Permalink
Cannot retrieve contributors at this time
Name already in use
A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?
keyjack/doc/advisories/bastille-13.lenovo-ultraslim.public.txt
Go to fileThis commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
50 lines (23 sloc)
1.17 KB
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Bastille Threat Research Team Tracking Number 13 | |
| Document version: 1.0 | |
| Overview | |
| A vulnerability has been discovered that allows encrypted keystrokes to be injected | |
| into a Lenovo Ultraslim keyboard’s dongle without knowledge of the encryption key. | |
| Affected Platforms | |
| The following products have been tested and shown to be affected: | |
| - Lenovo Ultraslim Wireless Keyboard | |
| - Lenovo Ultraslim Dongle (USB ID 17ef:6032) | |
| Impact | |
| The Lenovo Ultraslim keyboard encrypts RF packets, but the implementation makes it | |
| possible to infer the ciphertext and inject malicious keystrokes. | |
| Mitigation | |
| Exploiting this vulnerability involves transmitting RF packets to a Lenovo Ultraslim dongle, | |
| which requires physical proximity to the target computer. | |
| Suggested Solutions | |
| This vulnerability exists because the firmware on the dongle does not enforce incrementing | |
| AES counters. In future revisions of the product, correctly implementing counter mode AES | |
| by requiring that subsequent counters are incremented would mitigate this vulnerability. | |
| Test Environment | |
| Keystroke injection was tested using a nRF24LU1+ based USB dongle, transmitting to a Lenovo USB dongle. | |
| Credits | |
| Marc Newlin |