“Two dangerous vulnerabilities have been found in the popular Fujitsu LX390 series of wireless keyboards.
According to researchers from the company SySS, exploitation of the vulnerabilities allows nearby attackers to “spy” on passwords entered on the keyboard, or even to seize control of the system.
Compounding the situation is the fact that developers stopped supporting the Fujitsu LX390 wireless keyboard in May 2019, and the vulnerability will remain uncorrected. Users are strongly advised to completely replace the devices with a different model.
The Fujitsu Wireless Keyboard Set LX390 consists of a mouse and a wireless keyboard that transmits keystrokes to the desktop wirelessly using a 2.4 GHz transmitter. The problem affects the mechanism of information transmission, because the LX390 does not use encryption to transmit data packets that contain information about keystrokes, etc. Data protection is carried out using the so-called “data whitening” mechanism. Because the data is not encrypted, it can still be accessed and analyzed by an attacker up to 45 meters away.
Through access to data packets, researchers were able to identify keystrokes such as passwords entered on a wireless keyboard (CVE-2019-18201).
As part of another attack (CVE-2019-18200), researchers were able to initiate keystrokes (a so-called keystroke injection attack), which allowed them to install malware.
Fujitsu was alerted to these vulnerabilities in April 2019.
The company has released two new models of wireless keyboards, the LX410 and LX960, which are not subject to the described problems.
Recall that this is not the first problem found in Fujitsu keyboards this year.
In March, researchers discovered a vulnerability in the Fujitsu Wireless Keyboard Set LX901 for Windows, which attackers can take advantage of to initiate keystrokes and take control of the vulnerable system.”
FAIL! “Fujitsu stops selling the popular wireless Keyboard set LX901”
these three vulnerabilities relate to a lack of protection against Replay attacks, a lack of encryption of sensitive data transmitted via radio communication and the possibility of Keystroke Injection attacks.”
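
The distinction the quoted article draws between data whitening and encryption, shown as an added example that is not part of the article or of SySS's or Fujitsu's material. The LFSR taps, the seed, the sample report and the keys are assumptions made for illustration (the page does not state the LX390's whitening parameters), and the HMAC-based keystream is a standard-library stand-in for a real cipher.

```python
import hashlib
import hmac

SEED = 0x53  # constructed value; a whitening seed is a fixed radio parameter, not a secret

def lfsr_stream(seed: int, n: int) -> bytes:
    """n bytes from a 7-bit LFSR (taps at bits 7 and 4; assumed for illustration)."""
    state = seed & 0x7F
    if state == 0:
        raise ValueError("LFSR seed must be non-zero")
    out = bytearray()
    for _ in range(n):
        byte = 0
        for _ in range(8):
            msb = (state >> 6) & 1
            feedback = msb ^ ((state >> 3) & 1)
            byte = (byte << 1) | msb
            state = ((state << 1) | feedback) & 0x7F
        out.append(byte)
    return bytes(out)

def xor(data: bytes, stream: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, stream))

def whiten(data: bytes, seed: int = SEED) -> bytes:
    """Keyless and self-inverse: the same call whitens and de-whitens."""
    return xor(data, lfsr_stream(seed, len(data)))

def keyed_stream(key: bytes, nonce: bytes, n: int) -> bytes:
    """HMAC-SHA256 in counter mode, a stdlib stand-in for a real cipher such as AES-CTR."""
    out, counter = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:n]

def encrypt(data: bytes, key: bytes, nonce: bytes) -> bytes:
    return xor(data, keyed_stream(key, nonce, len(data)))

def compare() -> dict:
    report = bytes([0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x00, 0x00])  # constructed HID-style report
    key, other_key, nonce = bytes(range(16)), bytes(16), bytes(8)      # constructed values
    sealed = encrypt(report, key, nonce)
    return {
        "whitened_differs_on_air": whiten(report) != report,
        "readable_with_public_params": whiten(whiten(report)) == report,
        "readable_with_wrong_key": encrypt(sealed, other_key, nonce) == report,
        "readable_with_right_key": encrypt(sealed, key, nonce) == report,
    }
```

Whitening changes the bits on the air but depends on no secret, so it balances the radio signal without giving confidentiality; only the keyed transform ties readability to possession of a key.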