Luis Miras luis@ringzero.net

What I’m Not Covering

What I Will Be Covering

Attack

  • Passive (Sniffing)
    – authentication data
    – sensitive data
  • Active (Injection)
    – Denial of Service
    – Execution of arbitrary commands

RF

  • RF design is hard, not needed.
  • Scanners are not needed.
  • Devices come with TX and RX circuits. (use them)
  • Think of TX and RX circuits as a network socket.

Let’s get HIDphy!!

HID – human interface device

  • Keyboard
    – HID codes similar to ps/2 scan codes
  • Mice
    – Relative movements and buttons
    – Positional movement and buttons

Device Research

Device Internals

Device Reversing

Communication

  • One way traffic (replay attacks!)
    – except kb
  • No standard data protocol
  • Varied RF protocols and frequencies.
    – 27 MHz
    – 900 MHz
    – 2.4 GHz

0111110 1010 1110 0110 0100 0111110 1010 1110 0110 0100

Reversing the protocol

  • One way messages must include
    – Authentication data (serial number)
    – Data
  • Tap at the input to the TX Chip
    – No noise or errors
  • Tap at the output of RX to verify and build the sniffer.

[Signal capture: clock and sync lines]

[Signal capture: data line]

Reversing the Protocol

Page Down

0111110 1010 1110 0110 0100 1001 0101 0010 1000001

Page Up

0111110 1010 1110 0110 0100 1101 0101 0110 1000001

“Hide”

0111110 1010 1110 0110 0100 1011 0101 1010 1000001

Reversing the Protocol

(header and footer stripped)

Page Down  1010 1110 0110 0100 1001 0101 0010
Page Up    1010 1110 0110 0100 1101 0101 0110
“Hide”     1010 1110 0110 0100 1011 0101 1010

Reversing the Protocol

(serial nibbles, identical in all three frames, highlighted on the slide)

Page Down  [1010 1110 0110 0100] 1001 [0101] 0010
Page Up    [1010 1110 0110 0100] 1101 [0101] 0110
“Hide”     [1010 1110 0110 0100] 1011 [0101] 1010

Reversing the Protocol

(data nibbles, which change with the key pressed, highlighted on the slide)

Page Down  1010 1110 0110 0100 [1001] 0101 [0010]
Page Up    1010 1110 0110 0100 [1101] 0101 [0110]
“Hide”     1010 1110 0110 0100 [1011] 0101 [1010]

Reversing the Protocol

header serial data serial data footer

0111110 xxxx xxxx xxxx xxxx xxxx xxxx xxxx 01001
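As an added example (not from the slides), a Python decoder for the frames transcribed above: it checks the 0111110 header and the 1000001 footer seen in the Page Down / Page Up / Hide captures, splits the 28 payload bits into seven nibbles, and separates the fixed (serial) positions from the changing (data) positions by comparing the three captures, the same differential comparison the highlighted slides make by eye. The function names and the rejection of malformed frames are my additions.

```python
# Added example: decode the frames transcribed from the slides and separate
# the constant (serial/authentication) nibbles from the varying (data) ones.
HEADER = "0111110"   # sync pattern at the start of every captured frame
FOOTER = "1000001"   # pattern at the end of every captured frame
NIBBLES = 7          # 28 payload bits between header and footer

# Constructed from the three captures shown on the "Reversing the Protocol" slide.
CAPTURES = {
    "Page Down": "0111110 1010 1110 0110 0100 1001 0101 0010 1000001",
    "Page Up":   "0111110 1010 1110 0110 0100 1101 0101 0110 1000001",
    "Hide":      "0111110 1010 1110 0110 0100 1011 0101 1010 1000001",
}

def parse_frame(bits):
    """Check framing and return the payload as a list of 4-bit strings."""
    raw = bits.replace(" ", "")
    if set(raw) - {"0", "1"}:
        raise ValueError("frame is not a bit string")
    if len(raw) != len(HEADER) + 4 * NIBBLES + len(FOOTER):
        raise ValueError(f"unexpected frame length {len(raw)}")
    if not raw.startswith(HEADER) or not raw.endswith(FOOTER):
        raise ValueError("header/footer mismatch, not a frame of this device")
    payload = raw[len(HEADER):len(raw) - len(FOOTER)]
    return [payload[i:i + 4] for i in range(0, len(payload), 4)]

def is_valid_frame(bits):
    """True if the bit string passes the framing checks in parse_frame."""
    try:
        parse_frame(bits)
        return True
    except ValueError:
        return False

def split_fields(frames):
    """Differential analysis over several captures from one device:
    nibble positions identical in all frames are the fixed identity
    (serial); positions that change with the key pressed are data."""
    nibbles = [parse_frame(f) for f in frames]
    fixed, varying = [], []
    for pos in range(NIBBLES):
        seen = {n[pos] for n in nibbles}
        (fixed if len(seen) == 1 else varying).append(pos)
    return fixed, varying

def serial_of(bits, fixed_positions):
    """Concatenate the fixed-position nibbles: the device identity that the
    slides note is the only authentication carried by the message."""
    nibbles = parse_frame(bits)
    return "".join(nibbles[p] for p in fixed_positions)
```

Against these captures the fixed positions come out as nibbles 0 to 3 and 5 and the varying ones as 4 and 6, which is the header / serial / data / serial / data / footer layout given on the slide above.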

Attacks

BYOM (bring your own MCU)

  • Ideally the original MCU would be reprogrammed
    – Most are OTP (One time programmable)
    – Can’t read them, security fuse blown
  • Our own MCUs are needed

Sniffing at the chip level

Injecting at the chip level

Passive attacks

  • Needed to acquire authentication data
  • Sensitive data from keyboards (passwords)
  • Mouse data not very useful

Active attacks

  • Attacks are HID type dependent
    – Keyboards (including presenters)
    – Mice

Active Keyboard Attacks

+ ‘R’ == (:

While at the cmd …

  • Echo data to a bat file
  • Run the bat file

Active Mouse Attacks

What can be done by being able to inject mouse movement and clicks?

  • Being able to see the screen. (Attacking a live presentation)
  • Blind

Accessibility for the Attacker

Blind Attacks

  • No visual feedback.
  • Educated guessing
  • Mouse movement scripting
Getting Feedback

  • Attempt to connect to controlled webserver
  • Check logs
  • Readjust and reattack

Microcontrollers

More MCU uses

  • Custom bit stream sniffer/recorder/interface
  • Custom bit generator driven by software

Future Work

  • Keyboards
  • Scripting interface
  • Software controlled bit generation
Summary

  • Find FCC ID info
  • Tap into data path.
  • Reverse the protocol
  • Inject/Sniff data using customized MCUs
  • Client enforced security is still client enforced security

Questions?

luis@ringzero.net