devices is fairly easy; this is also true of the most recent vulnerability in Fujitsu keyboards.


We can close this review of potential problems with wireless keyboards with a thread of tweets about a study that has not yet been published: it claims that data can be transmitted in both directions through a Logitech Unifying receiver. That makes it possible to exfiltrate data from a computer that, for example, is not connected to the Internet at all. This option requires running a malicious program on the target system, but if the keyboard vulnerabilities mentioned above are not patched, that is not difficult.

Problems with wireless keyboards are unlikely ever to be used on a large scale; their potential, if realized, lies in targeted attacks. They have many limitations, but the result can be worth the effort.

In 2016, Chris Rouland of Bastille Networks, speaking at the Kaspersky Security Analyst Summit, identified the main problem with this class of attacks: system administrators and security specialists often do not even have the tools to identify such vulnerabilities. Meanwhile, in systems that require a paranoid level of security, it is probably worth transmitting any data only over wires.
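As an added illustration of the tooling gap just mentioned (this is not from the digest or from Bastille), here is a host-side heuristic of the kind a defender can run over keystroke events regardless of which receiver is plugged in: keystrokes injected by a rogue transmitter or a replayed frame usually arrive far faster than any human types, so a run of keys with tiny inter-key gaps is worth flagging. The thresholds, event format and sample events are all constructed assumptions for this example.

```python
from typing import List, Tuple

KeyEvent = Tuple[float, str]   # (timestamp in milliseconds, key), as a host keystroke hook might log it

# Thresholds are assumptions for this example: a human rarely sustains gaps under
# about 15 ms between keys, and eight such keys in a row is far beyond typing speed.
MAX_GAP_MS = 15.0
MIN_RUN = 8


def find_injection_bursts(events: List[KeyEvent], max_gap_ms: float = MAX_GAP_MS,
                          min_run: int = MIN_RUN) -> List[Tuple[int, int]]:
    """Return (first_index, last_index) of every run of at least min_run keystrokes
    in which every inter-key gap is at most max_gap_ms. Events must be time-ordered."""
    bursts = []
    run_start = 0
    for i in range(1, len(events)):
        gap = events[i][0] - events[i - 1][0]
        if gap > max_gap_ms:
            # A slow gap ends the current run; record it if it was long enough.
            if i - run_start >= min_run:
                bursts.append((run_start, i - 1))
            run_start = i
    # Close the final run at end of input.
    if len(events) - run_start >= min_run:
        bursts.append((run_start, len(events) - 1))
    return bursts


def constructed_events() -> List[KeyEvent]:
    """Constructed sample: human typing at ~150 ms per key, then 30 keystrokes
    arriving 4 ms apart, then human typing again."""
    events: List[KeyEvent] = []
    t = 0.0
    for ch in "hello world":          # indices 0..10, human speed
        t += 150.0
        events.append((t, ch))
    t += 300.0                         # pause before the fast burst
    for _ in range(30):                # indices 11..40, injected speed
        events.append((t, "x"))
        t += 4.0
    t += 150.0
    for ch in " ok":                   # indices 41..43, human again
        events.append((t, ch))
        t += 150.0
    return events


if __name__ == "__main__":
    ev = constructed_events()
    for first, last in find_injection_bursts(ev):
        print(f"burst: events {first}..{last}, {last - first + 1} keys in "
              f"{ev[last][0] - ev[first][0]:.0f} ms")
```

Two caveats apply. Clipboard pastes, macro keys and automation tools also produce inhuman rates, so a hit should prompt a check (confirm with the user, hold the input) rather than an automatic block. And because the heuristic only sees what the OS receives, it detects an injection in progress; it cannot tell you in advance that the receiver on the desk accepts unencrypted frames.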

Disclaimer: The opinions expressed in this digest do not always coincide with the official position of Kaspersky Lab. The editors generally recommend treating any opinions with healthy skepticism.

Source: https://habr.com/ru/post/444268/

