of mice and keyboards on the security of modern wireless
play

Of Mice and Keyboards: On the Security of Modern Wireless Desktop - PowerPoint PPT Presentation

Dec 01, 2022 •274 likes •1.09k views

Of Mice and Keyboards: On the Security of Modern Wireless Desktop Sets October 22, 2016 October 22, 2016 Deeg & Klostermeier | Hacktivity 2016 1 Who am I? Dipl.-Inf. Matthias Deeg Expert IT Security Consultant CISSP, CISA, OSCP, OSCE

  1. Of Mice and Keyboards: On the Security of Modern Wireless Desktop Sets October 22, 2016 October 22, 2016 Deeg & Klostermeier | Hacktivity 2016 1

  2. Who am I? Dipl.-Inf. Matthias Deeg Expert IT Security Consultant CISSP, CISA, OSCP, OSCE especially IT security – since his early days Ulm, Germany October 22, 2016 Deeg & Klostermeier | Hacktivity 2016 2  Interested in information technology –  Studied computer science at the University of  IT Security Consultant since 2007

  3. Who am I? B. Sc. Gerhard Klostermeier IT Security Consultant OSCP especially when it comes to hardware and radio protocols Germany October 22, 2016 Deeg & Klostermeier | Hacktivity 2016 3  Interested in all things concerning IT security –  Studied IT security at the University of Aalen,  IT Security Consultant since 2014

  4. Agenda 1. Short Introduction to Used Technology 2. Previous Work of Other Researchers 3. Overview of Our Research 4. Attack Surface and Attack Scenarios 5. Found Security Vulnerabilities 6. (Live) Demos 7. Conclusion & Recommendation 8. Q&A October 22, 2016 Deeg & Klostermeier | Hacktivity 2016 4

  5. Short Introduction to Used Technology October 22, 2016 Deeg & Klostermeier | Hacktivity 2016 5

  6. Short Introduction to Used Technology October 22, 2016 Deeg & Klostermeier | Hacktivity 2016 6 Keyboard Mouse USB Dongle Software Defined Radio Crazyradio PA Logitech Unifying Receiver

  7. Short Introduction to Used Technology October 22, 2016 Deeg & Klostermeier | Hacktivity 2016 7 Keyboard Mouse USB Dongle mouse actions keystrokes

  8. Previous Work of Other Researchers 2011 October 22, 2016 Deeg & Klostermeier | Hacktivity 2016 8  KeyKeriki v1.0 and v2.0 by Dreamlab Technologies, 2010  Promiscuity is the nRF24L01+'s Duty, Travis Goodspeed,  KeySweeper, Samy Kamkar, 2015  MouseJack, Bastille Networks Internet Security, 2016

  9. Overview of Our Research October 22, 2016 Very fragmented research project due to more import Perixx PERIDUO-710W 5. Logitech MK520 4. Fujitsu Wireless Keyboard Set LX901 3. Cherry AES B.UNLIMITED 2. Microsoft Wireless Desktop 2000 1. of different manufacturers 9 Deeg & Klostermeier | Hacktivity 2016 things ™  Started as customer project back in April 2015  Tested different wireless desktop sets using AES encryption 

  10. Overview of Our Research October 22, 2016 Deeg & Klostermeier | Hacktivity 2016 10

  11. Test Methodology October 22, 2016 Deeg & Klostermeier | Hacktivity 2016 11 1. Hardware analysis  Opening up keyboards, mice and USB dongles  Staring at PCBs  Identifying chips  RTFD ( Reading the Fine Documentation ™)  Finding test points for SPI  Soldering some wires and dumping flash memory

  12. Test Methodology October 22, 2016 Deeg & Klostermeier | Hacktivity 2016 12 2. Firmware analysis code  Loading dumped 8051 firmware in IDA Pro  Staring at disassemblies  Some more RTFD  Checking Nordic Semiconductor’s nRF24 SDK  Reading code, writing sample code, analyzing compiled sample

  13. Test Methodology October 22, 2016 Deeg & Klostermeier | Hacktivity 2016 13 3. Radio-based analysis know what to do with the HackRF One and the USRP B200  Watching Mike Ossmann’s SDR video tutorials several times to  Some more RTFD  Browsing the web for valuable information about nRF24  Playing around with GNU Radio  Writing some Python scripts  Analyzing nRF24 data communication using NRF24-BTLE-Decoder  Changing tool set after Bastille releases MouseJack

  14. Identified Transceivers/SoCs Logitech MK520 nRF24 transceivers by Nordic Semiconductor nRF24LU1+ nRF24LE1H (OTP) Perixx PERIDUO-710W nRF24LU1+ nRF24LE1H (OTP) Microsoft Wireless Desktop 2000 nRF24LU1+ nRF24LE1 CYRF6936 October 22, 2016 CYRF6936 Fujitsu Wireless Keyboard Set LX901 nRF24LU1+ nRF24LE1 Cherry AES B.UNLIMITED USB Dongle Keyboard Product Name 14 Deeg & Klostermeier | Hacktivity 2016  Four of the five tested devices used low power 2.4 GHz  So far, we focused on nRF24 transceivers

  15. RTFD – Read the Fine Datasheets October 22, 2016 Deeg & Klostermeier | Hacktivity 2016 15 first had to read the datasheets – several times very popular for many kinds of projects, there is many more information and tools freely available on the Internet nRF24 transceiver’s flash memory nRF24 radio communication in combination with GNU Radio  As we had no prior experience with nRF24 transceivers, we  Nordic Semiconductor’s datasheets are very good  As low-cost nRF24 transceivers/transmitters/receivers are  For example nrfprog that we used to read and write the  Or NRF24-BTLE-Decoder that we initially used to decode

  16. RTFD – Read the Fine Datasheets October 22, 2016 Deeg & Klostermeier | Hacktivity 2016 16 (Source: Nordic Semiconductor nRF24LE Product Specification v1.6)

  17. RTFD – Read the Fine Datasheets October 22, 2016 Deeg & Klostermeier | Hacktivity 2016 17 (Source: Nordic Semiconductor nRF24LE Product Specification v1.6) (Source: Nordic Semiconductor nRF24LE Product Specification v1.6)

  18. RTFD – Read the Fine Datasheets October 22, 2016 Deeg & Klostermeier | Hacktivity 2016 18 (Source: Nordic Semiconductor nRF24LE Product Specification v1.6)

  19. RTFD – Read the Fine Datasheets October 22, 2016 Deeg & Klostermeier | Hacktivity 2016 19 (Source: Nordic Semiconductor nRF24LE Product Specification v1.6) (Source: Nordic Semiconductor nRF24LE Product Specification v1.6)

  20. Hardware Analysis October 22, 2016 Deeg & Klostermeier | Hacktivity 2016 20 PCB back side of a Microsoft wireless keyboard

  21. Firmware Analysis October 22, 2016 Deeg & Klostermeier | Hacktivity 2016 21 SPI read and write access to a Cherry wireless keyboard

  22. Firmware Analysis October 22, 2016 Deeg & Klostermeier | Hacktivity 2016 22 SPI read and write access to a Cherry USB dongle (thanks to Alexander Straßheim)

  23. Firmware Analysis October 22, 2016 Deeg & Klostermeier | Hacktivity 2016 23 Excerpt of annotated Cherry firmware disassembly (hal_aes_crypt) helpful in analyzing dumped firmware  IDA Pro and Nordic Semiconductor’s nRF24 SDK were very

  24. Radio-based Analysis October 22, 2016 Deeg & Klostermeier | Hacktivity 2016 24 Simple GNU Radio Companion flow graph for use with modified version of NRF24-BTLE-Decoder

  25. Radio-based Analysis October 22, 2016 Deeg & Klostermeier | Hacktivity 2016 25 modified version of NRF24-BTLE-Decoder  Started with GNU Radio, some Python scripts and a $ cat /tmp/fifo | ./nrf24-decoder -d 1 nrf24-decoder, decode NRF24L01+ v0.1 Address: 0xAD2D54CB8B length:11, pid:0, no_ack:1, CRC:0xAAB9 data:D149491545452AAA248925 Address: 0xAB5554B46B length:29, pid:1, no_ack:0, CRC:0xDFA5 data:D55AD4B55A956A554BDCDD6D5A956554ACAD55ACAD4AACA9555DF5F7D9 Address: 0x6BB7E29E31 length:16, pid:0, no_ack:0, CRC:0x2D58 data:0294EF5368E70FB11AB685B818819388 Address: 0x6BB7E29E31 length:16, pid:0, no_ack:0, CRC:0x2D58 data:0294EF5368E70FB11AB685B818819388 Address: 0x6BB7E29E31 length:16, pid:0, no_ack:0, CRC:0x2D58 data:0294EF5368E70FB11AB685B818819388 (...) Address: 0x5535D0A4B5 length:21, pid:1, no_ack:1, CRC:0x38C9 data:32C4B1A925A4D7252EACB29AC7354AC6C9425A552B Address: 0x6BB7E29E31 length:16, pid:0, no_ack:0, CRC:0x2D58 data:0294EF5368E70FB11AB685B818819388 Address: 0x6BB7E29E31 length:16, pid:0, no_ack:0, CRC:0x2D58 data:0294EF5368E70FB11AB685B818819388 Address: 0x6BB7E29E31 length:16, pid:0, no_ack:0, CRC:0x2D58 data:0294EF5368E70FB11AB685B818819388 (...)

  26. Radio-based Analysis October 22, 2016 Deeg & Klostermeier | Hacktivity 2016 26 release in February 2016 (many thanks to Marc Newlin) research-firmware  Used Bastille’s superior nRF24 tool set after MouseJack  Bitcraze Crazyradio PA  Bastille’s nrf-research-firmware  nrf24-sniffer and nrf24-scanner  Developed Python tools using Crazyradio PA and nrf-

  27. Encountered Problems & Solutions October 22, 2016 Deeg & Klostermeier | Hacktivity 2016 27 the target device is very helpful and less time consuming  Software-defined radio has a steep learning curve  Some things were more difficult than they initially looked  e. g. simple replay attacks  Channel hopping is tricky  Timing issues  Correctly identifying chips is an art in itself (oh, it’s OTP)  Using a development board/kit with the same technology as  Availability of proper tool set makes a huge difference

  28. Attack Surface and Attack Scenarios October 22, 2016 Deeg & Klostermeier | Hacktivity 2016 28 1. Physical access to wireless desktop set 2. Attacking via radio signals (OTA)  Extract firmware  Manipulate firmware  Extract cryptographic key material  Manipulate cryptographic key material  Exploiting unencrypted and unauthenticated radio communication  Replay attacks  Keystroke injection attacks  Decrypting encrypted data communication

  29. Found Security Vulnerabilities October 22, 2016 Deeg & Klostermeier | Hacktivity 2016 29 1. Insufficient protection of code (firmware) and data (cryptographic key) 2. Unencrypted and unauthenticated data communication 3. Missing protection against replay attacks 4. Insufficient protection against replay attacks 5. Cryptographic issues

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

MouseJack: Injecting Keystrokes into Wireless Mice Marc Newlin | marc@bastille.net | @marcnewlin

MouseJack: Injecting Keystrokes into Wireless Mice Marc Newlin | marc@bastille.net | @marcnewlin

MouseJack: Injecting Keystrokes into Wireless Mice Marc Newlin | marc@bastille.net | @marcnewlin Marc Newlin Security Researcher @ Bastille Networks ((Mouse|Key)Jack|KeySniffer) Wireless mice and keyboards 16 vendors

1.14k views • 86 slides
COMPROMISING ELECTROMAGNETIC EMANATIONS OF WIRED AND WIRELESS KEYBOARDS EPFL/LASEC/USENIX

COMPROMISING ELECTROMAGNETIC EMANATIONS OF WIRED AND WIRELESS KEYBOARDS EPFL/LASEC/USENIX

COMPROMISING ELECTROMAGNETIC EMANATIONS OF WIRED AND WIRELESS KEYBOARDS EPFL/LASEC/USENIX SECURITY09 Martin VUAGNOUX and Sylvain PASINI MODERN KEYBOARDS RADIATE COMPROMISING ELECTROMAGNETIC EMANATIONS THESE EMISSIONS LED TO A FULL OR A

861 views • 75 slides
(sp)iPhone: Decoding Vibrations From Nearby Keyboards Using Mobile Phone Accelerometers Philip

(sp)iPhone: Decoding Vibrations From Nearby Keyboards Using Mobile Phone Accelerometers Philip

(sp)iPhone: Decoding Vibrations From Nearby Keyboards Using Mobile Phone Accelerometers Philip Marquardt et al. ACM Computer and Communications Security 2011 By Ren-Jay Wang CS598 - COMPUTER SECURITY IN THE PHYSICAL An old kind of attack

446 views • 17 slides
Writing a book on wireless security available online is like writing a book on safe Internet

Writing a book on wireless security available online is like writing a book on safe Internet

Agenda The purpose of this presentation is to: FIRST Technical Colloquium Uppsala, Sweden Give an overview of Wireless technology Highlight the security issues Securing Your associated with IEEE 802.11b Wireless LAN wireless LANs Suggest

413 views • 16 slides
Modern Wireless Networks Wireless Fundamentals ICEN 574 Spring 2019 Prof. Dola Saha 1

Modern Wireless Networks Wireless Fundamentals ICEN 574 Spring 2019 Prof. Dola Saha 1

Modern Wireless Networks Wireless Fundamentals ICEN 574 Spring 2019 Prof. Dola Saha 1 Wireless Digital Communication System Symbols Bits Digital Digital / RF Waveform Encoder Modulator Analog Module Wireless Channel Bits De-

1.35k views • 113 slides
Status of MICE and Spectrometer Solenoids MICE Oversight Committee Meeting RAL, 24 April 2014

Status of MICE and Spectrometer Solenoids MICE Oversight Committee Meeting RAL, 24 April 2014

Status of MICE and Spectrometer Solenoids MICE Oversight Committee Meeting RAL, 24 April 2014 Paul Soler on behalf of the MICE Collaboration Contents 1. Agenda of Meeting 2. Organisation 3. MICE general status by MICE-UK Work Package 4.

450 views • 26 slides
MICE IN ASTANA Astana is a modern city with a favourable environment attractive for tourists

MICE IN ASTANA Astana is a modern city with a favourable environment attractive for tourists

MICE IN ASTANA Astana is a modern city with a favourable environment attractive for tourists and comfortable for residents and guests of the Kazakh capital to live in. Astana became the capital of new Kazakhstan in 1998 for a variety of

726 views • 29 slides
Wireless Security for Hotspots & Home PCCW Feb, 2009 Ubiquitous Wireless Indoor &

Wireless Security for Hotspots & Home PCCW Feb, 2009 Ubiquitous Wireless Indoor &

Wireless Security for Hotspots & Home PCCW Feb, 2009 Ubiquitous Wireless Indoor & Outdoor Wireless Security for Home Provides all-in-one DSL modem with Wi-Fi capability to residential customers Simplify setup to the

354 views • 21 slides
Wireless Security Why This Works Integrity Attacks Availability Black Holes Battery Exhaustion

Wireless Security Why This Works Integrity Attacks Availability Black Holes Battery Exhaustion

Wireless Security Wireless Security Confidentiality Integrity Wireless Architecture Access Points Which AP? The Evil Twin Attack Wireless Security Why This Works Integrity Attacks Availability Black Holes Battery Exhaustion Battery

785 views • 41 slides
Plans for MICE at RAL Paul Drumm WG3 Fact03 paul drumm, mutac jan 2003 1 MICE MICE

Plans for MICE at RAL Paul Drumm WG3 Fact03 paul drumm, mutac jan 2003 1 MICE MICE

Plans for MICE at RAL Paul Drumm WG3 Fact03 paul drumm, mutac jan 2003 1 MICE MICE Status - Yagmur Toruns Talk Scientific approval given Collaboration (incl. host lab) seeking funds Demands on Host Laboratory: Muon

608 views • 36 slides
The security of existing wireless networks Cellular networks GSM o UMTS o WiFi LANs

The security of existing wireless networks Cellular networks GSM o UMTS o WiFi LANs

The security of existing wireless networks Cellular networks GSM o UMTS o WiFi LANs Bluetooth Security and Cooperation in Wireless Networks Georg-August University Gttingen Security in Wireless Networks Wireless networks are

519 views • 48 slides
Wireless LAN Security Setup & Optimizing Wireless Client in Linux Hacking and Cracking

Wireless LAN Security Setup & Optimizing Wireless Client in Linux Hacking and Cracking

Wireless LAN Security Setup & Optimizing Wireless Client in Linux Hacking and Cracking Wireless LAN Setup Host Based AP ( hostap ) in Linux & freeBSD Securing & Managing Wireless LAN : Implementing 802.1x EAP-TLS

417 views • 29 slides
Wireless Security: A Perspective (aka. What Weve Done Wrong, and Some of What We Can Do About

Wireless Security: A Perspective (aka. What Weve Done Wrong, and Some of What We Can Do About

Wireless Security: A Perspective (aka. What Weve Done Wrong, and Some of What We Can Do About It) Wade Trappe Agenda Agenda Tales from the Dark Side of Security Wireless in Particular Decomposing the Problem into Problems

697 views • 40 slides
Of Mice and Men BY John Steinbeck The film of Of Mice and Men is excellent and it will

Of Mice and Men BY John Steinbeck The film of Of Mice and Men is excellent and it will

Of Mice and Men BY John Steinbeck The film of Of Mice and Men is excellent and it will help you to understand what life on the ranch was like for the itinerant workers like George and Lennie. Remember though that you are taking a GCSE

328 views • 28 slides
Keyboards for Indic Languages Gihan Gihan D Dias ias Gihan Gihan D Dias ias University of

Keyboards for Indic Languages Gihan Gihan D Dias ias Gihan Gihan D Dias ias University of

Keyboards for Indic Languages Gihan Gihan D Dias ias Gihan Gihan D Dias ias University of Moratuwa Sri Lanka Keyboards Remains by far the most common text input method Easy to learn and use You can use it right away. Just

589 views • 34 slides
Keyboards, CRTs, LCDs and Noisy Computers R zvan Mus loiu-E. Part I Back to

Keyboards, CRTs, LCDs and Noisy Computers R zvan Mus loiu-E. Part I Back to

Keyboards, CRTs, LCDs and Noisy Computers R zvan Mus loiu-E. Part I Back to Keyboards Clarifications ... what exactly 1st, 2nd, and 3rd supervised feedback entail in the authors testing. There is a lot of

841 views • 73 slides
SemanticModeling Aquerylanguageforthe21 st century CliffordHeath

SemanticModeling Aquerylanguageforthe21 st century CliffordHeath

SemanticModeling Aquerylanguageforthe21 st century CliffordHeath Semantics Thesharedmeaningsofacommunity Expressedinfacts Here,amodelis: Standardforcomparison

969 views • 53 slides
1 The role of cpm in an ever-changing World Synod of the Trinity com/cpm Gathering 2 A Case

1 The role of cpm in an ever-changing World Synod of the Trinity com/cpm Gathering 2 A Case

1 The role of cpm in an ever-changing World Synod of the Trinity com/cpm Gathering 2 A Case Study Casey grew up in an large suburban congregation She identified a sense of call to ministry in high school She was mentored between high school

245 views • 5 slides
Participating in RIPE Policy Development RIR Bottom-up Model Rules POLICIES RIPE NCC LIRs

Participating in RIPE Policy Development RIR Bottom-up Model Rules POLICIES RIPE NCC LIRs

Participating in RIPE Policy Development RIR Bottom-up Model Rules POLICIES RIPE NCC LIRs PDP WGs RIPE Community Mailing Lists / RIPE Meetings 2 Working Groups Address Policy IPv6 Routing RIPE NCC Services Database

90 views • 6 slides
Ability-based design An overview Jacob O. Wobbrock, Ph.D. wobbrock@uw.edu @wobbrockjo 2

Ability-based design An overview Jacob O. Wobbrock, Ph.D. wobbrock@uw.edu @wobbrockjo 2

Ability-based design An overview Jacob O. Wobbrock, Ph.D. wobbrock@uw.edu @wobbrockjo 2 Ability assumptions All human-operated technologies contain embedded ability assumptions, whether explicit or implicit. Consider a touch screen.

552 views • 17 slides
Bochspwn Reloaded Detecting Kernel Memory Disclosure with x86 Emulation and Taint Tracking

Bochspwn Reloaded Detecting Kernel Memory Disclosure with x86 Emulation and Taint Tracking

Bochspwn Reloaded Detecting Kernel Memory Disclosure with x86 Emulation and Taint Tracking Mateusz j00ru Jurczyk REcon 2017, Montreal Alternative title (cheers Alex Ionescu!) Memory Disclosure Alternative title KERNELBLEED Agenda

1.7k views • 140 slides
Web Tracking (Continued) Side Channels Autumn 2018 Tadayoshi (Yoshi) Kohno

Web Tracking (Continued) Side Channels Autumn 2018 Tadayoshi (Yoshi) Kohno

CSE 484 / CSE M 584: Computer Security and Privacy Web Tracking (Continued) Side Channels Autumn 2018 Tadayoshi (Yoshi) Kohno yoshi@cs.Washington.edu Thanks to Dan Boneh, Dieter Gollmann, Dan Halperin, Ada Lerner, John Manferdelli, John

737 views • 40 slides
IWCG Privacy Update 26.10.2018 TPAC, Lyon Agenda 15m - High-level overview of documented threat

IWCG Privacy Update 26.10.2018 TPAC, Lyon Agenda 15m - High-level overview of documented threat

IWCG Privacy Update 26.10.2018 TPAC, Lyon Agenda 15m - High-level overview of documented threat vectors and potential mitigations based on issues and explainer at Privacy & Security repo

487 views • 31 slides
Virtualised USB Fuzzing using QEMU and Scapy Breaking USB for Fun and Profit Tobias Mueller (c)

Virtualised USB Fuzzing using QEMU and Scapy Breaking USB for Fun and Profit Tobias Mueller (c)

Intro Fuzzing Results Virtualised USB Fuzzing using QEMU and Scapy Breaking USB for Fun and Profit Tobias Mueller (c) 2015, CC-BY-SA 3.0 2015-10-01 1 / 25 Intro Fuzzing Results 1 Intro Motivation USB Architecture 2 Fuzzing Obtaining

416 views • 23 slides

More recommend