
Mithören: Device for Wireless Peripheral Testing

BSides Cincinnati · 2017 · 32:38 · Published 2017-05

Transcript [en]

Hey, our next presenter is Michael Wolfe, a recent graduate of UC and pursuing his MBA. Yeah, radical. So he works at Kroger doing application performance management, and he's presenting about a tool, which is like one of my favorite types of talks to see, so I'm excited to hear about it. So, Michael Wolfe.

All right. First of all, thank you so much. All right, a little bit hot, yeah. All right, so thank you so much, Justin, for putting this together, and thanks to everyone talking before me, really awesome presentations. I don't want to get up, but this is Mithören, and this is my senior design project that I put together with Colin Buckle staff. So Mithören is a simple, extensible platform for wireless peripheral packet capture. That is a mouthful, but really I'm just taking wireless keyboards and using a bunch of different exploits that exist, and I'm just kind of putting it together so you could slap something on the ground and it starts capturing. So really I'd call this talk a little bit something different. We had about eight months to put this together, and so there's still a lot of work I really want to get done on this project, but I just kind of really want to share a lot of the knowledge that I got with the very kind of surface-level digging that I did with these exploits.

A little bit about myself. So again, a recent grad of UC in the cybersecurity track, which was really awesome; I got in right when it was starting, and I'm also pursuing my MBA, which is kind of like tied in there. Cool. Kroger is who I'm working for, totally a six-day in the crowd, and thank you, please reach out, so my manager into this bed. Again, this is my first talk, coming subscribe.

So I'll start this off with the story of where we were in September. We had to pick a topic for this. You know, Colin and I have pretty similar interests; we had to make it kind of cool. We didn't want to, you know, have a sucky project that we didn't want to present. You can be, everyone knows, like, learn about real identity; I could really learn, a strong learning experience, even if it was going to turn out awful. So, first idea we liked was doing, who doesn't suppose what that CD, and then watching stuff collections. Awesome, Bitcoin is at $2,000 today; that was way too dicey. How about a mix network? I'd been reading way too many academic papers, and mix networks sound like an amazing way to apply algorithms I don't understand. Now, how about a compute cluster? Let's just do Kubernetes. I guess no, that's not security related. How about, that's something we're interested in, not that either.

So Colin found this video from DEF CON in 2016, and it was attacking the Unifying wireless keyboard protocol, and so it really struck us, because he just goes through and just owns keyboards. Like, we have a lot of these keyboards; like, I was using this one at the time, so that was really something. But anyway, he called this MouseJack, and MouseJack is really, at school now, Jack, as he first used it on, like, the actual mouse, and he also found that you could use it to crack into keyboards, for 20 pounds, which were a little bit more enticing for, you know, security people. When we would approach this, we saw this awesome demo, like, wouldn't it be awesome if we could just plop this down somewhere? That's kind of boring; we're going to do more than that and really kind of not really make a product, but make something more useful. So we started looking into similar exploits and what we found from there.

So of course we started digging into all the papers we could find, and a lot of these go back, you know, a couple of years, but what I would see is wireless keyboards haven't been around too long. This is one of the big ones; this is probably the first one that came out, by Max Moser and in a photo, and it was presented in 2008, but it targets a very particular type of Microsoft wireless keyboard. It was like a whole line; you'll find is that good. Well, a lot, I think it might have brought ones, but they were one of the very early ones, and they just had really, really poor encryption, and some of the implementations didn't have any encryption. This became known as KeyKeriki. I have a lot of links to stuff at the end that you can look up. The sense of KeyKeriki version one, and that goes on 27 MHz. They also made a KeyKeriki 2.0, which is on 2.4 GHz, and that is the same frequency that most of the other modern keyboards are on.

Another really cool paper that we looked at was a Bluetooth keyboard attack. This is by students of the University of Minnesota. Bluetooth was really scary; they could actually, which is like a pretty well-designed protocol even in 2010, all they could do was really, like, a denial of service, and we had kind of heard some horror stories about how difficult Bluetooth was to break into, so we're like, okay, we'll kind of shy away from Bluetooth for now. Now this is like a really phenomenal paper if you have a little bit of time and you really want to learn more about SDR and breaking into keyboards and stuff. Send me there; 79 pages of analysis of the 2.4 GHz band. I think the section will send a couple of different ones, but it looked at the Logitech keyboard here, which is kind of the foundation of their later Unifying devices. You know, there are YouTube videos of how they did exactly what they did, a really fantastic paper. Except they're using, almost all these people who've been attacking these protocols have used these USRPs, which are essentially these boxes made by, like, one company, and one of these boxes is, like, a couple thousand dollars. So we're not about to drop that money just to get our master's. But there are a lot more papers.

We also looked at this; this is one of the really important blog posts, by Travis Goodspeed, and so what he did was he looked at the receiver and transmitter for a lot of these keyboards, which is the nRF24L01+, and so this is used in almost all the modern keyboards, and it's also used a lot in amateur drones, and it's a really awesome receiver, but it also will talk to anyone, and it's very, very good at connecting; it can connect, you know, like, kilometers away. So this was kind of another paper that we just kind of thought was cool, just using a mouse, using the packets from the mouse, to reconstruct where the cursor was. Running through kind of other interesting topics: you know, if you're interested in the topic you should definitely check these out. One of them is KeySweeper, which is by Samy Kamkar. He really took the research about the nRF24 to, like, the next level, applied it; they put it in, like, a little something that you plug into the wall and it just, the crap out of people, and that one came with a really awesome exploit that really upbeat Aris. Finally, we had MouseJack, which we'll talk about later, and it also works probably off of the promiscuous research on the nRF.

Essentially, from this we learned that there are about four types, I would say there are about four types of attacks that can be done at the keyboard. As you can imagine, there's eavesdropping, for instance, when there's no encryption applied on any of the packets. You'll rarely see this; it's only in, like, really budget models, where Microsoft was alerted that they needed better encryption in, like, 2008, so, you know, to hope by now that they're sort of on encryption. But a lot of, you know, I think RadioShack for the longest time had keyboards and migrated a keyboard, but they had, like, no encryption, and so if you were listening on the frequency you could pick up on the packets and identify them and even replay them. Now, denial of service is pretty easy, where you just kind of flood a receiver, you know, like they said, SYN/ACK except with whatever protocol is being used. The replay attack: if they are not using an encryption key, Simon stunning, you can just send the packet and just keep spamming those, or, you know, gather that information and then use that to intercept and then send your own commands.

So our big takeaways from this were: there exist a lot of exploits already; we don't need to go and create a new one. Obviously we don't have the money for that or the kind of electrical engineering expertise, as much as we'd like, maybe one day. But, you know, since these actually exist, we don't really need to do that; we can take something useful and make something better than that, hoping you get a burning that at some point. That's where Marc Newlin first, music object. Furthermore, we're going to buy some keyboards. This is about, like, it's probably like ten times as many keyboards by the end of it, but in testing our stuff these are all things that I either got off the internet or got at Goodwill. Some of them worked, some of them did not, but I ended up having way too many keyboards, and before I gave this talk I took a bunch of these to the computer cooperative; otherwise I would have brought them just to demonstrate how many keyboards are affected, an old swath of keyboards.

So, to Mithören. So before, for the Mithören, it's German for "to overhear". I was, like, kind of teaching myself German at the time. Essentially, what we wanted to do was create a platform where we can connect all of these different exploits into a single automated plug-and-play kind of thing for penetration testing or just researching, essentially just scanning an area for any sort of wireless keyboards that would be vulnerable to any of these attacks and any further attacks that come out. So in our case we used, drum roll please, a Raspberry Pi, probably in here somewhere; I'll get more to that later. For this we also wanted to make sure it was open source. Everything we do and love is open source, and so please look at our code, make fun of it, that's healthy. So essentially we wanted something with a form factor to hide somewhere, also didn't need much electricity, because it doesn't take that much; it's just a receiver, essentially. Samy Kamkar was able to cram it into, like, a little wall plug. So we also wanted it to be pretty device-agnostic, so we wrote it in Python; we wanted to be able to put it on about any system. Furthermore, we wanted to make sure it was modular, so we can in the future hook more things in, more exploits as they come out. Every one of these is open source. As mentioned, it's MIT licensed; licenses are a serious thing; I think someone was taken to court over a license. Anyway, kind of like we used every presentation, sort of bring everything together so that it's constantly scanning for all of these different vulnerabilities; you don't have to do them one at a time. Furthermore, it's kind of one of two ways to raise awareness of all these wireless exploits. My mother, we had to pick up the deadlines, perfect.

All right, radio is obviously a huge attack surface, as everyone here at Oak knows. As you know, radio is broadcast, the weakest form of physical layer communication. Furthermore, in a business context, if someone's bringing their own device and you're at a place that, you know, has important passwords and user information and you're not using MFA or other forms of authentication, certificate-based logins or anything, that's, have a bad time. Furthermore, this would be an excellent tool for security research. Anyone who's developing and doing that sort of thing can use this tool to kind of work off of, a springboard into whatever they're working on, more security research. There'd be, like, super elite hackers, not really, preferably, if you're working on that product right now; it's not particularly great at simply bagging.

So we made a cheesy demo. If I'm going to play the music, so unmute that. Today we went to the Kroger cafe and made a cute little video. I don't know, my, Colin's using a wireless keyboard with this laptop, but for the sake of man-in-the-middle we wanted to just kind of display how it works for people who were non-technical. Hopefully, I wanted to use Kdenlive. This is, like, the most fun I had on this project, because I was, like, coding for a couple of weeks straight; I was like, I need to not be doing that. Shout out to Kdenlive.

So our software is essentially just architected in a pretty standard, Pythonic, hopefully, way, in which we have the user interface, accessible either locally or over SSH, and then that's connected into a daemon process which is constantly scanning, reporting into a MongoDB database, and from the menu you can either query that directly or send it out as an email. We're hoping to get more integrations into other software as it comes out, but right now it sends it out in HTML or JSON.

I just kind of want to dive into the MouseJack module a little bit, a really, really awesome exploit that's explained by Marc Newlin. If you haven't taken a chance, he has a DEF CON video about it, but essentially it is regarding the Logitech Unifying dongles, these little guys; you'll see that little star on them. And so this is, about every Logitech Unifying device pre-early-2016 has this vulnerability, and it's all based off of that Nordic Semiconductor nRF24L receiver, and essentially you can talk to it with either one of those dongles or one of these little guys that I referred to before, the Crazyradio PA. They were originally used for drones, and so they can reach two or three kilometers, some crazy amount of distance, versus the little dongles, which can, you know, go a couple of feet. But anyway, so you can get the little dongles for about 10 bucks and flash Marc Newlin's firmware onto them, or you can really shell out big bucks and get the $30 one here, and that covers a really wide area. We obviously tested going through this; we got really good results, although we got some noise from my remix drone.

So essentially how that works: it tries to connect to the receiver, and once it's connected you can pick up on the channels, on the keys that are being typed, and most keyboards have the main keys encrypted, but these, like the special keys, as well as, like, mouse movement, mouse clicks, are generally not encrypted. We also did find that some keyboards were not encrypted; most modern keyboards are more secure, though. But this allows for keystroke injection and possibly remote code execution if it's done particularly well. Essentially, once you're paired with the device you can start sending stuff, you know; if you intercept it and target it right, we could do a pretty perfect man-in-the-middle. We weren't able to achieve it; I don't think Marc Newlin was either, but moving forward I feel like someone will be quickly able to do this pretty well. It's kind of sad, but most of the manufacturers had responded to Marc Newlin by mid-to-late 2016; especially Logitech was really responsive, but a lot of the manufacturers who really keep Amazon crafts just don't care, so those are probably still vulnerable. Even if MouseJack is mostly patched and covered, there are still going to be more peripheral exploits coming out eventually.

I'd like to say a couple of words from my perspective. I'm just a lowly college team, but manufacturers, it seems like, realize they don't really care that much. If they're a big American company then, you know, they kind of had to pretend to care a little bit, but if you're a company that's just manufacturing things for American companies you really, really don't care that much. A lot of firmware is hard-coded; like, can't update a keyboard, why would you ever update a keyboard? So, you know, just try to find a way to do that; I think you can. I think Logitech did push a device update for the Logitech Unifying things. I don't think any customer would really; it's so much cheaper to just buy a new device than to patch existing stuff. But obviously, as you can see, the IoT realm manufacturers really need to get better at the standards for writing software and securing it. That's another objective of this project. Furthermore, as someone who loves open source, I don't like proprietary protocols. Like, Logitech would have never found this issue in their Unifying devices; it was probably so classified under the features, as, you know, it responds to anybody. But it really needs the open source community to look over it.

A quick tangent: so I saw the movie Citizen Jane yesterday, which I highly recommend to anyone who's into city planning, which I'm not sure, I'm sure, how cybersecurity, city for the emergence buckhead. It was a really fantastic explanation of how having, you know, even if the housing was kind of shoddy or dirty, having your apartments, having apartment windows on the street where people could see onto the streets, made the neighborhood a lot more secure versus having, you know, really high-rise projects, where if someone on the 17th floor is going to be able to, you know, watch out for their kids playing down in the playground. So having eyes on the street at all times, no matter, even if they're strangers, is better than having none, which is often what happens with society area from home.

So here's, I knew it was not going to work if I tried to do a demo here, because trying to, like, connect to devices over here with all this, it's just a disaster waiting to happen, but here's a quick recording I did. A volume, and I also said very slowly, so forgive me. This menu, it's beautiful ASCII art on this, but effectively I wanted it to be a very familiar experience to anyone who has used, you know, Metasploit or anything like that. Main features that we got ready in time for the expo were controlling the daemon as well as running our one module that we got ready, which is MouseJack, and due to that was, yes, that's the log running from MouseJack as it went through, and then also sending out an email, in this case, yes, okay. Bo, that's my budget, enough to hide a bow, professor eating this, and so them in the security team, awesome guy, really. Hi there. Furthermore, you can send out an email, either JSON or HTML. I could pull it up now, or I can just wait for it to kind of print the table of the found devices, and we took, like, a solid guess at what they were; most practices, the Logitech kids made the most part of that.

But I will go through some of the challenges we faced. We certainly had a couple, especially radio. God, it's really hard to tell what's coming through your network. I didn't want to dig too deep into the assembly code that's working on MouseJack, but I feel like I definitely got a lot of noise at any time of day in my apartment. I tried to kind of filter it out; a lot of times it just wouldn't connect, would be a lot of plugging and re-plugging this antenna. That's really, coming from more of a business IT background, that was really difficult for me to understand, but it's definitely something that I enjoyed working through. Well, UNIX, GitHub, hate them up; everything is misspelled, written, just, I probably could have fixed that. Probably the hardest thing, pushing, I forgot everything when I came back from Berlin, but yet that kind of helped me also be organized and see what the MVP for this product was. Also, that killed me inside; I don't like making Gantt charts. My Gantt charts never timed out correctly; I prefer more, like, weekly planning. So as you can imagine, our demo failed every time we tried presenting; I couldn't even get this presentation to load up, but finally I went to my BIOS, and the same old, it's Nvidia, right. So we did pretty well at the IT Expo; we're in the server security section, even though they kind of mixed up our prizes with the networking team's. Thanks, TTS, they insisted on it. Well, thank you. We also have, like, a write-up from Cyclists, some sound, our repo on GitHub, in, like, November, and all we had committed was, like, a wire-up of the UI. It didn't work at all. I don't know, I aim and thought that that was a cool tool, but you could tell that they didn't try it. But thanks anyway. Also, my mother was very proud that I graduated.

So moving forward, there's definitely a lot of work to do, and there's a lot of potential I see with this project. First of all, I'd like to rewrite it in Go. I got kind of obsessed recently; that's me following the shiny. I would love to integrate more modules for you to put in: KeySweeper, KeyKeriki, all those, as well as anything that's coming out. Further, I'd like to work on exploits myself. I've spent some money; getting a USRP, last, probably, but better integration. Sensors would make this tool more valuable; presently it is kind of just a Raspberry Pi you set down and hack stuff. I'd like to make it really more of a legitimate tool. I don't aim to be Metasploit-plus or anything; it's really about this becoming a pretty powerful tool for anyone who's looking into wireless keyboards. Furthermore, anyone there, students, let me know; any help would be fantastic. A quick thanks to everybody who helped out and to those researchers who are continuing to code. Big Marc Newlin and Bastille's research has a lot of really awesome stuff. I put a couple of links.

Diving into questions, I'll just kind of pull up some stuff here. So we sit in, like, a new module that we put together; what we did, we took their Python scripts and integrated them into our system, so, like, it'd look, you know, if found, then it would launch into the sniffer and, you know, go and kind of pull back what it found. But this is, like, a really, really fantastic piece of software; I highly recommend everyone check that out. Again, you can find our project at next year. So, any questions? I read, like, super short snippets of the content, but I definitely am interested if anyone has feedback or questions. Meditation, I go.

Get us to buy a new one. I think Logitech released some sort of flash for the dongle for that, yeah, but that doesn't help the keyboard itself. It's really better just to either go wired or get new keyboards; they're really not that expensive. Obviously, if you're doing it for the whole company it would be really, yeah, yeah. I mean, there's really not much you can do. I want to say it's kind of like these IoT devices: you're just kind of screwed, got to go buy another one, or get your users to use something more secure. From my understanding, someone might have had a radio again; radio is pretty rough in terms of, if it's something sending out.

Uh, I only picked ones that said, like, Unifying on them, so I didn't go outside of that. Go, I like, we're mentioned on Mars; I went up, like, the affected device, but a couple of these were mentioned in the text of the white paper. But which one would you like? One I'm singing with Leslie, listen, this is one. So this is a Logitech, see, 520, I think, wasn't mentioned, like, specifically, but it's also a Logitech.

Going to Goodwill, I just, like, grabbed a whole bunch, and a couple of them I did; it was kind of like the ones that I did find. I think this one had encryption on the main keys, but these were repeatable, like I could have replayed, you know, "go home" or something, which, you know, would be very annoying for a presenter. Actually, when Marc Newlin first, his first kind of dive into MouseJack, was at Burning Man, and he rigged up this NES controller that would move the cursor of whoever he was intercepting; that turned into, like, a pretty deep exploit. I mean, the best thing you can do is close it with a new nRF, but yeah, if it's a Logitech Unifying device then you can flash Marc Newlin's firmware on it, or you can, cards. We're working on getting modules into that; we'd love to be the source for testing. A few devices are bondable, but right now we just have to support MouseJack. A lot of those kits are pretty inexpensive, and they're a lot of fun to dig around with as well. But generally, like, a good rule of thumb is, if they're a lot like Bluetooth, they're pretty secure. I haven't seen anything that's; I think the worst one, iPhones, the denial of service, really, to sleep. There's some DEF CON, see if they tell you something extra; as always, there's always plenty of news coming out about vulnerable devices.

One of the main issues that they found is that they do the static encryption key on a lot of these keyboards, so that was one of the things that was found. I think that would, we know what you typed last time; we want to think that they found that, so it's still around. Marc Newlin was doing his research, aha, here we go. Another thing that is, they're using, almost all the modern keyboards that we're encrypting, like, the main keys, using SHA-256, which is completely valid. You know, other than that, I think the really old Microsoft ones were doing something like MD5, because, you know, put out back in the day, those 2008 to more recent stuff, they kind of understand the importance of encryption.

Obviously, sir, there are a lot of keyboards that enter the market that are not from major manufacturers, and I don't think anyone would take the time to look through all of them. It's, that's just assume that they're anything else. For this point, thanks. [Applause]