Unpatched Fujitsu Wireless Keyboard Bug Allows Keystroke Injection

An unpatched high-severity vulnerability allows keystroke injections in Fujitsu wireless keyboards.

UPDATE

Fujitsu is stopping sales for its popular wireless keyboard after a researcher discovered it is vulnerable to keystroke injection attacks that could allow an adversary to take control of a victim’s system.

Researchers with Germany-based SySS reported on Friday that the high-severity vulnerability allows an attacker to send wireless keystrokes from 150 feet away, to a computer system running a Fujitsu Wireless Keyboard Set LX901.

“Fujitsu is aware of the recent media reports concerning a potential vulnerability affecting its Wireless Keyboard Set LX901,” Fujitsu recently told The Register. “Fujitsu is currently looking into the potential issue with the Wireless Keyboard Set LX901. As a precaution Fujitsu has already stopped direct and indirect sales of the Wireless Keyboard Set LX901.”

Researcher Matthias Deeg with SySS said that “exploiting the keystroke injection vulnerability also enables attacks against computer systems with an active screen lock. For example, to install malware when the target system is currently unused and unattended.”

Deeg told Threatpost that he reached out to Fujitsu but is currently “not aware of a solution to the described security issue.” Fujitsu did not respond to multiple requests for comment on the vulnerability from Threatpost. The vulnerability does not have a CVE number, but Deeg told Threatpost that he estimates it to have a CVSS score of 8.8, making it a high-severity flaw.

The Fujitsu Wireless Keyboard Set LX901 is a wireless desktop set, which supports Windows OS, and consists of a mouse and a keyboard.

The Fujitsu wireless keyboard transmits keystrokes to the desktop using radio frequency. These keystrokes are specifically transmitted  via AES-encrypted (Advanced Encryption Standard used for encryption) data packets, using a 2.4 GHz-range transceiver from Cypress Semiconductor (specifically called CYRF6936).

However, the receiver (which receives the transmitted keystroke data packets) of the wireless desktop processes unencrypted data packets, as well as those encrypted ones.

Due to this insecure implementation of the data communication, the wireless keyboard LX901 is vulnerable to keystroke injection attacks. To carry out such an attack an adversary would need to send unencrypted data packets with the correct packet format to the receiver.

fujitsu keyboard keystroke injection

Wireless Keyboard Set LX901

“Thus, an attacker is able to send arbitrary keystrokes to a victim’s computer system,” researchers said. “In this way, an attacker can remotely take control over the victim’s computer that is operated with an affected Fujitsu LX901 wireless desktop set.”

To carry out this attack, an attacker would need to be within the 2.4GHz wireless range, around 150 feet away, from an unlocked and unattended target computer. The unencrypted data packets sent to the wireless keyboard must also have the correct data packet format described in the CY4672 PRoC LP Reference Design Kit by Cypress Semiconductor – meaning the attacker would need to use another CYRF6936-based transceiver to send the unencrypted data packets.

“The first step in a real-world attack scenario would be reconnaissance,” Deeg told Threatpost. “An attacker would do some ‘war driving/walking’ and look for 2.4 GHz radio communication with the correct protocol matching Fujitsu wireless keyboards in order to find the correct SOP (start-of-packet code) and the used channel (radio frequency) of such devices.”

In a worst case scenario,  attackers could use the keystroke inject attack along with a replay attack previously discovered in the keyboards to unlock an active screen lock and install malware onto a targeted system while it is unattended.

A replay attack is a form of network attack in which a valid data transmission is maliciously or fraudulently repeated or delayed. Deeg discovered the replay attack in 2016. Fujitsu did not patch that bug, saying, “As we have already pointed out, we believe that the described scenario is not easy to perform under real conditions due to the radio protocol used.”

In a video, researchers showed how the PoC hardware device injected unencrypted keystrokes through RF communication.

The PoC device used in the video is a publicly available 4-in-1 wireless module with a specifically developed firmware, using the CYRF6936 WirelessUSB LP 2.4 GHz Radio SoC.

Researchers reported the vulnerability to Fujitsu on Oct. 16, 2018; on Oct. 22, 2018 Fujitsu confirmed receipt of the security advisory.

Keystroke injection attacks have garnered attention since 2016 when the Mousejack vulnerability raised awareness of the potential risks introduced by a wireless mouse or keyboard to the enterprise. In April 2018 Microsoft patched a Wireless Keyboard 850 Security Feature Bypass vulnerability (CVE-2018-8117); while in December 2018 Logitech patched a bug could have allowed adversaries to launch keystroke injection attacks against Logitech keyboard owners that used its app.

This article was updated March 19 at 9am EST with a media statement from Fujitsu.

Suggested articles