exploit the possibilities
Showing 1 - 25 of 85 RSS Feed

Files from Matthias Deeg

First Active2014-09-01
Last Active2019-11-30
Inateck BCST-60 Barcode Scanner Keystroke Injection
Posted Nov 30, 2019
Authored by Matthias Deeg

Inateck BCST-60 Barcode Scanner suffers from a keystroke injection vulnerability.

tags | advisory
advisories | CVE-2019-12503
MD5 | 2f8c9162b901ac5d76f1e0fc4594de46
Fujitsu Wireless Keyboard Set LX390 Keystroke Injection
Posted Oct 23, 2019
Authored by Matthias Deeg

SySS GmbH found out that the wireless desktop set Fujitsu LX390 is vulnerable to keystroke injection attacks as the used data communication is unencrypted and unauthenticated.

tags | advisory
advisories | CVE-2019-18200
MD5 | 46f8039bc3143237160c82d81a99144c
Fujitsu Wireless Keyboard Set LX390 Missing Encryption
Posted Oct 23, 2019
Authored by Matthias Deeg

SySS GmbH found out that the wireless desktop set Fujitsu LX390 does not use encryption for transmitting data packets containing keyboard events like keystrokes.

tags | advisory
advisories | CVE-2019-18201
MD5 | 9da9fdcb531ffd979cce3d19c995049a
Fujitsu Wireless Keyboard Set LX390 Replay Attacks
Posted Oct 23, 2019
Authored by Matthias Deeg

SySS GmbH found out that the wireless keyboard Fujitsu LX390 is prone to replay attacks. An attacker can simply sniff the data packets of the 2.4 GHz radio communication sent by the keyboard to the receiver (USB dongle) and replay the recorded communication data at will causing the same effect as the original data communication. A replay attack against the keyboard can, for example, be used to gain unauthorized access to a computer system that is operated with a vulnerable Fujitsu LX390 keyboard. In this attack scenario, an attacker records the radio communication during a password-based user authentication of his or her victim, for instance during a login to the operating system or during unlocking a screen lock. At an opportune moment when the victim's computer system is unattended, the attacker approaches the victim's computer and replays the previously recorded data communication for the password-based user authentication and thereby gets unauthorized access to the victim's system.

tags | advisory
advisories | CVE-2019-18199
MD5 | ce4fab29d187678de3f4e3aa69d4200f
Microsoft Surface Mouse WS3-00002 Insufficient Memory Protection
Posted Oct 10, 2019
Authored by Matthias Deeg

SySS GmbH found out that the embedded flash memory of the Bluetooth LE Microsoft Surface Mouse can be read and written via the SWD (Serial Wire Debug) interface of the used nRF51822 Bluetooth SoC as the flash memory is not protected by the offered readback protection feature.

tags | advisory
MD5 | a9e65a38ffe338de145865d9a8de30f2
Microsoft Surface Keyboard WS2-00005 Insufficient Memory Protection
Posted Oct 10, 2019
Authored by Matthias Deeg

SySS GmbH found out that the embedded flash memory of the Bluetooth LE Microsoft Surface Keyboard can be read and written via the SWD (Serial Wire Debug) interface of the used nRF51822 Bluetooth SoC as the flash memory is not protected by the offered readback protection feature.

tags | advisory
MD5 | a44a9d7054814563ee60e5bc1d7f4c0a
Microsoft Designer Bluetooth Desktop Insufficient Memory Protection
Posted Oct 10, 2019
Authored by Matthias Deeg

SySS GmbH found out that the embedded flash memory of the Microsoft Designer Bluetooth Desktop keyboard can be read and written via the SWD (Serial Wire Debug) interface of the used nRF51822 Bluetooth SoC as the flash memory is not protected by the offered readback protection feature.

tags | advisory
MD5 | 365bea94eda75754b0953a458af3d0b5
ABUS Secvest 3.01.01 Unchecked Message Transmission Error Condition
Posted Jul 27, 2019
Authored by Matthias Deeg, Thomas Detert

Thomas Detert found out that the jamming detection of the ABUS alarm central does not detect short jamming signals that are shorter than normal ABUS RF messages. Thus, an attacker is able to perform a "reactive jamming" attack. The reactive jamming simply detects the start of a RF message sent by a component of the ABUS Secvest wireless alarm system, for instance a wireless motion detector (FUBW50000) or a remote control (FUBE50014 or FUBE50015), and overlays it with random data before the original RF message ends. Thereby, the receiver (alarm central) is not able to properly decode the original transmitted signal. This enables an attacker to suppress correctly received RF messages of the wireless alarm system in an unauthorized manner, for instance status messages sent by a detector indicating an intrusion. Version 3.01.01 is affected.

tags | advisory, remote
advisories | CVE-2019-14261
MD5 | 76815f6211ebd7667925f44206c9f69c
Logitech R700 Laser Presentation Remote Keystroke Injection
Posted Jun 4, 2019
Authored by Matthias Deeg

Logitech R700 Laser Presentation Remote suffers from a keystroke injection vulnerability.

tags | advisory, remote
advisories | CVE-2019-12506
MD5 | f6158b619e1d4cef9e82cf78e3d41034
Inateck 2.4 GHz Wearable Wireless Presenter WP2002 Keystroke Injection
Posted Jun 4, 2019
Authored by Matthias Deeg

Inateck 2.4 GHz Wearable Wireless Presenter WP2002 suffers from a keystroke injection vulnerability.

tags | advisory
advisories | CVE-2019-12504
MD5 | 22551a63ec568072d3c74ae1f282fd6c
Inateck 2.4 GHz Wireless Presenter WP1001 Keystroke Injection
Posted Jun 4, 2019
Authored by Matthias Deeg

Inateck 2.4 GHz Wireless Presenter WP1001 suffers from a keystroke injection vulnerability.

tags | advisory
advisories | CVE-2019-12505
MD5 | 6cd4e96f339734270088fdd808cf413c
Siemens LOGO! 8 Recoverable Password Format
Posted May 29, 2019
Authored by Matthias Deeg, Manuel Stotz

Due to storing passwords in a recoverable format on Siemens LOGO! 8 PLCs, an attacker can gain access to configured passwords as cleartext.

tags | exploit
advisories | CVE-2019-10921
MD5 | b5aed95f8320a2434b4a7b43717410e3
Siemens LOGO! 8 Missing Authentication
Posted May 29, 2019
Authored by Matthias Deeg, Manuel Stotz

Due to storing passwords in a recoverable format on Siemens LOGO! 8 PLCs, an attacker can gain access to configured passwords as cleartext.

tags | exploit
advisories | CVE-2019-10919
MD5 | f7f1ffbdb5fa41cf7eca9cafe7712678
Siemens LOGO! 8 Hard-Coded Cryptographic Key
Posted May 29, 2019
Authored by Matthias Deeg, Manuel Stotz

Due to the use of a hard-coded cryptographic key, an attacker can put the integrity and confidentiality of encrypted data of all Siemens LOGO! 8 PLCs using this key at risk, for instance decrypting network communication during a man-in-the-middle attack.

tags | exploit
advisories | CVE-2019-10920
MD5 | 4330b5de50580fa8cbb6b1b239b95b10
ABUS Secvest 3.01.01 Cryptographic Issues
Posted May 2, 2019
Authored by Matthias Deeg, Gerhard Klostermeier

Due to the use of an insecure RFID technology (MIFARE Classic), ABUS proximity chip keys (RFID tokens) of the ABUS Secvest wireless alarm system can easily be cloned and used to deactivate the alarm system in an unauthorized way. Version 3.01.01 is affected.

tags | advisory
advisories | CVE-2019-9861
MD5 | aa338cacabd821ca894b76e32ad5f5c1
ABUS Secvest Remote Control Denial Of Service
Posted Mar 25, 2019
Authored by Matthias Deeg, Thomas Detert

Thomas Detert found out that the claimed "Encrypted signal transmission" of the Secvest wireless remote control FUBE50014 is not present and that the implemented rolling codes are predictable. By exploiting these two security issues, an attacker can simply desynchronize a wireless remote control by observing the current rolling code state, generating many valid rolling codes, and use them before the original wireless remote control. The Secvest wireless alarm system will ignore sent commands by the wireless remote control until the generated rolling code happens to match the window of valid rolling code values again. Depending on the number of used rolling codes by the attacker, a resynchronization without actually reconfiguring the wireless remote control could take quite a lot of time and effectless button presses. SySS found out that the new ABUS Secvest remote control FUBE50015 is also affected by this security vulnerability.

tags | advisory, remote
advisories | CVE-2019-9860
MD5 | 1af146c7db6df9a5a723c3e54422b6a1
ABUS Secvest Remote Control Eavesdropping Issue
Posted Mar 25, 2019
Authored by Matthias Deeg, Thomas Detert

Thomas Detert found out that the claimed "Encrypted signal transmission" of the Secvest wireless remote control FUBE50014 is not present at all. Thus, an attacker observing radio signals of an ABUS FUBE50014 wireless remote control is able to see all sensitive data of transmitted packets as cleartext and can analyze the used packet format and the communication protocol. For instance, this security issue could successfully be exploited to observe the current rolling code state of the wireless remote control and deduce the cryptographically weak used rolling code algorithm. SySS found out that the new ABUS Secvest remote control FUBE50015 is also affected by this security vulnerability.

tags | advisory, remote, protocol
advisories | CVE-2019-9862
MD5 | b2b4808a3fad1c892d13370b57e31fc4
ABUS Secvest 3.01.01 Insecure Algorithm
Posted Mar 25, 2019
Authored by Matthias Deeg, Thomas Detert

Thomas Detert found out that the rolling codes implemented as replay protection in the radio communication protocol used by the ABUS Secvest wireless alarm system (FUAA50000) and its remote control (FUBE50014, FUB50015) is cryptographically weak.

tags | advisory, remote, protocol
advisories | CVE-2019-9863
MD5 | 8f7e85eca96ef000dfb687ba5821c543
Fujitsu LX901 GK900 Keystroke Injection
Posted Mar 15, 2019
Authored by Matthias Deeg

SySS GmbH found out that the wireless desktop set Fujitsu LX901 is vulnerable to keystroke injection attacks by sending unencrypted data packets with the correct packet format to the receiver (USB dongle).

tags | advisory
MD5 | be5d36b96d4f2705e625f64190c28a98
Rikki Don't Lose That Bluetooth Device
Posted Jul 11, 2018
Authored by Matthias Deeg, Gerhard Klostermeier

In this article, the authors want to present an example of exploiting a trust relationship between two technical devices that can put the confidentiality of sensitive data or the integrity of a computer system at risk. This trust relationship they exploit exists between two Bluetooth devices: On the one side a computer system you want to remain secure and you don't want to be compromised, for example your laptop, or your smartphone, and on the other side a Bluetooth device you usually do not consider worth protecting with special diligence as it simply is an output device of a specific kind and does not persistently store any of your valuable data locally, for example headphones.

tags | paper
MD5 | ca29bc7edd73c43f926cb262ce678f74
Case Study: Security Of Modern Bluetooth Keyboards
Posted Jun 22, 2018
Authored by Matthias Deeg, Gerhard Klostermeier

This whitepaper is a case study that analyzes the security of modern bluetooth keyboards. In the course of this research project, SySS GmbH analyzed three currently popular wireless keyboards using Bluetooth technology that can be bought on the Amazon marketplace for security vulnerabilities. The following three devices were tested for security issues from different attacker perspectives: 1byoneKeyboard, LogitechK480, and MicrosoftDesignerBluetoothDesktop (Model1678 2017).

tags | paper, vulnerability
MD5 | 066966c0a18d2c6ee4c885c5fb48bd21
Microsoft Surface Hub Keyboard Replay
Posted Jan 30, 2018
Authored by Matthias Deeg

The Microsoft Surface Hub Keyboard is a wireless keyboard that can be used in combination with the digital whiteboard/collaboration system Microsoft Surface Hub. Due to an insecure implementation of the encrypted data communication, the Microsoft Surface Hub Keyboard is vulnerable to replay attacks with certain restrictions.

tags | advisory
MD5 | 514b6aba1a5ec8c2a7181198929fe797
Microsoft Windows Hello Face Authentication Bypass
Posted Dec 19, 2017
Authored by Matthias Deeg, Philipp Buchegger

Microsoft Windows 10 offers a biometric authentication mechanism using "near infrared" face recognition technology with specific Windows Hello compatible cameras. Due to an insecure implementation of the biometric face recognition in some Windows 10 versions, it is possible to bypass the Windows Hello face authentication via a simple spoofing attack using a modified printed photo of an authorized person.

tags | advisory, spoof
systems | windows
MD5 | 27d01277917e11c6b9cd575274f17600
Of Mice And Keyboards
Posted Jun 1, 2017
Authored by Matthias Deeg, Gerhard Klostermeier

Whitepaper call Of Mice and Keyboards. This write up gives you an overview on the security of modern wireless desktop sets.

tags | paper
MD5 | 82baeb29b56fe4569ce8c6faa36623bc
HP Wireless Mouse Spoofing Issue
Posted May 16, 2017
Authored by Micha Borrmann, Matthias Deeg

HP ERK-321A is a wireless desktop set consisting of a mouse and a keyboard.

tags | advisory
MD5 | c2aa6929abe16f687a30bf704401e63e
Page 1 of 4
Back1234Next

File Archive:

July 2020

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jul 1st
    15 Files
  • 2
    Jul 2nd
    19 Files
  • 3
    Jul 3rd
    12 Files
  • 4
    Jul 4th
    1 Files
  • 5
    Jul 5th
    2 Files
  • 6
    Jul 6th
    25 Files
  • 7
    Jul 7th
    35 Files
  • 8
    Jul 8th
    4 Files
  • 9
    Jul 9th
    9 Files
  • 10
    Jul 10th
    7 Files
  • 11
    Jul 11th
    0 Files
  • 12
    Jul 12th
    0 Files
  • 13
    Jul 13th
    0 Files
  • 14
    Jul 14th
    0 Files
  • 15
    Jul 15th
    0 Files
  • 16
    Jul 16th
    0 Files
  • 17
    Jul 17th
    0 Files
  • 18
    Jul 18th
    0 Files
  • 19
    Jul 19th
    0 Files
  • 20
    Jul 20th
    0 Files
  • 21
    Jul 21st
    0 Files
  • 22
    Jul 22nd
    0 Files
  • 23
    Jul 23rd
    0 Files
  • 24
    Jul 24th
    0 Files
  • 25
    Jul 25th
    0 Files
  • 26
    Jul 26th
    0 Files
  • 27
    Jul 27th
    0 Files
  • 28
    Jul 28th
    0 Files
  • 29
    Jul 29th
    0 Files
  • 30
    Jul 30th
    0 Files
  • 31
    Jul 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2020 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close