Unencrypted Mouse Packet

Similar documents
Compromising Computers through Wireless Mice and Keyboards. Marc

Wireless LAN Security (RM12/2002)

Logitech Advanced 2.4 GHz Technology With Unifying Technology

Developer & maintainer of BtleJuice. Having fun with Nordic's nrf51822

Bluetooth. Quote of the Day. "I don't have to be careful, I've got a gun. -Homer Simpson. Stephen Carter March 19, 2002

Unified RF Fuzzing Under a Common API: Introducing TumbleRF

Wireless Networking. Chapter The McGraw-Hill Companies, Inc. All rights reserved

Hacking UAVs: the integrity of Wi-Fi, Telemetry and RC links. Author: Mr. Xi Chen, Mr. Jeff Thomas

Internet Layers. Physical Layer. Application. Application. Transport. Transport. Network. Network. Network. Network. Link. Link. Link.

Welcome to my presentation: Message Denial and Alteration on IEEE Low- Power Radio Networks.

AN TOÀN LỚP 4: TCP/IP ATTACKS NGUYEN HONG SON PTITHCM

KW41Z IEEE and BLE Coexistence Performance

Wireless Network Security Spring 2016

What can a small device do in modern industrial World.

CIS 700/002 : Special Topics : Bluetooth: With Low Energy comes Low Security

Wireless Technologies

Wireless Attacks and Countermeasures

Mobile Security Fall 2013

Ethical Hacking and Prevention

D. The bank s web server is using an X.509 certificate that is not signed by a root CA, causing the user ID and password to be sent unencrypted.

Drone /12/2018. Threat Model. Description. Threats. Threat Source Risk Status Date Created

Switched environments security... A fairy tale.

UART Thou Mad? An Introduction to the UART Hardware Interface. Mickey Shkatov. Toby Kohlenberg

Advanced Mobile Computing and Networking - CS 560. Wireless Technologies. Bluetooth. Bluetooth. Bluetooth. Bluetooth 7/3/2014.

Obstacle Avoiding Wireless Surveillance Bot

CSMC 417. Computer Networks Prof. Ashok K Agrawala Ashok Agrawala. Fall 2018 CMSC417 Set 1 1

Secure Routing in Wireless Sensor Networks: Attacks and Countermeasures

Wireless Network Security Spring 2015

CYBER ATTACKS EXPLAINED: WIRELESS ATTACKS

White Paper for UC, Office & Contact Center Professionals. Bluetooth Security

Bluetooth. March 28, 2005 Patrick Lui


ELEC5616 COMPUTER & NETWORK SECURITY

Secure Communications Over a Network

Bluetooth Smart: The Good, The Bad, The Ugly... and The Fix

Hacking Traffic Control Systems (U.S, UK, Australia, France, etc.)

Security Concerns in Automotive Systems. James Martin

n Given a scenario, analyze and interpret output from n A SPAN has the ability to copy network traffic passing n Capacity planning for traffic

Attacks on WLAN Alessandro Redondi

Message acknowledgement and an optional beacon. Channel Access is via Carrier Sense Multiple Access with

How Insecure is Wireless LAN?

[A SHORT REPORT ON BLUETOOTH TECHNOLOGY]

Green Lights Forever: Analyzing the Security of Traffic Infrastructure

AURA ACADEMY Training With Expertised Faculty Call Us On For Free Demo

CIT 380: Securing Computer Systems. Network Security Concepts

CITS3002 Networks and Security. The IEEE Wireless LAN protocol. 1 next CITS3002 help3002 CITS3002 schedule

CSE 127: Computer Security Network Security. Kirill Levchenko

Lab1. Definition of Sniffing: Passive Sniffing: Active Sniffing: How Does ARP Spoofing (Poisoning) Work?

Hacking the Fast Lane: security issues in p, DSRC and WAVE

Bluetooth: Short-range Wireless Communication

Naveen Kumar. 1 Wi-Fi Technology

Wireless Network Security

Security. Nelli Gordon and Sean Vakili May 10 th 2011

ON SECURITY OF BLUETOOTH WIRELESS SYSTEM. Pavel Kucera, Petr Fiedler, Zdenek Bradac, Ondrej Hyncica

Frequently Asked Questions WPA2 Vulnerability (KRACK)

Network Access Flows APPENDIXB

Wireless technology Principles of Security

Wireless Security Security problems in Wireless Networks

Wireless Terms. Uses a Chipping Sequence to Provide Reliable Higher Speed Data Communications Than FHSS

Outline. What is TCP protocol? How the TCP Protocol Works SYN Flooding Attack TCP Reset Attack TCP Session Hijacking Attack

Laurent Butti BlackHat Europe

Handling Top Security Threats for Connected Embedded Devices. OpenIoT Summit, San Diego, 2016

Physical and Link Layer Attacks

ReDECTed Building an SDR based DECT sniffer. May 27 th, 2015 HITB HAXPO Marc Newlin

Product Specification

Overview of Security

NETWORK SECURITY. Ch. 3: Network Attacks

Managing and Securing Computer Networks. Guy Leduc. Chapter 7: Securing LANs. Chapter goals: security in practice: Security in the data link layer

Managing Rogue Devices

Advanced Help Guide. Wireless Signature Pads. Copyright 2018 Topaz Systems Inc. All rights reserved.

Sensor-to-cloud connectivity using Sub-1 GHz and

Network Access Control and VoIP. Ben Hostetler Senior Information Security Advisor

WZRDnet. A Low-Power Wireless Ad-Hoc Mesh Network for Austere Tactical Environments. February 14, 2018

CompTIA Security+ Malware. Threats and Vulnerabilities Vulnerability Management

Clear Hat Consulting, Inc.

Information Technology Enhancing Productivity and Securing Against Cyber Attacks

VLAN Hopping, ARP Poisoning, and Man-In-TheMiddle Attacks in Virtualized Environments

Wireless Network Security Spring 2016

R (2) Implementation of following spoofing assignments using C++ multi-core Programming a) IP Spoofing b) Web spoofing.

Managing Rogue Devices

Leading the New Era of WiFi. Nighthawk AC1900 Smart WiFi Router Dual Band Gigabit. Data Sheet R7000

User s Manual. USB Bluetooth Dongle

Using Operator Interfaces to Optimize Performance of Industrial Wireless Networks

Detecting & Eliminating Rogue Access Point in IEEE WLAN

Mobile Security Fall 2013

SANS SEC504. Hacker Tools, Techniques, Exploits and Incident Handling.

Wireless laser barcode collector User's Guide DC8050= wireless barcode collector scanner & wireless data collector

Chapter 5 Local Area Networks. Computer Concepts 2013

Computer Networks II Advanced Features (T )

Leading the New Era of WiFi. Nighthawk AC1900 Smart WiFi Router Dual Band Gigabit. Data Sheet R7000

The Anatomy of a Man in the Middle Attack

Man in the middle. Bởi: Hung Tran

Understanding Routers, Switches, and Network Hardware

Securing A Bluetooth Device

Leading the New Era of WiFi. Nighthawk AC1900 Smart WiFi Router Dual Band Gigabit. Data Sheet R6900

How to Build a Culture of Security

SYSTEM THREAT ANALYSIS FOR HIGH ASSURANCE SOFTWARE DEFINED RADIOS

ECCouncil Certified Ethical Hacker. Download Full Version :

SEEDS Industry Engagement Event

CS-435 spring semester Network Technology & Programming Laboratory. Stefanos Papadakis & Manolis Spanakis

Transcription:

MouseJack Injecting Keystrokes into Wireless Mice Marc Newlin Bastille Threat Research Team February 12, 2016 Abstract MouseJack is a collection of security vulnerabilities affecting non-bluetooth wireless mice and keyboards. Spanning seven vendors, these vulnerabilities enable an attacker to type arbitrary commands into a victim s computer from up to 100 meters away using a $15 USB dongle. Overview Wireless mice and keyboards commonly communicate using proprietary protocols operating in the 2.4GHz ISM band. In contrast to Bluetooth, there is no industry standard to follow, leaving each vendor to implement their own security scheme. Wireless mice and keyboards work by transmitting radio frequency packets to a USB dongle plugged into a user s computer. When a user presses a key on their keyboard or moves their mouse, information describing the actions are sent wirelessly to the USB dongle. The dongle listens for radio frequency packets sent by the mouse or keyboard, and notifies the computer whenever the user moves their mouse or types on their keyboard. Unencrypted Mouse Packet In order to prevent eavesdropping, most vendors encrypt the data being transmitted by wireless keyboards. The dongle knows the encryption key being used by the keyboard, so it is able to decrypt the data and see what key was pressed. Without knowing the encryption key, an attacker is unable to decrypt the data, so they are unable to see what is being typed.

Encrypted Keyboard Packet Conversely, none of the mice that were tested encrypt their wireless communications. This means that there is no authentication mechanism, and the dongle is unable to distinguish between packets transmitted by a mouse, and those transmitted by an attacker. As a result, an attacker is able to pretend to be a mouse and transmit their own movement/click packets to a dongle. Spoofed Unencrypted Keyboard Packet Problems in the way the dongles process received packets make it possible for an attacker to transmit specially crafted packets which generate keypresses instead of mouse movement/clicks. Common Transceivers Nordic Semiconductor makes the popular nrf24l series of transceivers used in most of the devices vulnerable to MouseJack. The nrf24l transceivers provide a mechanism to wirelessly transmit data between two devices, but the functionality that turns mouse clicks and keypresses into bytes sent over the air is implemented by each vendor. From a research standpoint, this means that the same tools and procedures can be used to evaluate products from different vendors.

Software Defined Radio Decoder The nrf24l transceivers support multiple data rates, address lengths, packet formats, and checksums. To accommodate this, the initial research was performed using a USRP B210 software defined radio, coupled with a custom GNU Radio block designed to decode all of the possible packet configurations. This proved fruitful, but there were drawbacks to using an SDR. None of the tested devices employ frequency hopping in the traditional sense, but they all change channels to avoid interference from other 2.4GHz devices (Bluetooth, WiFI, etc). The channel hopping is generally unpredictable, and software defined radios are slower to retune than the nrf24l radios. This makes it difficult for an SDR based decoder to observe all of the transmitted packets. When a mouse transmits a movement packet to a dongle, the dongle replies with an acknowledgement packet telling the mouse that the movement packet was received. The mouse waits for a short period before determining that the packet it transmitted was lost, which can be as short as 250 microseconds. Due to USB latency and processing overhead, the SDR based decoder is unable to transmit ACKs within the narrow timeout window, so two way communication between an SDR and dongle/mouse isn t a viable option. Enter the NES Controller The SDR decoder made it possible to figure out the formats of the data being transmitted over the air, but reliable two way communication would be necessary to start evaluating the devices for potential weaknesses. Parallel to the MouseJack research, I was building an Arduino/nRF24L based NES controller as part of a Burning Man project. I went with the nrf24l because they are inexpensive and easy to use, but quickly connected the dots with the MouseJack project and decided to build an NES controller that could spoof wireless mice. MouseJack NES Controller

The nrf24l chips do not officially support packet sniffing, but Travis Goodspeed documented[1] a pseudo-promiscuous mode in 2011 which makes it possible to sniff a subset of packets being transmitted by other devices. This enables the NES controller to passively identify wireless mice and keyboards without the need for an SDR. The NES controller proved to be an excellent platform for learning about the behavior of mouse communication protocols. As opposed to passively collecting data, the NES controller translates d-pad arrows into mouse movement packets, and A/B buttons into left and right clicks. In order to achieve a smooth user experience, it was necessary to create a model of the packet timing and specific behavior expected by the dongle. The concept worked well, and I brought the NES controller to DEF CON in 2015[2] which demonstrated the viability of controlling previously unseen wireless mice at will. Despite being a marked improvement over the SDR decoder, the NES controller was not without problems. Running off of battery power made it impractical to use amplified transceivers, limiting the practical range to around 10 meters. Crazyradio PA Dongles The Crazyflie[3] is an open source drone which is controlled with an amplified nrf24l based USB dongle called the Crazyradio PA[4]. This is equivalent to an amplified version of the USB dongles commonly used with wireless mice and keyboards. Modifying the Crazyradio PA firmware to include support for pseudo-promiscuous mode made it possible to distill the packet sniffing and injection functionality down to a minimal amount of Python code. Fuzzing Crazyradio PA USB Dongle The Crazyradio PA dongles made it possible to implement an efficient and effective fuzzer. Mouse and keyboard USB dongles communicate user actions to the operating system in the form of USB HID packets, which can be sniffed by enabling the usbmon kernel module on Linux. The implemented fuzzer takes advantage of this by transmitting RF packets to a mouse/keyboard dongle attached to the same computer, monitoring USB traffic for generated USB HID packets. Anytime mouse movement or keypresses are sent to the operating system,

the recently transmitted RF packets are recorded for analysis. Fuzzing variants of observed packet formats and behaviors yielded the best results. Vulnerabilities Specifics of the discovered vulnerabilities vary from vendor to vendor, but they generally fall into one of three categories. 1. Keystroke injection, spoofing a mouse When processing received RF packets, some dongles do not verify that the type of packet received matches the type of device that transmitted it. Under normal circumstance, a mouse will only transmit movement/clicks to the dongle, and a keyboard will only transmit keypresses. If the dongle does not verify that the packet type and transmitting device type match, it is possible for an attacker to pretend to be a mouse, but transmit a keypress packet. The dongle does not expect packets coming from a mouse to be encrypted, so it accepts the keypress packet, allowing the attacker to type arbitrary commands on the victim s computer. 2. Keystroke injection, spoofing a keyboard Most of the tested keyboards encrypt data before transmitting it wirelessly to the dongle, but not all of the dongles require that encryption is used. This makes it possible for an attacker to pretend to be a keyboard, and transmit unencrypted keyboard packets to the dongle. This bypasses the encryption normally used by the keyboard, and allows an attacker to type arbitrary commands on the victim s computer. 3. Forced pairing Before a wireless keyboard or mouse leaves the factory, it is paired with a dongle. This means that it knows the wireless address of the dongle, and in the case of a keyboard, the secret encryption key. Some vendors include the ability to pair new devices with a dongle, or pair an existing keyboard or mouse with a new dongle. If a dongle is lost, for example, this means that the user only needs to purchase a new dongle, instead of an entirely new set. To prevent unauthorized devices from pairing with a dongle, it will only accept new devices when it has been placed into a special pairing mode by the user, which lasts for 30-60 seconds. It is possible to bypass pairing mode on some dongles and pair a new device without any user interaction. In the case where a victim only has a mouse, but is using a dongle vulnerable to keystroke injection by spoofing a keyboard, an attacker can pair a fake keyboard with the dongle, and use it to type arbitrary commands on the victim s computer.

Anatomy of an Attack Carrying out a MouseJack attack does not require specialized or expensive equipment, and can be done with a $15 USB dongle. First, the attacker identifies a target wireless mouse or keyboard by listening for RF packets transmitted when a user is moving/clicking the mouse or typing on the keyboard. Attacker Identifying a Victim s Mouse or Keyboard If necessary, the attacker now force-pairs a fake keyboard with the victim s dongle. Attacker Force-Pairing a Fake Keyboard with the Victim s Dongle Finally, the attacker transmits keypress packets to type a series of commands into the victim s computer. This can include downloading a virus or rootkit, transferring files off of the victim s computer, or anything else the attacker could do if they were physically typing on the computer s keyboard.

Attacker Injecting Keystrokes into the Victim s Dongle Mitigation There are two basic types of nrf24l chips used by keyboards, mice, and dongles: one-timeprogrammable, and flash memory. One-time-programmable devices cannot be updated once they leave the factory, but flash memory devices can. For non-updateable devices, which represent the majority of those tested, there is no mechanism to secure a vulnerable device short of unplugging the USB dongle from the computer. For devices with updated firmware available from the manufacturer, it is recommended to install the update before continuing to use the affected mouse or keyboard. References 1. Goodspeed, Travis. (February 7, 2011). Promiscuity is the nrf24l01+'s Duty. Retrieved from http://travisgoodspeed.blogspot.com/2011/02/promiscuity-is-nrf24l01s-duty.html 2. Newlin, Marc. (October 24, 2015). Hacking Wireless Mice with an NES Controller. Presented at ToorCon 17, San Diego, CA, 3. Bitcraze AB. (2016). Crazyflie 2.0. Retrieved from https://www.bitcraze.io/crazyflie-2/ 4. Bitcraze AB. (2016). Crazyradio PA. Retrieved from https://www.bitcraze.io/crazyradiopa/

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback