
BG - Injectyll-HIDe: Hardware Implants at Scale

BSides Las Vegas | 47:59 | 228 views | Published 2022-09
About this talk
BG - Injectyll-HIDe: Hardware Implants at Scale - Jonathan Fischer, Jeremy Miller. Breaking Ground @ 17:00 - 17:55, BSidesLV 2022 - Lucky 13 - 08/09/2022
Transcript [en]

All right, everybody, thank you for coming out tonight. We have two first-time speakers; they've got 12 years in the opsec territory, and they're super excited to be out here. One's from Arizona, one's from Minnesota, so obviously it's ice and fire. So we've got Jonathan Fischer from Minnesota and we've got Jeremy Miller from Arizona; he's the local boy over here. And they're excited to talk to you about Injectyll-HIDe, which is very heavy metal, so I kind of love it. But without any further ado, these are your speakers. Thank you for coming.

All right, before we begin, can I get a show of hands of how many people actively use hardware implants today in their engagements or their testing? We got one. Do we have two? No, just one. All right, well, hopefully by the end there will be more than just one. So with that I'd like to introduce our talk, Injectyll-HIDe: pushing the future of hardware implants to the next level. Who are we? My name is Jonathan Fischer. I have over six years in the infosec community; all of that's been on the offensive side of things. Prior to that I had over a decade of experience designing, implementing and programming industrial control systems and off-highway

control systems for machines such as bulldozers, cranes, things of that nature, and in my spare time I like researching hardware, RF and IoT security. And hello, my name is Jeremy Miller. I have over 12 years of information security experience. I've worked on red and blue teams, done a bit of security research and engineering, and worked in different industries such as retail, finance, hosting and life sciences. So a bit of a work disclaimer: this security project is based on our own research and not on behalf of our employers. Okay, so what is this talk about? We're going to go over why we decided to build our own USB implants when there are already great commercial and open source

tools out there; the journey of building the implant, so we're going to go from the C2 that we built to the hardware we designed and the software itself; and the biggest one, we're going to go over what the implant does, what makes it so unique compared to everything else out there. To start off, we'll begin with why hardware attacks are so prevalent today when there are plenty of other attack vectors. The biggest one is they're great for man-in-the-middling a device, so if you need to get in the middle of, like, a keyboard or a mouse or a monitor, it's still a pretty great covert way to do that. Also, it's amazing for gaining access to infrastructure or even just data, so you

could have a hardware implant that actually allows you to pivot around the network secretly, or maybe you just want to interface with, like, a storage device and exfiltrate data through there. Lastly, hardware attacks are amazing for bypassing security controls. So if you're trying to download a payload and it's getting caught by, like, a firewall or a WAF or something, you know, if you're pulling it locally through, like, a serial line or something, a lot of EDR tools and network tools are not going to catch that, so it's a great way to do this. There are plenty of implants out there now, both commercial and open source; we'll kind of run through some of them.

So looking at this image, a lot of these should be pretty familiar, especially, like, the Key Croc from Hak5, the O.MG Cable by MG, and even the USBNinja. These are great for just, like, education, security, or maybe using on an engagement. There are other implants, like the keylog; those are usually used for a little more nefarious reasons, maybe a non-technical person wants to actually, like, spy on someone. So a lot of good commercial ones. A couple of points about these: because they're commercial, they're going to be pretty unique or innovative in features. You know, they're selling a product, so they need something kind of special about them to grab you. Also, as long as people are buying these

devices, they're going to continue to support them, and usually the hardware and the software are pretty stable. A downside of the commercial devices, though, is they are closed source. So if you're using these on, like, critical infrastructure, some kind of engagement where you have sensitive data, you may not want to, because you're not able to fully audit the software, or even the C2 if it's not something that you're running yourself. The other aspect of these is the open source implants. Some of these are definitely not new to the security industry; I'd say the last, like, 20 years these have been pretty familiar. They've been released at DEF CON, or maybe a certain government leak has, like, involved the

creation of them. But these are some of them for sure. Open source ones are amazing because they allow us to audit and learn from them, so we feel comfortable, we're confident in using them in engagements. Secondly, such as our project, they pivot with innovation, so there have been things like a lot of the BadUSB or the NSA Playset that were actually inspiration to us to make this implant. And kind of a downside: if people are not actively using these tools in engagements, support kind of fizzles out, so that's kind of one of the minor downsides, I'd say. So with these commercial and open source ones, why would we still want to create our own? A big one is

we actually wanted to learn how to create the hardware itself, the PCB, because we had special devices we wanted to implant. So we had these keyboards and we wanted to have a custom PCB that would fit in the casing. Also, we did not want to rely on the victim's infrastructure. Some of these implants or man-in-the-middle devices rely on the victim's 802.11 network, or maybe they actually use another protocol that's commonly sniffed for. That brings us to the next point: we wanted to use an entirely different OSI physical layer that was not common to this. Another big one is, if we did create something like this, we wanted to make it open source, so

as we felt comfortable using it, maybe other people would as well, so when they improve upon it and they can audit it, you know, it's kind of a back-and-forth security check in that sense. And lastly, we didn't just want to implant or compromise a few devices. You know, we want to implant 10, 20, 50 devices, and we wanted a C2 that would support all of that.

All right, so now that we know why we built it, let's talk about the one we actually built. We affectionately dubbed this Injectyll-HIDe. At the core of our implant is the SAMD21 chip; in fact, we use two of these chips. One reads in the HID packets from the HID device and the other one relays them back out to the target. And the nice thing about these chips is we can flash them with the Arduino bootloader, which allows us to then program them with the Arduino IDE and leverage the standard libraries in Arduino, and use the forums too if we need any help. And these chips are unique in that they

have extra serial communication lines that are software enabled. They refer to them as SERCOM in the documentation, but this allows us to add extra features as we need, like audio, visual sensors, and extra radios, memory, things of that nature. So the next most important part on this device is the XBee 3 radio. Now, this is made by Digi International, and the reason we chose to go with this radio is because it allows us to do mesh networking over RF. So this is how we really achieve that scalability, through the mesh network, and with the mesh network, the more devices we add, the larger our attack network gets, and we can even shape it to

go around obstacles as needed, something you can't do with an 802.11 AP. And the mesh networking allows us to send broadcast messages to all the, excuse me, all the implants at once, or even just one at a time if we want. And Digi incorporates the authentication and encryption in their setup software for the radio, so we don't have to worry about adding that on our own. All right, besides the radio, we also implemented some storage features. For our first run of implants we decided to go with the microSD card. The reason we did this was it's cheap, it's easy to replace if we fry it, and readily available, but we know in the future it's got limited write cycles. We want to

expand on that, we want to shrink our footprint, so we're looking at NAND flash memory for future development. All right, so now that we know what's on the board, let's talk about how it's evolved over time. We started with the proof of concept. We knew we wanted to build an implant, we knew we wanted to use off-the-shelf components to try it out ourselves. So what you see here on the bottom are two boards, both running the same SAMD21 chips. The first board, on the left, is the Trinket M0. Now, at the time this was the smallest off-the-shelf commercial board that we could get for footprint, and on the right is the Arduino Nano 33

IoT board, and this was a brand new release when we started this. The nice thing about this is it came wired with extra serial ports on it and it also had built-in BLE functionality. So those two components were what we would implant in the keyboard, keeping our device small and allowing us a wireless exfil path out of the keyboard. But this still didn't achieve our desired goal in doing the expandable or scalable networking, so we had to find something to bridge that gap, and that board was the SparkFun XBee 3 Thing Plus board. This board allowed us to bridge the BLE to the DigiMesh network, and we could program this with MicroPython, and so

it's fairly simple to operate. And then we just doubled up for the C2 board, and that worked. We got a working prototype out of it. It was great, except that there was a noticeable lag in the time between when the victim would press a key and when they would see the keystroke; we're talking half a second, three quarters of a second. We figured that was enough for us to start looking at our keyboard and figure out what was going on, so we figured the victim would too. So after some troubleshooting we figured out that the problem lay in what we called the extender, the thing that bridged between the two wireless communication protocols. So to solve that we added a second board.

We added a second Nano board and did all the translation of the BLE on that, and then just communicated over UART to the SparkFun Thing board, and that worked; we got rid of the delay by doing that. And here you can see what the extender would look like on a breadboard. It's got the Arduino Nano 33 board on the left and it's got the SparkFun Thing board on the right, and it's kind of hard to see in the wires, but on the top there, there is a blue and a white wire. Now, those are the UART lines, and the reason that's significant is because this did not work right out of the box.

The documentation from SparkFun says that the UART should work, but it doesn't. If you go into the Arduino forums, they refer you to a special library for the Arduino chip to interface with it, but it's got to be over SPI. Now, we figured it out, and I'd love to say we did it on purpose, in fact we even claimed we did, but the solution to this problem was to short out the I2C bus to allow the UART bus to take over. We reached out to Digi and they told us it shouldn't work, but it does. We just felt like it wasn't the proper solution for a long-term prototype, so we decided to strip the board down to

what we really needed, and that was the Digi radio. And so that brought us to the next prototype. We just used a Digi radio straight to the C2, and we already had the processing and the logic in the Nano board, so we could just stick with the Arduino and the extender, and that worked just fine. It did everything we wanted, but there are a few things we didn't like about it; I'll get to those in a second. Here you can see what it would look like with the extender and the radio, and the thought process here is that it wouldn't be so bad if you stuck it behind, like, a monitor and you had the implant in the

keyboard, but it's still extra devices you have to implant, and it still increases your chance of getting caught, especially with the BLE, because the BLE is noticeable by anybody with a smartphone and a free app. So we opted to drop that altogether and just go straight XBee from the implant itself. Now, this increases the size of the footprint, but we felt that it created less complexity in the overall design and allowed for a much stealthier implant itself. So now what you see here is the Trinket M0, the Arduino Nano 33, the XBee radio, and then another XBee radio for the C2, and this is also the phase at which we dropped in the microSD card for

our storage, and this is what you'll see today on the PCB itself, only with commercial products. But obviously this is a lot to cram into a keyboard; most people would notice a bulge in the keyboard at this point. So we decided to keep going with it and show you a little bit about what it does look like with the commercial products. Here, it might be a little hard to see, but down here is the XBee radio, this is the keyboard controller to an Arduino, or sorry, a Trinket M0, and then it's a little harder to see, but there's another Trinket M0 up here somewhere. And that was before we had the microSD card and didn't need the extra lines, but this

was a proof of concept for getting it inside as an implant into a keyboard. And here, with this beautiful wiring job that I'll take credit for, is the breadboard with the actual components on, so you can see it's a little bit of a mess to try and cram in. But again, we have the Arduino board, we have the SD card, we have the Trinket, and then we have the radio down there. So the next logical phase for us was to do what we did with the SparkFun board and strip it down to just the components we needed, which were just the same SAMD21 chips. And we did that; it worked well. The only thing we had to do differently at

this point was we had to flash the dev boards with the Arduino bootloader itself so we could then just program the chips like any other board, and that worked, we had no issues. But again, we're not going to fit that into the keyboard; you would definitely notice that, and we're going the wrong direction. If you didn't notice it, we would just shoulder surf and take your password that way if we wanted it. So again, this works, we got it stripped down; there are extra components on these boards to allow for noise reduction, voltage regulation, and things of that nature. So the next step for us was to break this down to just the chip level, and so we brought

this down to a prototyping board where we hard-wired everything. So on the left is the SD card breakout, we have the two USB in and out, we have test sockets here for the two SAMD21 chips so we can just drop raw chips in and wire straight to the pins, here we have serial wire debugging ports so we could flash the chips on the fly and debug them, and then we've got the radio right there. And that's the top of the board; we had all the extra stuff on the bottom, so this is where the capacitors, the crystals, the resistors and stuff lie, it's all underneath. And this gave us enough confidence that we could then

proceed with our PCB design, since we had ironed out which components we needed to give us a stable connection. And that gives you the layout that you have today on the PCB. This is the production model of the Injectyll-HIDe board, so all you have to do is add the radio and SD card and you can drop that into a keyboard or any device and relay out to the C2 running just the XBee radio. Now that you know what we put on the board, let's talk about what the board does. We've covered a little bit about the mesh, but this board can also do keystroke injection through standard Arduino libraries, and because we're handling the

keystrokes as they come in, we can also sniff them as well. But with the SD card we can also add the ability to record the keystrokes as they come through, and we offer the reverse shell over the mesh network, which we'll talk about a little bit; it's a unique concept. And we exfil data over the mesh network the same way. We also offer a keypress timer. This gives you an idea of when we last detected a keypress, to better let you know how live this implant might be, if a keyboard is actually connected to it. And we implemented some other features as well that we thought were useful from other implants. Now you're asking yourself, how do we

interface with this? Well, it's pretty simple. We wrote a custom C2 in Python, and all you need to do is import the Digi library, the bless library, and then connect an XBee radio over USB to it and you're off and running. All right, I've got a demo to show you.

Okay, so I'm going to pause a few times during the demo. Or just not show it up? No? All right, technical difficulties.

There we go. Okay, so in this demo we're going to go over actually starting the C2, the Python script, and connecting to the C2 radio. And in this one we're actually going to pick the COM port and then the baud rate of the radio itself. It's kind of hard to see, but it's a terminal starting a Python script. It's going to ask what the COM port is for the radio and then we pick the baud rate. So this, you can see it, is the menu for the C2 itself and all the functions we have. So the next thing we're going to do is the important part, and that's having the C2 actually look for all the implants in the network.

This is done through the Digi RF mesh network.

So what we're going to do is we're going to select the option for scanning for implants.

So it's a 10-second timer, and then, if you can kind of see right here, that's the MAC address, or the address of the implant itself. So if it was able to find more, they would show up on this list, and then we have a different way of formatting that as well, so you can actually name it, like HR keyboard or finance keyboard, something like that. So once we've identified what implants are in our vicinity, we can activate one. So that's option four, I believe. So I'm gonna pick the implant that I found, activate it, and then, to actually see if it's a running implant, I'm gonna get the status of it, which we'll talk about later.

But it'll return the status of the implant itself. And then a pretty common feature of these types of devices is the actual keystroke recording. So on the left side it's going to be the victim, the bottom right is the victim typing, and you'll see in the top right, as they're typing, in real time they'll see the keystrokes.

And then with the live recording, mostly recording to the actual SD card itself. So in this case you can tell the implant to continuously record the keystrokes and write them to the SD card. So again, the left side is going to be the victim and the right the C2 itself.

Okay, so the C2 is going to list the files on the SD card remotely. We'll see it in a second here, but you can see those two files on there. So I'll grab the actual keystroke file number one, and it's downloading over the mesh network now, and then locally on the right side is going to be the C2, the attacker, and you can see the keystrokes. They're spaced out; you can see those return lines and all that, so we are working on that. We also save the HID scan codes, so if you, you know, weren't translating them correctly, if it was a different language, you have the raw codes to decipher from there.

And yeah, that's the keystroke recording live and setting up the implants.

All right, I gotta find the X. Help me there. Okay, yeah, cool.

All right, so now that we know a little bit about what it does, let's get into some more depth here. So our design goal was covert and scale on one network, and by doing this we have some authentication and encryption. Now, this is done by Digi. The authentication is like Zigbee: you have to have a network ID, you have to have a sleep mode timeout and/or a setting, and then you also have to have the channel right. Unlike Zigbee, there's no PAN ID; you can set that to zero with this one. But they also offer encryption. Now, depending on the radio model you have, you can do AES-128 or AES-256 encryption; you just

enter the key, and so that's one way we were able to scale or secure our network. Then we have the mesh networking part, which lets us scale it up to an enterprise-level compromise instead of just one-offs, and then the other benefit to the mesh networking is that we are able to extend the range like we talked about. But this radio actually doesn't use Zigbee; it uses DigiMesh. This is a proprietary protocol with Digi, and it's a little different than Zigbee in the fact that you don't have a controller; every device that gets put down with DigiMesh is its own router, so it makes provisioning really easy. Every device can be identical when you drop it in,

just with a different name, and then DigiMesh allows you to get up to a thousand nodes at one time without any alteration to the network itself. And like we mentioned before, we can control them all from one C2 with the global broadcast if we want, or we can just do individual commands. And these radios, so the XBee 3 Pro that we're using right here, can get up to two miles line of sight; indoors it can get up to 300 feet with obstructions. And if you go sub-gigahertz with another model line from them, with the right power and the right antennas, these radios are designed for things like oil rigs, and they can actually reach out to 65 miles.

So for those that don't know what a mesh network is, this kind of gives you an idea. The C2 is in the middle and every node is a router, so if we want to send a message all the way to the farthest endpoint it will go through the other nodes, and this allows us to self-heal. If a device goes down, they'll find another path, and this is how we can also shape it around obstructions like concrete barriers or walls. So we talked about joining the network, we've talked about encrypting it, but we also implemented an enable feature. So let's say somebody discovers that we're there and they want to interact with us by replaying a message. Our device needs

to have an enable message first before it will respond to anything. Without that, it'll just be passive and send keystrokes through, and once it's enabled, then it looks for very specific commands, user-definable, and that will trigger the modes that you wanted to go through. So, as with any kind of manual device, this is how we achieve the keystroke injection, sniffing and recording. So right now, as John mentioned, we have the two SAMD21 chips. So how it works is one acts as the USB host, and this is what the actual HID device itself interfaces with first, and we use a project called USB Metamorph. And this project was actually made for people that want to develop, like,

joysticks or really cool keyboards with, you know, special buttons. It's a great project; it's able to take HID codes very fast and translate them to the actual character that we're looking for. So what happens is that first SAMD chip will send over that character to the USB client chip, which is kind of the brains of the implant. So not only will it pass over the actual HID code to the victim's computer, you know, so it's achieved pass-through in that sense, it sniffs it. So this interfaces with the SD card as well, so it's saving data; it also interfaces with the radio itself, so that's where it's getting its commands and sending everything back to the C2.

Okay, so we talked about some of the modes this can be in. I don't know if you saw in the demo, we actually got the status of an implant and it returned three different things. This is one of the modes it returns. So insomnia mode, at a high level, is a mouse jiggler. So what happens is it moves back and forth. This one's pretty cool the way we developed it, because if you're staring at the screen you're not going to recognize that it's doing this. It also doesn't give you that drunken mouse feeling of, you know, you move to the right and it slides over there; that does not exist. So it's pretty cool. And the purpose of this is to keep the

computer from going to sleep, and by default this mode is turned off. So you can do a mass turn-on of insomnia mode, you can pick specific implants, it just depends. As mentioned, we have a status update, so this is kind of how we see if the implant is working, if it responds back with these statuses. So the important ones are: is it currently recording keystrokes, and do you have insomnia mode turned on. The other important feature, and we use this for injection to give us confidence in when to throw a PowerShell script in, is we can see when the last time they pressed a key on the keyboard was, which is pretty useful. And since we have an SD card, we do storage

memory management. So from the C2, over the mesh network, we can actually push new injection scripts, so we don't need access to the SD card to load things locally; we can do that remotely. We can also enumerate the SD card. This is important because we like to know, if we're recording keystrokes, what kind of artifacts are on there, and we want to see what kind of injection scripts we already have on there as well. And as typical memory management, we can erase data if needed. That's important for the next feature: if we feel that the device has been compromised in any way, we can send a command to go into the go-dark mode. So what that does is it actually

disables all functionality on the implant itself. So it'll turn off the keystroke recording and insomnia mode, and it'll wipe whatever storage is on there; so in this case it wipes the SD card itself, and it goes into, like, a sleep mode, so it'll wait for us to re-enable it with a specific command. One of the features that we mentioned before is we actually do our reverse shell through the Digi RF network itself, so we don't rely on the victim, we don't rely on any other network infrastructure at all. So what happens when you plug in the implant itself: not only does it create the HID device, it will open up a general COM port as well.

And you can actually name, let alone the HID and the COM port, you can change the VID/PID for this, so if you have a specific one you want to mask yourself as, you can. What happens is, and this is where the other functions like the last keypress and insomnia mode help, we, like Rubber Ducky style, push the PowerShell payload to the victim, so it emulates the keystrokes, and what the PowerShell script does is it attaches itself to that COM port, opens it up, and it kind of listens. So from the C2 you can attach yourself to that COM port over the Digi mesh network and do, like, a whoami or something that

relates it to the PowerShell process that's hiding in the background, and when it executes it'll send it back through the mesh network to your C2, so it doesn't rely on the victim's infrastructure at all. Using that same idea, we actually steal data through that COM port as well. We have a data exfil script, so it utilizes the exact same COM port that we open along with the HID device. It will run a PowerShell script, so from the C2, kind of like how you would SCP or FTP a file, you give it the full remote path on the victim's machine of the file that you want to steal. This is done, like, through the

reconnaissance you did through the reverse shell. It will grab the contents of the file, base64 it, gzip it, and then it'll pass it in chunks, the limitation being the actual packet size of the radio itself, which is 256 bytes, and you can set this within the script, and it'll pass it back over the DigiMesh network to the C2 itself. And because it's base64 and gzipped, the integrity of, you know, those characters is very important; if you're missing a character, your file is destroyed. So error handling is done not only on the radio side, where if it's missing a packet or it's out of order it'll ask to resend it, but PowerShell kind of has, like, a

cynic method that we use to verify that we sent the correct amount of bytes, and you don't necessarily have to run this as a brand new script; you can utilize the reverse shell that you previously opened. All right.

All right, so here's the C2 video. We're going to start with the reverse shell. It's kind of hard to see, but here we're selecting to launch a script, and we're going to push the reverse shell script. And as we do that, we go in, we select our target, we select our script, and then here you're going to see the keystroke injection pop up and then hide in the background as a process. Now that it's created the reverse shell over the COM port, we're going to go back and connect to the COM port through a different option, and then, once connected, we're going to enumerate the file system and look for a target

file that we want to exfil.

There we can see we're listing the file system. We find a file called loot.txt, and so now we're going to go and attempt to data exfil that file.

So here we're going to launch our data exfil script. Again, we're going to choose our target, and then we're going to give it the file path to the file that we want to exfil, and then we're going to name it what we want it to be saved as locally, and it's going to launch the script here.

And then you're going to see some messages as the data comes back, verifying the base64 encoding of the file that we received. Now we're going to open it up and look for the file ourselves and check the text.

And that proves out our successful data exfil path over the mesh C2.

Okay, so now you've seen the high-level functionality of the implant itself. How does it meet our needs? So like most implants and these types of devices, this is a great way to have persistence on a victim, so hopefully, if they restart their computer or the PowerShell process dies, we can just redeploy it through that implant, a keyboard. The C2 activity itself is not using their network or the victim's infrastructure at all; we're using our own. For injecting PowerShell scripts, it's kind of the worst thing: you're trying to push a PowerShell script while they're looking at their computer; it's going to freak out most people here. So with the two different functions of

insomnia mode, which helps prevent their computer from going to sleep, and the last keypress, we have pretty high confidence that we can time a good attack. And with this type of implant, if we need to extend the range, then we just throw in more implants, and they don't necessarily need to be implanted devices. The radio itself can interface with, like, a USB charger or something; it only needs 3.3 volts, so we could plant repeaters around if we needed to. All right, does anyone here, I don't know if we asked this in the beginning, actually do any war walking or look for rogue networks in their organization? No? Oh, one person. We're curious, do you look

for, like, rogue IoT networks or just, like, 802.11? Okay. We're curious; we hope, you know, this kind of brings discussion that it should be beyond looking at, you know, SSIDs and hidden SSID networks. We should be looking at all rogue networks, and especially IoT-type networks like this. So one of the biggest defenses, obviously, is war walking, looking around your network for stuff like that, or your location. If you're in a really isolated area that's pretty easy to do, like a distribution center or maybe a data center, but if you work, like, in a retail store, that's going to be pretty difficult to do. Obviously the next one is you can tamper-tape your devices. That may be a

little extreme depending on your location, but if you're working in pretty critical infrastructure it's definitely a good idea. And the biggest one that we believe is you should buy your devices from trusted vendors. So there's actually been stuff in the news the last few years where people are buying stuff from, like, third-party bidding websites or marketplaces, and they're noticing that, like, maybe this keyboard seems built a little differently than ones they bought originally. So if you're able to buy, you know, especially, like, your peripherals, maybe cameras, monitors, mice, keyboards, buy them from a source that you trust. So we've shown you at a high level the version one that we have. This is already spinning up ideas of how

we can do things differently soon so we want to add another device to the implant kind of like a microphone mostly an audio sensor we think this will be like the trifecta of timing a good time for throwing in a powershell script so the idea is if you know you're keeping the computer from going to sleep if you know the last time you hit their keyboard if you're able to monitor sound and find like a static level a baseline you might know if someone's talking near them or you know you want to make sure no one's looking at the computer screen pretty much solar monitors okay

oh okay that's a good point because we thought about if they're at their desk just texting on their phone and moving around we wanted we wanted to detect that as well so okay good to know we also need a smaller footprint so this works with the kiwi keyboards we want to implant right now but we have plenty of ways we can reduce the footprint so the first one is the radio itself um due to availability we're using one of the pretty big antenna as you saw in one of the screenshots and we can actually move to a micro which is about 60 smaller in size storage we use an sd card uh breakout which is pretty big we can move to nand

flash which would reduce that by like eighty percent and the next spot is um the debug pins are nice like the j tag pins and our swd for reflashing it but if we remove those that's going to reduce the footprint as well also as you saw the windows exfol script and the data exfil right now we're working on porting those to linux and mac as well and you know we're not totally tied down to the the digi mesh rf um radios are amazing but they're very expensive when we started doing this two years ago i think they've doubled in price since then and you can't even really get them anymore unfortunately um so we're looking at using other

radios such as like laura or something and that's not the only hardware we're looking at replacing we also have the rpi 2040. so right now we're using two samd21 chips as the host and the client chipset we can actually use the arpai 2040 and that'll take care of that can actually act as host and client at the same time it contains 48 pins so we'll have enough space to talk to our other peripherals too so looking at doing that and yeah so i want to give a special thank you to the eff they kind of helped us um give guidance on how to release this safely without getting in trouble i also want to thank soldier fortran and redfish for

mentoring us on this this is our first talk so we didn't really know a good way to organize this and present it so they helped a ton thank you we also have our contact information up here so this presentation we're going to release i'm sure it'll be on the b sides media server hopefully so on the left side our personal information on the right is the actual injectal and hyde account as well we set up a discord so we're hoping people want to use this um and yeah we set up a discord at chat live and the most important source i would say is our github so this contains everything from the c2 source to the schematics for the pcb

we have schematics for enclosures now if you don't want to put it inside a keyboard and the actual arduino code as well so it contains everything so this isn't our last talk we're actually going to be in hardware hacking village on friday at three o'clock this is going to be a deeper technical it's going to kind of go into more of the prototypes that we built and uh issues that we had we're also going to be at defcon demo labs where you can actually play around with this so we'll have a c2 setup and a couple implants and we're hoping we can kind of mess with the range and show people what it can do

and yeah and we do actually have you want to talk about the twitter and releasing the pcds yeah sure so we do have a few pcbs that have everything but the radio on them right now so they got the same d21 chips everything's like capacitors and everything's on the board themselves and we will give away a few of them if you guys want to interact with us on twitter ask questions or retweet whatever well come find us at hardware hacking village and we'll hand them out to you guys all right is there any questions concerns

2.4 yards but also can do sub gears as well so she asked what um frequency this was on for the radio so 2.4 but as jonathan mentioned it can go to sub gigahertz as well presumably the the range is related to power it's really impossible to you know what's the easiest on the 3.3 volt but what's the approach that you're going to pull right now we're using the usb 2.0 line so you're looking at 500 milliamps which is enough to get it out of the keyboard and i have actually went half a block with mine through a basement and been able to relay out and then your real limitation is your initial exit vector out of your keyboard or your

implant after that you can drop a repeater in and give it extra power give it a better antenna if you can hide it well and then you can really start covering some range that way yes yeah i've had very good luck with laura at 900 megahertz using the sx 1276 chips i've actually gotten some miles up okay as far as i was doing it across the head screw one side the other medium they kind of come to power and you actually get two pieces of input from the text so and sure the one i was using was i was actually using on the health side of the esp32s

okay yeah and that's nice part about this design is that we just use the serial connection so we can pivot through radios as we see fit or as we want to adapt to whatever environment we want to be in yes how long it's pretty it's pretty quick so how easy and how fast can you actually implant a device so if you have good soldering skills it's not very difficult on the what you need is access to the actual keyboard controller so it's just usb pretty much ground power and d plus d minus so what we showed you some of those pictures we actually had usb headers on there but we implanted those headers don't exist so we just kind of route

them through the board itself so it depends if you've never soldered before you're probably going to break a few keyboards with controllers but it's not too difficult and then to add on that too we're working on a design where some keyboards have the header pins already on so the nice thing about releasing the full pcb design through like easy eda or things of that nature is that you can go in and design your own so you can actually drop header pins on where you can just disconnect the controller you know put your own header pins on so then it's just plug and play at that point any other questions keystroke yesterday and logging can you

do both simultaneously yes yep um the question was can you do live keystroke recording and uh snipping and recording at the same time you can in fact when we do the live sniffing it records it on the c2 for us so you don't have to enable that individually and then when you go look at your loot files or whatever it will tell you live keystroke and it will label it with the mac or the appropriate name that was assigned to the implant at that time what's the cost the cost what are your connections uh the chips themselves run about four bucks so you're looking at two chips the pcbs if you get them made were they like

two three bucks four ten it was uh for 100 pcbs or like 30 bucks so it's not horrible the the most expensive part is the radio itself so that's why we're exploring other options the radio used to be 20 bucks 25 bucks now it's like 60 so it's just that's just the chip shortage show so we're just trying to migrate around it and find alternatives at this point yes do you have any of the boards here we do yes we can hand them out if you guys would like to take a look at them or come find us after we can pass them off quickly i think we've got enough time right

cool any other questions does it matter where in the uh does it need to be closer to the actual keyboard matrix or the surgery i'm thinking about the little uh what they're made of the metal colors that they go on the ends oh yeah so it's the controller we're worried about the most and the ones that we're implanting there's actually a few models we implanted um where the mic where the the keyboard controller sits is pretty big in most keyboards so it sits flush with that and that's all we really care about cool yeah we hope to see you guys this week uh hardware hacking village and defcon labs and like i said we have pcbs

to hand out if you're interested in if you really think you'll actually use use these on engagements um you know we'll talk to you we have some that are pre-built so love to talk to you guys all right thank you