of mice and keyboards on the security of modern wireless
play

Of Mice and Keyboards: On the Security of Modern Wireless Desktop - PowerPoint PPT Presentation

Dec 01, 2022 •274 likes •1.09k views

Of Mice and Keyboards: On the Security of Modern Wireless Desktop Sets October 22, 2016 October 22, 2016 Deeg & Klostermeier | Hacktivity 2016 1 Who am I? Dipl.-Inf. Matthias Deeg Expert IT Security Consultant CISSP, CISA, OSCP, OSCE

  1. Of Mice and Keyboards: On the Security of Modern Wireless Desktop Sets October 22, 2016 October 22, 2016 Deeg & Klostermeier | Hacktivity 2016 1

  2. Who am I? Dipl.-Inf. Matthias Deeg Expert IT Security Consultant CISSP, CISA, OSCP, OSCE especially IT security – since his early days Ulm, Germany October 22, 2016 Deeg & Klostermeier | Hacktivity 2016 2  Interested in information technology –  Studied computer science at the University of  IT Security Consultant since 2007

  3. Who am I? B. Sc. Gerhard Klostermeier IT Security Consultant OSCP especially when it comes to hardware and radio protocols Germany October 22, 2016 Deeg & Klostermeier | Hacktivity 2016 3  Interested in all things concerning IT security –  Studied IT security at the University of Aalen,  IT Security Consultant since 2014

  4. Agenda 1. Short Introduction to Used Technology 2. Previous Work of Other Researchers 3. Overview of Our Research 4. Attack Surface and Attack Scenarios 5. Found Security Vulnerabilities 6. (Live) Demos 7. Conclusion & Recommendation 8. Q&A October 22, 2016 Deeg & Klostermeier | Hacktivity 2016 4

  5. Short Introduction to Used Technology October 22, 2016 Deeg & Klostermeier | Hacktivity 2016 5

  6. Short Introduction to Used Technology October 22, 2016 Deeg & Klostermeier | Hacktivity 2016 6 Keyboard Mouse USB Dongle Software Defined Radio Crazyradio PA Logitech Unifying Receiver

  7. Short Introduction to Used Technology October 22, 2016 Deeg & Klostermeier | Hacktivity 2016 7 Keyboard Mouse USB Dongle mouse actions keystrokes

  8. Previous Work of Other Researchers 2011 October 22, 2016 Deeg & Klostermeier | Hacktivity 2016 8  KeyKeriki v1.0 and v2.0 by Dreamlab Technologies, 2010  Promiscuity is the nRF24L01+'s Duty, Travis Goodspeed,  KeySweeper, Samy Kamkar, 2015  MouseJack, Bastille Networks Internet Security, 2016

  9. Overview of Our Research October 22, 2016 Very fragmented research project due to more import Perixx PERIDUO-710W 5. Logitech MK520 4. Fujitsu Wireless Keyboard Set LX901 3. Cherry AES B.UNLIMITED 2. Microsoft Wireless Desktop 2000 1. of different manufacturers 9 Deeg & Klostermeier | Hacktivity 2016 things ™  Started as customer project back in April 2015  Tested different wireless desktop sets using AES encryption 

  10. Overview of Our Research October 22, 2016 Deeg & Klostermeier | Hacktivity 2016 10

  11. Test Methodology October 22, 2016 Deeg & Klostermeier | Hacktivity 2016 11 1. Hardware analysis  Opening up keyboards, mice and USB dongles  Staring at PCBs  Identifying chips  RTFD ( Reading the Fine Documentation ™)  Finding test points for SPI  Soldering some wires and dumping flash memory

  12. Test Methodology October 22, 2016 Deeg & Klostermeier | Hacktivity 2016 12 2. Firmware analysis code  Loading dumped 8051 firmware in IDA Pro  Staring at disassemblies  Some more RTFD  Checking Nordic Semiconductor’s nRF24 SDK  Reading code, writing sample code, analyzing compiled sample

  13. Test Methodology October 22, 2016 Deeg & Klostermeier | Hacktivity 2016 13 3. Radio-based analysis know what to do with the HackRF One and the USRP B200  Watching Mike Ossmann’s SDR video tutorials several times to  Some more RTFD  Browsing the web for valuable information about nRF24  Playing around with GNU Radio  Writing some Python scripts  Analyzing nRF24 data communication using NRF24-BTLE-Decoder  Changing tool set after Bastille releases MouseJack

  14. Identified Transceivers/SoCs Logitech MK520 nRF24 transceivers by Nordic Semiconductor nRF24LU1+ nRF24LE1H (OTP) Perixx PERIDUO-710W nRF24LU1+ nRF24LE1H (OTP) Microsoft Wireless Desktop 2000 nRF24LU1+ nRF24LE1 CYRF6936 October 22, 2016 CYRF6936 Fujitsu Wireless Keyboard Set LX901 nRF24LU1+ nRF24LE1 Cherry AES B.UNLIMITED USB Dongle Keyboard Product Name 14 Deeg & Klostermeier | Hacktivity 2016  Four of the five tested devices used low power 2.4 GHz  So far, we focused on nRF24 transceivers

  15. RTFD – Read the Fine Datasheets October 22, 2016 Deeg & Klostermeier | Hacktivity 2016 15 first had to read the datasheets – several times very popular for many kinds of projects, there is many more information and tools freely available on the Internet nRF24 transceiver’s flash memory nRF24 radio communication in combination with GNU Radio  As we had no prior experience with nRF24 transceivers, we  Nordic Semiconductor’s datasheets are very good  As low-cost nRF24 transceivers/transmitters/receivers are  For example nrfprog that we used to read and write the  Or NRF24-BTLE-Decoder that we initially used to decode

  16. RTFD – Read the Fine Datasheets October 22, 2016 Deeg & Klostermeier | Hacktivity 2016 16 (Source: Nordic Semiconductor nRF24LE Product Specification v1.6)

  17. RTFD – Read the Fine Datasheets October 22, 2016 Deeg & Klostermeier | Hacktivity 2016 17 (Source: Nordic Semiconductor nRF24LE Product Specification v1.6) (Source: Nordic Semiconductor nRF24LE Product Specification v1.6)

  18. RTFD – Read the Fine Datasheets October 22, 2016 Deeg & Klostermeier | Hacktivity 2016 18 (Source: Nordic Semiconductor nRF24LE Product Specification v1.6)

  19. RTFD – Read the Fine Datasheets October 22, 2016 Deeg & Klostermeier | Hacktivity 2016 19 (Source: Nordic Semiconductor nRF24LE Product Specification v1.6) (Source: Nordic Semiconductor nRF24LE Product Specification v1.6)

  20. Hardware Analysis October 22, 2016 Deeg & Klostermeier | Hacktivity 2016 20 PCB back side of a Microsoft wireless keyboard

  21. Firmware Analysis October 22, 2016 Deeg & Klostermeier | Hacktivity 2016 21 SPI read and write access to a Cherry wireless keyboard

  22. Firmware Analysis October 22, 2016 Deeg & Klostermeier | Hacktivity 2016 22 SPI read and write access to a Cherry USB dongle (thanks to Alexander Straßheim)

  23. Firmware Analysis October 22, 2016 Deeg & Klostermeier | Hacktivity 2016 23 Excerpt of annotated Cherry firmware disassembly (hal_aes_crypt) helpful in analyzing dumped firmware  IDA Pro and Nordic Semiconductor’s nRF24 SDK were very

  24. Radio-based Analysis October 22, 2016 Deeg & Klostermeier | Hacktivity 2016 24 Simple GNU Radio Companion flow graph for use with modified version of NRF24-BTLE-Decoder

  25. Radio-based Analysis October 22, 2016 Deeg & Klostermeier | Hacktivity 2016 25 modified version of NRF24-BTLE-Decoder  Started with GNU Radio, some Python scripts and a $ cat /tmp/fifo | ./nrf24-decoder -d 1 nrf24-decoder, decode NRF24L01+ v0.1 Address: 0xAD2D54CB8B length:11, pid:0, no_ack:1, CRC:0xAAB9 data:D149491545452AAA248925 Address: 0xAB5554B46B length:29, pid:1, no_ack:0, CRC:0xDFA5 data:D55AD4B55A956A554BDCDD6D5A956554ACAD55ACAD4AACA9555DF5F7D9 Address: 0x6BB7E29E31 length:16, pid:0, no_ack:0, CRC:0x2D58 data:0294EF5368E70FB11AB685B818819388 Address: 0x6BB7E29E31 length:16, pid:0, no_ack:0, CRC:0x2D58 data:0294EF5368E70FB11AB685B818819388 Address: 0x6BB7E29E31 length:16, pid:0, no_ack:0, CRC:0x2D58 data:0294EF5368E70FB11AB685B818819388 (...) Address: 0x5535D0A4B5 length:21, pid:1, no_ack:1, CRC:0x38C9 data:32C4B1A925A4D7252EACB29AC7354AC6C9425A552B Address: 0x6BB7E29E31 length:16, pid:0, no_ack:0, CRC:0x2D58 data:0294EF5368E70FB11AB685B818819388 Address: 0x6BB7E29E31 length:16, pid:0, no_ack:0, CRC:0x2D58 data:0294EF5368E70FB11AB685B818819388 Address: 0x6BB7E29E31 length:16, pid:0, no_ack:0, CRC:0x2D58 data:0294EF5368E70FB11AB685B818819388 (...)

  26. Radio-based Analysis October 22, 2016 Deeg & Klostermeier | Hacktivity 2016 26 release in February 2016 (many thanks to Marc Newlin) research-firmware  Used Bastille’s superior nRF24 tool set after MouseJack  Bitcraze Crazyradio PA  Bastille’s nrf-research-firmware  nrf24-sniffer and nrf24-scanner  Developed Python tools using Crazyradio PA and nrf-

  27. Encountered Problems & Solutions October 22, 2016 Deeg & Klostermeier | Hacktivity 2016 27 the target device is very helpful and less time consuming  Software-defined radio has a steep learning curve  Some things were more difficult than they initially looked  e. g. simple replay attacks  Channel hopping is tricky  Timing issues  Correctly identifying chips is an art in itself (oh, it’s OTP)  Using a development board/kit with the same technology as  Availability of proper tool set makes a huge difference

  28. Attack Surface and Attack Scenarios October 22, 2016 Deeg & Klostermeier | Hacktivity 2016 28 1. Physical access to wireless desktop set 2. Attacking via radio signals (OTA)  Extract firmware  Manipulate firmware  Extract cryptographic key material  Manipulate cryptographic key material  Exploiting unencrypted and unauthenticated radio communication  Replay attacks  Keystroke injection attacks  Decrypting encrypted data communication

  29. Found Security Vulnerabilities October 22, 2016 Deeg & Klostermeier | Hacktivity 2016 29 1. Insufficient protection of code (firmware) and data (cryptographic key) 2. Unencrypted and unauthenticated data communication 3. Missing protection against replay attacks 4. Insufficient protection against replay attacks 5. Cryptographic issues

Recommend

MouseJack: Injecting Keystrokes into Wireless Mice Marc Newlin | marc@bastille.net | @marcnewlin

MouseJack: Injecting Keystrokes into Wireless Mice Marc Newlin | marc@bastille.net | @marcnewlin

MouseJack: Injecting Keystrokes into Wireless Mice Marc Newlin | marc@bastille.net | @marcnewlin Marc Newlin Security Researcher @ Bastille Networks ((Mouse|Key)Jack|KeySniffer) Wireless mice and keyboards 16 vendors

1.14k views • 86 slides
COMPROMISING ELECTROMAGNETIC EMANATIONS OF WIRED AND WIRELESS KEYBOARDS EPFL/LASEC/USENIX

COMPROMISING ELECTROMAGNETIC EMANATIONS OF WIRED AND WIRELESS KEYBOARDS EPFL/LASEC/USENIX

COMPROMISING ELECTROMAGNETIC EMANATIONS OF WIRED AND WIRELESS KEYBOARDS EPFL/LASEC/USENIX SECURITY09 Martin VUAGNOUX and Sylvain PASINI MODERN KEYBOARDS RADIATE COMPROMISING ELECTROMAGNETIC EMANATIONS THESE EMISSIONS LED TO A FULL OR A

861 views • 75 slides
(sp)iPhone: Decoding Vibrations From Nearby Keyboards Using Mobile Phone Accelerometers Philip

(sp)iPhone: Decoding Vibrations From Nearby Keyboards Using Mobile Phone Accelerometers Philip

(sp)iPhone: Decoding Vibrations From Nearby Keyboards Using Mobile Phone Accelerometers Philip Marquardt et al. ACM Computer and Communications Security 2011 By Ren-Jay Wang CS598 - COMPUTER SECURITY IN THE PHYSICAL An old kind of attack

446 views • 17 slides
Writing a book on wireless security available online is like writing a book on safe Internet

Writing a book on wireless security available online is like writing a book on safe Internet

Agenda The purpose of this presentation is to: FIRST Technical Colloquium Uppsala, Sweden Give an overview of Wireless technology Highlight the security issues Securing Your associated with IEEE 802.11b Wireless LAN wireless LANs Suggest

413 views • 16 slides
Modern Wireless Networks Wireless Fundamentals ICEN 574 Spring 2019 Prof. Dola Saha 1

Modern Wireless Networks Wireless Fundamentals ICEN 574 Spring 2019 Prof. Dola Saha 1

Modern Wireless Networks Wireless Fundamentals ICEN 574 Spring 2019 Prof. Dola Saha 1 Wireless Digital Communication System Symbols Bits Digital Digital / RF Waveform Encoder Modulator Analog Module Wireless Channel Bits De-

1.35k views • 113 slides
Status of MICE and Spectrometer Solenoids MICE Oversight Committee Meeting RAL, 24 April 2014

Status of MICE and Spectrometer Solenoids MICE Oversight Committee Meeting RAL, 24 April 2014

Status of MICE and Spectrometer Solenoids MICE Oversight Committee Meeting RAL, 24 April 2014 Paul Soler on behalf of the MICE Collaboration Contents 1. Agenda of Meeting 2. Organisation 3. MICE general status by MICE-UK Work Package 4.

450 views • 26 slides
MICE IN ASTANA Astana is a modern city with a favourable environment attractive for tourists

MICE IN ASTANA Astana is a modern city with a favourable environment attractive for tourists

MICE IN ASTANA Astana is a modern city with a favourable environment attractive for tourists and comfortable for residents and guests of the Kazakh capital to live in. Astana became the capital of new Kazakhstan in 1998 for a variety of

726 views • 29 slides
Wireless Security for Hotspots & Home PCCW Feb, 2009 Ubiquitous Wireless Indoor &

Wireless Security for Hotspots & Home PCCW Feb, 2009 Ubiquitous Wireless Indoor &

Wireless Security for Hotspots & Home PCCW Feb, 2009 Ubiquitous Wireless Indoor & Outdoor Wireless Security for Home Provides all-in-one DSL modem with Wi-Fi capability to residential customers Simplify setup to the

354 views • 21 slides
Wireless Security Why This Works Integrity Attacks Availability Black Holes Battery Exhaustion

Wireless Security Why This Works Integrity Attacks Availability Black Holes Battery Exhaustion

Wireless Security Wireless Security Confidentiality Integrity Wireless Architecture Access Points Which AP? The Evil Twin Attack Wireless Security Why This Works Integrity Attacks Availability Black Holes Battery Exhaustion Battery

785 views • 41 slides
Plans for MICE at RAL Paul Drumm WG3 Fact03 paul drumm, mutac jan 2003 1 MICE MICE

Plans for MICE at RAL Paul Drumm WG3 Fact03 paul drumm, mutac jan 2003 1 MICE MICE

Plans for MICE at RAL Paul Drumm WG3 Fact03 paul drumm, mutac jan 2003 1 MICE MICE Status - Yagmur Toruns Talk Scientific approval given Collaboration (incl. host lab) seeking funds Demands on Host Laboratory: Muon

608 views • 36 slides
The security of existing wireless networks Cellular networks GSM o UMTS o WiFi LANs

The security of existing wireless networks Cellular networks GSM o UMTS o WiFi LANs

The security of existing wireless networks Cellular networks GSM o UMTS o WiFi LANs Bluetooth Security and Cooperation in Wireless Networks Georg-August University Gttingen Security in Wireless Networks Wireless networks are

519 views • 48 slides
Wireless LAN Security Setup & Optimizing Wireless Client in Linux Hacking and Cracking

Wireless LAN Security Setup & Optimizing Wireless Client in Linux Hacking and Cracking

Wireless LAN Security Setup & Optimizing Wireless Client in Linux Hacking and Cracking Wireless LAN Setup Host Based AP ( hostap ) in Linux & freeBSD Securing & Managing Wireless LAN : Implementing 802.1x EAP-TLS

417 views • 29 slides
Wireless Security: A Perspective (aka. What Weve Done Wrong, and Some of What We Can Do About

Wireless Security: A Perspective (aka. What Weve Done Wrong, and Some of What We Can Do About

Wireless Security: A Perspective (aka. What Weve Done Wrong, and Some of What We Can Do About It) Wade Trappe Agenda Agenda Tales from the Dark Side of Security Wireless in Particular Decomposing the Problem into Problems

697 views • 40 slides
Of Mice and Men BY John Steinbeck The film of Of Mice and Men is excellent and it will

Of Mice and Men BY John Steinbeck The film of Of Mice and Men is excellent and it will

Of Mice and Men BY John Steinbeck The film of Of Mice and Men is excellent and it will help you to understand what life on the ranch was like for the itinerant workers like George and Lennie. Remember though that you are taking a GCSE

328 views • 28 slides
Keyboards for Indic Languages Gihan Gihan D Dias ias Gihan Gihan D Dias ias University of

Keyboards for Indic Languages Gihan Gihan D Dias ias Gihan Gihan D Dias ias University of

Keyboards for Indic Languages Gihan Gihan D Dias ias Gihan Gihan D Dias ias University of Moratuwa Sri Lanka Keyboards Remains by far the most common text input method Easy to learn and use You can use it right away. Just

589 views • 34 slides
Keyboards, CRTs, LCDs and Noisy Computers R zvan Mus loiu-E. Part I Back to

Keyboards, CRTs, LCDs and Noisy Computers R zvan Mus loiu-E. Part I Back to

Keyboards, CRTs, LCDs and Noisy Computers R zvan Mus loiu-E. Part I Back to Keyboards Clarifications ... what exactly 1st, 2nd, and 3rd supervised feedback entail in the authors testing. There is a lot of

841 views • 73 slides
The Meetings, Incentives, Conferences & Exhibitions (MICE) Update Brad Williams Managing

The Meetings, Incentives, Conferences & Exhibitions (MICE) Update Brad Williams Managing

The Meetings, Incentives, Conferences & Exhibitions (MICE) Update Brad Williams Managing Partner Platinum DMC Collection 1 Agenda MICE Market The Destination The MICE Buyer Insights Overview Selection Process 2017 Global MICE

509 views • 27 slides
Hacking Hands on with wireless LAN routers, packet capture and wireless security Organised by

Hacking Hands on with wireless LAN routers, packet capture and wireless security Organised by

Free Technology Workshop Hacking Hands on with wireless LAN routers, packet capture and wireless security Organised by Steven Gordon Bangkadi 3 rd floor IT Lab 10:30-13:30 Friday 18 July 2014 http://ict.siit.tu.ac.th/moodle/ _______

795 views • 48 slides
Security in Pervasive Wireless Security in Pervasive Wireless Systems Systems Wade Trappe

Security in Pervasive Wireless Security in Pervasive Wireless Systems Systems Wade Trappe

Security in Pervasive Wireless Security in Pervasive Wireless Systems Systems Wade Trappe Breaking Down the Issues (summary) Breaking Down the Issues (summary) Wireless is easy to sniff. We still need encryption services and key management.

533 views • 13 slides
Wireless Security System 868 MHz RFID cards Vloit text Vloit text + Control Panel info

Wireless Security System 868 MHz RFID cards Vloit text Vloit text + Control Panel info

Wireless Security System 868 MHz Oasis is a wireless kit Sirens Wireless Security System 868 MHz RFID cards Vloit text Vloit text + Control Panel info Keypads ja-80_oasis_en_09_2011.ppt_c1 Wireless Security System 868 MHz Wireless

392 views • 16 slides
Wireless Network Security IT Security Ido Rosen ido@cs.uchicago.edu University of Chicago 5

Wireless Network Security IT Security Ido Rosen ido@cs.uchicago.edu University of Chicago 5

Introduction Wireless Network Security IT Security Ido Rosen ido@cs.uchicago.edu University of Chicago 5 March 2007 Ido Rosen Wireless Network Security Introduction Introduction 1 Overview Wireless LANs Ido Rosen Wireless Network

399 views • 8 slides
ECE590 Computer and Information Security Fall 2018 Wireless and Mobile Security Tyler Bletsch

ECE590 Computer and Information Security Fall 2018 Wireless and Mobile Security Tyler Bletsch

ECE590 Computer and Information Security Fall 2018 Wireless and Mobile Security Tyler Bletsch Duke University Adapted from Chapter 24: Wireless Network Security by Dr. Hossein Saiedian at Univ. Kansas, which in turn was adapted from

452 views • 27 slides
Cyber Security A Modern Tale of a Dissonant Relationship BTB Security and me BTB Security

Cyber Security A Modern Tale of a Dissonant Relationship BTB Security and me BTB Security

Cyber Security A Modern Tale of a Dissonant Relationship BTB Security and me BTB Security Founded in 2006 Technical security services, MDR Me Ron Schlecht German word for BAD Ron.Schlecht@btbsecurity.com

432 views • 8 slides
Keyboards and Covert Channels G. Shah, A. Molina, M. Blaze USENIX 2006 Eric Hennenfent The

Keyboards and Covert Channels G. Shah, A. Molina, M. Blaze USENIX 2006 Eric Hennenfent The

Keyboards and Covert Channels G. Shah, A. Molina, M. Blaze USENIX 2006 Eric Hennenfent The Humble Keylogger Malware Malicious Hardware In-Cable Devices Malicious Keyboards Supply Chain Attacks Malicious BIOS

591 views • 14 slides

More recommend