
Modern Wireless Devices



Several months ago, we published all the information necessary to build your own wireless keyboard sniffer. We called it Keykeriki and we also have a project page for it. This keyboard sniffing device is able to capture and decrypt keystrokes sent by Microsoft and Logitech 27 MHz based keyboards. And we got stuck there, somehow. We prepared PCBs for you and we still have some, but we don’t know whether it’s worth ordering more PCBs right now, although there are still several people out there interested in getting such a PCB for building this device. But why shouldn’t it be worth ordering more PCBs right now..? Well, we did some more research, as briefly announced on the project page. If you wrote us an email, it might still be unanswered… we’re sorry about this, but we were really, really close to completing this project – every day. For the past six months.

We just thought: “let’s just wait a few days and we will write answers to all those emails anyway!”.

What happened?

In November 2009 we gave a talk on the security of 2.4 GHz based wireless keyboards at the DeepSec Security Conference in Vienna. We analyzed several modern, state-of-the-art keyboards and realized that they all have something in common: they all use some kind of proprietary protocol on the licence-free 2.4 GHz band. All the devices we analyzed (several Microsoft and Logitech devices, Siemens-Fujitsu, etc.) use a Nordic Semiconductor SoC transceiver, which also implements (and hides) the complete Layer 2, the MAC layer. Using the so-called “Enhanced Shockburst™ Technology”, data rates of up to 2 Mbit/s are possible at very low power consumption, by minimizing the on-air time. By design, those devices do not allow direct access to Layer 2: one must know the MAC address in order to configure and use a Nordic Semiconductor transceiver properly, otherwise the SoC treats Shockburst frames without the correct destination address as noise. Despite needing to brute-force guess a correct MAC address (which is possible within several hours), we analyzed the payload sent by the keyboards.

Short summary of some findings:

  • Logitech uses the 128-bit AES crypto hardware of Nordic Semiconductor’s transceiver chip. The methods used here are already broken in theory; I guess it simply needs some more spare time to also be broken in practice ;-)
  • Microsoft also uses 128-bit AES hardware crypto-enabled transceiver chips, but… they rather implemented their own highly secure crypto algorithm in software, and also a secret checksum algorithm! Well, duh – lessons learned from the past: they don’t use the secret XOR-with-one-random-byte algorithm anymore. Since they ship their devices with hardware-crypto-enabled SoCs, implementing a secret XOR-with-five-non-random-(MAC address)-bytes algorithm goes without saying. That’s right, the five-byte XOR key equals the constant MAC address, which must (!) be known by anyone who wants to send to or receive from a specific device anyway!
  • Siemens Fujitsu – no crypto
  • No-Name devices – *yawn*

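To make the last two findings concrete, here is an added model (not code from the Keykeriki project) of the scheme the post attributes to the Microsoft keyboards: the keystroke payload is XOR-ed with the receiver's constant 5-byte address, and that address travels in the clear in every Enhanced Shockburst frame because the transceiver needs it for filtering. The frame layout (address followed by payload, preamble and CRC omitted), the repetition of the key over longer payloads and all sample values are constructed assumptions for illustration; the point is that a receiver which can see the frame at all already holds the key, and that a constant key makes repeated input visible without decrypting anything.

```python
# Added example, not code from the Keykeriki project or the keyboard firmware.
# Model of "payload XOR constant 5-byte address"; frame layout and values are
# constructed assumptions for illustration.

ADDR_LEN = 5  # Enhanced Shockburst addresses are 3 to 5 bytes; 5 assumed here


def xor_with_address(payload: bytes, address: bytes) -> bytes:
    """XOR the payload with the address, repeating the address if the payload is
    longer (the repetition is an assumption of this model). XOR is its own
    inverse, so the same call 'encrypts' and 'decrypts'."""
    if len(address) != ADDR_LEN:
        raise ValueError("expected a %d-byte address" % ADDR_LEN)
    return bytes(b ^ address[i % ADDR_LEN] for i, b in enumerate(payload))


def build_frame(address: bytes, keystroke_report: bytes) -> bytes:
    """On-air frame as the keyboard would send it (simplified): the destination
    address in the clear, because the receiving SoC filters on it, followed by
    the XOR-ed keystroke report."""
    return address + xor_with_address(keystroke_report, address)


def decrypt_frame(frame: bytes) -> bytes:
    """Recover the keystroke report from a captured frame using nothing but the
    frame itself: the 'key' is the address every frame carries, so no secret
    is needed. This is why the scheme provides no confidentiality."""
    address, payload = frame[:ADDR_LEN], frame[ADDR_LEN:]
    return xor_with_address(payload, address)


def leaks_repeated_input(frames) -> bool:
    """A constant key also makes the scheme deterministic: two frames carrying
    the same report are byte-identical, so repeated input (e.g. the same key
    pressed twice) is visible to an observer without any decryption."""
    return len(frames) != len(set(frames))


if __name__ == "__main__":
    address = bytes.fromhex("a1b2c3d4e5")  # constructed sample address
    # constructed report in the style of a USB HID keyboard report:
    # modifier byte (0x02 = left shift), reserved byte, key code 0x04 ('a')
    report = bytes([0x02, 0x00, 0x04, 0x00, 0x00, 0x00])
    frame = build_frame(address, report)
    print("on-air:", frame.hex(), "-> report:", decrypt_frame(frame).hex())
    print("same key twice leaks:", leaks_repeated_input([frame, frame]))
```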
At this point we just followed the brute-force attack scenario and attached a Nordic Semi transceiver module to the existing Keykeriki device. Only one simple modification is necessary to attach the module to the pins on the right side of the Atmel AVR. And this simple modification is exactly the reason for the delay: we got stuck trying to do both at once, moving forward while also moving backward (to stay compatible) and providing better error correction for the 27 MHz stuff.

2.4 GHz range tests in-house

In the end we were (of course) able to read, and also to send, data to the PC. We implemented a very simple remote command injection exploit demo by sending “Windows-R + cmd.exe + Return”. Well, there are several technical details which will be described in our new whitepaper, but at least we were able to execute commands remotely over a distance of 75 m in-house.

The attack, and also information about the Logitech crypto, is briefly described in our presentation slides from the DeepSec Conference 2009 and will be detailed in our upcoming whitepaper.

Keykeriki V2

Now – and that’s the news – we are also able to perform all attacks using zero-knowledge approaches. We built a new-generation Keykeriki V2, which is based on an ARM Cortex-M3 microcontroller. We decided to let go of the concept of a super-universal Keykeriki device and build a new one that is able to process data at higher speed.

Keykeriki V2 PCB Prototype

Dev/Prototype version of Keykeriki V2

Our goal was to enable attacks using zero-knowledge approaches without expensive radio equipment. The new tool may also lay the foundation for completely new threat scenarios through those low-cost 2.4 GHz SoC devices! We don’t want to publish much information about the new hardware and software right now. The news will be detailed in our talk at CanSecWest 2010 in Vancouver, Canada. We’re going to release the successor to the Keykeriki during the conference. The working title is “Vogelgrippe” and it will be able to capture raw “Enhanced Shockburst™” frames, and therefore capture the keystrokes of any wireless keyboard which uses the 2.4 GHz Enhanced Shockburst™ Technology. The hardware will be as tiny and handy as the first-generation Keykeriki, i.e. not larger than a packet of cigarettes.

The abstract of our talk at CanSecWest 2010 will be available later. CanSecWest 2010 will be held March 24-26, 2010 in Vancouver, Canada. Many thanks to Dreamlab Technologies AG for supporting this project!
