A German security researcher has discovered and released information on a flaw in an otherwise secure wireless keyboard that could allow an attacker to inject keystrokes and take over a computer.
Matthias Deeg with SySS in October found a flaw, CVE-2019-9835, in the receiver of Fujitsu’s Wireless Keyboard Set LX901 that allows it to receive and act upon keystroke information coming from an unauthorized keyboard. Deeg discovered that while the LX901’s keyboard and USB dongle communicate in a secure fashion using 128-bit AES encryption, the dongle is also able to receive and process unencrypted keyboard data packets that are sent in the correct format.
“Thus, an attacker is able to send arbitrary keystrokes to a victim's computer system. In this way, an attacker can remotely take control over the victim's computer that is operated with an affected Fujitsu LX901 wireless desktop set,” Deeg wrote in an advisory, adding that when this activity is combined with an earlier vulnerability disclosed in 2016, a keystroke injection attack makes it possible to remotely attack computer systems with an active screen lock, for example in order to install malware when the target system is unattended.