In 2015, two SySS employees, Matthias Deeg and Gerhard Klostermeier, started a research project on the security of modern wireless desktop sets using AES encryption, as there was no publicly available data on security issues in current wireless mice and keyboards. Over the last couple of months, the two IT security consultants have analyzed modern wireless desktop sets with AES encryption from the manufacturers Microsoft, Cherry, Logitech, Fujitsu, and Perixx for security vulnerabilities. So far, several security vulnerabilities, some of them critical, have been found and reported to the affected manufacturers through the SySS responsible disclosure program.

The vulnerabilities found can be exploited in different attack scenarios and from different attacker perspectives. On the one hand, there are security issues that require one-time physical access to a keyboard or a USB dongle, for example to extract cryptographic keys that can be used in further attacks, or to manipulate the firmware. On the other hand, there are security issues that can be exploited remotely via radio communication, for example replay or keystroke injection attacks made possible by insecure implementations of the AES-encrypted data communication.

During this research project, SySS built a proof-of-concept device that can be used to remotely attack, via radio signals, a computer system operated with an affected wireless desktop set. The combination of replay and keystroke injection attacks, for instance, allows an attacker at a safe distance to remotely attack computer systems with an active screen lock, for example to install malware while the target system is unattended.
So far, the fourteen reported security advisories concerning modern wireless desktop sets with advertised AES encryption from different manufacturers deal with the following security vulnerability types:

- Unencrypted data communication
- Insufficient protection of code (firmware) and data (cryptographic key)
- Missing protection against replay attacks
- Insufficient protection against replay attacks
- Cryptographic issues allowing for keystroke injection attacks

As the responsible disclosure process for eight of the reported security issues is completed according to our responsible disclosure policy, we publish the first results of our research project in the form of the following eight security advisories concerning wireless desktop sets of the manufacturers Microsoft, Cherry, Logitech and Perixx:

- SYSS-2016-031: CHERRY B.UNLIMITED AES - Cryptographic Issues (CWE-310), Missing Protection against Replay Attacks
- SYSS-2016-032: CHERRY B.UNLIMITED AES - Insufficient Protection of Code (Firmware) and Data (Cryptographic Key)
- SYSS-2016-038: CHERRY B.UNLIMITED AES - Cryptographic Issues (CWE-310), Keystroke Injection Vulnerability
- SYSS-2016-044: Logitech K520 (Keyboard of Wireless Combo MK520) - Cryptographic Issues (CWE-310), Missing Protection against Replay Attacks
- SYSS-2016-045: Perixx PERIDUO-710W - Insufficient Protection of Code (Firmware) and Data (Cryptographic Key)
- SYSS-2016-046: Perixx PERIDUO-710W - Cryptographic Issues (CWE-310), Missing Protection against Replay Attacks
- SYSS-2016-047: Perixx PERIDUO-710W - Cryptographic Issues (CWE-310), Keystroke Injection Vulnerability
- SYSS-2016-059: Microsoft Wireless Desktop 2000 - Insufficient Verification of Data Authenticity (CWE-345), Mouse Spoofing Attack

The other six security advisories, which amongst others affect a product of the manufacturer Fujitsu, will be publicly disclosed this August and September.
Moreover, further results of our research project and technical details will be presented at the IT security conference Ruxcon (22-23 October 2016) and at the Handelsblatt Jahrestagung Cybersecurity 2016 (21-22 November 2016).

Source: SySS
Surprise! Did you think Google's Wireless service was going to take a while to get here? According to The Wall Street Journal, the service could launch as early as tomorrow, Wednesday, April 22. Google has publicly talked about plans to launch an MVNO (mobile virtual network operator) wireless service in March and said the service would see the light of day in "the next few months." "Google Wireless" (not necessarily the official name) will resell network access to Sprint and T-Mobile, but with a few twists. The Journal says the system will seamlessly switch between T-Mobile, Sprint, and Wi-Fi (including for calls), depending on what is available, and that—get this—customers will only have to pay for the data they actually use, rather than purchase a set amount of data every month.