back to article NUC, NUC! Who's there? Intel, warning you to kill a buggy keyboard app

Intel has made much of its NUC and Compute Stick mini-PCs as a way to place computers to out-of-the-way places like digital signage. Such locations aren’t the kind of spots where keyboards and pointing devices can be found, so Intel sweetened the deal by giving the world an Android and iOS app called the “Intel Remote Keyboard …

  1. Phil Kingston

    Have to wonder if this is linked to this interesting story from yesterday: http://www.abc.net.au/news/2018-04-06/porn-site-pornhub-displayed-on-perth-yagan-square-touchscreen/9624428

    1. Anonymous Coward
      Anonymous Coward

      Probably lucky I always find out about these bugs too late...

  2. John Smith 19 Gold badge
    Unhappy

    "“inject keystrokes as a local user”," into an app designed to control embedeed PC's.

    That would be a bit of a biggie, wouldn't it?

    Looks like it got as much Quality Assurance as the software running on the Intel Management Engine.

    Although unlike that PoS you can turn this off.

    1. phuzz Silver badge

      Re: "“inject keystrokes as a local user”," into an app designed to control embedeed PC's.

      I use some NUCs as Point Of Sales terminals.

      So literally PoS in my case.

      1. lifetime security

        Re: "“inject keystrokes as a local user”," into an app designed to control embedeed PC's.

        Double PoS

  3. herman

    VNC on Linux???

    Use the Secure Shell on Linux. That is what it is for.

    1. Chemist

      Re: VNC on Linux???

      "Use the Secure Shell on Linux. That is what it is for."

      Depends on what you need to do. I usually use ssh but if i want a secure vnc session I then use tunneling for vncviewer

    2. Anonymous Coward Silver badge
      Facepalm

      Re: VNC on Linux???

      If you want a shell, sure use SSH.

      If you want a graphical console session, use VNC (over SSH tunnelling, natch).

      Bear in mind that they're targeting the digital signage market, so what's actually displayed on the screen is important.

      1. John Robson Silver badge

        Re: VNC on Linux???

        But with SSH you can fire up x11vnc trivially...

    3. K

      Re: VNC on Linux???

      2 words - Chrome RemoteDesktop .. OK, maybe that should be 3 words.

      It works great, I've got a couple of VMs at home that I use for development (Linux / Python IDE etc) and couple of build boxes for my open source projects. I can access these boxes from anywhere in the world, do a bit of coding etc, all without the faff.

      Though I should stress, these boxes sit in a segmented network. with a next-gen Firewall sitting in front of them.

      1. Peter27x

        Re: VNC on Linux???

        It's probably safer to continue with the Intel remote keyboard that use Chrome Remote Desktop Google Slurp Tool

  4. Adam 52 Silver badge

    VNC

    Maybe it's just me, but I've never managed to get VNC working properly. I can just about get the console to display remotely on a good day but if I try to spawn a new desktop for each login I always end up with people seeing each others desktops or not being able to get back to their old one. And you have to create huge great holes in the firewall. Then when it is connected it's really sluggish. OK for some remote admin but not really usable for day to day work.

    I don't suppose there's a Linux rdp server is there? A quick search didn't find one.

    1. cynic 2

      Re: VNC

      Look for xrdp.

      1. Paul 129
        Angel

        Re: VNC

        X2go was another interesting system (did have issues with apps using opengl, but could just about watch movies over it). I find myself using xrdp at the moment though.

        Also note there are a number of interesting python libraries to automate actions within vnc sessions.

        Each solution, good in a number of ways, but no single one can do it all.

    2. Chemist

      Re: VNC

      "And you have to create huge great holes in the firewall"

      Solved by ssh tunneling

  5. Anonymous Coward
    Anonymous Coward

    Off topic but an interesting bit of Intel trivia

    The Chinese phone manufacturer "Alcatel" aka "TCL" partnered with McAfee and Intel and created an Android application called "Hi Security Lite - Antivirus, Booster" which has recently won the (not so) prestigious Android Blacklist award at androidblacklist.org.

    https://androidblacklist.org/2017/07/27/virus-cleaner-hi-security-antivirus-booster/

    From what I've heard the Intel portion of the app was used to scan the users network connections and other internet related functions.

    Portions of the apps TCL related software that was flagged as "snake oil" by androidblaclist.org was pushed on to users devices without warning or permission along with the now infamous Facebook Graph API.

  6. Anonymous Coward
    Anonymous Coward

    VNC on Linux

    Agree with all the comments about ssh......but isn't MINIX running in there....somewhere?

    1. Dan 55 Silver badge
      Holmes

      Re: VNC on Linux

      Indeed. I wonder who was responsible for putting that on every one of their CPUs?

    2. Denarius

      Re: VNC on Linux

      Yes as this august publication stated a month or so back. What baffles me is that Intel owned a very good real time OS development tool in WindRiver systems or could use a well tested stable reliable realtime OS, QNX. Why use an OS theory training example ? Not knocking Minix either. Just is it the right tool for the job question ?

      1. Doctor Syntax Silver badge

        Re: VNC on Linux

        "Just is it the right tool for the job question ?"

        Reading the stories about that some weeks ago ISTR that binary size was significant. Maybe Minix could be got down to size & the others couldn't.

  7. Dan 55 Silver badge

    Reinventing the wheel the Intel way

    You'll be amazed at what happened next!

    1. onceuponatime

      Re: Reinventing the wheel the Intel way

      Something about the Emperor running around in new clothes and a car with square wheels.

  8. Reg T.

    It's Intel.

    What did you expect? Keep buying their garbage, there's a good lad.

  9. DCFusor

    xtightvnc or xrdp

    Due to an autostart (systemD) issue when raspberry pies went to Stretch, I ran xrdp on a pi 3 b+ for awhile.

    A very short while - it works, but it stinks badly - it's 10x (at least) slower than tightvnc, and just worse looking at equivalent quality settings.

    My issue with vncserver being started endlessly in a loop by systemD when started the "old safe way" was fixed by making a desktop file in /etc/xdg/autostart and I'm glad to be back to that - it works great and works with most of the vnc viewers out there. I use Remmina on Linux usually.

    RealVNC, bundled with the pi, is a piece of crap that only works with their viewer, which in turn only works with their server. With the 10's of pies around here automating things, no way am I going with something different for each one...especially not something that kinda begs for bucks to work right.

    Yes, tunneling though SSH works, especially if you're willing to do the new almost-required key set foolery. Not much point if you're just going to say "ok, just connect unverified" anyway.

  10. Deltics
    Pint

    Why not simply make this vulnerability abundantly clear and then leave users to make up their own minds ?

    I have a NUC which is in an accessible situation in my living room and I use this app for convenient control from my phone without having to reach for RDP via a laptop and or struggling with the non-mouse/soft-keyboard disconnect that a tablet provide. Plugging in a mouse and keyboard into the front-firing USB-A's is easier than that.

    Which also provides an attack vector for anyone wishing to "inject keystrokes" or indeed mousey gestures, that removing this app will not address.

    Yes, if anyone can get on my wifi from outside the house then this is a greater attack surface than physical access to my NUC, but securing my wifi is a separate problem which, if adequately addressed, surely renders attack vectors which depend on that access moot ? No ?

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like