CVE-2019-12503
Description
Due to unencrypted and unauthenticated data communication, the wireless barcode scanner Inateck BCST-60 is prone to keystroke injection attacks. Thus, an attacker is able to send arbitrary keystrokes to a victim's computer system, e.g., to install malware when the target system is unattended. In this way, an attacker can remotely take control over the victim's computer that is operated with an affected receiver of this device.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
- Inateck/BCST-60
Patches
Vulnerability mechanics
Root cause
"Unencrypted and unauthenticated 2.4 GHz radio communication allows arbitrary keystroke injection into the USB receiver."
Attack vector
An attacker captures and analyzes the unencrypted 2.4 GHz radio packets exchanged between the barcode scanner and its USB receiver to reverse-engineer the protocol [ref_id=1]. Using a compatible radio dongle (e.g., Crazyradio PA with nrf-research-firmware), the attacker then crafts and transmits arbitrary keystroke packets to the victim's USB receiver [ref_id=1]. No authentication or encryption protects the data communication, so the receiver accepts these injected packets as legitimate scanner input [CWE-310]. The attack can be performed remotely when the target system is unattended, allowing the attacker to install malware or take control of the victim's computer [ref_id=1].
Affected code
The advisory does not identify specific functions, files, or code paths. The vulnerability lies in the unencrypted and unauthenticated 2.4 GHz radio communication protocol used between the wireless barcode scanner (Inateck BCST-60) and its USB dongle receiver.
What the fix does
No patch or fix has been published by the manufacturer. The advisory states that the solution status is "Open" and that SySS GmbH is not aware of a solution for this reported security vulnerability [ref_id=1]. To remediate the issue, the wireless communication protocol would need to implement encryption and authentication to prevent unauthorized devices from injecting keystroke packets into the receiver.
Preconditions
- config: The victim's computer must have the Inateck BCST-60 USB receiver plugged in and active
- network: The attacker must be within radio range of the victim's USB receiver (2.4 GHz)
- input: The attacker needs a compatible radio dongle (e.g., Crazyradio PA) with custom firmware to send crafted packets
- auth: No authentication or encryption is required; the receiver accepts any validly formatted packet
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- packetstormsecurity.com/files/155503/Inateck-BCST-60-Barcode-Scanner-Keystroke-Injection.html (mitre, x_refsource_MISC)
- seclists.org/fulldisclosure/2019/Nov/30 (mitre, mailing-list, x_refsource_FULLDISC)
- www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2019-027.txt (mitre, x_refsource_MISC)