mousejack injecting keystrokes into wireless mice
play

MouseJack: Injecting Keystrokes into Wireless Mice Marc Newlin | - PowerPoint PPT Presentation

Nov 15, 2023 •259 likes •1.14k views

MouseJack: Injecting Keystrokes into Wireless Mice Marc Newlin | marc@bastille.net | @marcnewlin Marc Newlin Security Researcher @ Bastille Networks ((Mouse|Key)Jack|KeySniffer) Wireless mice and keyboards 16 vendors

  1. MouseJack: Injecting Keystrokes into Wireless Mice Marc Newlin | marc@bastille.net | @marcnewlin

  2. Marc Newlin Security Researcher @ Bastille Networks

  3. ((Mouse|Key)Jack|KeySniffer) ● Wireless mice and keyboards ○ 16 vendors ○ proprietary protocols (non-Bluetooth) ○ 4 families of transceivers ● 16 vulnerabilities ○ keystroke sniffing ○ keystroke injection ○ many are unpatchable

  4. Types of vulnerabilities ● ● Keystroke Injection Forced Pairing ○ ○ Unencrypted, targeting mice Logitech Unifying dongles ○ ○ Unencrypted, targeting keyboards Keyboard disguised as mouse ○ ● Encrypted, targeting keyboards Malicious macro programming ● Keystroke Sniffing ○ Delayed keystroke injection ○ ● Unencrypted keyboards Denial of service ○ Crash USB dongle firmware

  5. Turns out everybody makes vulnerable devices... ShhhMouse

  6. Prior Research Thorsten Schroeder and Max Moser (2010) ● “Practical Exploitation of Modern Wireless Devices” (KeyKeriki) ● Research into XOR encrypted Microsoft wireless keyboards Travis Goodspeed (2011) ● “Promiscuity is the nRF24L01+’s Duty” ● Research into nRF24L pseudo-promiscuous mode functionality Samy Kamkar (2015) ● KeySweeper ● Microsoft XOR encrypted wireless keyboard sniffer

  7. How do mice and keyboards work?

  8. Peripherals send user input to dongle

  9. Dongle sends user input to computer

  10. An attacker can talk to your dongle...

  11. or eavesdrop on your unencrypted keyboard

  12. Background and Motivation

  13. "Since the displacements of a mouse would not give any useful information to a hacker, the mouse reports are not encrypted." - Logitech (2009)

  14. Initial Logitech mouse research ● USRP B210 SDR ● Logitech M510 mouse ● GNU Radio decoder ● Good for passive RX ● USB and CPU latency make two way communications tricky

  15. Burning Man to the rescue! (duh)

  16. NES controller internals ● Arduino Nano ● DC boost converter ● nRF24L01+ ● vibration motor ● WS2812B LED

  17. Logitech mouse hijacking NES controller

  18. “Village Adventure” by Marc Newlin IoT Village a Logitech mouse clicker did not like the hax

  19. NES Controller v2 (now with more things!)

  20. NES controller v2 internals ● Teensy 3.1 ● 5x nRF24L01+ radios ● 1x WS2812B RGB LED ● 500mAh LiPo battery ● microSD card reader ● OLED display

  21. OSK attack @ ToorCon ● Windows 8.1/10 ● Deterministically launch split OSK ● Keys are at known offsets from screen corners, assuming default DPI ● Slow, very slow

  22. Discovering that first vulnerability ● Logitech Unifying keyboards ● Unencrypted keystroke injection ● Is it really that easy?

  23. I’ll take one of each, please...

  24. Research Process

  25. Gather OSINT and implement SDR decoder ● ● FCC test reports SDR decoder ○ ○ Frequencies GNU Radio ○ ○ Modulation (sometimes) USRP B210 ● ○ RFIC documentation 2.4GHz ISM band ○ 500kHz, 1MHz, 2MHz GFSK ○ Physical layer configuration ○ Packet formats ● The Google ○ “How hack mice?” ○ “Why keyboard not encrypt?”

  26. Build out a protocol model 1. Generate some ARFz a. Move the mouse, click some buttons b. Type on the keyboard 2. What data is sent over the air, and when? a. Infer payload structures b. Observe protocol behavior (channel hopping, ACKs, crypto, etc)

  27. Look for low hanging fruit ● Wireless mice ○ All tested mice are unencrypted ○ Does it transmit keystrokes? ○ Does it send raw HID data? ● Wireless keyboards ○ Is the keyboard unencrypted? ○ Is it replay vulnerable?

  28. Fuzzing (poke it and see what breaks) ● usbmon / wireshark ○ USB sniffing to see what the dongle sends to the host computer ● xinput / magic sysrq ○ Disable xinput processing of target keyboards and mice ○ Disable magic sysrq to avoid those pesky unintended hard reboots ● fuzzer ○ NES controller, and later custom nRF24LU1+ firmware

  29. Nordic Semiconductor nRF24L

  30. Nordic Semiconductor nRF24L Family ● 2.4GHz GFSK transceivers ● 250kbps, 1Mbps, 2Mbps data rates ● 0-32 byte payloads, 8 or 16 bit CRC ● Vendor defined mouse/keyboard protocols Transceiver 8051 MCU 128-bit AES USB Memory nRF24LE1 Yes Yes No Flash nRF24LE1 OTP Yes Yes No OTP (no firmware updates) nRF24LU1+ Yes Yes Yes Flash nRF24LU1+ OTP Yes Yes Yes OTP (no firmware updates)

  31. nRF24L Enhanced Shockburst ● MAC Layer Functionality ○ Automatic ACKs ○ Automatic retransmit

  32. Common nRF24L Configuration ● “Standardized” properties ○ 2 Mbps data rate ○ 5 byte address length ○ 2 byte CRC ○ Automatic ACKs ○ Automatic retransmit ● Vendor specific properties ○ RF channels ○ Payload lengths

  33. Logitech Unifying

  34. Logitech Unifying ● ● Universal pairing Encryption ○ ○ Any mouse or keyboard can pair Mice are unencrypted with any dongle ○ Keyboard multimedia keys are ● Firmware update support unencrypted ○ Dongles support firmware updates ○ Regular keyboard keys are ○ Most mice/keyboards do not encrypted with 128-bit AES ● Transceivers ○ Key generation during pairing ○ nRF24LU1+ / nRF24LE1 (most common) ● Some Dell products are really Unifying ○ TI-CC2544 / TI-CC2543 (higher end) ○ Dell KM714 ○ All OTA compatible ○ Likely others

  35. Logitech Unifying Base Packet Format ● 5, 10, and 22 byte payloads ● 1 byte payload checksum

  36. Logitech Unifying Addressing ● Lowest octet is device ID ○ Defaults to 07 from the factory ● Device ID increments when you pair a new device ○ Re-pairing a device doesn’t change its ID ● Device ID 00 is reserved for the dongle

  37. Logitech Unifying Payload Addressing RF Address Payload Addressing Mode 11:22:33:44:07 (Dongle Address) 00:XX:XX:XX:XX Transmit to the address of a paired mouse and ignore the device index field 11:22:33:44:00 (Mouse Address) 07:XX:XX:XX:XX Transmit payload to the dongle address and use the device index field

  38. ACK Payloads (Dongle to Peripheral Cmds)

  39. Logitech Unifying ACK Payload Example [16.922] 9D:65:CB:58:4D 0040006E52 // keepalive, 110ms interval [16.923] 9D:65:CB:58:4D // ACK [17.015] 9D:65:CB:58:4D 0040006E52 // keepalive, 110ms interval [17.015] 9D:65:CB:58:4D // ACK [17.108] 9D:65:CB:58:4D 0040006E52 // keepalive, 110ms interval [17.108] 9D:65:CB:58:4D // ACK [17.201] 9D:65:CB:58:4D 0040006E52 // keepalive, 110ms interval [17.201] 9D:65:CB:58:4D // ACK [17.294] 9D:65:CB:58:4D 0040006E52 // keepalive, 110ms interval [17.294] 9D:65:CB:58:4D 00104D0014000000008F // ACK payload; requesting HID++ version [17.302] 9D:65:CB:58:4D 00514D00140405000000000000000000000000000045 // response (HID++ 4.5) [17.302] 9D:65:CB:58:4D // ACK [17.387] 9D:65:CB:58:4D 0040006E52 // keepalive, 110ms interval [17.387] 9D:65:CB:58:4D // ACK

  40. Logitech Unifying Dynamic Keepalives ● Keepalives are used to detect poor channel conditions ● Missed a keepalive? Change channels ● Mouse/keyboard dynamically sets keepalive interval ● Short interval when active, long interval when idle

  41. Logitech Unifying Keepalives - Example [20.173] 4C:29:9D:C6:09 00:C2:00:00:01:00:00:00:00:3D // mouse movement (implicitly sets keepalive interval to 8ms) [20.181] 4C:29:9D:C6:09 00:4F:00:00:6E:00:00:00:00:43 // no movement after 8ms, set keepalive interval to 110ms [20.189] 4C:29:9D:C6:09 00:C2:00:00:01:00:00:00:00:3D [20.196] 4C:29:9D:C6:09 00:C2:00:00:01:00:00:00:00:3D ... [20.282] 4C:29:9D:C6:09 00:C2:00:00:00:E0:FF:00:00:5F [20.289] 4C:29:9D:C6:09 00:C2:00:00:00:F0:FF:00:00:4F [20.297] 4C:29:9D:C6:09 00:4F:00:00:6E:00:00:00:00:43 // no movement after 8ms, set keepalive interval to 110ms [20.305] 4C:29:9D:C6:09 00:40:00:6E:52 // keepalive at 110ms interval [20.390] 4C:29:9D:C6:09 00:40:00:6E:52 [20.483] 4C:29:9D:C6:09 00:40:00:6E:52 ... [25.377] 4C:29:9D:C6:09 00:40:00:6E:52 [25.470] 4C:29:9D:C6:09 00:40:00:6E:52 [25.563] 4C:29:9D:C6:09 00:4F:00:04:B0:00:00:00:00:FD // after 5 seconds idle, increase keepalive interval to 1200ms [25.571] 4C:29:9D:C6:09 00:40:04:B0:0C // keepalive at 1200ms interval [26.533] 4C:29:9D:C6:09 00:40:04:B0:0C [27.486] 4C:29:9D:C6:09 00:40:04:B0:0C [28.439] 4C:29:9D:C6:09 00:40:04:B0:0C [29.392] 4C:29:9D:C6:09 00:40:04:B0:0C [30.345] 4C:29:9D:C6:09 00:40:04:B0:0C

  42. Logitech Unifying Pairing 1. Unifying software tells the dongle to enter pairing mode 2. Dongle listens to pairing requests on address BB:0A:DC:A5:75 3. Dongle times out if pairing doesn’t happen in 30-60 seconds 4. Device type and properties are sent during pairing

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Status of MICE and Spectrometer Solenoids MICE Oversight Committee Meeting RAL, 24 April 2014

Status of MICE and Spectrometer Solenoids MICE Oversight Committee Meeting RAL, 24 April 2014

Status of MICE and Spectrometer Solenoids MICE Oversight Committee Meeting RAL, 24 April 2014 Paul Soler on behalf of the MICE Collaboration Contents 1. Agenda of Meeting 2. Organisation 3. MICE general status by MICE-UK Work Package 4.

450 views • 26 slides
Sharing: Transmission of HIV during Injecting 6 Ways SW-IDUs put themselves at risk of HIV

Sharing: Transmission of HIV during Injecting 6 Ways SW-IDUs put themselves at risk of HIV

Sharing: Transmission of HIV during Injecting 6 Ways SW-IDUs put themselves at risk of HIV beyond using the same syringes/needles Messages Our main message for the safer injecting theme is: Use a sterile syringe and needle each time

252 views • 8 slides
Of Mice and Keyboards: On the Security of Modern Wireless Desktop Sets October 22, 2016 October

Of Mice and Keyboards: On the Security of Modern Wireless Desktop Sets October 22, 2016 October

Of Mice and Keyboards: On the Security of Modern Wireless Desktop Sets October 22, 2016 October 22, 2016 Deeg & Klostermeier | Hacktivity 2016 1 Who am I? Dipl.-Inf. Matthias Deeg Expert IT Security Consultant CISSP, CISA, OSCP, OSCE

1.09k views • 81 slides
Plans for MICE at RAL Paul Drumm WG3 Fact03 paul drumm, mutac jan 2003 1 MICE MICE

Plans for MICE at RAL Paul Drumm WG3 Fact03 paul drumm, mutac jan 2003 1 MICE MICE

Plans for MICE at RAL Paul Drumm WG3 Fact03 paul drumm, mutac jan 2003 1 MICE MICE Status - Yagmur Toruns Talk Scientific approval given Collaboration (incl. host lab) seeking funds Demands on Host Laboratory: Muon

608 views • 36 slides
Of Mice and Men BY John Steinbeck The film of Of Mice and Men is excellent and it will

Of Mice and Men BY John Steinbeck The film of Of Mice and Men is excellent and it will

Of Mice and Men BY John Steinbeck The film of Of Mice and Men is excellent and it will help you to understand what life on the ranch was like for the itinerant workers like George and Lennie. Remember though that you are taking a GCSE

328 views • 28 slides
The Meetings, Incentives, Conferences & Exhibitions (MICE) Update Brad Williams Managing

The Meetings, Incentives, Conferences & Exhibitions (MICE) Update Brad Williams Managing

The Meetings, Incentives, Conferences & Exhibitions (MICE) Update Brad Williams Managing Partner Platinum DMC Collection 1 Agenda MICE Market The Destination The MICE Buyer Insights Overview Selection Process 2017 Global MICE

509 views • 27 slides
TouchLogger: Inferring Keystrokes on Touch Screen from

TouchLogger: Inferring Keystrokes on Touch Screen from

TouchLogger: Inferring Keystrokes on Touch Screen from Smartphone Mo:on Liang Cai and Hao Chen UC Davis Security Problems on Smartphones Old

264 views • 15 slides
MICE Governance Pierrick Hanlet 20 December 2013 Acronyms of Acronyms MICE: MICE: M uon I I

MICE Governance Pierrick Hanlet 20 December 2013 Acronyms of Acronyms MICE: MICE: M uon I I

MICE Governance Pierrick Hanlet 20 December 2013 Acronyms of Acronyms MICE: MICE: M uon I I onization C C ooling E E xperiment M MIPO: MIPO: M ICE ICE I I nternational nternational P P roject O O ffice M MEMO: MEMO: M ICE E E xperimental

804 views • 12 slides
MICE Status and Plans C. T. Rogers, on behalf of the MICE collaboration AST eC Intense Beams

MICE Status and Plans C. T. Rogers, on behalf of the MICE collaboration AST eC Intense Beams

MICE Status and Plans C. T. Rogers, on behalf of the MICE collaboration AST eC Intense Beams Group Rutherford Appleton Laboratory Overview Reminder of purpose and design of MICE Status of diagnostics Status of magnets Plans

760 views • 36 slides
operations and analysis Evolution of management of MICE project: MICE construction project:

operations and analysis Evolution of management of MICE project: MICE construction project:

K. Long, 13 November, 2013 Management of the MICE construction effort and interface to operations and analysis Evolution of management of MICE project: MICE construction project: Host laboratory: Substantial construction project

311 views • 12 slides
MICE (1) MICE Shigeru Ishimoto (KEK) (2) and (3)

MICE (1) MICE Shigeru Ishimoto (KEK) (2) and (3)

RCNP OCT-20, 2008 MICE (1) MICE Shigeru Ishimoto (KEK) (2) and (3)

908 views • 52 slides
MICE Demonstration of Ionisation Cooling Colin Whyte University of Strathclyde On behalf of

MICE Demonstration of Ionisation Cooling Colin Whyte University of Strathclyde On behalf of

MICE Demonstration of Ionisation Cooling Colin Whyte University of Strathclyde On behalf of the MICE collaboration RF Review 9th-10th Sept. 2015, Abingdon 1 Outline MICE Experiment STEP IV Partial Return Yoke Magnets and

515 views • 22 slides
Testing for the Unexpected: An Automated T ti f th U t d A A t t d Method of Injecting

Testing for the Unexpected: An Automated T ti f th U t d A A t t d Method of Injecting

Testing for the Unexpected: An Automated T ti f th U t d A A t t d Method of Injecting Faults for Engine Management Development M t D l t Scott James Applied Dynamics International Sh Shaun Fuller Pickering Interfaces F ll

353 views • 18 slides
CM38 Napa Valley P J Smith on behalf of the MICE target team MICE Overview 2 Target

CM38 Napa Valley P J Smith on behalf of the MICE target team MICE Overview 2 Target

MICE Target Mechanism CM38 Napa Valley P J Smith on behalf of the MICE target team MICE Overview 2 Target Mechanism Running on ISIS: A summary of running on ISIS. Future Run Plans. Software Updates. Replacement of patch/broken fibres.

580 views • 21 slides
Novel Application of Density Estimation Techniques in MICE Tanaz Angelina Mohayai, for the MICE

Novel Application of Density Estimation Techniques in MICE Tanaz Angelina Mohayai, for the MICE

Novel Application of Density Estimation Techniques in MICE Tanaz Angelina Mohayai, for the MICE Collaboration DPF 2017, Fermilab Contents Motivation Muon Ionization Cooling Muon Ionization Cooling Experiment (MICE) Novel Application of Density

309 views • 20 slides
The potential and viability of establishing a Supervised Injecting Facility (SIF) in Melbourne

The potential and viability of establishing a Supervised Injecting Facility (SIF) in Melbourne

The potential and viability of establishing a Supervised Injecting Facility (SIF) in Melbourne Professor Robert Power Burnet Institute Acknowledgements Traditional owners: W urundjeri Yarra Drug Health Forum Project team

633 views • 22 slides
Video recording lectures: blending the quarantini. Matthew Jones & Nick Sharples TALMO

Video recording lectures: blending the quarantini. Matthew Jones & Nick Sharples TALMO

Video recording lectures: blending the quarantini. Matthew Jones & Nick Sharples TALMO workshop: Engagement and Interaction. 3rd September 2020 October 2018 - maths stafg were issued with ipads, pencils + dongles. Workfmow: Prepare slides

750 views • 23 slides
Principles for secure design Some of the slides and content are from Mike Hicks Coursera

Principles for secure design Some of the slides and content are from Mike Hicks Coursera

Principles for secure design Some of the slides and content are from Mike Hicks Coursera course Making secure software Flawed approach : Design and build software, and ignore security at first Add security once the functional

830 views • 70 slides
Program Partitioning Program Partitioning for Secure E xecution for Secure E xecution Cha rle

Program Partitioning Program Partitioning for Secure E xecution for Secure E xecution Cha rle

Program Partitioning Program Partitioning for Secure E xecution for Secure E xecution Cha rle s W. O Do nne ll G. E dwa rd Suh Srini De va da s Se pte mb e r 24, 2004 4 th MI T CSAI L Co mpute r Arc hite c ture Wo rksho p

189 views • 15 slides
Fermilab LBNF CF Far Detector BSI Facilities Engineering Services Section 8/26/2015

Fermilab LBNF CF Far Detector BSI Facilities Engineering Services Section 8/26/2015

WIRING DEVICES POWER SINGLE LINE DIAGRAM FIRE ALARM SYMBOLS ABBREVIATIONS ABBREVIATIONS SYMBOL DESCRIPTION SYMBOL DESCRIPTION SYMBOL DESCRIPTION SYMBOL DESCRIPTION SYMBOL DESCRIPTION SYMBOL DESCRIPTION R A, AMP AMPERE OC ON

313 views • 10 slides
Updates on Camera & Ground Plane Monitoring System Heng-Ye Liao, Charles Cadeau, Francesco

Updates on Camera & Ground Plane Monitoring System Heng-Ye Liao, Charles Cadeau, Francesco

Updates on Camera & Ground Plane Monitoring System Heng-Ye Liao, Charles Cadeau, Francesco Pietropaolo, Stephen Pordes, Serhan Tufanli HV system consortium meeting 07/10/2018 Signal Readout Port Port Item Number 1 Ground plane

302 views • 6 slides
Workshop on Active Internet Measurements Sam Crawford (sam@samknows.com) 9 February 2012

Workshop on Active Internet Measurements Sam Crawford (sam@samknows.com) 9 February 2012

Workshop on Active Internet Measurements Sam Crawford (sam@samknows.com) 9 February 2012 Background Company WAREHOUSE IN 2008 Regulatory work Since 2008 Since 2010 Since 2011 Since 2011 UK USA Europe Singapore United Kingdom United

268 views • 22 slides
Th The Fu Futur ure Is Is He Here e - Mode dern rn Attack ttack Sur urface ace On On

Th The Fu Futur ure Is Is He Here e - Mode dern rn Attack ttack Sur urface ace On On

Th The Fu Futur ure Is Is He Here e - Mode dern rn Attack ttack Sur urface ace On On Au Automotiv omotive Lior Yaari 28/11/2019 Techy Trainer at DeepSec 7 Years In Cyber Security Vulnerability Researcher Sec-Dev CS Teacher

1.28k views • 81 slides
Lazy-Mode RF OSINT and Reverse Engineering Marc Newlin | @marcnewlin | TROOPERS18 $(whoami)

Lazy-Mode RF OSINT and Reverse Engineering Marc Newlin | @marcnewlin | TROOPERS18 $(whoami)

Lazy-Mode RF OSINT and Reverse Engineering Marc Newlin | @marcnewlin | TROOPERS18 $(whoami) Red Team @ Snap Former Wireless Security Researcher @ Bastille Networks Wireless CVEs in products from 21 vendors Radios

755 views • 64 slides

More recommend