2025-01-19 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/01 Report--
Introduction: in yesterday's article "Wireless keyboard and mouse monitoring and hijacking", we said that today we would introduce a classic case of wireless keyboard monitoring and hijacking, "MouseJack". MouseJack exploits flaws in wireless mice and keyboards to masquerade as a keyboard and press arbitrary keys.
There are two valuable cases of wireless keyboard monitoring and hijacking. One of them is MouseJack, which exploits flaws in wireless mice and keyboards to masquerade as a keyboard and press arbitrary keys. The harm is that the fake keyboard can enter any command to control the computer, or even use a command script to download a virus or carry out further attacks.
MouseJack is a collection of security issues in wireless mice and keyboards. As many as seven manufacturers are affected, and these issues allow an attacker to enter arbitrary instructions on the victim's computer from a distance of 100 m, using only a special $15 USB adapter. That USB adapter is called Crazyradio PA.
Crazyradio PA is open source hardware based on the nRF24LE1. It has an operational amplifier chip for signal amplification and higher receiving sensitivity, and instead of the onboard antenna found on the nRF24L01+ module mentioned above, it uses an external antenna on an SMA connector. The external antenna greatly improves transmission and reception. These improvements allow it to transmit and receive over an open-air distance of 100 meters, rather than the roughly 10 meters of common wireless keyboards and mice. MouseJack modified the Crazyradio PA firmware so that it can sniff packets and perform injection through Python.
When the keyboard or mouse performs an action, the action is converted into data packets that are transmitted wirelessly to the computer-side adapter. After receiving a packet from the mouse or keyboard, the adapter knows which keyboard or mouse action it represents. To prevent eavesdropping, most manufacturers encrypt the data sent by the wireless keyboard. The computer-side adapter knows the key, so it can correctly decode which key was pressed. Anyone who does not know the key cannot decode the data and so cannot tell which keys were pressed. The following picture shows a user with a wireless keyboard. When the letter A is pressed, the data is encrypted before it is sent, and the adapter receives it and decrypts it to get the correct key value.
Generally speaking, the data transmitted by the mouse is not encrypted. This means that there is no authentication mechanism for the communication between the mouse and the adapter, and the adapter cannot tell which packets were sent by the mouse and which were forged. So an attacker can impersonate a mouse and send the desired action to the adapter. The following picture shows the packet sent wirelessly to the computer-side adapter after the user clicks the left mouse button.
The main problem in this process is that the way the adapter handles received packets lets an attacker transmit carefully forged packets that produce keystroke actions. The figure below shows that an attacker can use a tool such as Crazyradio PA to generate fake left-click packets. After receiving such a packet, the user's adapter tells the computer to produce a left-click action.
At present, the vast majority of the affected chips are nRF24L series transceivers produced by Nordic Semiconductor. The nRF24L series only provides a mechanism for sending and receiving data between two devices; which data represents a mouse click or a keystroke is decided by each manufacturer. The problems found so far fall into the following three categories.
1. Mouse spoofing for keystroke injection
When processing a received wireless packet, some adapters do not verify that the packet type matches the type of device that sent it. Under normal circumstances, the mouse sends only movement and click data to the adapter, and the keyboard sends only keystrokes. If the adapter does not verify that the packet type matches the type of the sending device, it gives an attacker an opportunity. The attacker poses as a mouse, but what is actually sent to the adapter is a keyboard keystroke packet. The adapter does not anticipate that the packet from the mouse is actually an encrypted keystroke packet. It accepts these packets containing keystroke information and performs the keystrokes they describe, so that the attacker can send arbitrary instructions to the victim's computer.
2. Keyboard spoofing for keystroke injection
Most of the tested keyboards encrypt the data before transmitting it wirelessly to the adapter, but not all adapters accept only encrypted data; some also accept unencrypted data. This allows an attacker to pose as a keyboard and send unencrypted packets to the adapter. This bypasses the keyboard's encryption, allowing the attacker to send arbitrary instructions to the victim's computer as if from the keyboard.
3. Forced pairing
When a wireless keyboard or mouse leaves the factory, it is already paired with its adapter. This means that the keyboard or mouse has stored the wireless address of the adapter. If a wireless keyboard or mouse has not stored the address of the adapter, it needs to be paired with the adapter. If the user's wireless keyboard or mouse breaks, or the wireless adapter is lost, the user does not need to buy a full wireless keyboard and mouse set again, only a new keyboard, mouse or adapter.
To prevent unauthorized devices from pairing with the adapter, the adapter accepts new devices only within the 30 seconds of pairing mode. This allows an attacker to pair a new device through the pairing mode without user intervention. The user may have only a mouse, but once it is connected and paired, a fake keyboard can also be paired with the adapter and eventually send arbitrary instructions to the user's computer.
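The three categories above, seen from the adapter's side, as an added example that is not from the original article or from any vendor's firmware: a permissive acceptance policy next to a hardened one with one check per category. The frame layout, the slot table and all names are hypothetical, and the `encrypted` flag is assumed to be set only after a payload has been decrypted and verified with the pairing key.

```c
#include <stdbool.h>
#include <stdint.h>

/* Hypothetical frame model for illustration; not any vendor's real packet layout. */
enum dev_type   { DEV_MOUSE, DEV_KEYBOARD };
enum frame_type { FRAME_MOUSE, FRAME_KEYSTROKE, FRAME_PAIR_REQUEST };
#define NSLOTS 2

struct frame {
    uint8_t         slot;       /* index of the claimed sender in the pairing table */
    enum frame_type type;
    bool            encrypted;  /* assumed: payload decrypted and verified with the pairing key */
};

struct adapter {
    enum dev_type paired[NSLOTS];    /* device type recorded when the slot was paired */
    bool          slot_used[NSLOTS];
    bool          pairing_mode;      /* set by a physical user action, cleared on timeout */
};

/* Constructed sample state: slot 0 is a paired mouse, slot 1 a paired keyboard. */
struct adapter sample_adapter(void)
{
    struct adapter a = { { DEV_MOUSE, DEV_KEYBOARD }, { true, true }, false };
    return a;
}

/* Permissive policy matching the article's description: any frame from a known
   slot is acted on, and pairing requests are honoured at any time. */
bool accept_vulnerable(const struct adapter *a, const struct frame *f)
{
    if (f->type == FRAME_PAIR_REQUEST) return true;
    return f->slot < NSLOTS && a->slot_used[f->slot];
}

/* Hardened policy: one check per problem category. */
bool accept_hardened(const struct adapter *a, const struct frame *f)
{
    /* Category 3: pair only while the user has opened the pairing window. */
    if (f->type == FRAME_PAIR_REQUEST) return a->pairing_mode;
    if (f->slot >= NSLOTS || !a->slot_used[f->slot]) return false;
    if (f->type == FRAME_KEYSTROKE) {
        /* Category 1: keystrokes only from a slot paired as a keyboard. */
        if (a->paired[f->slot] != DEV_KEYBOARD) return false;
        /* Category 2: never act on a keystroke that arrived unencrypted. */
        return f->encrypted;
    }
    /* Mouse frames only from a slot paired as a mouse; they stay unauthenticated. */
    return a->paired[f->slot] == DEV_MOUSE;
}
```

The hardened policy still accepts unencrypted mouse frames, because the article states that mouse traffic is generally not encrypted.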
Simply monitoring or controlling a wireless mouse does not make much sense, because what the mouse itself can do is too limited: nothing but move, left-click or right-click. These operations are almost meaningless without knowing the user interface. The attacker does not know where the pointer has moved or what effect a click has. Therefore, simply monitoring or controlling the wireless mouse has no practical significance.
So the official MouseJack demo is just a show!
Warning: stealing other people's information is illegal. This section is for learning reference only! Don't make mistakes!
This article is selected from "hardware Security * * Secrets".