
A Practical Supply Chain Hack: Blinking RGBs for fun & profit - Dale Nunns | BSides Cape Town 2023

BSides Cape Town · 31:52 · 232 views · Published 2023-12
About this talk
A Practical Supply Chain Hack: Blinking RGBs for fun & profit. Do you trust your computer hardware? How much damage could someone do if they just switched out the firmware on a cheap hardware purchase? Come join me as we do just that: buy a cheap device, reverse engineer it, replace the firmware, plug it into a computer, blink lights and cause chaos. This talk is all an excuse to hack and reverse engineer a USB peripheral. Buy a device from Takealot, reverse engineer it, add a few new "features" and then hand it over to an unsuspecting victim. The talk will have something for everyone: a little hardware hacking, some reverse engineering and even some fun for those who don't quite get all the technical stuff. Plenty of details on how the hardware works, what makes USB work and how you can use all this knowledge to build your own version of a Rubber Ducky or OMG style cable. Key take-away: Don't trust the hardware, don't trust the firmware, don't trust me not to break it, and have fun! Filmed at BSides Cape Town 2023. AV sponsored by BITM Cyber Security.
Transcript [en]

Hi, thanks for coming to my talk. Officially I think the title is "A Practical Supply Chain Hack: Blinking RGBs for Fun and Profit". I prefer just thinking of it as the shaggy dog hacking story, and you'll see why.

Who am I? I'm Dale. By day I'm a team lead and senior software developer at Structur, building big data things. In my free time I take a lot of stuff apart, and I'm probably most famous for tweeting lots and lots of pictures of homemade pizza. I'm also a regular speaker here at BSides and I've spoken at DevConf, and I always describe myself as a jack of all trades, serial skill collector and high functioning hoarder. I always tell the joke, I'm not too sure about that high functioning part. I'm not a nation state hacker, I'm not employed by a three-letter agency, I'm not here to sell you anything, tools, services or anything like that, I'm not even in infosec. Whoops. I'm just the guy who takes things apart. If you ask what I would tell you, I don't know, maybe. This talk is not about scaring you, it's about showing you a whole new world.

So what is the supply chain? That's sort of the fancy version, but basically you can think of it as the process that is required to take something from a manufacturer to an end person. I always like to think of it blurring those lines slightly and thinking of it as there's a mini supply chain when I place an order on Takealot that takes the item from the Takealot warehouse and delivers it at my house, and that kind of thing.

Now what is a supply chain hack? The idea here is you intercept this somewhere along the line and you do something to the thing, you hack it, so that you can gain credentials through it, so that you can take over something, those kinds of things.

Now in 2018 I gave a lightning talk with the catchy title "Let's talk implants: when science matters", and what happened was this talk was all about this. I don't remember if anyone remembers this, this was like the big news: supposedly some Chinese hackers had put a little thing on a motherboard somewhere and they were stealing all the things, and these boards were in AWS and Azure and Google and it was the end of the world and everything else, and I think about six months later it all vanished and nothing really happened. But like I say, these supply chain hacks have been around for a long time. In the Cold War, in the 1970s, the Russians modified typewriters. What they did was, these were typewriters being used by the US Embassy, and they essentially put a bug inside the typewriter so that it could track every key that you pressed and it would beam them to a little van outside, and then they knew what was being done.

The NSA turned this into essentially a mini covert business. This is a picture from their ANT catalog, it's an awesome browse through if you do find it, it got leaked quite a while ago now. But this has got a whole bunch of these cool little bug-like devices that allow you to catch what's flowing through USB cables. They've got special things that you can put into certain models of Cisco routers and all this kind of thing, and again the idea here is you pick up the device before it reaches the end point and you go and shove your little thing inside, and then you can capture, again, credentials, secrets, whatever you want to, or you can insert your own into the thing and you capture it that way. The NSA did this, this one's kind of well known: they upgraded a bunch of Cisco hardware that was meant for certain people, and in this case they just patched the firmware. So what they would do is they'd intercept the deliveries, patch them, rebox them up and then ship them out to the client, and again it allowed them a back door into various systems.

So my question has always been: can I build one of these things, can I do this? So like I say, I don't do this because it's easy, because I thought it would be. So yeah, let's try do this. So I've got some basic constraints. It needs to be cheap. I need minimal tools and equipment and skills to be able to do this. It needs to be easily reproducible, I don't want to have something where you need a special set of things, and it needs to be really hard to detect. Ideally it needs to be practical, it needs to be something I could do or that someone in this audience could do. I don't want it to be something where you need electron microscopes or scanning electron beams and all kinds of other crazy equipment, or a custom fab house to make your little implant chips. And most importantly I need to be able to sneak it past my wife, because if I buy any more electronics or any more tools she's going to kill me.

So I got a few simple questions here. Hands up, who of you has used a wired USB keyboard? Okay, great. Who's typed something on their keyboard they need to keep secret? Okay. And who of you would like a free RGB gaming keyboard? Yeah, exactly. Okay, so why keyboards? They're cheap, they're easily available, everyone uses them, you type your secrets on them, and most importantly my wife won't find a few of them arriving too suspicious. After she sees this she's going to change her mind.

So this is how a modern keyboard works. Okay, I know I've simplified it a lot, but basically it's got a bunch of switches and those switches are hooked up to a little chip, and the little chip's also normally hooked up to a bunch of blinky lights, and then the USB is hooked up to that. And all this chip does is it scans through these things, works out which buttons have been pushed, translates that into USB HID commands, which stands for USB human interface device I think it is, and then sends those across out the USB. So when you push a button on your keyboard all you're doing is closing a switch, and like I said that little chip does all this translating.

Now in the old days, a long time ago, 20, 30 years ago, those chips had no software on them. They were hardcoded, they were built, they were shipped like that and you couldn't change what's on them. The thing is nowadays that's expensive, and it's cheap to have microcontrollers that can run code. It's cheaper to do that than custom electronics. The other thing is people want features, people want blinking lights, you want gaming macros that you can program onto your keyboard, you want all those nice new features, and so it's gotten cheaper just to put a random chip into one of these keyboards and ship it out.

So here's my plan. I'm going to change the firmware on the chip. I'm then going to put that chip back into the keyboard. I'm then going to ship that keyboard to some unsuspecting person, perhaps someone who attends my talk, and then something's going to happen and I'm going to make money. This is a brilliant idea, don't you think? Yeah. I mean, how hard could it be? Like I say, every one of my talks probably has this slide in it.

So now we get to part two, and this is why I've called it the shaggy dog story. Most of the time I always think that all my projects, all my talks, go A to B. It's a simple straight line, I come up with the idea and it works. In reality it looks more like that, and as you see we didn't come out at B, we came out at X, which is just slightly adjacent.

So this whole talk got started because of this keyboard. It's the Fox Ray Chronos keyboard, it's about 200 and something Rand at the time on Takealot. I bought it because I wanted to try out one of these smaller keyboards, and it's okay. I don't know much about keyboards, it goes clicky clicky when I type and I liked it. It just had one problem: the keyboard mapping is stupid. So if you want to use the arrow keys you have to press multiple keys multiple times to put it into arrow key mode, and then you can't get it out, and it gets really frustrating trying to use this thing. So I thought, well, I'll do what I normally do, I'll open it up and I'll see if I can change that. So I took this thing apart, and I do this for pretty much all the electronics I buy nowadays. They arrive at my house, I test them out, and the next thing I do is I open them up and take photos inside just so that I have a record, and I start Googling it.

So this is the processor on this particular keyboard. I say it appears to be made by this mysterious company called Shine Tech. I can't find anything about this thing. I can find that out about this other chip, which is also made by them and carries a similar name, but everything about this chip is a mystery, and there's a bunch of other people who are also looking for it. Every time I've tweeted and asked about this chip everyone refers me back to that same data sheet, I think I've now got like 40 people who told me about that same lonesome data sheet. And yes, for those of you who want to use the AI tools, ChatGPT doesn't seem to understand this either and can't find me a data sheet. What's worse is I can't find a software update from Fox Ray. So part of the other way you can do this is you can get the software update and you can reverse engineer the software update and you can build your own thing and maybe figure out the architecture and things like that, and you can go that way to building it. But like I say, no one seems to release one for this. If you happen to ever come across any software for this particular keyboard, in particular one that does a firmware update, please let me know. I've got a few keyboards now with this chipset, I won't give you an exact number of how many keyboards because my wife's going to look at this talk.

So while Googling I stumbled across QMK. For those of you, if you've ever built a custom keyboard you'll know about this project. It runs on Arduinos, Teensys and the Raspberry Pi Pico, and these crazy people who wire their own keyboards love this software. So what it allows you to do is you put this on the chip and you wire up your own keyboard thing and then you can type and you can build your own keyboard. Now I'm lazy, so I haven't bothered trying to build my own keyboard, but I stumbled across the software in Googling. I also found this, now this is a port of QMK to the SONiX microcontroller, in particular the SONiX SN32 microcontroller which is an ARM Cortex-M0. It's a seriously powerful chip for what it's doing, it's got plenty of storage and everything else. And the SONiX QMK project supports keyboards by Keychron and Redragon along with a few other manufacturers, not all of their keyboards, but any of their USB keyboards. The ones that use Bluetooth use a completely different one, and I did find there's a project called, I think it's called ZMK, which is based on Zephyr, which supports some of the Bluetooth ones.

Now when I was saying about the controller, this is what happens and this is why it's so hard to figure out who makes what. On the left there is the branding of the chips, so for example eVision, HFD and SONiX are the three manufacturers that the SONiX QMK supports, and then you've got the chipsets in the next column there, but those are actually all SN32 microcontrollers. What's happened is the company SONiX has basically licensed or sold, or they've been swept from the factory floor, no one really knows, and those chips make their way out to these other ones branded as something else. People have just found this by pure luck. Some of these you will find data sheets for, some you won't, some you can find information about, some you can't, and it's all sort of, you know, tea leaves in a teacup, crystal ball, go stare at the sky and take a guess. There's not a lot of hard concrete information out there.

So like I say, SONiX's QMK supports the Redragon keyboard, so I thought, well, I'll go buy this keyboard. This is similar to that Fox one, but the nice thing is it supports QMK, this will be a fun thing, and I had in the back of my mind I could turn it into a bit of a talk, maybe for BSides or something like that, this will be a fun project. So I bought one of these keyboards and it's nice. There's just one problem: it uses the eVision VS11K28A which, it turns out, isn't supported by SONiX QMK, and the only reason I discovered that is you see the W at the end there. Yeah, this is a newer model. So what happened was, to cut costs, they put a different chip in this thing, and so now it's all different and there's no data sheets for this VS11K. So now what? So like I say, different keyboard, I can't make that happen. All I can find online is a hint that this chip is an 8051 based chip, but that's about it, and there's no software updates available for the Redragon K630W. There is for the K630, but that's the old model of the keyboard, not the new one.

It's okay, I'm good at Google. So I found this file. This is a software update for a totally different model of Redragon keyboard, but it happens to use the same chipset. So I took that and I thought, well, I'll run it, what could go wrong? So I ran it on my machine with the keyboard plugged in, stupidly, and guess what it did: it immediately put the keyboard into bootloader mode, and I can't get it out of bootloader mode because the software is different, and if I unplug the keyboard and plug it back in it remembers it's in bootloader mode. So now I have a 300 and something Rand keyboard that I've already opened and taken apart and put back together, stuck in bootloader mode. I don't think Takealot's going to want to take it back, especially not after I've spoken about it. Yeah.

So okay, but when I plug it in it shows up now as this WCH CH555 and it no longer mentions eVision. Okay, well, let's Google that. So WCH is a company, they manufacture chips, and they're probably best known, if you mess around with Arduino and things like that, they're best known for the CH343G which is this USB to serial converter. WCH have a whole range of these microcontrollers that they sell. Some are based on RISC-V, some are ARM Cortex-M microcontrollers, and unfortunately the one that I have, the CH555, is none of those. It's an 8051, or precisely it's an enhanced 8051, which means they threw a few extra instructions in and it runs a little bit faster, but otherwise it's based on tech from sort of the 80s. It's not listed anywhere on their site, but in theory, from what I found, it is supported by SDCC, which is an open source C compiler. So in theory I could write software for this thing.

So this is now sort of where I'm sitting. Okay, so what's next? Well, it's simple: I'll reverse engineer the software update, and then I'll figure out the protocol to program the keyboard, then I'll find and set up the build environment, and then I'll reverse engineer the keyboard wiring and I'll write some new firmware. That's my plan. Problem is, I had to speak, yeah, because I had already submitted the talk and I didn't have a lot of time. And I do own a flux capacitor, I have a box of broken ones, unfortunately some idiot went and wrote BASIC to run on these things, so they don't work properly.

Okay, so what do you do when you now need to have a talk and you don't have enough time? It's simple: you pivot your talk. Now like I say, I am a high functioning hoarder, I have lots and lots of junk, and like all of us I have boxes of these things. So I went and rummaged around my boxes and I found this, the Marvo K6901. Now I bought this keyboard for 59 Rand, I was like chatting to Steven, I see it's actually 49 not 59, at Cash Converters about 3 years ago. I have no idea why I bought it, I say for reasons. I bought it because it was a mechanical keyboard and it looked like it could be useful at some point and it was cheap, so it came home with me. It's been in that cupboard for a while, but I did my usual thing, I'd taken it apart and I'd taken photos of the inside, so I knew more or less what was in it. And the good thing is it's got an eVision VS11K15A which is based on the SONiX SN32F268 ARM Cortex-M0, which is supported by SONiX QMK.

Okay, so now I can use the SONiX bootloader flasher app that comes with it and I can put the keyboard into bootloader mode. I can then upload a specific bootloader. So what happens is they've written their own bootloaders for these chips because the ones that got shipped with the chips are very very dodgy, and so they recommend you use their one. I did have to do a bit of messing about, and I will share all the code, but I had to change things because the app doesn't support this keyboard. But I've managed to do that and I managed to get a bootloader onto it, which is great. Then I spent many many hours listening to sea shanties with my multimeter, carefully figuring out which wires connect to which pins. So this is one of the most important things you have to do when you're trying to reverse engineer these keyboards: you have to figure out which switch goes to where, and you build this whole matrix of all these things, and once you've got that you can convert that over into code.

So okay, now what? So once I've done this I built my firmware and I now have firmware working on this device, but that's kind of boring, right? So what I did then was I thought, well, what about this idea: what happens if I ship you a keyboard with a key logger in it and log every single keystroke you press? Now normally this would be hard to do, but I've got a keyboard and you've got to type stuff on it, so all I need to do is log it. So the cool thing is SONiX's QMK is really really easy to add stuff to. So what I did here is on every key press I take the key that you've pressed and I write it to a variable in memory, and that's it. And then when you press the magic key string I dump all those keys back out the thing. So now what happens is it means that you can type a message on your keyboard and I can, say, put up a little captcha thing and say please type the magic string here, and I can then send all the keys that you've pressed back through that little window and send it off to my website, and you won't know this has happened other than the fact that I've typed all the keys. But if you're not looking you don't see this. And remember, I've made no hardware modifications to this keyboard. All I've done is replace the firmware on it, that's it.

Now in theory I could have done this to my Redragon keyboard as well, but I just don't have time to do it. But as long as you've got the data sheets you could do this to most USB keyboards, and there's no way to find out that it's been done, because none of the software, there's no keys, there's no protection, there's no digital signing of the firmware, there's nothing. No one even publishes any of this information, so you wouldn't know if the keyboard you have right now has a built-in key logger. There's no way to tell.

So okay, let's try and do this live now. Please, those of you, we can make some sacrifices to the demo gods, let's see if this works. Okay, so I'm going to take my little trusty keyboard here, I'm sorry I'm going to have to do this sideways, but: hello world. Okay, there we go, I've typed something. So now we're putting in my magic key code: up, up, down, down, left, right, left, right, A, B. Oh no. Ah, there we go, and there's all the keys. Now I can just take this, ah, and I can say, well, let's call it bsides.txt and I can just run... don't type live. So there are all my key presses decoded. As you can see this is space, space, test, hello world, and it's even decoded my magic key string. There we go. So like I say, that's it.

Can this be improved? So at the moment I'm only logging 100 keys. The problem is I have limited storage space on a keyboard, or on this particular keyboard. So the thing is gamers in particular like mapping LEDs and doing fancy displays and like having multiple key maps, so to store that what they now do is they put chips in for storage, little flash chips. And flash is interesting because it's very very expensive to have small flash chips, so now what they do is they're going to put 4 meg flash chips in these things because it's cheap. Now 4 meg is a lot of characters you could log to, and you could write to those from the controller. So in theory I could log everything to non-volatile flash storage and leave it on there. So even if I can't convince you to type my magic key in to get all your secrets, I could just come and borrow your keyboard, or steal it, or have someone else steal it, or ask for it to come back for, I don't know, security reasons or something like that, and hey presto.

So how do you protect yourself from this kind of thing? Well, it's simple: you go and stick hot glue in all your USB ports. No, seriously, well, you say that. So the interesting thing is IBM ThinkPads, or Lenovo ThinkPads, also use a SONiX SN32 or SN8, depending on the model, as their keyboard controller for the laptop keyboard. So in theory you could reprogram that inside of your laptop and still do all the key logging, and yeah, good luck getting that replaced easily. And so like I said, this is a sort of a complicated one. How do you, you can't secure yourself against this, it's going to be an auditing nightmare. So please don't go and tell your compliance people that this thing is possible, because I don't want to have to explain to some poor guy, you know, look, yes it's possible, but you know, only worry about the nation states, don't worry, you know, no one's going to do this for our information.

But yeah, so that's it, that's my talk. You can find me on, well, what was Twitter, _ nuns, you can find me on LinkedIn or on Mastodon. All of this will eventually land up getting written up on my website xr.co.za, the slides will be there as well. I will release my fork of SONiX QMK with all the key logging if you guys want to play with it, just don't call me when you break your keyboards. Otherwise, like I say, I will eventually get those Redragon, the chip on there, reverse engineered. I have to now, I own three different Redragon keyboards, all of which are lying in pieces on my workbench. I don't think Takealot's going to believe me when I send it back going "I didn't do anything, I promise". So yeah, for those of you doing the scavenger hunt, there's a code also. Thanks very much for coming to my talk. If you have any questions, fire away.

[Applause]

Two questions, I think. The first one is, if you have a keyboard, can you just dump the firmware to at least look at it?

So yes, some of them you can. The SONiX ones, yes, because they support SWD, so they haven't locked the firmware or anything. So if you've got an SWD programmer and you know the pinout you can actually dump the firmware on them. The other ones I'm not sure, the WCH ones use some weird wacky program that I don't have, so I don't know how dumpable they are. But yes, so the ARM based ones are relatively easy, assuming they haven't locked it. You just need an SWD programmer, figure out the pinout and you can dump them, and then you can reverse engineer, and it's ARM code so it's relatively easy to reverse engineer. It becomes problematic when it's like 8051s or some obscure thing that no one's heard of, and that's the frustrating part about doing this, is a lot of the time it's actually probably an ARM or something nice but you can't find anything. All I can find is, you know, some sort of gibberish thing on some random site where they happen to mention it, and you're sort of looking there, squinting, going "that might be ARM, I don't know", and that's all I know about it. So yeah, like I say, tea leaves seem to be the way you figure this stuff out.

Any other questions? Another quick one: have you looked at the possibility of exfiltrating the data with the LEDs?

Yes, so I know my talk title promised blinking of LEDs. Because of time constraints I didn't get the LEDs blinking on this one, so currently none of the LEDs work, but in theory, and I played with it on other devices, you can toggle all the LEDs and stuff like that. Some keyboards have speakers in them now, this is supposedly a thing, so you could probably send it via audio out as well. Also the interesting thing is you can send other commands. So there's people who on certain custom keyboards have implemented MIDI over the USB, so you can play musical instruments and stuff. So you literally just put in a key combination and it switches your keyboard into MIDI mode and now it's, you know, music and stuff like that. You can do anything. So there's people who've written mouse control software, so you can control your cursor and pretend to be a mouse from your keyboard. It doesn't do it through Windows or whatever. Something I didn't mention is this hack will work on a Windows machine, Linux machine, macOS, you name it, anything that supports the USB HID protocol. Technically I can catch all the key presses as long as you're typing in on my keyboard, and so like you could write something that just catches the stuff in between. I was looking originally at implementing as much of the stuff that the little USB Rubber Duckies do, I was looking to see could I port all of that onto these, and in theory you could. Like I said, it's time constraints, but you could basically turn a full keyboard that is physically unmodified into a USB Rubber Ducky if you wanted to. And that's why I say it starts getting a bit interesting then, because you can do all kinds of cool things like this. No one can know, no one's going to notice. I mean, you can pass it through an X-ray machine, it doesn't show up. You can look at the thing, until you actually analyze the firmware you're not going to know that it's different, and you can do all that just through the USB connector. I've taken this thing apart just because I had to map out the keyboard, but otherwise you don't have to take it apart, you can do all of this over USB. And so now if I want to do like a proper fancy attack, well, what I do is I find out that Steven over here has ordered a new keyboard on Takealot and I just go and grab the Takealot driver just before he shows up, offer the guy 100 Rand and say hey, give me that keyboard for 5 minutes, thanks, plug it into my laptop, reprogram it, put it back in the box and give it to Steven. As long as I've got reasonably good papercraft skills and you don't notice, you're not going to know. And that's the thing, that's how this whole thing works: you're just replacing the software. You can X-ray it, you can take it apart, you can inspect it, you're not going to know, your supplier might not know that the software has been changed. So you just have to catch it somewhere in the pipeline of landing up at the customer and you swap the software at a late stage.

[Music]

But USB devices, like you said, you can do mouse, it's all different endpoints, so you can set up the network endpoint and then make...

Yes, but I think that gets done on the Rubber Ducky, it's one of those things that do that, something like that already. One of those devices do it, I've seen it. Yeah.

Just checked, the System76 and Framework laptops both use QMK.

Yeah, so yeah, both of them. Yeah, and like I said, QMK I just used because I don't have to code, like I literally added two little bits and I can log all the keys. There's actually people who do this. So I didn't know that, like, typing speed is competitive and people are big into this thing. So what a lot of people do is they log every key press so that they can build these things that show which keys are being, like a heat map, which key is being pushed the most, and then based on that they can rebuild the keyboard so that they increase their typing speeds. This is the problem, there's a whole rabbit hole of things. This is why my talk isn't as fancy as I would have liked, because you start Googling these things and then you get into this rabbit hole of, like I say, YouTube videos. I've watched way too many things about people making custom keyboards now, and I've read way too many articles about custom keyboard building and stuff like that. I'm never going to build a custom keyboard, but I have logged many many hours of careful study of them, and I still have no idea what the difference between a blue and a red and a green and a purple switch are, they all just go clicky clicky as far as I can tell. But that's it. Cool. Otherwise, if you want to chat, come find me.
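The talk's firmware-level key logger and the Rubber Ducky style replay it describes share one observable from the host's point of view: when the stored buffer is dumped, the keyboard delivers a long run of HID key events with almost no gap between them, far faster than a person types. The following host-side check is an added example; it is not code from the talk, from QMK or from SONiX QMK. The key events are constructed for the example (on a real host they would be read from evdev on Linux or Raw Input on Windows), and the gap and run-length thresholds are assumed values chosen for illustration rather than measured ones.

```python
"""Host-side check for keystroke bursts faster than a human can type.

Added example, not code from the talk, from QMK or from SONiX QMK.
A keyboard whose firmware replays a stored keystroke buffer, or runs a
scripted sequence, hands the host a run of HID reports with almost no gap
between them, whereas human typing has gaps of tens to hundreds of
milliseconds between keys. Sample events below are constructed.
"""
from dataclasses import dataclass
from typing import Iterable, List


@dataclass(frozen=True)
class KeyEvent:
    t_ms: float  # host arrival time of the key-down event, in milliseconds
    key: str     # key as decoded by the host


@dataclass(frozen=True)
class Burst:
    start_ms: float
    end_ms: float
    count: int
    text: str  # what the run of keys spelled, useful for triage

    @property
    def keys_per_second(self) -> float:
        span = self.end_ms - self.start_ms
        return float("inf") if span <= 0 else (self.count - 1) * 1000.0 / span


def _to_burst(run: List[KeyEvent]) -> Burst:
    return Burst(run[0].t_ms, run[-1].t_ms, len(run), "".join(e.key for e in run))


def find_bursts(events: Iterable[KeyEvent],
                max_gap_ms: float = 10.0,   # assumed threshold for the example
                min_keys: int = 8) -> List[Burst]:
    """Return every run of at least `min_keys` consecutive key events in
    which each event arrived within `max_gap_ms` of the previous one.

    Sustained sub-10 ms gaps over many keys are well beyond human typing
    (a fast typist is around 100 ms per key), so such runs are worth a look.
    """
    bursts: List[Burst] = []
    run: List[KeyEvent] = []
    for ev in sorted(events, key=lambda e: e.t_ms):
        if run and ev.t_ms - run[-1].t_ms <= max_gap_ms:
            run.append(ev)          # still inside the current fast run
            continue
        if len(run) >= min_keys:    # the previous run ended; keep it if long enough
            bursts.append(_to_burst(run))
        run = [ev]
    if len(run) >= min_keys:
        bursts.append(_to_burst(run))
    return bursts


def constructed_sample() -> List[KeyEvent]:
    """Constructed input: human typing, a pause, a replayed buffer, more typing."""
    events: List[KeyEvent] = []
    t = 0.0
    for ch in "hello world":        # human speed, about 130 ms per key
        events.append(KeyEvent(t, ch))
        t += 130.0
    t += 2000.0                     # the user pauses
    for ch in "hello world":        # same text replayed by rogue firmware, 1 ms apart
        events.append(KeyEvent(t, ch))
        t += 1.0
    t += 500.0
    for ch in "ok":                 # human speed again
        events.append(KeyEvent(t, ch))
        t += 150.0
    return events


if __name__ == "__main__":
    for b in find_bursts(constructed_sample()):
        print(f"burst of {b.count} keys at {b.start_ms:.0f} ms, "
              f"{b.keys_per_second:.0f} keys/s: {b.text!r}")
```

On the constructed sample this reports a single burst of 11 keys at 1000 keys/s spelling "hello world", while the human-speed typing around it is ignored. Treat a hit as a triage signal rather than proof: gaming keyboards emit legitimate macro bursts, so the burst text and the device it came from need a look, and for the SONiX parts the talk's own answer applies, dump the firmware over SWD and compare it with a known-good image.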