A flaw in the Fujitsu Wireless LX901 Keyboard has been discovered by security researchers in Germany.
As a result of the weakness, hackers are able to penetrate the victim's computer in order to infect it with malware that could allow them to steal data - including passwords, credentials, credit card details, and other sensitive information.
The vulnerability was discovered by researchers at the firm SySS, who found that they were able to send data to the insecure USB dongle that the wireless keyboard uses to communicate with the computer.
The Fujitsu keyboard in question relies on a proprietary radio communication protocol that functions in the 2.5 GHz range. The researchers discovered that although the mouse and keyboard send data encrypted using strong AES-128 cryptography, the dongle itself actually also accepts unencrypted messages delivered from unauthenticated sources.
Explaining how the vulnerability might be exploited, Tom Van de Wiele, Principal Security Consultant at the cybersecurity firm F-Secure, told ProPrivacy.com:
The attacker could type out code or a program that can then be executed to connect the computer to the attacker’s infrastructure and take over the computer e.g. the attacker injects “push on start button”, “type cmd and execute command ABC”.
This way, everything that a normal user can do with the computer, an attacker can now perform as well, be it blind. The attacker can then create an outbound channel with the attacker infrastructure on the internet and is able to compromise the computer and the network it resides on.
As the list of attack prerequisites is quite high, the probability of this being exploited on a massive scale is low and certainly not the lowest hanging fruit but still possible. In some cases, it can be interesting for a targeted attacker with physical presence e.g. think about unmanned and unlocked computer-based cash registers in shops, receptionist or hotel PCs and other unmanned and potentially unlocked workstations.
Lead researcher Matthias Deeg has gone on the record to explain that Fujitsu was given five months to find a solution to the problem - before the findings were published last Friday.
Unfortunately, no solution to the exploit has been found - meaning that the only way to protect against hackers is to keep the USB dongle away from any possible radio-based attackers.
For most home users with this model of Fujitsu keyboard, the dangers are pretty low. Despite this, anybody living in proximity to many other houses may want to think twice about continuing to use the keyboard.
For businesses that may have one or more of these keyboards, the level of risk increases, with a massive cyber attack a real possibility.
Cyber Security Expert Jarno Niemelä warned:
In general, it is a very good idea to avoid wireless devices, be that a mouse or a keyboard, as basically all receivers are universal, and can pass both mouse and keyboard events. So even if you think you just have a wireless mouse, it is very likely that the attacker is able to send keystrokes over it.
If one absolutely wants to use a wireless mouse or keyboard, use relatively new Bluetooth devices. Unlike these proprietary protocols, especially the latest versions of Bluetooth are about as secure as wireless can be.