Skip to content
Permalink
master
Switch branches/tags

Name already in use

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?
Go to file
 
 
Cannot retrieve contributors at this time
Bastille Threat Research Team Tracking Number 13
Document version: 1.0
Overview
A vulnerability has been discovered that allows encrypted keystrokes to be injected
into a Lenovo Ultraslim keyboard’s dongle without knowledge of the encryption key.
Affected Platforms
The following products have been tested and shown to be affected:
- Lenovo Ultraslim Wireless Keyboard
- Lenovo Ultraslim Dongle (USB ID 17ef:6032)
Impact
The Lenovo Ultraslim keyboard encrypts RF packets, but the implementation makes it
possible to infer the ciphertext and inject malicious keystrokes.
Mitigation
Exploiting this vulnerability involves transmitting RF packets to a Lenovo Ultraslim dongle,
which requires physical proximity to the target computer.
Suggested Solutions
This vulnerability exists because the firmware on the dongle does not enforce incrementing
AES counters. In future revisions of the product, correctly implementing counter mode AES
by requiring that subsequent counters are incremented would mitigate this vulnerability.
Test Environment
Keystroke injection was tested using a nRF24LU1+ based USB dongle, transmitting to a Lenovo USB dongle.
Credits
Marc Newlin