When analyzing the Protectimus SLIM TOTP hardware token, Matthias Deeg found out that the time used by the Protectimus SLIM TOTP hardware token can be set independently from the used seed value for generating time-based one-time passwords without requiring any authentication.
18da959eb49ff3d5b8d29ab92f7247fff8490774b451cce50831a03dc291d6c0Zoom versions 5.4.3 (54779.1115) and 5.5.4 (13142.0301) temporarily shares other application windows not in scope for sharing.
8edd2952731c5406247e59a26f231a47d2274297902c48d382bde6e4e4477b3bABUS Secvest Hybrid module (FUMO50110) suffers an authentication bypass vulnerability. The hybrid module does not have any security mechanism that ensures confidentiality or integrity of RF packets that are exchanged between the ABUS Secvest alarm panel and the ABUS Secvest Hybrid module. Thus, an attacker can spoof messages of the ABUS Secvest Hybrid module based on sniffed status RF packets that are issued by the ABUS Secvest Hybrid module on a regularly basis (~2.5 minutes).
a68c00c7fb616a3cbbfa44b0ab74d7e727e98d5025f0aa73c1c04de2a4b77175Inateck BCST-60 Barcode Scanner suffers from a keystroke injection vulnerability.
c50880f8974ac7beaee4a55dd46fc351b8ac265c434798d48f41fea5ac5aea77SySS GmbH found out that the wireless desktop set Fujitsu LX390 is vulnerable to keystroke injection attacks as the used data communication is unencrypted and unauthenticated.
72e3a8a7ac3d4e50e3972e6d6918be3b7f2b6ca3eca7ea02e00dfe5635e73ab0SySS GmbH found out that the wireless desktop set Fujitsu LX390 does not use encryption for transmitting data packets containing keyboard events like keystrokes.
428f12fda63193810aa96ae244938aed4cd7ce68fd0888dd83fb5f74b77cccf2SySS GmbH found out that the wireless keyboard Fujitsu LX390 is prone to replay attacks. An attacker can simply sniff the data packets of the 2.4 GHz radio communication sent by the keyboard to the receiver (USB dongle) and replay the recorded communication data at will causing the same effect as the original data communication. A replay attack against the keyboard can, for example, be used to gain unauthorized access to a computer system that is operated with a vulnerable Fujitsu LX390 keyboard. In this attack scenario, an attacker records the radio communication during a password-based user authentication of his or her victim, for instance during a login to the operating system or during unlocking a screen lock. At an opportune moment when the victim's computer system is unattended, the attacker approaches the victim's computer and replays the previously recorded data communication for the password-based user authentication and thereby gets unauthorized access to the victim's system.
295b09287826516575c2c41b82ab9bd3db14c75832de107e4dc41a201729e311SySS GmbH found out that the embedded flash memory of the Bluetooth LE Microsoft Surface Mouse can be read and written via the SWD (Serial Wire Debug) interface of the used nRF51822 Bluetooth SoC as the flash memory is not protected by the offered readback protection feature.
933f2992509d7280ad24c43f072e8b31d6120616cedff0435434455cee6645f2SySS GmbH found out that the embedded flash memory of the Bluetooth LE Microsoft Surface Keyboard can be read and written via the SWD (Serial Wire Debug) interface of the used nRF51822 Bluetooth SoC as the flash memory is not protected by the offered readback protection feature.
ddef568ac1a9b0a2ad733adb0361167469bb13ac9e72018fa9dd34b5b66a993aSySS GmbH found out that the embedded flash memory of the Microsoft Designer Bluetooth Desktop keyboard can be read and written via the SWD (Serial Wire Debug) interface of the used nRF51822 Bluetooth SoC as the flash memory is not protected by the offered readback protection feature.
a5148241981394c2a24fc78dd0e069153a14fc48069935d8f1b62a025fbcf8aaThomas Detert found out that the jamming detection of the ABUS alarm central does not detect short jamming signals that are shorter than normal ABUS RF messages. Thus, an attacker is able to perform a "reactive jamming" attack. The reactive jamming simply detects the start of a RF message sent by a component of the ABUS Secvest wireless alarm system, for instance a wireless motion detector (FUBW50000) or a remote control (FUBE50014 or FUBE50015), and overlays it with random data before the original RF message ends. Thereby, the receiver (alarm central) is not able to properly decode the original transmitted signal. This enables an attacker to suppress correctly received RF messages of the wireless alarm system in an unauthorized manner, for instance status messages sent by a detector indicating an intrusion. Version 3.01.01 is affected.
e98fe47d41ddf0ca24e6f78dac777943006f689fe3cefe75519fcbab7d77131dLogitech R700 Laser Presentation Remote suffers from a keystroke injection vulnerability.
6a4c155c598e5dd5c41d5ef25f9ed7fe98bd2d4dbd53076fd0c72ba4e109a6e9Inateck 2.4 GHz Wearable Wireless Presenter WP2002 suffers from a keystroke injection vulnerability.
ddfc5bd9422c9cfe8a75e29e8c97e871d0d3c6b22c85506d8f0b85ca5faf737dInateck 2.4 GHz Wireless Presenter WP1001 suffers from a keystroke injection vulnerability.
687416a505e7bc914fa93eb6f94e5c837f93d29e47c54bbe676761a24f78549cDue to storing passwords in a recoverable format on Siemens LOGO! 8 PLCs, an attacker can gain access to configured passwords as cleartext.
bf19d9111516d40322d38739d39310498750019c2b579269ac24b9a2f7e683b3Due to storing passwords in a recoverable format on Siemens LOGO! 8 PLCs, an attacker can gain access to configured passwords as cleartext.
95e944e33b6b49156158226e4700374427c35dfaaa04a226bf39cb8debb11f9aDue to the use of a hard-coded cryptographic key, an attacker can put the integrity and confidentiality of encrypted data of all Siemens LOGO! 8 PLCs using this key at risk, for instance decrypting network communication during a man-in-the-middle attack.
fd53041141c43f3ef168910c3f5306ea1625eb1f860ca0581cc979bff7758f8cDue to the use of an insecure RFID technology (MIFARE Classic), ABUS proximity chip keys (RFID tokens) of the ABUS Secvest wireless alarm system can easily be cloned and used to deactivate the alarm system in an unauthorized way. Version 3.01.01 is affected.
9aa96c7e78ac0cc59dc8c9762e90be180a231028ffcc00fc5372b502ed7fcf6cThomas Detert found out that the claimed "Encrypted signal transmission" of the Secvest wireless remote control FUBE50014 is not present and that the implemented rolling codes are predictable. By exploiting these two security issues, an attacker can simply desynchronize a wireless remote control by observing the current rolling code state, generating many valid rolling codes, and use them before the original wireless remote control. The Secvest wireless alarm system will ignore sent commands by the wireless remote control until the generated rolling code happens to match the window of valid rolling code values again. Depending on the number of used rolling codes by the attacker, a resynchronization without actually reconfiguring the wireless remote control could take quite a lot of time and effectless button presses. SySS found out that the new ABUS Secvest remote control FUBE50015 is also affected by this security vulnerability.
1e8bdcc2aac5543c46a47138bfd7aaeba7d32444b036b9f6db96a45e4987806aThomas Detert found out that the claimed "Encrypted signal transmission" of the Secvest wireless remote control FUBE50014 is not present at all. Thus, an attacker observing radio signals of an ABUS FUBE50014 wireless remote control is able to see all sensitive data of transmitted packets as cleartext and can analyze the used packet format and the communication protocol. For instance, this security issue could successfully be exploited to observe the current rolling code state of the wireless remote control and deduce the cryptographically weak used rolling code algorithm. SySS found out that the new ABUS Secvest remote control FUBE50015 is also affected by this security vulnerability.
4fb6b1bb33c005b26a8192228bc5ffdcbbcb440ba5889e85c120133752973a41Thomas Detert found out that the rolling codes implemented as replay protection in the radio communication protocol used by the ABUS Secvest wireless alarm system (FUAA50000) and its remote control (FUBE50014, FUB50015) is cryptographically weak.
92648a845f9e728c6b9724e16f7b0148e4f4b7d7c8d97744a46937db2cabc861SySS GmbH found out that the wireless desktop set Fujitsu LX901 is vulnerable to keystroke injection attacks by sending unencrypted data packets with the correct packet format to the receiver (USB dongle).
555e9592017214071d19547d41a4cd74d3f40548f4da4cae61826dbe7096f255In this article, the authors want to present an example of exploiting a trust relationship between two technical devices that can put the confidentiality of sensitive data or the integrity of a computer system at risk. This trust relationship they exploit exists between two Bluetooth devices: On the one side a computer system you want to remain secure and you don't want to be compromised, for example your laptop, or your smartphone, and on the other side a Bluetooth device you usually do not consider worth protecting with special diligence as it simply is an output device of a specific kind and does not persistently store any of your valuable data locally, for example headphones.
b73346666342349f472c954f5a015752063415c14b1cc1ea74d10fb17608bf4aThis whitepaper is a case study that analyzes the security of modern bluetooth keyboards. In the course of this research project, SySS GmbH analyzed three currently popular wireless keyboards using Bluetooth technology that can be bought on the Amazon marketplace for security vulnerabilities. The following three devices were tested for security issues from different attacker perspectives: 1byoneKeyboard, LogitechK480, and MicrosoftDesignerBluetoothDesktop (Model1678 2017).
c3809eac9d774959095aaa64f57d5970b03ee8190b8247907992919c1953a04eThe Microsoft Surface Hub Keyboard is a wireless keyboard that can be used in combination with the digital whiteboard/collaboration system Microsoft Surface Hub. Due to an insecure implementation of the encrypted data communication, the Microsoft Surface Hub Keyboard is vulnerable to replay attacks with certain restrictions.
8364fa77aadd264937546204517a2bd848213645555137ac544d87e691dc1ac1
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed