Breaking

This is Why Your Wireless Mouse Should Have a Tail and Your Presenter is a Fail

Puh…it’s been a long time since my last post, huh?
However, let’s get straight back to topic. Today, I want to issue a warning, especially in face of upcoming Troopers 2017 (less than two days to go, wooo! 10th anniversary!): be careful when using wireless equipment (presenters, mouses, keyboards,…), especially during Troopers, but also in daily use.

TL;DR Please take into account that you put your laptop at risk of being hacked by using wireless equipment during Troopers. This could lead to a full system compromise. Wirelessly. Attacks like keystroke injection or sniffing of latter and mouse movements are possible. This, e.g. applies to speakers, using wireless presenters (like Logitech R400/R800, old and new models), as also to any attendee or crew member who might use wireless mouses or keyboards. Be aware of this!

History / Now and Then:
Unfortunately, this topic wasn’t widely covered in the media, despite of its brisance.
It has never been so easy to get hacked remotely. You don’t even need a connection to the interwebs. It’s just by using your wireless presenter, mouse, keyboard, screen locker, whatsoever. Attacks have been around since a long time. IIRC, the first time I heard of such an attack was back in the 90’s. At the time, most of the wireless input devices were communicating at around 27 MHz. I believe it was in the early 2000’s when manufacturers came up with encryption. Later, they moved on to use the 2.4 GHz frequencies, as the 27 MHz either was forbidden or overcrowded in more and more countries and 2.4 GHz is allowed in most (or all?) countries.
Still, some used encryption, some didn’t. Some got hacked over the time, some didn’t. Yes, some (should I say many?) got hacked. It was in the media every now and then, but it never gained too much attention.
I think the most relevant projects to this day are the KeyKeriki v2.0 by Thorsten Schroeder and Max Moser, the work of Travis Goodspeed, the NRF Research Firmware by Bastille and also what Niels Teusink did.

Technical Part:
KeyKeriki, Goodspeed’s and Bastille’s work were all based on the NRF24 chipset by Nordic Semiconductors, while Teusink worked on Cypress Semiconductor chipsets like the CYRF69103.
Except of Bastille’s work, which is from last year (2016), all the other stuff was done back in 2010.
Bastille’s firmware, which is open source and easily usable on some Logitech Unifying dongles and Crazyradio PAs, was the basis for a number of attack tools (also open source). The latter can be used, in combination with a Ducky Script-like scripting language, to attack systems in a range of at least several meters. By using more efficient hardware, ranges of several hundred meters are possible. Devices could be used with a computer or even stand-alone. In my opinion, stand-alone devices are of imminent danger. They are usually smaller than the palm of your hand, could be dropped under a table or in bushes in front of a building and last for several days on battery, trying to sniff or inject keystrokes or mouse movements. More advanced devices might also have a feedback channel to the attacker via something like the GSM network. With regard to the costs: the whole of needed parts costs from 10 to 30 dollars, which makes such attacks very cost effective.

Impact:
Well, the impact. What do you think? Think about, what is possible by operating your computer by mouse and keyboard. You’re doing this right now? I’m certain of this. And be assured, an attacker’s intent won’t be surfing the web. Such a person could, e.g. drop shells/backdoors by injecting key strokes. In clear text, this means that an attacker is able of compromising your PC in a moment of inadvertence, while you’re talking to somebody or making coffee. The attack would just take a few seconds and open something like a reverse shell to the attacker. From this point, when the attack ran out successful, your computer would be compromised and the attacker could access all of your data. This might be your memories of last summer’s vacation, passwords of your social media accounts or business conversations and documents. But that’s by far not all: Your PC could just be the entry point for a much bigger attack on your whole company’s network. This could lead to loss of reputation and money, stolen intellectual property,…
It would also be possible to spy on you – passively. While most keyboards are encrypted and not every mouse is capable of acting as a HID keyboard device, an attacker could still sniff your mouse movements and have a first guess on your operating system, personal behaviours, etc.
In a follow-up post, I’ll give a short video demonstration on the impact to show how easy such an attack could be carried out.

Mitigating Controls:
What could you do to protect your intellectual property, your system, your corporate environment, your $anything?
1. Stop using wireless input devices.
Alas, this might be okay for keyboards, but more annoying if it hits your little, transportable laptop mouse and most annoying when it comes to your wireless presenter, which gives you freedom on stage while giving your awesome talk (about hacking things 😉
2. Patch devices and system.
Bastille provides some information on affected devices on their pages (Mousejack, Keyjack) and reactions from manufacturers. Unfortunately it is already known, that this list is by far not complete, as vulnerable implementations are spread over far more devices and also not only NRF24 devices are affected.
The only manufacturer which provides firmware updates for some of the devices is Logitech. Lenovo seems to exchange affected products on request with ones with a new firmware. Microsoft provides patches for the Windows operating system. (A click on the make’s name will lead you to the respective pages.)
I’m afraid that only few devices will get patched, as also only few people know about this topic. The other sad point is, that not every patch solves the problems. Some vulnerabilities stay, like the ones for Microsoft mouses. And also, not every vulnerable device was provided with patches, like the Logitech R400 presenter.
3. Filter input.
I will present possible approaches in another post. Here, just a short hint on what’s possible.
3.1 OS-based filtering
There are several solution approaches for the different operating systems. On Linux-based systems, this could be done with the aid of e.g. “ioctl” (here or here), where we will also release some PoC code soon. On Windows this could be done by manipulating the registry (remapping the scan codes) or by the use of additional software (e.g. KeyTweak, unfortunately no offical website).
3.2 Hardware-based filtering
I already have two concepts for hardware-based filters on my desk, more about this soon.

 

So, please be aware and have an awesome Troopers week 😉

See you at #TR17!
Stefan