Updated A German security researcher has revealed that one model of Fujitsu wireless keyboard will accept unauthenticated input, despite the presence of AES-128 encryption.
Matthias Deeg discovered that the LX901 would respond to unencrypted but correctly formatted keystroke commands broadcast nearby. The set is normally shipped as a keyboard, mouse and receiver combination.
"The Fujitsu wireless keyboard itself only transmits keystrokes via AES-encrypted data packets with a payload size of 16 bytes using the 2.4GHz transceiver CYRF6936 from Cypress Semiconductor," Deeg wrote in an advisory about the flaw, later confirming to The Register that he really did mean that the keyboard's paired receiver was accepting unencrypted inputs from an unauthenticated source.
Provided the unencrypted messages conformed to the spec published by Cypress with a related reference design, the bridge would happily accept them and pass them to the host as if they were legitimate input from the user, Deeg found. He used an off-the-shelf RF transceiver module to generate the plaintext commands.
Deeg said he first notified Fujitsu in late 2018, giving them 45 days to respond. Cypress end-of-lifed the reference design Deeg had used in January this year, though all the download links for the documentation and firmware were still live at the time of writing.
The practical impact of this vuln will be relatively small. As Deeg himself pointed out, the keyboard runs at 2.4GHz, meaning practical applications of the attack are limited to Wi-Fi range – assuming, that is, your attacker is not the sort of agency that can get away with very high power outputs without attracting attention from the authorities. To make it a practical threat rather than an embuggerance, the attacker also needs to be able to see your screen.
Deeg's company, SySS GmbH, revealed a similar flaw in wireless keyboards two years ago.
Mitigation is easy: sit with your back against the wall. And use a wired keyboard.
Fujitsu had not yet commented by the time of publication. ®
Updated to add
A Fujitsu mouthpiece told The Register: "Fujitsu is aware of the recent media reports concerning a potential vulnerability affecting its Wireless Keyboard Set LX901. Fujitsu is currently looking into the potential issue with the Wireless Keyboard Set LX901. As a precaution Fujitsu has already stopped direct and indirect sales of the Wireless Keyboard Set LX901."