When analyzing the Protectimus SLIM TOTP hardware token, Matthias Deeg found out that the time used by the token can be set independently from the seed value used for generating time-based one-time passwords, without requiring any authentication.
Zoom versions 5.4.3 (54779.1115) and 5.5.4 (13142.0301) temporarily share other application windows not in scope for sharing.
ABUS Secvest Hybrid module (FUMO50110) suffers from an authentication bypass vulnerability. The hybrid module does not have any security mechanism that ensures confidentiality or integrity of RF packets that are exchanged between the ABUS Secvest alarm panel and the ABUS Secvest Hybrid module. Thus, an attacker can spoof messages of the ABUS Secvest Hybrid module based on sniffed status RF packets that are issued by the ABUS Secvest Hybrid module on a regular basis (~2.5 minutes).
Inateck BCST-60 Barcode Scanner suffers from a keystroke injection vulnerability.
SySS GmbH found out that the wireless desktop set Fujitsu LX390 is vulnerable to keystroke injection attacks as the used data communication is unencrypted and unauthenticated.
SySS GmbH found out that the wireless desktop set Fujitsu LX390 does not use encryption for transmitting data packets containing keyboard events like keystrokes.
SySS GmbH found out that the wireless keyboard Fujitsu LX390 is prone to replay attacks. An attacker can simply sniff the data packets of the 2.4 GHz radio communication sent by the keyboard to the receiver (USB dongle) and replay the recorded communication data at will causing the same effect as the original data communication. A replay attack against the keyboard can, for example, be used to gain unauthorized access to a computer system that is operated with a vulnerable Fujitsu LX390 keyboard. In this attack scenario, an attacker records the radio communication during a password-based user authentication of his or her victim, for instance during a login to the operating system or during unlocking a screen lock. At an opportune moment when the victim's computer system is unattended, the attacker approaches the victim's computer and replays the previously recorded data communication for the password-based user authentication and thereby gets unauthorized access to the victim's system.
SySS GmbH found out that the embedded flash memory of the Bluetooth LE Microsoft Surface Mouse can be read and written via the SWD (Serial Wire Debug) interface of the used nRF51822 Bluetooth SoC as the flash memory is not protected by the offered readback protection feature.
SySS GmbH found out that the embedded flash memory of the Bluetooth LE Microsoft Surface Keyboard can be read and written via the SWD (Serial Wire Debug) interface of the used nRF51822 Bluetooth SoC as the flash memory is not protected by the offered readback protection feature.
SySS GmbH found out that the embedded flash memory of the Microsoft Designer Bluetooth Desktop keyboard can be read and written via the SWD (Serial Wire Debug) interface of the used nRF51822 Bluetooth SoC as the flash memory is not protected by the offered readback protection feature.
Thomas Detert found out that the jamming detection of the ABUS alarm central does not detect short jamming signals that are shorter than normal ABUS RF messages. Thus, an attacker is able to perform a "reactive jamming" attack. The reactive jamming simply detects the start of an RF message sent by a component of the ABUS Secvest wireless alarm system, for instance a wireless motion detector (FUBW50000) or a remote control (FUBE50014 or FUBE50015), and overlays it with random data before the original RF message ends. Thereby, the receiver (alarm central) is not able to properly decode the original transmitted signal. This enables an attacker to suppress correctly received RF messages of the wireless alarm system in an unauthorized manner, for instance status messages sent by a detector indicating an intrusion. Version 3.01.01 is affected.
Logitech R700 Laser Presentation Remote suffers from a keystroke injection vulnerability.
Inateck 2.4 GHz Wearable Wireless Presenter WP2002 suffers from a keystroke injection vulnerability.
Inateck 2.4 GHz Wireless Presenter WP1001 suffers from a keystroke injection vulnerability.
Due to storing passwords in a recoverable format on Siemens LOGO! 8 PLCs, an attacker can gain access to configured passwords as cleartext.
Due to the use of a hard-coded cryptographic key, an attacker can put the integrity and confidentiality of encrypted data of all Siemens LOGO! 8 PLCs using this key at risk, for instance decrypting network communication during a man-in-the-middle attack.
Due to the use of an insecure RFID technology (MIFARE Classic), ABUS proximity chip keys (RFID tokens) of the ABUS Secvest wireless alarm system can easily be cloned and used to deactivate the alarm system in an unauthorized way. Version 3.01.01 is affected.
Thomas Detert found out that the claimed "Encrypted signal transmission" of the Secvest wireless remote control FUBE50014 is not present and that the implemented rolling codes are predictable. By exploiting these two security issues, an attacker can simply desynchronize a wireless remote control by observing the current rolling code state, generating many valid rolling codes, and using them before the original wireless remote control does. The Secvest wireless alarm system will ignore commands sent by the wireless remote control until the generated rolling code happens to match the window of valid rolling code values again. Depending on the number of rolling codes used by the attacker, a resynchronization without actually reconfiguring the wireless remote control could take quite a lot of time and ineffective button presses. SySS found out that the new ABUS Secvest remote control FUBE50015 is also affected by this security vulnerability.
Thomas Detert found out that the claimed "Encrypted signal transmission" of the Secvest wireless remote control FUBE50014 is not present at all. Thus, an attacker observing radio signals of an ABUS FUBE50014 wireless remote control is able to see all sensitive data of transmitted packets as cleartext and can analyze the used packet format and the communication protocol. For instance, this security issue could successfully be exploited to observe the current rolling code state of the wireless remote control and deduce the cryptographically weak used rolling code algorithm. SySS found out that the new ABUS Secvest remote control FUBE50015 is also affected by this security vulnerability.
Thomas Detert found out that the rolling codes implemented as replay protection in the radio communication protocol used by the ABUS Secvest wireless alarm system (FUAA50000) and its remote control (FUBE50014, FUB50015) are cryptographically weak.
SySS GmbH found out that the wireless desktop set Fujitsu LX901 is vulnerable to keystroke injection attacks by sending unencrypted data packets with the correct packet format to the receiver (USB dongle).
In this article, the authors want to present an example of exploiting a trust relationship between two technical devices that can put the confidentiality of sensitive data or the integrity of a computer system at risk. This trust relationship they exploit exists between two Bluetooth devices: On the one side a computer system you want to remain secure and you don't want to be compromised, for example your laptop, or your smartphone, and on the other side a Bluetooth device you usually do not consider worth protecting with special diligence as it simply is an output device of a specific kind and does not persistently store any of your valuable data locally, for example headphones.
This whitepaper is a case study that analyzes the security of modern Bluetooth keyboards. In the course of this research project, SySS GmbH analyzed three currently popular wireless keyboards using Bluetooth technology that can be bought on the Amazon marketplace for security vulnerabilities. The following three devices were tested for security issues from different attacker perspectives: 1byone Keyboard, Logitech K480, and Microsoft Designer Bluetooth Desktop (Model 1678 2017).
The Microsoft Surface Hub Keyboard is a wireless keyboard that can be used in combination with the digital whiteboard/collaboration system Microsoft Surface Hub. Due to an insecure implementation of the encrypted data communication, the Microsoft Surface Hub Keyboard is vulnerable to replay attacks with certain restrictions.