exploit the possibilities

Microsoft Surface Mouse WS3-00002 Insufficient Memory Protection

Microsoft Surface Mouse WS3-00002 Insufficient Memory Protection
Posted Oct 10, 2019
Authored by Matthias Deeg

SySS GmbH found out that the embedded flash memory of the Bluetooth LE Microsoft Surface Mouse can be read and written via the SWD (Serial Wire Debug) interface of the used nRF51822 Bluetooth SoC as the flash memory is not protected by the offered readback protection feature.

tags | advisory
MD5 | a9e65a38ffe338de145865d9a8de30f2

Microsoft Surface Mouse WS3-00002 Insufficient Memory Protection

Change Mirror Download
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Advisory ID: SYSS-2019-035
Product: Surface Mouse
Manufacturer: Microsoft
Affected Version(s): WS3-00002
Tested Version(s): WS3-00002
Vulnerability Type: Insufficient Protection of Code (Firmware) and
Data (Cryptographic Key)
Risk Level: Medium
Solution Status: Open
Manufacturer Notification: 2019-07-31
Solution Date: -
Public Disclosure: 2019-10-10
CVE Reference: Not assigned yet
Author of Advisory: Matthias Deeg (SySS GmbH)

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

Microsoft Surface Mouse is a Bluetooth Low Energy (LE) mouse.

The manufacturer describes the product as follows (see [1]):

"Sculpted for your hand and designed for an elegantly simple work space,
Mouse is the perfect partner to your docked Surface and Keyboard. It was
designed to match the sleek aesthetic and exceptional performance of
your Surface. The metal scroll wheel feels solid under your finger,
and the shape of the body fits perfectly in your hand."

Due to the insufficient protection of the flash memory of the mouse, an
attacker with physical access has read and write access to the firmware
and the used cryptographic key.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

SySS GmbH found out that the embedded flash memory of the Bluetooth LE
Microsoft Surface Mouse can be read and written via the SWD (Serial Wire
Debug) interface of the used nRF51822 Bluetooth SoC [2] as the flash
memory is not protected by the offered readback protection feature.

Thus, an attacker with physical access to the mouse can simply read and
write the nRF51822 flash memory contents and either extract the
cryptographic key (Bluetooth LE Long Term Key), for instance to perform
further attacks against the wireless communication, or modify the
firmware.

However, even if the readback protection of the nRF51822 was enabled,
an attacker would be able to read and write the flash memory contents by
bypassing the security feature as described in [3] and [4] with
slightly more effort.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

SySS GmbH could successfully read the nRF51822 flash memory contents of
the Microsoft Surface Mouse via the SWD interface using a SEGGER J-Link
PRO [5] debug probe in combination with SEGGER J-Link Commander and
extract the currently used cryptographic key (Long Term Key).

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

According to Microsoft, the reported security issue does not meet
the bar for servicing via a security update [6].

The described security issue may be fixed in future versions of the
product.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2019-07-31: Vulnerability reported to manufacturer
2019-08-01: Microsoft confirms receipt of security advisory
2019-08-06: Microsoft responds that the reported issue does not meet
the bar for servicing via a security update
2019-10-10: Public release of SySS security advisory

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Product website for Microsoft Surface Mouse
https://www.microsoft.com/en-us/store/d/surface-mouse/8qbtdr3q4rpw
[2] nRF51822 Product Specification v3.1
https://infocenter.nordicsemi.com/pdf/nRF51822_PS_v3.1.pdf
[3] Kris Brosch, Include Security, Firmware dumping technique for an ARM Cortex-M0 SoC, 2015
https://blog.includesecurity.com/2015/11/NordicSemi-ARM-SoC-Firmware-dumping-technique.html
[4] Andrew Tierney, Pen Test Partners, NRF51822 code readout protection bypass - a how-to, 2018
https://www.pentestpartners.com/security-blog/nrf51822-code-readout-protection-bypass-a-how-to/
[5] Product website for Segger J-Link PRO
https://www.segger.com/products/debug-probes/j-link/models/j-link-pro/
[6] Microsoft Vulnerability Severity Classification for Windows
https://aka.ms/windowsbugbar
[7] SySS Security Advisory SYSS-2019-035
https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2019-035.txt
[8] SySS GmbH, SySS Responsible Disclosure Policy
https://www.syss.de/en/news/responsible-disclosure-policy/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Matthias Deeg of SySS GmbH.

E-Mail: matthias.deeg (at) syss.de
Public Key: https://www.syss.de/fileadmin/dokumente/Materialien/PGPKeys/Matthias_Deeg.asc
Key fingerprint = D1F0 A035 F06C E675 CDB9 0514 D9A4 BF6A 34AD 4DAB

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is"
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of this security advisory is available on the SySS Web
site.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0
URL: http://creativecommons.org/licenses/by/3.0/deed.en

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEE0fCgNfBs5nXNuQUU2aS/ajStTasFAl2dwIIACgkQ2aS/ajSt
TasRjg//frPEnvmBaMNuASaKCD4ZWqqIf0YCTbgz8RGogjhhF1zwPTr28LZ4ZLoD
bclnPLKkmpDvRmKnQKRaxzKnzVB+WmV/ebT26Y4lTPoHT6EeBcVuTGoEM5mjoQ/8
W1a8Yo/PXnPCOJ3MCSc+fAPCkRrQRJJ91rcU3UCubIwS6NNAVtfZqcaBo+sKPdVD
1UflnpJxomzf0ls0bXfAdAMC5AOM10yOwGkABiIOujEdZN70iSvlUaUfu7yIbIL3
qAoCWl/EqBVt89Dqj7yspElOVTklVqj/iMkQKdcz0uaQtfJslnWAptgyiUz5aCF1
o1hYFpOAqH5O7cMHk2jrAxH/LMSX1mNB2RvCrWCoEA1K8tbI9oL1kYH0moWPjeoq
PRjznP1qyDC5KyxsDo5m+momVsLVarErLqN4fzplB8MNGxqAFyEfxnEC6N0qNxjq
O360sWcwOsupwQMHVM0fuwUPURzBEH3Lz/xVBd6fPE9ty2e2jVo4AYOJPh4PEvky
D1s3Mv391P2s9JVewqzgXss6RwPHb9Mf3e+6FhqPhjLfQ+lM2lpt/kPkDJFX0zGD
H5Z2RMG68gj188zzrh25zkWJvKeFp68dcBu++axKrIxeTQrH5aRo7FvtOLKnI/ch
Ei/RTaylMZpYtHzf7tJcgf0pnOeJySx3kxvy1OHJPWrvvqIw3as=
=V4eO
-----END PGP SIGNATURE-----

Comments (2)

RSS Feed Subscribe to this comment feed
quickbooks23

Thanks for the informative article. This is one of the best resources I have found in quite some time. Nicely written and great info, I really thank you for sharing it.
For any query regarding for this quickbooks support and activation Some details, Just Visit My website
quickbooks-support-number.com

Comment by quickbooks23
2019-10-11 06:19:25 UTC | Permalink | Reply
Login or Register to post a comment

File Archive:

October 2019

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Oct 1st
    24 Files
  • 2
    Oct 2nd
    15 Files
  • 3
    Oct 3rd
    7 Files
  • 4
    Oct 4th
    4 Files
  • 5
    Oct 5th
    10 Files
  • 6
    Oct 6th
    1 Files
  • 7
    Oct 7th
    21 Files
  • 8
    Oct 8th
    19 Files
  • 9
    Oct 9th
    5 Files
  • 10
    Oct 10th
    20 Files
  • 11
    Oct 11th
    17 Files
  • 12
    Oct 12th
    4 Files
  • 13
    Oct 13th
    4 Files
  • 14
    Oct 14th
    15 Files
  • 15
    Oct 15th
    8 Files
  • 16
    Oct 16th
    0 Files
  • 17
    Oct 17th
    0 Files
  • 18
    Oct 18th
    0 Files
  • 19
    Oct 19th
    0 Files
  • 20
    Oct 20th
    0 Files
  • 21
    Oct 21st
    0 Files
  • 22
    Oct 22nd
    0 Files
  • 23
    Oct 23rd
    0 Files
  • 24
    Oct 24th
    0 Files
  • 25
    Oct 25th
    0 Files
  • 26
    Oct 26th
    0 Files
  • 27
    Oct 27th
    0 Files
  • 28
    Oct 28th
    0 Files
  • 29
    Oct 29th
    0 Files
  • 30
    Oct 30th
    0 Files
  • 31
    Oct 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2019 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close