Fujitsu Wireless Keyboard Plagued By Unpatched Flaws

Two high-severity flaws, discovered in a popular Fujitsu wireless keyboard set, could allow attackers from a short distance away to “eavesdrop” on passwords entered into the keyboards, or even fully takeover a victim’s system.

Making matters worse, the impacted Fujitsu wireless keyboard LX390 reached end-of-life in May 2019 – meaning that a patch is not available and affected users are instead urged to replace their keyboards entirely.

“Fujitsu has released two new wireless keyboard sets named LX410 and LX960 that are not affected by the described security issue,” said Matthias Deeg, researcher with Germany-based SySS, in an advisory sent to Threatpost on Wednesday. “SySS recommends replacing LX390 wireless keyboard sets used in environments with higher security demands, for instance with one of the newer successor models LX410 or LX960.”

The Fujitsu Wireless Keyboard Set LX390 desk set consists of a mouse and a keyboard. The wireless keyboard transmits keystrokes to the desktop wirelessly using a 2.4 GHz-range transceiver.

It’s that data communication between the wireless keyboard and desktop where the vulnerabilities stem from; the LX390 does not use encryption for transmitting data packets that contain keyboard events, like keystrokes. Instead, the keyboard aims to secure any communicated data using a mechanism called “data whitening,” which essentially scrambles the data in a certain configuration.

However, because the data isn’t encrypted, it can still be accessed and analyzed by an attacker who is up to 150 feet away (the typical reach of devices using 2.4 GHz radio frequency).

Researchers were able to sniff out and analyze the radio communication using a software tool (the Universal Radio Hacker), to then unscramble the data-whitening configuration. That allowed them to view the data packet contents – which, Deeg said, could lead to two proof-of-concept (PoC) attacks.

First of all, with access to the data packets, researchers were able to scope out keystrokes, such as passwords being entered into the wireless keyboard (CVE-2019-18201).

“With this knowledge, an attacker can remotely analyze and decode sent keyboard events of a Fujitsu LX390 keyboard as cleartext, for instance keystrokes, and thus gain unauthorized access to sensitive data like passwords,” said Deeg.

In another PoC attack, researchers were able to launch keystroke injections (CVE-2019-18200), which is an attack where hackers could send their own data packets to the wireless keyboard device, which in turn generates keystrokes on the host computer (which would need to have a screen that’s already unlocked and unattended).

Attackers from the short distance away could use keystroke injection attacks for all sorts of malicious purposes – the worst being the installation of malware, including dangerous rootkits. In order to send data packets in this proof-of-concept attack, researchers used a software-defined radio in combination with an in-house developed software tool utilizing GNU Radio.

Both flaws were reported to the manufacturer in April 2019. Fujitsu did not immediately respond to a request for comment from Threatpost.

It’s not the first Fujitsu wireless keyboard flaw to be found; in March Fujitsu stopped sales for its popular wireless keyboard after a researcher discovered it is vulnerable to keystroke injection attacks that could allow an adversary to take control of a victim’s system.

These types of attacks have garnered attention since 2016, when the Mousejack vulnerability raised awareness of the potential risks introduced by a wireless mouse or keyboard to the enterprise. In April 2018, Microsoft patched a Wireless Keyboard 850 security feature bypass vulnerability (CVE-2018-8117); while in December 2018 Logitech patched a bug could have allowed adversaries to launch keystroke injection attacks against Logitech keyboard owners that used its app.

“According to our research results of the last three years, several wireless input devices like wireless desktop sets and wireless presenter using proprietary non-Bluetooth 2.4 GHz communication had some severe security issues allowing for replay, keystroke injection, and sometimes even keystroke sniffing attacks,” Deeg told Threatpost.

What are the top cybersecurity issues associated with privileged account access and credential governance? Experts from Thycotic on Oct. 23 will discuss during our upcoming freeThreatpost webinar, “Hackers and Security Pros: Where They Agree & Disagree When It Comes to Your Privileged Access Security.”Click here to register.