what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Microsoft Surface Keyboard WS2-00005 Insufficient Memory Protection

Microsoft Surface Keyboard WS2-00005 Insufficient Memory Protection
Posted Oct 10, 2019
Authored by Matthias Deeg | Site syss.de

SySS GmbH found out that the embedded flash memory of the Bluetooth LE Microsoft Surface Keyboard can be read and written via the SWD (Serial Wire Debug) interface of the used nRF51822 Bluetooth SoC as the flash memory is not protected by the offered readback protection feature.

tags | advisory
SHA-256 | ddef568ac1a9b0a2ad733adb0361167469bb13ac9e72018fa9dd34b5b66a993a

Microsoft Surface Keyboard WS2-00005 Insufficient Memory Protection

Change Mirror Download
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Advisory ID: SYSS-2019-034
Product: Surface Keyboard
Manufacturer: Microsoft
Affected Version(s): WS2-00005
Tested Version(s): WS2-00005
Vulnerability Type: Insufficient Protection of Code (Firmware) and
Data (Cryptographic Key)
Risk Level: Medium
Solution Status: Open
Manufacturer Notification: 2019-07-31
Solution Date: -
Public Disclosure: 2019-10-10
CVE Reference: Not assigned yet
Author of Advisory: Matthias Deeg (SySS GmbH)

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

Microsoft Surface Keyboard is a Bluetooth Low Energy (LE) keyboard.

The manufacturer describes the product as follows (see [1]):

"Meticulously crafted, just like your Surface
Enjoy the solid feel of the keyboard under your fingers as you work.
And it pairs seamlessly with your Surface with Wireless Bluetooth - at a
range of up to 50 feet - and battery power to last a full year."

Due to the insufficient protection of the flash memory of the keyboard,
an attacker with physical access has read and write access to the
firmware and the used cryptographic key.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

SySS GmbH found out that the embedded flash memory of the Bluetooth LE
Microsoft Surface Keyboard can be read and written via the SWD (Serial
Wire Debug) interface of the used nRF51822 Bluetooth SoC [2] as the
flash memory is not protected by the offered readback protection
feature.

Thus, an attacker with physical access to the keyboard can simply read
and write the nRF51822 flash memory contents and either extract the
cryptographic key (Bluetooth LE Long Term Key), for instance, to
perform further attacks against the wireless communication, or modify
the firmware.

However, even if the readback protection of the nRF51822 was enabled,
an attacker would be able to read and write the flash memory contents by
bypassing the security feature as described in [3] and [4] with
slightly more effort.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

SySS GmbH could successfully read the nRF51822 flash memory contents of
the Microsoft Surface Keyboard via the SWD interface using a SEGGER
J-Link PRO [5] debug probe in combination with SEGGER J-Link Commander
and extract the currently used cryptographic key (Long Term Key).

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

According to Microsoft, the reported security issue does not meet
the bar for servicing via a security update [6].

The described security issue may be fixed in future versions of the
product.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2019-07-31: Vulnerability reported to manufacturer
2019-08-01: Microsoft confirms receipt of security advisory
2019-08-06: Microsoft responds that the reported issue does not meet
the bar for servicing via a security update
2019-10-10: Public release of SySS security advisory

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Product website for Microsoft Surface Keyboard
https://www.microsoft.com/en-us/p/surface-keyboard/8r3rqvvflp4k
[2] nRF51822 Product Specification v3.1
https://infocenter.nordicsemi.com/pdf/nRF51822_PS_v3.1.pdf
[3] Kris Brosch, Include Security, Firmware dumping technique for an ARM Cortex-M0 SoC, 2015
https://blog.includesecurity.com/2015/11/NordicSemi-ARM-SoC-Firmware-dumping-technique.html
[4] Andrew Tierney, Pen Test Partners, NRF51822 code readout protection bypass - a how-to, 2018
https://www.pentestpartners.com/security-blog/nrf51822-code-readout-protection-bypass-a-how-to/
[5] Product website for Segger J-Link PRO
https://www.segger.com/products/debug-probes/j-link/models/j-link-pro/
[6] Microsoft Vulnerability Severity Classification for Windows
https://aka.ms/windowsbugbar
[7] SySS Security Advisory SYSS-2019-034
https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2019-034.txt
[8] SySS GmbH, SySS Responsible Disclosure Policy
https://www.syss.de/en/news/responsible-disclosure-policy/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Matthias Deeg of SySS GmbH.

E-Mail: matthias.deeg (at) syss.de
Public Key: https://www.syss.de/fileadmin/dokumente/Materialien/PGPKeys/Matthias_Deeg.asc
Key fingerprint = D1F0 A035 F06C E675 CDB9 0514 D9A4 BF6A 34AD 4DAB

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is"
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of this security advisory is available on the SySS Web
site.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0
URL: http://creativecommons.org/licenses/by/3.0/deed.en

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEE0fCgNfBs5nXNuQUU2aS/ajStTasFAl2dwHkACgkQ2aS/ajSt
TauyRQ/8D9w9CfoM/yhoMzUqn//Rnbh5MfiTyUuZnl/UmBcAMz3sATOqFuB7/ZOb
CVr7JoWS8QoZ2LxsdTt8jSIfg9uBtrSLCUu4x8oHyvs7vysTULB3ITXxVMBAKh2z
1cntRe0RzS1Fbx6SNyFNwY5Jwma50v2Mpc/V+B8L8kjmB9Ijc5ztV/bMhrA/WCWO
hf8Rn0guhLoNMbIjMSPnVuwGrh7NxvDOlEfpAlpn4NsO/RWAIGcjzy0f0T1SztjP
KIFEQThrmCLS3SeRbVg3u1JcTWGiimL9JNRaiCOfcnf3TSsegjWLxoc4lNgrwMC6
dKZNYBEREycvYpGZiDXANFHhPimIkZcYLSQ14QqMpkCeRIUH7c2nrjDVHi141eOk
EO//qOn5WL0jahP7g3DY7rB4OkGWP2+4hJo056XXGYqgqqYzWrA4gMsVupTrvVz8
lR4T4AUSg6WKb0NoK8d2p/aBZF62XSXic9OCfYHnjI6xDCjL97r2kUrBHp4HNXIQ
tvHTAodGo/Tggk6req4W7+ABEKaG7xS4RV5OxQV+vk3QVW/DSCHgZK174cfXJFRT
jGP6rroeIv7Va6HZpJHTyiemGDw9qvskSPgqQ+17QYXLiGG3xynUuysaXpzXzHNU
vwuwM8QR7szT9f+YvG03NssFKOUA1NfOTSyrKoUL9QyYpMdNSUo=
=w7Vq
-----END PGP SIGNATURE-----

Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    0 Files
  • 12
    Nov 12th
    0 Files
  • 13
    Nov 13th
    0 Files
  • 14
    Nov 14th
    0 Files
  • 15
    Nov 15th
    0 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    0 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close