The app, available for iOS and Android, allows an attacker to inject keystrokes.
Building a slide deck, pitch, or presentation? Here are the big takeaways:
- Three critical security flaws in the Intel Remote Keyboard application can allow an attacker to inject keystrokes and execute code on a connected machine.
- Intel has opted to discontinue the app instead of updating it, and users are directed to uninstall it right away. Alternative apps are available for both iOS and Android, and affected machines can still be used with wireless keyboards and mice.
A critical flaw in the Intel Remote Keyboard app for iOS and Android has led to the decision by Intel to discontinue the app, and the company advises all users to uninstall it as soon as possible.
Used in conjunction with Intel Next Unit of Computing (NUC) mini PCs and the flash-drive-sized Intel Compute Stick, the Intel Remote Keyboard allowed users to control the small-form machines from a smartphone.
The security advisory from Intel cites three separate CVEs affecting the app, and instead of issuing fixes for the bugs, Intel has pulled it completely. An Intel spokesperson told Threatpost that the app was scheduled for discontinuation and that the timing of its removal was unrelated to the flaws.
NUC and Compute Stick users who rely on the Intel Remote Keyboard are out of luck for now—there is no word from Intel on the release of a new version, and as of this writing the app has been pulled from both the Apple App Store and Google Play.
The Remote Keyboard app allows users to connect to the NUC or Compute Stick using the Wi-Fi Direct protocol, which allows peer-to-peer connections between compatible devices. Wi-Fi Direct has had security issues in the past, though there's nothing to indicate Intel's flaw is due to the protocol instead of the Remote Keyboard app.
An escalation of privilege attack both remote and local
The three flaws mentioned by Intel paint a bleak picture of the Remote Keyboard's security.
CVE-2018-3641 allows a network attacker to inject keystrokes as a local user, CVE-2018-3645 allows a local attacker to inject keystrokes into another remote keyboard session, and CVE-2018-3638 allows an authorized local attacker to execute arbitrary code as a privileged user. The vulnerabilities were rated (out of 10) a 9.0, 8.0, and 7.2, respectively, on the CVSS severity scale.
The three flaws affect all versions of the Intel Remote Keyboard, which may explain why Intel has decided to discontinue it instead of issuing a fix: the bugs may be deep enough in the app's code that trying to fix them would necessitate a redesign.
With the Intel Remote Keyboard app officially dead, NUC and Compute Stick users will have to make do with a wireless keyboard and mouse or another remote keyboard application, of which there are several for both iOS and Android available in their respective app stores.