
So hello everyone, it's lovely to be here, and thank you very much for having me here at BSides Dublin. I'll start with a quick introduction of myself. I am Miwash; if you're looking for a pronunciation guide, what I usually go with is "me", no, "dirty", "me wash", you've got it. If you prefer a more formal approach, here's the International Phonetic Alphabet spelling of my first name. I'm not going to bore you with my last name. In my past life I did a fair amount of work at university; most of it was teaching, there was a little bit of incidental IT stuff as well, but I've spent about six years teaching computer science and cyber security at a UK university. In my current life I am more focused on mobile application pen testing and mobile device pen testing; I currently lead the mobile security team at WithSecure. Recently I got a little bit more into mobile application management setups, but that's kind of neither here nor there. And I am the friend of the local Basingstoke ducks, as seen in the photograph.

Today's talk is not going to be mobile security, because I don't want to bore you guys with my everyday work. Instead we will be talking about a few days of investigating a suspected incident at a UK higher education institution. The goals for this talk are, first and foremost, to entertain you a little bit, let's lose a little bit of steam, but also to cover the basic technical understanding of how keyboards actually function (that's going to be mostly USB keyboards and a little bit of wireless keyboards) and the process of actually figuring things out. So you're presented with a situation you know nothing about and you're going to go "well, now what?" A lot of technical talks focus so much on going "oh yeah, and here's what we found out"; not many of them go into "here's how we found out". So I'll try to cover that at a slightly higher level, without delving too much into the technicalities, and focusing much more on: I
started with this assumption and then went on to reach something that resembles a conclusion. And just to give you a little bit of an idea of how I started this talk: this was my level of experience when I started, and this is my current level of experience with the subject. So in case anyone tries to tell you that I'm an expert: no, I'm a baby with a few tools.

Right, let's talk about keyboards. So the problem statement of the keyboard is: people want to be able to type. That presumably is not news to anyone. The way this used to work a long, long time ago is you would either have a parallel or serial device connected to your computer, and that would send an interrupt to the actual machine, and then the machine would respond. So it was the actual keyboard's job to send the signal to the computer to say "hey, a key has been pressed" or "a key has been picked up". This still has a religious following among some gamers, because there is an instant response from the keyboard: the moment you press a button, that's when the interrupt goes to your operating system, and it's your operating system's problem to do something with it from that point on. The sort of more recent version, rather than having a standard parallel or serial port, is the PS/2 port, which you can see over there. You've probably seen that on modern PCs still, and the main reason for that is legacy support and, honestly, gamers. But most of the world has moved on to USB keyboards, which work quite differently. They rely on a standard known as the Human Interface Device class, and basically what USB HID does is it provides a list of standardised functionality that is being used by the USB controller to identify when a key has been pressed, a mouse has been moved, a button on a controller has been pressed, that kind of stuff. So whenever you have a device that a human uses to interact with a computer in a fairly standard way,
that's probably using USB HID if it is a USB device. If it is a Bluetooth device, it's actually the same protocol, it's just been ported over to Bluetooth; the Bluetooth documentation doesn't actually tell you anything about HID, it just says go read the USB documentation. So yeah, that covers mice, keyboards, game controllers, presentation clickers; actually, if I had one of the switchy slidey things, that is also a USB HID device, and it usually just identifies itself as either a keyboard or a mouse. The good news of having everything so standardised and simple is that you can plug any keyboard, any mouse into a computer, it instantly knows what to do with it and it will just work. The bad news is that you can plug in anything that says it's a keyboard or mouse and it will act as one. So this leads us to a situation where that simplicity produces a potential side effect: you could either have a device in the middle that understands HID, can read what the keyboard is saying, does something else with it but also sends it on to the machine (so if you have physical access you could put something in between and get your keystrokes that way), but it also means that the device that you're plugging in as the keyboard doesn't actually have to be physically a keyboard; it can be just about anything, and that is generally classified as BadUSB devices. So again, because there isn't really much in terms of security when it comes to USB HID devices identifying themselves, you just end up with: anything that says it's a keyboard is now a keyboard. You plug something in and it just goes "hey, I'm going to be sending you keystrokes now" and the OS is like "okay". There are a few notable exceptions to that, but they're mostly accidental. I think the main exception I can think of is macOS: if you plug a keyboard into a Mac device it will first ask you to help it identify what layout the keyboard is, and as a result it will not immediately be accepting keystrokes, because it will be waiting for you to clarify that first. So it asks you "is the enter key shaped like this, or is it more of a rectangle?" and that's the only reason why, coincidentally, it then goes "oh, you've plugged in a keyboard, what do you want to do with it?" and someone can go "oh no, I didn't". Otherwise, on Windows pretty much as a matter of course, on most Linux distributions, you've plugged in a keyboard, you can type straight away, and you can plug in another device and type straight away. So that brings us to devices like the USB Rubber Ducky and similar devices. So
that is a board that you can preset with a set of keystrokes, with a script, that basically says the moment this has been plugged into a computer it will start typing those things. I have a Flipper Zero that has very similar functionality, and when I was playing with it I definitely didn't have a slight problem where I ended up posting "notepad.exe" on Slack. So I had a very simple script that was pressing Windows+R to open the Run menu, typing in notepad.exe and pressing enter; the first time I tried it, it did not press Windows+R, it just posted on Slack. Great. But you get the idea: it's a device that is blatantly not a keyboard acting as one, and what it can do is type much faster than I could possibly hope to. You can also set them to act on a delay, so if you sneak in, find someone's workstation, plug something like that in and say "in about half an hour, open up a terminal and spawn a reverse shell", that's a reasonably possible path of attack. So with all that in mind, things are not great but they're not terrible. I mean, realistically, for any of those attacks you need to have physical access to a workstation; that's a pretty hefty requirement. You need to have access to a USB port; that is not always going to be the case with your targets, you might be looking at something like an ATM where everything is hopefully locked away and hopefully not using the default key. But on the flip side there is a little bit of potential for mischief, so you can plug something in that's an innocuous-looking USB device. Again, going back to these two: you've got the Flipper Zero as an example, you've got the classic USB Rubber Ducky that just looks like a USB stick. You can also find those in cables, so there are people who make what looks like a USB extension cable but actually contains something resembling a Rubber Ducky inside it. So that could be a nice way to
kind of get something that isn't going to catch attention visually. And also this is all very handy if your target doesn't even have a keyboard; so if you have some sort of headless machine that isn't supposed to be interacted with on a daily basis, but suddenly you've plugged in your Rubber Ducky and it just acts as a keyboard, very quickly. Now, with all of that requiring physical access, I was wondering whether we could take this slightly further. So maybe it doesn't have to rely on a pre-written script like a Rubber Ducky does; maybe it's something that we could feasibly feed information to remotely, so I would have some way of throwing information at it from slightly further away, or very far away, and then that would type as I type. So here's my hypothetical solution: we have a target machine, let's say it's a laptop; we have something that is clearly not a keyboard, it's some small USB dongle, nobody's going to tell me that that's a keyboard; and then you've got your source of keystrokes, which is communicating with that dongle via radio frequency. An interesting way of expanding the physical attack, because now you can move away, maybe 100 metres, maybe you're no longer in sight of your victim, but you can type on the computer interactively. The eagle-eyed among you might have realised that that's a wireless keyboard. That covers the basic introduction to keyboards and basically gives you the base level of knowledge required for my story.

So, a few disclaimers on the story: it is loosely based on facts, but I will have to lie to you about 40% of the time. The bits that matter are there and they are true, but a few details here and there, including the institution itself, probably not so much. So let's introduce our institution: the University of Something, and I will probably refer to them as UoS for the rest of this talk, is located somewhere in the Caribbean.
It's a fairly standard educational institution, so what it's going to have is mostly fairly large lecture theatres, maybe about this size, maybe a little bit larger, with a not dissimilar IT/AV setup. And for the sake of the story I'm there doing a side job helping with a little bit of IT. So your standard lecture room might look something like this; this is from a real institution but it is not from the institution in question. What you will end up with usually is the audience, you guys, but also you'll have a podium or a lectern, which will be slightly more complex than what we have here. So a lot of the time it will have an actual desktop PC, the idea being that because there are many lecturers coming in and out, they probably want to just go in, log into their account on the same machine, their slides are already on there and they can just get going instead of having to fiddle about with laptops. So although BYOD laptops, bring-your-own-device laptops, are absolutely supported, desktops are a very, very popular option because it just provides you with that convenience of "I walked in, right, grab the keyboard, type in my password, I'm in". They are relatively tamper-proof; they kind of have to be, because they've got something like 40,000 euros' worth of equipment in them that you would very happily steal if you had the opportunity to. They aren't really secure enough to withstand proper destruction, so if someone took a sledgehammer to them, yeah, they're gonna get in and they're gonna walk away with stuff, but they are at least going to stop a well-intentioned user from shooting themselves in the foot. So if someone decides "oh, I want to plug something in the back", they shouldn't be able to easily do that. Right, now you know the institution and you know why I'm there, I'm helping out with a little bit of IT. At some point we start to get some
strange IT tickets from our users. So UoS starts getting a decent number of tickets, maybe 10 or so, saying "in this lecture theatre the keyboard has run out of battery, it needs replacing". Sounds pretty amateur if you think about it; you'd think you'd have someone going around and making sure that those are in a decent state, you'd think you wouldn't wait for them to completely run out of battery and throw someone's lecture off. So why did this happen? Because we don't have wireless keyboards in those rooms. That's kind of the whole point: because there is an added risk of a keyboard going out of commission mid-lecture or something like that, what we go with is wired keyboards, specifically to prevent that. So why are we getting tickets saying that there's wireless keyboards that have run out of batteries in rooms that don't have them? Right, well, the way to find out is to go to an affected room. So we go in there and we try to figure out what the hell is actually happening, why this doesn't click. We walk into a room, we find out the wired keyboard, sure enough, is not there, and sure enough there is a wireless keyboard on the podium, just chilling. We didn't put it there, we don't know who did. Looking further, we find that if you go to the back of the PC and trace all the USB cables (of course it is a tangled mess in there) we eventually find the right one, and it goes to nothing. So someone walked in with, if we're generous, wire snips, if we're realistic, scissors, snipped off the cable of the wired keyboard, put in a wireless keyboard, plugged its dongle into the front of the machine, because you've got a couple of USB ports in there, and left. What? Okay, well, that doesn't help, but at least we know what happened; we don't know why it happened. So we started thinking, okay, well, ultimately this must be harmless, right? You just replace the keyboard and forget about it, it's only happened a few times, yeah, whatever. No, because this keeps happening. So we've done a few, we didn't think about it at the time, keyboards keep showing up in more and more rooms, nobody knows why, and at this point, whereas originally we weren't aware of this problem, now we're watching quite actively and we're spotting them the day they appear. No idea what's going on. And here's the keyboard, the culprit: the Advent keyboard. So let's try and figure out why this is happening. What we didn't want to do is just assume "oh, it's a cyber attack", because it doesn't sound like one, at
least initially. So we started going through potential hypotheses. Yeah, sure, it could be a security issue; we're leaving that as the final option. The fact that it's in this talk kind of spoils it, but pretend you don't know that. So, first hypothesis: well, maybe someone in IT is doing this and we just don't know, the left hand doesn't know what the right hand is doing, could easily happen. Alternatively, maybe they wanted to steal the wired keyboards. Maybe there is a user who is feeling a little bit rogue and a little bit self-righteous; they really don't like wired keyboards, they want wireless keyboards, so they're just replacing them themselves. Maybe someone's playing a prank on us. Or maybe there's something going on to do with security. So going back to those: is it someone in IT? Well, as far as we can tell, no, and at this point we've gone to the point of asking just about anyone who it could be, anyone who has access to those benches. It also doesn't match the idea of just cutting the USB cable: if you're a legitimate employee you're just going to get to the back of the machine and unplug it like a normal human. Maybe they wanted to steal the wired keyboards? Okay, fine, you've cut the USB cable, you can solder on a new USB plug, but that's a bit of a faff, and we are talking about what is probably the cheapest keyboard available to man. We are talking keyboards like, if you buy a Dell desktop as a business, they're gonna send you a mouse and a keyboard with it, and those normally go into a storage room somewhere in the back because who needs that many keyboards and mice. So that's what's getting deployed, because it is already there. So, I don't know, would someone want to steal them? Probably not. Maybe someone really hates wired keyboards and wants to replace them? But then why wouldn't you carry the one wireless keyboard with you, go into the room, go "oh, I hate this thing", put it to the side, plug in your keyboard, use it and then take it back with you? So that doesn't really work out. Is it just a prank? I mean, maybe, but at this point we've collected, and I mean collected, so they are in a room, about 10 keyboards. So it's not that someone is putting the same keyboard in and out; no, we've been taking them back and they're still reappearing. So someone is spending money on this, not huge amounts of money, but maybe more than a single student trying to have a laugh, because if you look at 10 keyboards, that's 20 quid, let's
say you're looking at about 200 pounds. That's hopefully outside of the budget for your usual prank. Okay, that brings us back to the security issue. Not what we want to assume, but okay, maybe it is: at a university there is value in stolen credentials. To elaborate: if you're a student and you've stolen a lecturer's credentials, you probably have access to marks, you probably have edit access to marks, you might have access to exam papers, exam papers that haven't yet been released, you might have access to research if you are a little bit more maliciously inclined. And on top of that, the institution in question does have MFA, with an asterisk, and as long as you know what that asterisk is then MFA is not really that big of a problem. It still sounds contrived, but that's the best theory we have at this point: someone is doing something with those keyboards to do something, inject keys, sniff keys, who knows. Okay, well, we've got 10 keyboards in the back room, let's investigate them. So step one is take the keyboard apart and find whatever modification has been made to the keyboard to obviously make it malicious. Nothing there. It's a normal keyboard, it clearly has never been opened, it clearly hasn't been modified; if it has been modified, it's been modified very well. So that's probably not it. Okay, well, we've checked the keyboard, let's check the dongle. The dongle is very small; there isn't really disassembly to speak of other than violently hitting it until it opens up, so that's what we do. We look around; again, point A, how do you open this thing to modify it? You don't, we just tried. Point B, again, there is nothing in there, it just looks like your very, very standard USB dongle with the usual chip and nothing special in there to justify any worries. Okay, fine, grab the entire PC out of a room that's been affected by this, send that to IT security, be like "hey, can you look at this, this is what we're thinking might be the problem, can you find anything?" Of course they can't. It's a normal PC with a normal keyboard dongle in it and the cut USB cable at the back. The cut USB cable is suspicious, but it doesn't inherently present any risks; nothing has changed as far as the software on the machine, nothing has changed as far as the hardware on the machine, other than the presence of a USB dongle in the front. So we still don't really have that much luck. So this is where we go to the IT special tactic of just frantically googling things until something starts making sense, and this step, I presented it as a single bullet point, that's a few days of just
going "keyboard hack", "what help", "why is keyboard in room", "keyboard appearing mysteriously", "previous incidents", and very little is coming back. This isn't something that people do every day; you don't normally go into an organisation of this size and suddenly start seeing random keyboards appearing, that just isn't a thing. Until eventually we run into a potential lead, and it is by presuming in advance that there is something wrong with those keyboards that means that they wouldn't require a modification. So we went from assumption to assumption to assumption until we went: well, if the keyboard hasn't been modified, and if we assume that they are being deployed there for malicious reasons, then the keyboard itself must be a problem in some way. And by looking into those possibilities we eventually found research which has been nicely titled KeySniffer, which boils down to Bastille Research doing a little bit of reverse engineering on a bunch of wireless keyboards and finding out that quite a few of them are trivial to intercept. So they do RF communication, as I showed you before in my hacky device joke, and essentially what they do is they don't encrypt that communication at all, and they follow a communication scheme that is really quite simple to reverse engineer and understand. So from that perspective you get yourself a decent receiver, you tune it to listen on the same frequency, you need to understand a little bit about what the actual protocol is, but from that point on you can start listening for keystrokes, and potentially there's the hint that you might also be able to inject keystrokes by sending packets, again following the well-known format. There have been similar previous vulnerabilities; MouseJack is one that's been very well known. But the difference between MouseJack and KeySniffer is that the KeySniffer-affected devices are very, very promiscuous in advertising that they exist. So with MouseJack, which was a very similar specification, again unencrypted RF, you would only be able to identify that there is a vulnerable device in your vicinity if you were actively getting keystrokes from it, but nothing would happen if the keyboard was idle. The difference with KeySniffer is that the dongles identified in that round of research pretty much constantly, if they're powered on, say "hi, I'm a dongle, hi, I'm a dongle" at very high speed. So even if the keyboard is just chilling on a PC that's powered on and nobody's using it, if you're within range you are going to be able to detect that it exists. So yeah, theoretically, if you were aiming to target something like that, you can probably confirm that there is an affected keyboard in your operational range long before you actually launch your attack. If you wanted to play with this, the cost
of entry is really quite low. You either need something like a Crazyradio dongle, which is just an open-project radio that you can flash pretty much any firmware you want onto, which will run you about 30 to 40 euros, or you can use a Logitech Unifying receiver, which chances are you have five of in a drawer somewhere, and if you don't, it is about 15 to 20 euros. It uses the exact same chip as the Crazyradio, the same chip, not cheap (although it is also cheap), and it is surprisingly equally flashable. So the only difference is that on the Crazyradio dongle you get a nice amplified antenna; on the Logitech Unifying receiver you don't, it's a little bit smaller, but it'll get you within decent range. So first things first: is the keyboard that we found, or the nine of them that remain and are not destroyed, vulnerable? KeySniffer very helpfully presents us with a list of devices that they have confirmed this on. Our device is not one of them, which makes me sad; however, they do present the exact same USB ID as multiple of the affected devices, so we might be onto something still. So sure enough it isn't the exact model, but if you look at (I'm going to walk right in front of the projector, that's good) if you look at these, that is USB VID 062a and PID 4101, which should be a unique identifier of a device. Now, the fact that it spans multiple devices from multiple brands tells you a little bit about how unique they are, but that's neither here nor there; these are probably the same dongles, or at least very, very close. Okay, well then let's test it. So on the KeySniffer GitHub repo you get a handy tool to detect affected devices, and basically what it does is it listens out for that "hey, I'm a dongle" signal that those dongles send out all the time, and sure enough, running that, it detects our keyboard. So obviously we've cracked the case, talk's over, thank you. And now we also have a little bit of
extra information, because they helpfully tell us that these dongles are known as MOSART dongles; that refers to a semiconductor company which, among other things, makes a lot of white-label wireless keyboards. Who would have thought. So we're clearly finally getting somewhere; we now just need to prove the point by actually listening to some keystrokes and we've got our case, we can present it to everyone and be like "hey, that works". So Bastille didn't just give us a working offensive tool to actually sniff keystrokes (I wonder why they didn't), but okay, they did run a DEF CON talk in which they explained the entire protocol in excruciating detail. Without going over the entire paper, because it is quite long, the key point for us is the actual definition of the packet: we've got the exact bytes, where they appear and what they actually say, and we've got a couple of examples for a key down and a key up. Brilliant. So we have a script that finds those keyboards, and that saves us a lot of the coding, because it already sets up the radio the way we want it, it already finds the right channel and ID of the affected keyboard, so we just need to modify it very slightly to, let's say, listen for the key "a". I'm working on a PoC here, I'm not trying to write an entire sniffer for now. So this will be done in no time. But no, I'm not seeing anything. Okay, fine, let's take a step back. So instead of trying to identify an "a" press, I am just going to dump every single thing that I'm getting from that keyboard on radio communication and see if any of them look like the actual packets that were defined in the paper. No, not really. They don't make sense, they aren't always of the right length, in fact most of the time they aren't of the right length; they kind of start right but there's just nothing there. And again, this is several days of trying to figure out what the hell is going on here. The reason I'm showing it like this is because this is my state of knowledge of it: it is binary garbage as far as I can tell, and the keyboard is communicating on multiple channels, which it is not supposed to be doing. None of this is right. Okay, new assumption: clearly I've done something fundamentally wrong, let's see if there is anybody else who has done similar research before. Sure enough there is. So we've got Romain Cayre's Mirage, which is basically a suite of different attacks on Bluetooth and wireless protocols, kind of trying to be a Metasploit type thing but for those very,
very specific attack paths. And the logo's like that, so you know we're definitely hacking, so cool, I've got Mirage, this is going to be easy now, right? No, I'm still not seeing anything. And the implementation in Mirage, I went into the source code, looks very similar to what I was writing, and people have largely been saying that it works. So I'm kind of getting: okay, I don't think I messed up, I don't think this guy messed up, he really knows his stuff, people are reporting that it works and that it works to this day; clearly we're still missing something here. But while we're here and while we have Mirage set up, let's play around with the other modules to do with MOSART, and we find the key injector, which sounds like fun, and I hadn't thought of actually doing this before. So the key injector promises you that it will be able to actually send keystrokes into the dongle, thus impersonating a keyboard without you having physical access to it. And that worked. So suddenly I'm able to find my keyboard with the original tool from Bastille, I'm able to set it up with Mirage, so I'm setting up my target, which is the address, I'm setting up my channel, it's communicating, and then if I start typing it injects those presses into the keyboard, and I can see that on the other end, on another PC that the keyboard dongle is actually plugged into. I've got a quick demo here. In the original version of this talk I did this live; I then realised that to do that I need half an hour of prep time before the talk, and then it goes wrong anyway, so instead you're getting a video, because there isn't actually that much to see there. But hopefully this will run. Yes, so I've run the tool to find my MOSART dongle. I then got distracted by a member of the audience, so I believe I'm spending about 30 seconds talking here about the fact that Mirage has a small issue in it where it doesn't respect the system locale, so if you're doing any injection it assumes that you're typing on a French keyboard, which I am not. So what I have to do is go into Mirage and modify it to at least impersonate the US keyboard layout, so that I get something that's at least QWERTY and not AZERTY or whatever it is. Okay, here we go, I stopped being distracted, so I'm loading the MOSART key injector module, typing very slowly because it is a live demo, and then I will set my target and channel, so that's going to be the address and channel that I've got here from the original tool.
We should expect this option online. Oh well, copy-paste, there we go. Come on. Did I get distracted again? This is the problem of running talks with small groups of students: they will ask you questions and I will not refuse to answer. Come on. Okay, we're almost there. I'm scared, I'm scared to click. Maybe this is when I went on the French tangent. There we go. Okay, from here on this should just be my slow typing, so channel 30, run. And then what you've got in the top left is my other machine, which is the one I'm actually presenting from, and you can see a very small Notepad, which I will in a moment realise that I should have zoomed in on. There you go. So end to end, I was able to plug my actual dongle into one computer, my Crazyradio into another computer, set them both up so that I can send from the computer that shouldn't have access to the keyboard to the computer that's actually receiving from the keyboard, and sure enough I was able to say hello to myself. So we can start drawing some early conclusions: the dongle clearly can receive those
packets so we can't be completely wrong it must be the right type of dongle but the keyboard isn't sending them in the format that we're expecting so we can make some educated guesses maybe this specific keyboard has been modified to not have the original issue from the Chinese kind of single label keyboards we know that other vendors have done so and we never had proper confirmation that this keyword would be vulnerable so maybe it isn't um perhaps this is easy to reverse I haven't had the sufficient amount of time to put this to put in to find out from what I've been looking it looks it doesn't look like there is an easy way to kind of start I think you'd probably
have to start looking at the actual firmware of the keyboard to see what it's doing behind the scenes and that means dumping it reversing it that's a significant effort um it is possible that the attacker if this is an attack which we don't fully know knows something that we don't maybe they have a way of sniffing on this and we just haven't figured it out but nonetheless injection is fun and it is potentially malicious because you could potentially be messing with somebody delivering a session if I had one of those keywords plugged into my machine you could potentially be really interrupting me right now by switching my slides back and forth or something like that
and you essentially end up with a remote Rubber Ducky. And actually, funnily enough, Mirage lets you do that, so you can grab a Rubber Ducky script and just paste it straight into Mirage and it will do that, so it really is a remote Rubber Ducky. We told the university what we knew. They agreed that even though we're kind of not completely there, you know, it sounds suspicious enough: we're gonna block those devices via group policy and just prevent them from being on those PCs. They never should have been there, nobody has a legitimate case to put them in there, so blocking a random keyboard should be a non-event unless
someone tries to do this. Funnily enough, a few more of those keyboards appeared after we blocked them, and then eventually they gave up, but whoever was doing this was very, very persistent. So I guess that's a big three. It's a little bit bittersweet, but you know, here we are. And at that point I left campus and then I lost my dongle. So because I've lost my dongle I can't take any of the videos you've just seen, I can't produce any evidence, so I guess I will never talk about this to anybody and this talk never happened. The end. Okay, fine, that doesn't make sense from a chronological perspective, so yes, I did go and buy another one.
Sure, so, you know, as we stand the research is a little bit incomplete. I'd really like to have that sniffing at the end, but it wasn't happening. But even if I want to talk about this partial stuff I need to get a second keyboard. Okay, fine, well I guess I'll go to Currys, a large retailer of random hardware, and buy another one, so that will run me 16 pounds, not too bad. But if I'm going anyway, can I find a keyboard that looks sufficiently questionable to convince me to buy it without any knowledge? Because the problem is, you go to the Currys website, you look through, you look for keyboards, it tells you nothing
about what this thing actually does, and I have very specific requirements: I want a keyboard of the right type, and I won't get that information. So here are my criteria: does it look questionable, and can I get it from my local Currys? There were like three results, uh, two results. One of them gets ruled out because it explicitly says it's encrypted, and that's not what I want; I want a bad keyboard. One looks strangely perfect, and when I say perfect I mean it just ticks the boxes, you know: it looks cheap, it's not very expensive, but I know nothing about it. Does it use the right protocol? Will it be relevant at all? You
know, it sounds like a good idea to just buy it and find out, right? So I did it. Here it is. So we go through the motions, we plug it into my actual PC and try and find out a little bit about it. Now, you might remember this VID and PID: they match exactly what we've seen on the previously affected keyboards, so that sounds like we might actually go somewhere there. Okay, well, let's try and actually, you know, run the Bastille detection tool and see if it identifies itself as a keyboard that's potentially affected. Sure enough, it does. Well, let's take it one step further and run Mirage and try to run the keylogger
script. Sure enough, it does. So at least for this random unrelated keyboard it is working, and we now know that this is an attack that actually could happen, and if our attacker bought this keyboard from Currys instead of that keyboard from Currys they would quite potentially be, you know, quite successful. Again, we don't know if they were successful and we don't know that they were an attacker; these are assumptions. But my kind of working assumption, because we haven't then seen anything bad happen, is that they were probably trying to do this and they probably failed for the same reason that we did. So it may have just been that they were unlucky in their choice of keyboard, but
pure speculation; do quote me on it if you want to, but, you know, with big asterisks. So anyway, let's have a look at the demo. And by the way, this is what I was telling you about things maybe not going entirely to plan. I couldn't be bothered to pretend that these Python dumps didn't happen, so they're here, but after a few hopeless Python crashes and God knows what's happening, unplugging and replugging the Crazyradio and reflashing it, eventually it ran. So hopefully this is the successful run where I run the detection tool again, and I think this is attempt number five when it suddenly finds it and we go like, okay, cool, right, let's do this.

So then we get Mirage started. Come on. Note to self: make those faster. Oh, I'll skip ahead. Is that better? No, that's reset it. Okay, well apparently I can't click on these. That's okay, this is like slide N minus two, so we're gonna make it anyway. Yeah, so we found the device, and then I'll run Mirage, I'll run a keylogger, and this time I'll be doing the same exercise but in reverse: so I will be typing on the real keyboard in Notepad, and my hope is to see it here in my shell. One thing that you will notice when I actually get to it is that
it doesn't handle multiple keystrokes of the same key very well, so I think I've typed in something like hello in there and it will come out as h-e-l-o, because it tries to handle debouncing on a keyboard that it doesn't have much knowledge of, so it just assumes that if it ever gets two keys in a row then it's wonky. You could probably write something better, but again this is meant to be a PoC, and also if you were trying to sniff, like, a password, if you have a little bit of possibility of there being multiple key presses you can probably infer it from there anyway. So that's kind of already good enough.

There we go. So I typed a as my test, I got very excited because it actually worked, backspaced, and then I'm gonna try, I think it's a hello that's coming. Yeah, but what you see on the shell is Caps Lock has been pressed, then h, e, a single l, o. That's just a consequence of how Mirage tries to handle things, but you absolutely could do a little bit of analysis and find out that l has been pressed twice, because it would probably be a longer signal than the previous ones. So let's update our conclusions a little bit. So the original keyboard was not doing the thing; it's not just me being silly. There needs to be further work to
figure out what's up with that. I'm assuming encryption; it could be some form of obfuscation, but it's going to be something of that class. Apparently you can go to Currys and eyeball a keyboard and find one that will do this, which I found very exciting because that was 23 pounds that I may or may not have been seeing. So that's not great. I tried telling Currys; I never got an email back, so maybe I'll try again, but I'm not expecting an email back. I think this is probably quite true of wireless keyboards in general; I suspect if you looked at a large enough sample you'd probably find quite a few of them that
are like that. Finally, Bastille claims that with a Crazyradio you can sniff from quite a distance; they suggested 76 meters. I've tried with maybe 50 meters and a couple of walls between me and it, and sure enough I was getting it. So that could be that you are a couple of rooms away and you're listening to someone's keystrokes, but you are still within decent proximity. And remember these advertise themselves very promiscuously, they keep saying hi, hi, hi, so you could feasibly just walk around and start looking for them; you don't necessarily need to have a target knowingly. And finally there's a little bit of future work. So I'd like to debug Mirage, I'd like for it to recognize my keyboard
layout and not expect me to type in French. I would like for it to detect duplicate keystrokes a little bit more reliably; I'm not expecting 100%, but maybe a little bit. Figure out what's going on with that damn keyboard, probably never going to happen realistically, but I'd like to. And finally, the creator of Mirage also made a radio exploit which is insane: it basically abuses a rooted Samsung Galaxy S20, modifies its Bluetooth controller stack so that that Bluetooth controller can act as an injector or sniffer of multiple protocols, including the Mosart protocol. So going back to my idea of you could just walk around and potentially find some keyboards nearby, if that was on your phone that's becoming quite,
quite realistic, so I'd really like to play with that. Anyway, that's it from me. If you want to contact me, why would you, but here you go: my Twitter is at Cyber milosh, my work email is miloskowsky at websecure.com, and if any of you want to play, I think I have all the kit, so if you find me at some point and you just want me to set it up quickly I absolutely can. Otherwise I think we might have time for exactly one question. Go on.
Yeah, so in this case, if you looked at the output that I was getting, I pressed Caps Lock and then I started typing hello. Mirage didn't let me send key combinations, so if I tried holding Shift+L it would just say that Shift has been sent, but it wouldn't act as if it's being held. So hypothetically, if you extended it to do key combinations, those would probably register as different, yes.

Probably you'd have to. So the thing with Flipper Zero is that by default it listens on sub-gigahertz frequencies; most of these happen on the 2.4 GHz band, so you'd probably need an external board that would receive those signals, but from that point on, yeah, it's just a simple matter of programming. Okay, that's gonna be everything from me, and yeah, thank you very much for having me.