
Flipper Zero – Attack on wireless peripherals

Flipper Zero is ideal for attacking wireless peripherals

  • Besides convenience, wireless peripherals also enlarge the attack surface
  • Manufacturers of 2.4 GHz peripherals use proprietary packets and protocols and are themselves responsible for secure transmission
  • MouseJack is a vulnerability in wireless mice and keyboards that can still be found in a large number of deployed products, even seven years later
  • Flipper Zero is useful for radio attacks that require physical proximity to the target

This article covers a practical example of attacking wireless peripherals such as mice or keyboards, using Logitech Unifying technology as the example. For a basic understanding and an overview of the various modules and functions of the Flipper Zero, read the article Flipper Zero – What the little Tamagotchi can hack first. The inspiration to address the topic of attacking wireless peripherals came from a video.

Using wireless keyboards entails an increased attack surface, and depending on the system there are known vulnerabilities such as CVE-2019-13055. That one concerns the recording of the AES key material when a Logitech Unifying device is initially paired with the Unifying receiver; the typed characters can then be decrypted.

MouseJack is a collection of vulnerabilities that comprises keystroke injection and encryption bypass. Officially it is recorded as CVE-2016-10761. A variety of wireless keyboards and mice that communicate on the 2.4 GHz frequency are affected. Peripherals that connect exclusively via Bluetooth are not affected. The vulnerability was discovered by Bastille in 2016; its website lists the affected devices with manufacturer details, and the vulnerability was fixed where possible.

Background

For wireless peripherals such as mice or keyboards, there are no standardized protocols on the 2.4 GHz frequency. Accordingly, each manufacturer is responsible for the connection and the security used. When the mouse is moved or keys are pressed, the movements or keystrokes are sent in packets to the wireless receiver on the computer; the exact implementation depends on the manufacturer, as mentioned. Usually the user's inputs are transmitted encrypted. The key is negotiated during the initial pairing between the input device and the wireless receiver. The encrypted transmission prevents simple eavesdropping on someone else's inputs.

Keystrokes

The tested Unifying receivers affected by the MouseJack vulnerability were already paired, but could nonetheless be connected to new mice or keyboards independently of that. It made no difference whether the Unifying receiver was paired exclusively with a mouse, a keyboard, or both. From this it can be concluded that, when only a mouse is in use, the receiver does not check whether the received commands are really only mouse movements or mouse button presses. Consequently, unwanted keystrokes can also be triggered on the target system when a wireless mouse is used.

When Bastille first discovered the MouseJack vulnerability, it was noted that most vendors encrypt keystrokes, but the Unifying receivers do not verify that every received input is actually encrypted; inputs are also accepted unencrypted. This greatly simplifies things for attackers, since they do not have to worry about the key in use; only the specific address of the Unifying receiver is required to send the desired payload.

Since a Flipper Zero was used in the video that inspired this article, the goal was to replicate this attack.

Test preparation

A Windows notebook with a Logitech Unifying receiver, a Logitech M525 mouse and, later, a Logitech K800 keyboard served as the test setup. To carry out the attack, a Flipper Zero was used with an NRF24L01+ radio module connected via the GPIO pins. The firmware on the Flipper Zero was the RogueMaster fork of the Flipper firmware, because it already contains the scripts needed to drive the NRF24L01+ radio module over the GPIO pins.

The wiring between the Flipper Zero and the NRF24L01+ radio module followed a wiring plan. After wiring, the setup looked as shown in the illustration.

Once the module is connected via the GPIO pins, the address of the Unifying receiver can be discovered with the NRF24 sniffer software and the receiver can then be attacked with the NRF24 MouseJack script. On startup, the MouseJack script asks for a Ducky script as payload, executes it and sends the unencrypted keystrokes to the Unifying receiver.

For example, the following Ducky script can be used:

DELAY 1000
GUI r
DELAY 500
STRING firefox.exe
DELAY 500
ENTER
DELAY 1500
CTRL l
DELAY 500
STRING www.scip.ch
DELAY 500
ENTER

Ducky scripts are discussed in more detail in the Terminal Attacks article.

Because of the Flipper Zero's small size, attacks on wireless peripherals or other targets that require a certain physical proximity are somewhat easier to carry out. Even with an add-on module such as the radio module shown above, the Flipper Zero fits easily into a jacket or shoulder bag, which makes an attack at close physical range less conspicuous. In an open-plan office where many people use wireless peripherals affected by the MouseJack vulnerability, the probability of an inconspicuous and successful attack is very high.

Wireless devices bring a larger attack surface, so they should always be kept on the current firmware version, and in sensitive areas wired keyboards and mice should be preferred. At the time of writing, the MouseJack vulnerability is over seven years old and is still regularly found and exploitable when testing devices in one's own environment. Because of the Flipper Zero's small size, its support for a large number of radio frequencies and its easy extensibility via the GPIO pins, the device is ideal for attacks on wireless targets that require physical proximity to the target device.

About the author

Ralph Meyer

Ralph Meyer completed an apprenticeship as an application developer, focusing on web development with Java, at a major Swiss bank, followed by a Bachelor of Science ZFH in computer science at the ZHAW School of Engineering. He focuses on security testing of web applications. (ORCID 0000-0002-3997-8482)
