Executive Summary

Summary
Title: Multiple wireless keyboard/mouse devices use an unsafe proprietary wireless protocol

Information
Name: VU#981271
First vendor publication: 2016-02-24
Vendor: VU-CERT
Last vendor modification: 2016-03-01
Severity (Vendor): N/A
Revision: M

Security-Database Scoring CVSS v3

CVSS vector: N/A
Overall CVSS Score: N/A
Base Score: N/A
Environmental Score: N/A
Impact Subscore: N/A
Temporal Score: N/A
Exploitability Subscore: N/A
 

Security-Database Scoring CVSS v2

CVSS vector:
CVSS Base Score: Not Defined
Attack Range: Not Defined
CVSS Impact Score: Not Defined
Attack Complexity: Not Defined
CVSS Exploit Score: Not Defined
Authentication: Not Defined

Detail

Vulnerability Note VU#981271

Multiple wireless keyboard/mouse devices use an unsafe proprietary wireless protocol

Original Release date: 24 Feb 2016 | Last revised: 01 Mar 2016

Overview

Wireless keyboard and mouse devices from multiple vendors use proprietary wireless protocols that are not properly secured.

Description

CWE-311: Missing Encryption of Sensitive Data

Multiple wireless input devices (keyboard and mouse) use a proprietary wireless protocol on the 2.4 GHz ISM band that lacks proper encryption. An attacker within wireless transmission range can inject keystrokes or read keystroke data, or cause the victim's device to pair with a new input device. Wireless range on these models varies but is typically a few meters within a home.

The researchers have released a website as well as advisories with more details.

This vulnerability does not impact Bluetooth devices.

Impact

An attacker within wireless transmission range can inject keystrokes on the victim's device, or cause the victim's device to pair with a new input device.

Solution

Update device firmware

According to the researcher, Logitech has released an updated firmware for their devices to address this issue. Please contact Logitech customer support for more information.

Users of other models should consider individual use cases and threat models when using the devices until an update is available.

Vendor Information

Vendor                 Status    Date Notified  Date Updated
Logitech               Affected  -              26 Feb 2016
Amazon                 Unknown   -              24 Feb 2016
Dell                   Unknown   -              24 Feb 2016
HP Inc.                Unknown   -              24 Feb 2016
Lenovo                 Unknown   -              24 Feb 2016
Microsoft Corporation  Unknown   -              24 Feb 2016
Tecknet                Unknown   01 Mar 2016    01 Mar 2016
If you are a vendor and your product is affected, let us know.

CVSS Metrics

Group          Score  Vector
Base           2.9    AV:A/AC:M/Au:N/C:N/I:P/A:N
Temporal       2.6    E:POC/RL:U/RC:C
Environmental  1.9    CDP:ND/TD:M/CR:ND/IR:ND/AR:ND

References

  • https://github.com/RFStorm/mousejack
  • https://github.com/RFStorm/mousejack/tree/master/doc/advisories
  • https://www.mousejack.com/
  • http://cwe.mitre.org/data/definitions/311.html

Credit

Thanks to Marc Newlin of Bastille Threat Research Team for reporting this vulnerability.

This document was written by Garret Wassermann.

Other Information

  • CVE IDs: Unknown
  • Date Public: 23 Feb 2016
  • Date First Published: 24 Feb 2016
  • Date Last Updated: 01 Mar 2016
  • Document Revision: 30


Original Source

URL: http://www.kb.cert.org/vuls/id/981271

Alert History

Date Information
2016-03-02 05:28:51
  • Multiple Updates
2016-03-02 05:23:39
  • Multiple Updates
2016-02-26 21:29:49
  • Multiple Updates
2016-02-26 21:24:31
  • Multiple Updates
2016-02-25 13:26:21
  • Multiple Updates
2016-02-25 05:28:55
  • Multiple Updates
2016-02-25 05:24:29
  • First insertion