Just Mouse Jack Init

Post on 17-Feb-2017


Just (Mouse)jackin’ It
Exploring Mousejack & other nRF24x adventures

Part 1: Research & Review of Prior Work

Mousejack ... tl;dr

● https://www.bastille.net/technical-details
● Lots of wireless keyboards and mice use nRF24x chipsets
● Mice – unencrypted.
  – Inject mouse events.
    ● Blind, open-loop on-screen keyboard navigation anyone?
  – Can we glean info from tracking mouse movement?
● Keyboards – encrypted… but...
  – Some receivers accept unencrypted keystroke messages…
  – … from mice with identity crises
● Forced pairing
  – Because convenience?

Vendor Responses

o_O

Vendor Responses

“Dell has been working with Bastille Research on their latest findings regarding the vulnerabilities identified in Wireless Keyboard Mouse bundle KM632 & KM714.

Customer security is a top concern and priority for Dell and we will work with our customers directly to resolve potential vulnerabilities like this. If you are using the affected models, or question whether you are using an affected model, Dell recommends that you reach out to our Technical support contacts specific to your country as listed here.

Dell Technical Support will assist the customer in addressing the vulnerability, including identifying a suitable Dell replacement if appropriate.

In the meantime, customers can largely contain this vulnerability by activating the Operating System’s lock screen when not using the system.

Dell would like to thank ‘Bastille Research’ and those in the security community whose efforts help us protect customers through coordinated vulnerability disclosure.”

February 23rd, 2016.

Teach Me How to Dougie

● https://www.bitcraze.io/crazyradio-pa
● https://github.com/RFStorm/mousejack
  – nRF24LU1 firmware
  – Sniffing & Enumeration scripts
  – PoC Exploit code is not published
    ● Speculation: Ethical or legal dilemma for the researchers?
    ● Plenty of information in advisory and prior work slides
  – We’re big kids, we can figure things out ourselves, right? :)

Teach Me How to Dougie

● Step 1: Scan for devices

$ ./nrf24-scanner -l

[2016-06-03 01:22:28.768] 62 0 EA:EA:9C:34:07
[2016-06-03 01:22:38.107] 71 10 EA:EA:9C:34:07 00:C2:00:00:ED:CF:FF:00:00:83
[2016-06-03 01:22:38.123] 71 10 EA:EA:9C:34:07 00:C2:00:00:EB:DF:FF:00:00:75
[2016-06-03 01:22:38.148] 71 0 EA:EA:9C:34:07
[2016-06-03 01:22:38.179] 71 0 EA:EA:9C:34:07
[2016-06-03 01:22:46.561] 71 0 EA:EA:9C:34:07
[2016-06-03 01:22:46.569] 71 10 EA:EA:9C:34:07 00:C2:00:00:03:00:00:00:00:3B
[2016-06-03 01:22:54.529] 66 0 EA:EA:9C:34:07
[2016-06-03 01:23:02.646] 62 0 EA:EA:9C:34:07
[2016-06-03 01:23:02.662] 62 5 EA:EA:9C:34:07 00:40:00:6E:52
[2016-06-03 01:23:11.084] 62 0 EA:EA:9C:34:07
[2016-06-03 01:23:11.090] 62 10 EA:EA:9C:34:07 00:C2:00:00:FE:1F:00:00:00:21
[2016-06-03 01:23:11.137] 62 0 EA:EA:9C:34:07
[2016-06-03 01:23:11.145] 62 10 EA:EA:9C:34:07 00:C2:00:00:FC:4F:00:00:00:F3

Teach Me How to Dougie

● Step 2: Sniff traffic

$ ./nrf24-sniffer.py -l -a EA:EA:9C:34:07

[2016-06-03 01:24:38.249] 71 5 EA:EA:9C:34:07 00:40:00:6E:52
[2016-06-03 01:24:38.306] 71 10 EA:EA:9C:34:07 00:C2:00:00:01:F0:FF:00:00:4E
[2016-06-03 01:24:38.313] 71 10 EA:EA:9C:34:07 00:C2:00:00:01:E0:FF:00:00:5E
[2016-06-03 01:24:38.321] 71 10 EA:EA:9C:34:07 00:C2:00:00:01:E0:FF:00:00:5E
[2016-06-03 01:24:38.327] 71 10 EA:EA:9C:34:07 00:4F:00:00:6E:E0:FF:00:00:64
[2016-06-03 01:24:38.335] 71 10 EA:EA:9C:34:07 00:C2:00:00:01:00:00:00:00:3D
[2016-06-03 01:24:38.343] 71 10 EA:EA:9C:34:07 00:C2:00:00:00:F0:FF:00:00:4F
[2016-06-03 01:24:38.351] 71 10 EA:EA:9C:34:07 00:4F:00:00:6E:F0:FF:00:00:54
[2016-06-03 01:24:38.452] 71 5 EA:EA:9C:34:07 00:40:00:6E:52
[2016-06-03 01:24:38.454] 71 5 EA:EA:9C:34:07 00:40:00:6E:52
[2016-06-03 01:24:38.554] 71 5 EA:EA:9C:34:07 00:40:00:6E:52
[2016-06-03 01:24:38.656] 71 10 EA:EA:9C:34:07 00:C2:01:00:00:00:00:00:00:3D
[2016-06-03 01:24:38.664] 71 10 EA:EA:9C:34:07 00:4F:00:00:6E:00:00:00:00:43
[2016-06-03 01:24:38.672] 71 5 EA:EA:9C:34:07 00:40:00:6E:52
[2016-06-03 01:24:38.766] 71 5 EA:EA:9C:34:07 00:40:00:6E:52
[2016-06-03 01:24:38.773] 71 10 EA:EA:9C:34:07 00:C2:00:00:00:00:00:00:00:3E
[2016-06-03 01:24:38.781] 71 10 EA:EA:9C:34:07 00:4F:00:00:6E:00:00:00:00:43
[2016-06-03 01:24:38.883] 71 5 EA:EA:9C:34:07 00:40:00:6E:52

Teach Me How to Dougie

● Step 2a: Decode…
  – Active heartbeat: 00:40:00:6E:52
  – Active → Idle: 00:4F:00:04:B0:F0:FF:00:00:0E
  – Idle heartbeat: 00:40:04:B0:0C
  – Left press: 00:C2:01:00:00:00:00:00:00:3D
  – Right press: 00:C2:02:00:00:00:00:00:00:3C
  – Middle press: 00:C2:04:00:00:00:00:00:00:3A
  – Release: 00:C2:00:00:00:00:00:00:00:3E
  – Movement:
    00:C2:00:00:FE:AF:FF:00:00:92
    00:C2:00:00:FF:6F:00:00:00:D0
    00:C2:00:00:EE:0F:00:00:00:41
    00:C2:00:00:07:E0:FF:00:00:58

Teach Me How to Dougie

● Step 2a: Decode…
  – Last byte is checksum
    ● Checksum = -(sum(payload))
    – That’s a two’s complement negation, not bitwise
  – Byte two is button press mask:
    ● [0]: Left button
    ● [1]: Right button
    ● [2]: Scroll wheel button
    ● [3]: Side button (back)
    ● [4]: Side button (forward)
    ● [5]: Thumb button
  – Press sets bit, release clears it

Teach Me How to Dougie

● Step 2a: Decode…
  – Relative movement in bytes 4 through 6.
    ● Two’s complement, 12-bit values.
    ● X = sign_extend([4] | (([5] & 0x0f) << 8))
    ● Y = sign_extend((([5] & 0xf0) >> 4) | ([6] << 4))

Teach Me How to Dougie

● Demo:
  – Decode packets piped from nrf24-sniffer.py
  – Animate/plot mouse movement and button press locations using Turtle [1]. (Live or pre-recorded)

[1] https://docs.python.org/2/library/turtle.html

Teach Me How to Dougie

● Step 2b:
  – Generate or replay packets as needed to drive your coworkers insane.

# Put the radio in sniffer mode (ESB w/o auto ACKs)
common.radio.enter_sniffer_mode(address)
# Tune to the first channel in the sniffer's channel list
common.radio.set_channel(common.channels[0])
# Send one prepared report packet
common.radio.transmit_payload(payload)

Teach Me How to Dougie

● Step 3: Probe “network” - Who else is home?

$ ./nrf24-network-mapper.py -l -a EA:EA:9C:34:07

[2016-06-03 02:06:06.399] Trying address EA:EA:9C:34:00
[2016-06-03 02:06:06.510] Successful ping of EA:EA:9C:34:00 on channel 17
[2016-06-03 02:06:06.612] Successful ping of EA:EA:9C:34:00 on channel 32
[2016-06-03 02:06:06.966] Trying address EA:EA:9C:34:01
[2016-06-03 02:06:07.539] Trying address EA:EA:9C:34:02
[2016-06-03 02:06:07.754] Successful ping of EA:EA:9C:34:02 on channel 32
[2016-06-03 02:06:08.107] Trying address EA:EA:9C:34:03
[2016-06-03 02:06:08.677] Trying address EA:EA:9C:34:04
[2016-06-03 02:06:09.250] Trying address EA:EA:9C:34:05
[2016-06-03 02:06:09.823] Trying address EA:EA:9C:34:06
[2016-06-03 02:06:10.395] Trying address EA:EA:9C:34:07
[2016-06-03 02:06:10.485] Successful ping of EA:EA:9C:34:07 on channel 14
[2016-06-03 02:06:10.967] Trying address EA:EA:9C:34:08
[2016-06-03 02:06:11.540] Trying address EA:EA:9C:34:09
[2016-06-03 02:06:12.111] Trying address EA:EA:9C:34:0A

Teach Me How to Dougie

● Step 4: Go reverse engineer and exploit the target device(s)

A Mouse

● Who cares? Pointless to bother with?
  – Subtle jiggler – keep those nasty screensavers off
  – Blind, open loop attacks possible?
  – Modified firmware: Surreptitious comms & data exfiltration?

A Keyboard

● -EAGAIN
  – Have not reproduced keystroke injection yet
  – Currently distracted by nRF24 datasheets & SDK…
  – TODO: fuzzing strategy presented in the advisory:
    ● Monitor EV_KEY events from /dev/inputX node via evtest
    ● TX payload, check for event(s), verify successes, rinse and repeat

SPI programming interface

“Old news, why bother?”

● Some vendors are releasing patches
  – What subset of users will bother to apply the patch?
● Are there more opportunities for shenanigans?
  – What does the nRF24 SDK provide?
    ● i.e., what code are we likely to find that’s been copied wholesale into firmware?
  – What other devices can I find using these parts?

nRF24L01+

● Low cost, single-chip 2.4 GHz transceiver
● GFSK modulation, 1 or 2 Mbps
● “Enhanced ShockBurst”
  – Automatic packet handling (e.g., validation, ACK, retries)
  – Built-in FIFOs
  – “Multiceiver” (6 separate RX data pipes)
● SPI interface for control and data
● 2011: Promiscuous mode hack to sniff keyboard [1]
  – <3 Travis Goodspeed

[1] https://travisgoodspeed.blogspot.com/2011/02/promiscuity-is-nrf24l01s-duty.html

nRF24LU1+

● Single chip solution:
  – nRF24L01+ transceiver
  – 8051 microcontroller
    ● USB interface
    ● Flash memory
  – AES co-processor
    ● Mention of “True RNG?”

Note: nRF24LE1+ is similar, minus USB and full AES co-processor (Galois multipliers only?)

Can we abuse automagic features?

● Lots of nice features to ensure devs only see “valid” packets.
  – What assumptions will developers make that we can prove incorrect?
  – Can we control packet drop?
  – Can we bend RX state machines to our whim?
    ● Prior work on “packet in packet” attacks relevant?

Can we abuse automagic features?

● Spoof messages with PID + n, PID + (n+1)

Possible to dump firmware?
Only if protections weren’t enabled.

:(

nRF24 SDK

● Provides “Gazelle” Link Layer & examples
  – Star network with 6 nodes (Host & device roles)
  – Frequency Hopping
  – AES encryption
  – Pairing example:

I wonder if any devs said... “This pairing example works out of the box. SHIPPIT!”

nRF24 SDK

● Provides AES encryption examples
  – Supports:
    ● ECB, CBC, CFB, OFB, CTR
● RNG passes “thermal noise” through “digital corrector” to yield 8-bit readout.
  – I’ll get back to you with FIPS 140-1 test results...

nRF24 SDK: AES Lib

NRF24 SDK: hal_aes

Where’s the Beef?
Tune in next time...

● Work with & disassemble SDK examples
● Implement fuzzing scripts
● Try to dump firmware/data from devices
  – Eliminate or bound fuzzing
  – Key hunting
  – Do we see good amounts of SDK code re-use?
    ● How are the “exercises left to reader” implemented?
● Bring out your keyboards and mice.