Intel Tells Remote Keyboard Users to Delete App After Critical Bug Found

Intel said it is lights out for its Remote Keyboard app just as security researchers find three vulnerabilities that let local attackers inject keystrokes in sessions.

Intel said Tuesday it was putting the kibosh on a popular Android and iOS app called Intel Remote Keyboard after researchers discovered that local attackers can inject keystrokes into a remote keyboard session when in use.

The Intel Remote Keyboard product is an Android and iOS app that works in conjunction with Intel’s mini-PC platform called Next Unit of Computing (NUC) and with the chipmaker’s Compute Stick. NUCs are similar in size and function to Raspberry Pi systems. Compute Sticks are about the size of a large flash drive and are single-board computers used in classrooms, kiosks and some network computer environments.

The Intel Remote Keyboard app, introduced in June 2015, allows Android and iOS users to control their NUC and Compute Stick devices with their smartphone or tablet using the peer-to-peer network protocol Wi-Fi Direct.

On Tuesday, Intel warned of a critical escalation of privilege vulnerability (CVE-2018-3641) in all versions of the Intel Remote Keyboard that allows a network attacker to inject keystrokes as if they were a local user. The vulnerability received a Common Vulnerabilities and Exposures (CVE) score of 9.0 out of 10.

As part of the same advisory, Intel shared two additional Remote Keyboard vulnerabilities, both rated high. The bugs (CVE-2018-3645 and CVE-2018-3638) allow an “authorized local attacker to execute arbitrary code as a privileged user” and had CVE scores of 8.8 and 7.2, according to Intel.

In lieu of patches, Intel said it was discontinuing the product. According to the security bulletin, Intel said it “has issued a product discontinuation notice for Intel Remote Keyboard and recommends that users of the Intel Remote Keyboard uninstall it at their earliest convenience.”

An Intel spokesperson told Threatpost the product had already been scheduled for discontinuation, and the discontinuation is not related to the security advisory.

Despite the discontinuation, Intel still maintains a Remote Keyboard product page for the app, and the app is still available for download via Apple’s App Store and Google Play. According to Google Play, the app has been installed over 500,000 times.

Intel said the vulnerabilities were first identified in mid-March. The company credits researchers @trotmaster99, Mark Barnes and Marius Gabriel Mihai for finding and disclosing the vulnerabilities.
