Intel Remote Keyboard app discontinued in the face of critical vulnerability

Intel has asked users to uninstall the app as soon as possible.
Written by Charlie Osborne, Contributing Writer

A critical vulnerability which leaves users of the Intel Remote Keyboard app exposed to key jacking has prompted Intel to discontinue the software.

On Tuesday, the tech giant released a security advisory documenting the bug, which impacts the Intel Remote Keyboard, a mobile application for iOS and Android devices.

The vulnerability, CVE-2018-3641, is described as an unauthenticated keystroke injection flaw.

Deemed critical, the bug permits "escalation of privilege in all versions of the Intel Remote Keyboard [which] allows a network attacker to inject keystrokes as a local user," according to Intel.

Intel also revealed two additional vulnerabilities which impact the app. CVE-2018-3638, a vulnerability with a "high" danger rating, allows an authorized local attacker to escalate privileges and execute arbitrary code as a privileged user.

The second vulnerability, CVE-2018-3645, permits local attackers to inject keystrokes into another remote keyboard session without permission.

All versions of the application are affected by these security flaws, and it does not appear that Intel intends to patch them.

Instead, users are asked to simply remove the application in order to stay safe from compromise.

"Intel has issued a Product Discontinuation notice for Intel Remote Keyboard and recommends that users of the Intel Remote Keyboard uninstall it at their earliest convenience," the company says.

The vulnerabilities were first discovered in March. Mark Barnes, Marius Gabriel Mihai, and @trotmaster99 from MRW Labs have been thanked for reporting the bugs and coordinating disclosure.

It is unusual for a company to discontinue software rather than create patches. However, according to an Intel spokesperson speaking to ThreatPost, "the discontinuation is not related to the security advisory" as the product was scheduled for termination anyway.

The software's page is still up but the keyboard's download page in Google Play appears to have been removed.

It may simply be that with a scheduled discontinuation looming, the company -- which is currently coping with the fallout from the Meltdown and Spectre bugs -- chose to allocate its security and patch development teams to more important projects.

Earlier this week, Intel said the firm was dropping plans to patch a number of CPU families impacted by Meltdown and Spectre.

The reason behind abandoning fixes for some older hardware families is that repairs are impractical, or not widely supported.

While some Core, Celeron, Pentium, and Xeon-branded CPUs will not be fixed, Kaby Lake, Skylake, and Coffee Lake CPUs have already been patched.
