Wireless keyboard monitoring and hijacking

2025-01-18 Update From: SLTechnology News&Howtos (shulou)


Shulou(Shulou.com)06/01 Report--

Introduction: The keyboard is one of the most common pieces of hardware in daily life, and wireless keyboards and mice are popular for their convenience and clean look. How secure are they, and how can we protect ourselves against eavesdropping and hijacking?

This article is selected from "hardware Security * *".

1. The rise of wireless keyboards and mice

There are several ways to connect a keyboard to a computer. The wired keyboard and mouse is the most common and the most widely used, but a cable limits the operating distance, is inconvenient to carry and clutters the desk. The wireless keyboard and mouse solves these problems. Wireless keyboards and mice come in two kinds, Bluetooth and 2.4GHz, and in this article "wireless keyboard and mouse" refers to the 2.4GHz kind. Note that a Bluetooth keyboard or mouse also operates in the 2.4GHz band, but it uses the standardized Bluetooth protocol; the "2.4GHz" kind refers to products built on a vendor's proprietary wireless protocol. A 2.4GHz keyboard and mouse normally comes with a receiver (dongle) that plugs into a USB port of the computer, while the keyboard and mouse themselves are battery-powered.

2. How a wireless keyboard and mouse work

The main difference between a wireless and a wired keyboard or mouse is how the signal is carried: a wired device sends key data over the cable, a wireless device sends it over radio. Early wireless keyboards used the 27MHz band, when the receiver was far bulkier than today's integrated chips; most current products work in the 2.4GHz ISM (Industrial, Scientific, Medical) band. In outline, a wireless keyboard works like this. When a key is pressed, the microcontroller in the keyboard detects which key by matrix scanning, and each key has a corresponding key code; the microcontroller hands that key code to the wireless transceiver module, which sends it over the air; the receiver plugged into the computer's USB port picks up the packet and passes the keystroke to the operating system over USB, where it appears as ordinary USB keyboard input. That completes the delivery of one keystroke. The hardware and the communication data are described in detail below.

3. Hardware part

If you really want to understand how a keyboard is built and how it works, taking it apart is the most direct and effective method.

The picture above shows a disassembled wireless keyboard. The lower right part is the battery compartment, and the red wire is the power lead that supplies the microcontroller and the wireless module. This kind of membrane keyboard is currently the most common on the market. The membrane keyboard did not displace the mechanical keyboard because mechanical keyboards are worse: a mechanical keyboard has a better feel and a longer service life, but it was gradually pushed out of the mass market by its higher cost. Recently, with more attention to product quality, mechanical keyboards have been gaining popularity again.

The membrane keyboard uses three layers of film, so there is no mechanical wear; it is cheap, quiet and inexpensive to make, and it holds most of the market. What most of us use today is a membrane keyboard. Its structure is very simple: besides the upper and lower housing and the keycaps, when you open one up you will see the rubber domes (now usually made of silicone), the three films, the circuit board and the IC on it. Looking closely at the films you can also see the printed conductive traces. The principle is equally simple: of the three films, the top one carries the positive traces, the bottom one the negative traces, and the middle one is a non-conductive plastic spacer.

On top sits the key assembly (usually the keycap, the moving part under it, and the rubber dome). When a finger presses the keycap down, the upper and lower films touch and close the circuit.

However, what we care about more is the RF part, that is, which chip handles the data transmission. Knowing this points the research in the right direction.

The picture above shows the RF section of the wireless keyboard, which uses an nRF24L01 chip designed by Nordic. The black square is the chip, surrounded by the peripheral components it needs to work, such as capacitors and resistors. The meander pattern on the left is a PCB antenna: a trace on the printed circuit board used as the antenna. Such an antenna is smaller and cheaper than an external one, but its range is shorter, so it suits applications with no strict range requirement. This transceiver chip is the key to understanding how the wireless keyboard communicates and is the focus of our study of it. Some basic facts about the chip follow.

The nRF24L01 is a single-chip wireless transceiver from Nordic with a built-in packet protocol engine, designed for low-power wireless applications. It operates in the worldwide open 2.4GHz ISM band, in the frequency range 2.400GHz to 2.4835GHz. Because the nRF24L01 is only a transceiver and has no integrated microcontroller, it must be used together with a microcontroller and a small number of peripheral components. The microcontroller controls and configures the nRF24L01 over an SPI interface: through SPI it reads and writes the chip's internal registers, completing its configuration and every other operation.

The radio uses GFSK modulation. The channel, output power and data rate are all configurable. The chip supports three data rates, 250kbit/s, 1Mbit/s and 2Mbit/s (the 250kbit/s rate is available only on the later nRF24L01+ variant); 2Mbit/s is the most commonly used today.

The figure below shows Nordic's official reference circuit schematic. Most companies develop on this basis and only adjust the schematic when they have special requirements for some aspect. Many manufacturers also use it as the basis for secondary development and produce ready-made modules of the chip.

The picture below shows a finished module of the chip.

The module brings out only the necessary power and control interfaces; the rest of the peripheral circuit is already integrated on it. The advantage is convenience: the user need not worry about the chip's peripheral circuit or the antenna. Antenna design is a difficult part of circuit design, and small errors can greatly affect the communication range, so many manufacturers use a well-designed module instead of redesigning this part.

The picture above shows the pinout of the module, which connects to the microcontroller. The pin functions are as follows.

The module exposes eight pins. Pins 1 and 2 are the power supply. Pin 3 is CE, the chip-enable line: with the chip powered up, driving CE high puts it into receive or transmit mode (which of the two is selected by the PRIM_RX bit of the CONFIG register). Pins 4 to 7 are the four SPI lines. CSN is the chip select, that is, the SPI enable for the chip; SCK is the SPI clock supplied by the microcontroller; MOSI carries data from the microcontroller to the module, and MISO carries data from the module to the microcontroller. Pin 8, IRQ, is an active-low interrupt output: it notifies the microcontroller with a level change when a packet has been received (and also when a packet has been sent or the retransmit limit has been reached). The advantage of an interrupt is that the microcontroller can do other work, or sleep, while no data is arriving, instead of polling the module continuously. The IRQ pin can be left unconnected, but then the microcontroller has to poll, which is inefficient and keeps the microcontroller awake all the time, preventing sleep and greatly increasing power consumption.
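As an added example (not code from the article or from Nordic), here is what the register traffic over those SPI lines looks like from the microcontroller's side: the command byte encoding, the LSByte-first order of multi-byte address registers, and a configuration sequence that brings the chip up as a receiver. The SPI bus is replaced by a mock that records each CSN-low to CSN-high transaction so the bytes can be inspected without hardware; the command and register values are the nRF24L01 datasheet's, while the channel, address, 2-byte CRC and 32-byte static payload length are assumptions chosen for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* SPI commands (nRF24L01 datasheet). For register access the upper three
   bits select the command and the low five bits select the register. */
#define CMD_R_REGISTER   0x00
#define CMD_W_REGISTER   0x20
#define CMD_R_RX_PAYLOAD 0x61
#define CMD_FLUSH_RX     0xE2
#define CMD_NOP          0xFF

/* Register map, subset */
#define REG_CONFIG     0x00  /* bit0 PRIM_RX, bit1 PWR_UP, bit2 CRCO, bit3 EN_CRC */
#define REG_EN_RXADDR  0x02  /* one bit per data pipe */
#define REG_SETUP_AW   0x03  /* 01 = 3, 10 = 4, 11 = 5 byte addresses */
#define REG_RF_CH      0x05  /* channel: f = 2400 MHz + RF_CH MHz */
#define REG_RF_SETUP   0x06  /* bit5 RF_DR_LOW, bit3 RF_DR_HIGH, bits2:1 RF_PWR */
#define REG_STATUS     0x07
#define REG_RX_ADDR_P0 0x0A  /* 3..5 bytes, written LSByte first */
#define REG_RX_PW_P0   0x11  /* static payload length of pipe 0 */

#define RATE_1MBPS   0x00
#define RATE_2MBPS   0x08
#define RATE_250KBPS 0x20    /* nRF24L01+ only */

/* Mock SPI bus (assumption for this example): every CSN-low .. CSN-high
   transaction is recorded so the bytes can be checked without hardware. */
#define MAX_TXN 16
typedef struct { uint8_t mosi[8]; uint8_t miso[8]; size_t len; } spi_txn_t;
static spi_txn_t txn_log[MAX_TXN];
static size_t txn_count;
static uint8_t mock_status = 0x0E;   /* STATUS reset value: RX FIFO empty */

/* Full-duplex transfer. The chip clocks STATUS out on MISO while the command
   byte goes in on MOSI, so every access also returns the status "for free". */
static uint8_t spi_transfer(const uint8_t *out, uint8_t *in, size_t len) {
    spi_txn_t *t = &txn_log[txn_count++ % MAX_TXN];
    memcpy(t->mosi, out, len);
    memset(t->miso, 0, sizeof t->miso);
    t->miso[0] = mock_status;
    t->len = len;
    if (in) memcpy(in, t->miso, len);
    return mock_status;
}

uint8_t nrf_write_reg(uint8_t reg, uint8_t value) {
    uint8_t out[2] = { (uint8_t)(CMD_W_REGISTER | (reg & 0x1F)), value };
    return spi_transfer(out, NULL, 2);
}

/* Multi-byte registers (addresses) are written least-significant byte first,
   so an address given in the usual MSByte-first notation is reversed here. */
uint8_t nrf_write_addr(uint8_t reg, const uint8_t *addr, size_t n) {
    uint8_t out[6] = { (uint8_t)(CMD_W_REGISTER | (reg & 0x1F)) };
    for (size_t i = 0; i < n && i < 5; i++) out[1 + i] = addr[n - 1 - i];
    return spi_transfer(out, NULL, n + 1);
}

uint8_t nrf_read_reg(uint8_t reg) {
    uint8_t out[2] = { (uint8_t)(CMD_R_REGISTER | (reg & 0x1F)), CMD_NOP }, in[2];
    spi_transfer(out, in, 2);
    return in[1];                      /* register value follows the status byte */
}

/* Bring the chip up as a receiver on pipe 0 with a 2-byte CRC. Afterwards the
   MCU drives CE high (a GPIO, not SPI) to start listening; IRQ then goes low
   when a packet arrives and R_RX_PAYLOAD reads it out. */
void nrf_configure_rx(uint8_t channel, uint8_t rate, const uint8_t *addr,
                      size_t addr_len, uint8_t payload_len) {
    txn_count = 0;
    nrf_write_reg(REG_CONFIG,   0x0F);                    /* EN_CRC|CRCO|PWR_UP|PRIM_RX */
    nrf_write_reg(REG_SETUP_AW, (uint8_t)(addr_len - 2)); /* 3 -> 01, 4 -> 10, 5 -> 11 */
    nrf_write_reg(REG_RF_CH,    channel & 0x7F);
    nrf_write_reg(REG_RF_SETUP, rate | 0x06);             /* data rate, RF_PWR = 0 dBm */
    nrf_write_addr(REG_RX_ADDR_P0, addr, addr_len);
    nrf_write_reg(REG_RX_PW_P0, payload_len);
    nrf_write_reg(REG_EN_RXADDR, 0x01);                   /* pipe 0 only */
}

size_t nrf_txn_count(void) { return txn_count; }
const spi_txn_t *nrf_txn(size_t i) { return &txn_log[i % MAX_TXN]; }

int main(void) {
    const uint8_t addr[5] = { 0xE7, 0xE7, 0xE7, 0xE7, 0xE7 };  /* chip's default pipe 0 address */
    nrf_configure_rx(76, RATE_2MBPS, addr, 5, 32);           /* 2476 MHz, 2 Mbit/s (assumed) */
    for (size_t i = 0; i < nrf_txn_count(); i++) {
        printf("txn %zu MOSI:", i);
        for (size_t j = 0; j < nrf_txn(i)->len; j++) printf(" %02X", nrf_txn(i)->mosi[j]);
        printf("\n");
    }
    return 0;
}
```

On a real MCU, spi_transfer() becomes the SPI driver call with CSN driven low before it and high after it; everything else stays the same, which is why the transaction log is a useful way to check a driver's byte sequences against the datasheet before touching hardware.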

Configuring and operating the nRF24L01 goes through the physical interface described above. Understanding the hardware is not enough, though; studying the communication data is also required.

4. Communication data

The nRF24L01's built-in protocol engine (Enhanced ShockBurst) assembles packets automatically, sends acknowledgement packets automatically and retransmits automatically. It supports payloads of 1 to 32 bytes, and a received packet is unpacked automatically so that the application gets just the payload. The nRF24L01 has six receive data pipes, so it supports a star network of up to one-to-six.

The figure above shows the nRF24L01 packet format: a 1-byte preamble, a 3-to-5-byte address, a 9-bit packet control field, a 0-to-32-byte payload and a CRC. Each part plays a different role in the communication, described in detail below.

The preamble synchronizes the receiver's demodulator with the incoming bit stream. It is one byte long, either 01010101 or 10101010, chosen according to the first bit of the address that follows it: if the first address bit is 1 the preamble is automatically set to 10101010, and if it is 0 the preamble is automatically set to 01010101. This guarantees enough transitions for the receiver to settle. Put simply, the preamble makes the reception of the following data stream more stable.

The address is sent by the transmitter and identifies the intended receiver, so that the packet is detected and received by the correct device rather than picked up by others. With an address written into the receiver, packets not addressed to us are easily filtered out, which guarantees at least that the address of any accepted packet is correct. The address width can be set to 3, 4 or 5 bytes through the AW field of the SETUP_AW register.

The picture above shows the packet control field (Packet Control Field), which carries the packet's control information: the payload length field (Payload Length), the packet identification field (PID) and the no-acknowledgement flag (NO_ACK). The payload length field is 6 bits. When the receiver is configured for dynamic payload length, this field tells it how long the payload is so that it can be read out directly; with static payload length the field is not needed, because the payload length is fixed.

The 2-bit packet identification field tells the receiver whether a packet is new or a retransmission, so that the same payload is not handed to the microcontroller twice. The transmitter increments the PID for each new packet. The receiver decides whether a packet is a retransmission or new from the PID together with the cyclic redundancy check (CRC). When several packets are lost, the PID of a new packet may equal that of the last one; in that case the nRF24L01 also compares the CRCs of the two packets. If both PID and CRC are the same, the latest packet is treated as a copy of the previous one and discarded.

The no-acknowledgement flag (NO_ACK) controls the optional auto-acknowledgement feature and is only meaningful when auto-acknowledgement is in use. Setting this flag to 1 tells the receiver that the packet does not need to be acknowledged automatically.

The payload is the user-defined data, 0 to 32 bytes long (0 bytes for an acknowledgement without data); the data to be transmitted is placed here. The cyclic redundancy check (CRC) detects transmission errors. Before sending, the transmitter computes a CRC over the data being sent; on reception, the receiver computes the CRC over the data it received in the same way and compares it with the CRC carried in the packet. If they match, the transmission is considered error-free; if they differ, the packet is considered corrupted and retransmission or other measures are needed. The CRC field can be 1 or 2 bytes and is calculated over the address, the packet control field and the payload.
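The following is an added example, not code from the article or from Nordic, that builds and parses frames in exactly the layout described above (preamble, 3-to-5-byte address, 9-bit packet control field, payload, CRC), including the PID-plus-CRC duplicate check from the packet identification section. The bit order (MSB first, address sent most-significant byte first) and the CRC polynomials (CRC-8 x^8+x^2+x+1 with initial value 0xFF, CRC-16 x^16+x^12+x^5+1 with initial value 0xFFFF) are taken from the nRF24L01 datasheet rather than from the article, and the sample address and payload are constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Longest frame: 8 + 40 + 9 + 256 + 16 = 329 bits, rounded up to bytes */
#define ESB_MAX_BYTES 42

/* One Enhanced ShockBurst frame, as seen by the application */
typedef struct {
    uint8_t addr[5];     int addr_len;     /* 3..5 bytes (SETUP_AW), MSByte first */
    uint8_t payload[32]; int payload_len;  /* 0..32 bytes, 0 = empty ACK */
    uint8_t pid;         int no_ack;       /* 2-bit packet id, NO_ACK flag */
    int crc_len;         uint32_t crc;     /* 1 or 2 bytes (CONFIG.CRCO) */
} esb_frame_t;

/* Bit access, MSB first: position 0 is the first bit on the air (datasheet order) */
static void put_bits(uint8_t *buf, size_t *pos, uint32_t v, int width) {
    for (int i = width - 1; i >= 0; i--, (*pos)++) {
        uint8_t mask = (uint8_t)(0x80 >> (*pos % 8));
        if ((v >> i) & 1) buf[*pos / 8] |= mask; else buf[*pos / 8] &= (uint8_t)~mask;
    }
}
static uint32_t get_bits(const uint8_t *buf, size_t pos, int width) {
    uint32_t v = 0;
    for (int i = 0; i < width; i++, pos++)
        v = (v << 1) | ((buf[pos / 8] >> (7 - pos % 8)) & 1);
    return v;
}

/* Bit-serial CRC over a span that need not be byte-aligned: the 9-bit packet
   control field between address and payload makes a byte-table CRC wrong here. */
static uint32_t crc_bits(const uint8_t *buf, size_t start, size_t nbits,
                         int width, uint32_t poly, uint32_t init) {
    uint32_t crc = init, top = 1u << (width - 1), mask = (1u << width) - 1;
    for (size_t i = 0; i < nbits; i++) {
        uint32_t fb = ((crc & top) ? 1u : 0u) ^ get_bits(buf, start + i, 1);
        crc = ((crc << 1) ^ (fb ? poly : 0u)) & mask;
    }
    return crc;
}
/* CRC-8 x^8+x^2+x+1 init 0xFF, or CRC-16 x^16+x^12+x^5+1 init 0xFFFF (datasheet) */
static uint32_t esb_crc(const uint8_t *buf, size_t start, size_t nbits, int crc_len) {
    return crc_len == 1 ? crc_bits(buf, start, nbits, 8, 0x07, 0xFF)
                        : crc_bits(buf, start, nbits, 16, 0x1021, 0xFFFF);
}

/* Serialize a frame into on-air bits; out must hold ESB_MAX_BYTES. Returns the bit count. */
size_t esb_build(const esb_frame_t *f, uint8_t *out) {
    size_t pos = 0, crc_start;
    memset(out, 0, ESB_MAX_BYTES);
    /* Preamble: 10101010 if the first address bit is 1, otherwise 01010101 */
    put_bits(out, &pos, (f->addr[0] & 0x80) ? 0xAA : 0x55, 8);
    crc_start = pos;                                  /* CRC covers everything from here */
    for (int i = 0; i < f->addr_len; i++) put_bits(out, &pos, f->addr[i], 8);
    put_bits(out, &pos, (uint32_t)f->payload_len, 6); /* Payload Length */
    put_bits(out, &pos, f->pid & 3, 2);               /* PID */
    put_bits(out, &pos, f->no_ack & 1, 1);            /* NO_ACK */
    for (int i = 0; i < f->payload_len; i++) put_bits(out, &pos, f->payload[i], 8);
    put_bits(out, &pos, esb_crc(out, crc_start, pos - crc_start, f->crc_len), 8 * f->crc_len);
    return pos;
}

/* Parse on-air bits as a receiver configured for addr_len/crc_len would.
   Returns 1 for a valid frame, 0 for a bad preamble, length or CRC. */
int esb_parse(const uint8_t *in, size_t nbits, int addr_len, int crc_len, esb_frame_t *f) {
    size_t pos = 8, crc_start = 8;
    uint32_t pre = get_bits(in, 0, 8);
    if (pre != 0xAA && pre != 0x55) return 0;
    memset(f, 0, sizeof *f);
    f->addr_len = addr_len; f->crc_len = crc_len;
    for (int i = 0; i < addr_len; i++) { f->addr[i] = (uint8_t)get_bits(in, pos, 8); pos += 8; }
    if (((f->addr[0] & 0x80) ? 0xAAu : 0x55u) != pre) return 0; /* preamble/address mismatch */
    f->payload_len = (int)get_bits(in, pos, 6); pos += 6;
    f->pid = (uint8_t)get_bits(in, pos, 2);     pos += 2;
    f->no_ack = (int)get_bits(in, pos, 1);      pos += 1;
    if (f->payload_len > 32 || pos + 8 * (size_t)f->payload_len + 8 * (size_t)crc_len > nbits) return 0;
    for (int i = 0; i < f->payload_len; i++) { f->payload[i] = (uint8_t)get_bits(in, pos, 8); pos += 8; }
    f->crc = get_bits(in, pos, 8 * crc_len);
    return esb_crc(in, crc_start, pos - crc_start, crc_len) == f->crc;
}

/* The receiver's duplicate check: same PID and same CRC as the previous
   accepted frame means a retransmission, which is dropped. */
int esb_is_retransmit(const esb_frame_t *prev, const esb_frame_t *cur) {
    return prev->pid == cur->pid && prev->crc == cur->crc;
}

int main(void) {
    esb_frame_t f; uint8_t air[ESB_MAX_BYTES]; size_t n;
    memset(&f, 0, sizeof f);
    memcpy(f.addr, "\xE7\xE7\xE7\xE7\xE7", 5); f.addr_len = 5;   /* constructed sample frame */
    memcpy(f.payload, "hello", 5); f.payload_len = 5; f.pid = 2; f.crc_len = 2;
    n = esb_build(&f, air);
    printf("%zu bits on air:", n);
    for (size_t i = 0; i < (n + 7) / 8; i++) printf(" %02X", air[i]);
    return printf("\n") < 0;
}
```

Because the 9-bit control field sits between the address and the payload, the CRC input is not byte-aligned, which is why the CRC is computed bit by bit rather than with a byte table; anything that captures raw bits from the air, a sniffer included, has to do the same before it can trust a frame's address, length and contents.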

5. How to defend

In some organizations or scenarios, wired keyloggers are installed deliberately as keystroke recording devices. Do not remove one at will, so as not to cause unnecessary misunderstanding.

For an individual, defending against a wired keylogger is both easy and hard. Easy, because the device is an external piece of hardware visible to the naked eye; hard, because it is very difficult to detect with software. A few simple defensive measures follow.

First, stay alert. Before using a desktop computer, check whether a "little tail" has been attached at the back. If checking every time is too much trouble, put the case on the desk where it is in plain view and glance at it now and then. With a laptop, a quick look at any time is enough.

Second, do not accept a keyboard from someone you do not know well, and be wary if you find that your keyboard has been opened. A circuit board may have been hidden inside that quietly steals your account names and passwords, which then become the foothold for stealing more secrets. A keyboard bought on the open market is relatively safe.

In addition, when entering sensitive information it is better to use an on-screen (soft) keyboard. That works as long as the computer's own software security is in order, though there is no defense if your screen is being recorded.

Defending against wireless keyboard eavesdropping is very simple: do not use a wireless keyboard and mouse! Especially with a desktop or laptop in the office, there is no need for a wireless keyboard. On phones and iPads, the on-screen keyboard can be used. If you must use a wireless keyboard, consider building your own converter hardware that turns a wired USB keyboard into a Bluetooth or wireless keyboard; the method is the same in principle as the wireless keylogger.

Finally, security is never absolute, but it is important not to be frightened by rumors: keep a calm attitude, stay careful, and change to strong passwords regularly.

In particular, staff who hold important account passwords of a company or government unit should raise their security awareness.

Warning: stealing other people's information is illegal. This section is for learning and reference only. Do not break the law!

In tomorrow's post we will introduce a classic case of wireless keyboard eavesdropping and hijacking, "MouseJack": MouseJack exploits flaws in some wireless mice and keyboards to impersonate a keyboard and inject arbitrary keystrokes.

This article is selected from "hardware Security * * Secrets".


© 2024 shulou.com SLNews company. All rights reserved.
