Just Mouse Jack Init

Just (Mouse)jackin’ It Exploring Mousejack & other nRF24x adventures Part 1: Research & Review of Prior Work

Transcript of Just Mouse Jack Init

Page 1: Just Mouse Jack Init

Just (Mouse)jackin’ It
Exploring Mousejack & other nRF24x adventures

Part 1: Research & Review of Prior Work

Page 2: Just Mouse Jack Init

Mousejack ... tl;dr

● https://www.bastille.net/technical-details
● Lots of wireless keyboards and mice use nRF24x chipsets
● Mice – unencrypted.
– Inject mouse events.
● Blind, open-loop on-screen keyboard navigation anyone?
– Can we glean info from tracking mouse movement?
● Keyboards – encrypted… but...
– Some receivers accept unencrypted keystroke messages…
– … from mice with identity crises
● Forced pairing
– Because convenience?

Page 3: Just Mouse Jack Init

Vendor Responses

o_O

Page 4: Just Mouse Jack Init

Vendor Responses

“Dell has been working with Bastille Research on their latest findings regarding the vulnerabilities identified in Wireless Keyboard Mouse bundle KM632 & KM714.

Customer security is a top concern and priority for Dell and we will work with our customers directly to resolve potential vulnerabilities like this. If you are using the affected models, or question whether you are using an affected model, Dell recommends that you reach out to our Technical support contacts specific to your country as listed here.

Dell Technical Support will assist the customer in addressing the vulnerability, including identifying a suitable Dell replacement if appropriate.

In the meantime, customers can largely contain this vulnerability by activating the Operating System’s lock screen when not using the system.

Dell would like to thank ‘Bastille Research’ and those in the security community whose efforts help us protect customers through coordinated vulnerability disclosure.”

February 23rd, 2016.

Page 5: Just Mouse Jack Init

Teach Me How to Dougie

● https://www.bitcraze.io/crazyradio-pa

● https://github.com/RFStorm/mousejack
– nRF24LU1 firmware
– Sniffing & Enumeration scripts
– PoC Exploit code is not published
● Speculation: Ethical or legal dilemma for the researchers?
● Plenty of information in advisory and prior work slides
– We’re big kids, we can figure things out ourselves, right? :)

Page 6: Just Mouse Jack Init

Teach Me How to Dougie

● Step 1: Scan for devices

$ ./nrf24-scanner -l

[2016-06-03 01:22:28.768] 62 0 EA:EA:9C:34:07
[2016-06-03 01:22:38.107] 71 10 EA:EA:9C:34:07 00:C2:00:00:ED:CF:FF:00:00:83
[2016-06-03 01:22:38.123] 71 10 EA:EA:9C:34:07 00:C2:00:00:EB:DF:FF:00:00:75
[2016-06-03 01:22:38.148] 71 0 EA:EA:9C:34:07
[2016-06-03 01:22:38.179] 71 0 EA:EA:9C:34:07
[2016-06-03 01:22:46.561] 71 0 EA:EA:9C:34:07
[2016-06-03 01:22:46.569] 71 10 EA:EA:9C:34:07 00:C2:00:00:03:00:00:00:00:3B
[2016-06-03 01:22:54.529] 66 0 EA:EA:9C:34:07
[2016-06-03 01:23:02.646] 62 0 EA:EA:9C:34:07
[2016-06-03 01:23:02.662] 62 5 EA:EA:9C:34:07 00:40:00:6E:52
[2016-06-03 01:23:11.084] 62 0 EA:EA:9C:34:07
[2016-06-03 01:23:11.090] 62 10 EA:EA:9C:34:07 00:C2:00:00:FE:1F:00:00:00:21
[2016-06-03 01:23:11.137] 62 0 EA:EA:9C:34:07
[2016-06-03 01:23:11.145] 62 10 EA:EA:9C:34:07 00:C2:00:00:FC:4F:00:00:00:F3

Page 7: Just Mouse Jack Init

Teach Me How to Dougie

● Step 2: Sniff traffic

$ ./nrf24-sniffer.py -l -a EA:EA:9C:34:07

[2016-06-03 01:24:38.249] 71 5 EA:EA:9C:34:07 00:40:00:6E:52
[2016-06-03 01:24:38.306] 71 10 EA:EA:9C:34:07 00:C2:00:00:01:F0:FF:00:00:4E
[2016-06-03 01:24:38.313] 71 10 EA:EA:9C:34:07 00:C2:00:00:01:E0:FF:00:00:5E
[2016-06-03 01:24:38.321] 71 10 EA:EA:9C:34:07 00:C2:00:00:01:E0:FF:00:00:5E
[2016-06-03 01:24:38.327] 71 10 EA:EA:9C:34:07 00:4F:00:00:6E:E0:FF:00:00:64
[2016-06-03 01:24:38.335] 71 10 EA:EA:9C:34:07 00:C2:00:00:01:00:00:00:00:3D
[2016-06-03 01:24:38.343] 71 10 EA:EA:9C:34:07 00:C2:00:00:00:F0:FF:00:00:4F
[2016-06-03 01:24:38.351] 71 10 EA:EA:9C:34:07 00:4F:00:00:6E:F0:FF:00:00:54
[2016-06-03 01:24:38.452] 71 5 EA:EA:9C:34:07 00:40:00:6E:52
[2016-06-03 01:24:38.454] 71 5 EA:EA:9C:34:07 00:40:00:6E:52
[2016-06-03 01:24:38.554] 71 5 EA:EA:9C:34:07 00:40:00:6E:52
[2016-06-03 01:24:38.656] 71 10 EA:EA:9C:34:07 00:C2:01:00:00:00:00:00:00:3D
[2016-06-03 01:24:38.664] 71 10 EA:EA:9C:34:07 00:4F:00:00:6E:00:00:00:00:43
[2016-06-03 01:24:38.672] 71 5 EA:EA:9C:34:07 00:40:00:6E:52
[2016-06-03 01:24:38.766] 71 5 EA:EA:9C:34:07 00:40:00:6E:52
[2016-06-03 01:24:38.773] 71 10 EA:EA:9C:34:07 00:C2:00:00:00:00:00:00:00:3E
[2016-06-03 01:24:38.781] 71 10 EA:EA:9C:34:07 00:4F:00:00:6E:00:00:00:00:43
[2016-06-03 01:24:38.883] 71 5 EA:EA:9C:34:07 00:40:00:6E:52

Page 8: Just Mouse Jack Init

Teach Me How to Dougie

● Step 2a: Decode…
– Active heartbeat: 00:40:00:6E:52
– Active → Idle: 00:4F:00:04:B0:F0:FF:00:00:0E
– Idle heartbeat: 00:40:04:B0:0C
– Left press: 00:C2:01:00:00:00:00:00:00:3D
– Right press: 00:C2:02:00:00:00:00:00:00:3C
– Middle press: 00:C2:04:00:00:00:00:00:00:3A
– Release: 00:C2:00:00:00:00:00:00:00:3E
– Movement:
00:C2:00:00:FE:AF:FF:00:00:92
00:C2:00:00:FF:6F:00:00:00:D0
00:C2:00:00:EE:0F:00:00:00:41
00:C2:00:00:07:E0:FF:00:00:58

Page 9: Just Mouse Jack Init

Teach Me How to Dougie

● Step 2a: Decode…
– Last byte is checksum
● Checksum = -(sum(payload))
– That’s a two’s complement negation, not bitwise
– Byte two is button press mask:
● [0]: Left button
● [1]: Right button
● [2]: Scroll wheel button
● [3]: Side button (back)
● [4]: Side button (forward)
● [5]: Thumb button
– Press sets bit, release clears it

Page 10: Just Mouse Jack Init

Teach Me How to Dougie

● Step 2a: Decode…
– Relative movement in bytes 4 through 6.
● Two’s complement, 12-bit value.
● X = sign_extend([4] | (([5] & 0x0f) << 8))
● Y = sign_extend((([5] & 0xf0) >> 4) | ([6] << 4))
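The decode rules from step 2a, pulled together into a small parser as an added worked example (my code, not from the slides and not part of the mousejack project). It reads the `nrf24-sniffer.py` log format shown above, verifies the trailing checksum, then extracts the button mask and the signed 12-bit X/Y deltas. The sample lines are copied from the captures on the slides; the `MouseEvent` field names, treating payload byte 1 as the packet type, and the handling of the 0x4F packet are my assumptions.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# One line of nrf24-scanner / nrf24-sniffer.py output as shown on the slides:
#   [timestamp] <channel> <payload length> <address> [<payload bytes>]
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\]\s+(?P<chan>\d+)\s+(?P<plen>\d+)\s+"
    r"(?P<addr>(?:[0-9A-Fa-f]{2}:){4}[0-9A-Fa-f]{2})"
    r"(?:\s+(?P<payload>(?:[0-9A-Fa-f]{2}:)*[0-9A-Fa-f]{2}))?\s*$"
)

# Bit positions of the button mask in payload byte 2 (from the "Decode" slide).
BUTTONS = ("left", "right", "wheel", "side_back", "side_forward", "thumb")


def hexbytes(s: str) -> bytes:
    """'00:C2:01' -> the three bytes 00 C2 01."""
    return bytes.fromhex(s.replace(":", ""))


def checksum(body: bytes) -> int:
    """Trailing byte: two's complement negation (mod 256) of the sum of the bytes before it."""
    return (-sum(body)) & 0xFF


def sign_extend_12(v: int) -> int:
    """Interpret the low 12 bits of v as a signed two's complement value."""
    v &= 0xFFF
    return v - 0x1000 if v & 0x800 else v


@dataclass
class MouseEvent:
    kind: str                 # heartbeat / active_to_idle / report / unknown / corrupt
    buttons: Tuple[str, ...]  # names of the buttons whose bit is set in the mask
    dx: int                   # relative X, signed 12-bit
    dy: int                   # relative Y, signed 12-bit


def decode(payload: bytes) -> MouseEvent:
    """Check the checksum, then decode one payload using the rules from the slides."""
    if len(payload) < 2:
        raise ValueError("payload too short")
    if checksum(payload[:-1]) != payload[-1]:
        raise ValueError("checksum mismatch in %s" % payload.hex(":"))
    ptype = payload[1]  # assumption: byte 1 identifies the packet type
    if ptype == 0x40:
        return MouseEvent("heartbeat", (), 0, 0)
    if ptype == 0x4F:
        # Type byte of the packet the slides label "Active -> Idle".
        return MouseEvent("active_to_idle", (), 0, 0)
    if ptype == 0xC2 and len(payload) == 10:
        mask = payload[2]
        pressed = tuple(name for bit, name in enumerate(BUTTONS) if mask & (1 << bit))
        # X: byte 4, plus the low nibble of byte 5 as bits 8..11
        dx = sign_extend_12(payload[4] | ((payload[5] & 0x0F) << 8))
        # Y: high nibble of byte 5 as bits 0..3, byte 6 as bits 4..11 (the parentheses matter)
        dy = sign_extend_12(((payload[5] & 0xF0) >> 4) | (payload[6] << 4))
        return MouseEvent("report", pressed, dx, dy)
    return MouseEvent("unknown", (), 0, 0)


def parse_line(line: str) -> Optional[Tuple[str, int, str, bytes]]:
    """Return (timestamp, channel, address, payload), or None if the line is not sniffer output."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    payload = hexbytes(m["payload"]) if m["payload"] else b""
    if len(payload) != int(m["plen"]):  # length field disagrees with the bytes shown
        return None
    return m["ts"], int(m["chan"]), m["addr"], payload


def decode_log(text: str) -> List[Tuple[str, str, MouseEvent]]:
    """Turn sniffer output into (timestamp, address, event) tuples, flagging corrupt payloads."""
    events = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None or not rec[3]:  # skip non-matching and zero-length (address-only) entries
            continue
        ts, _chan, addr, payload = rec
        try:
            ev = decode(payload)
        except ValueError:
            ev = MouseEvent("corrupt", (), 0, 0)  # RF noise or a truncated capture
        events.append((ts, addr, ev))
    return events


# Lines copied from the captures on the slides; the first is a zero-length scanner entry.
SAMPLE_LOG = """\
[2016-06-03 01:22:28.768] 62 0 EA:EA:9C:34:07
[2016-06-03 01:24:38.249] 71 5 EA:EA:9C:34:07 00:40:00:6E:52
[2016-06-03 01:24:38.306] 71 10 EA:EA:9C:34:07 00:C2:00:00:01:F0:FF:00:00:4E
[2016-06-03 01:24:38.327] 71 10 EA:EA:9C:34:07 00:4F:00:00:6E:E0:FF:00:00:64
[2016-06-03 01:24:38.656] 71 10 EA:EA:9C:34:07 00:C2:01:00:00:00:00:00:00:3D
[2016-06-03 01:24:38.773] 71 10 EA:EA:9C:34:07 00:C2:00:00:00:00:00:00:00:3E
"""

if __name__ == "__main__":
    for ts, addr, ev in decode_log(SAMPLE_LOG):
        print(ts, addr, ev)
```

Piping live sniffer output through `decode_log` gives the same event stream the Turtle demo animates; the checksum check is what separates a real packet from the junk a promiscuous-mode radio also hands you.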

Page 11: Just Mouse Jack Init

Teach Me How to Dougie

● Demo:
– Decode packets piped from nrf24-sniffer.py
– Animate/plot mouse movement and button press locations using Turtle [1]. (Live or pre-recorded)

[1] https://docs.python.org/2/library/turtle.html

Page 12: Just Mouse Jack Init

Teach Me How to Dougie

● Step 2b:
– Generate or replay packets as needed to drive your coworkers insane.

# Put the radio in sniffer mode (ESB w/o auto ACKs)
common.radio.enter_sniffer_mode(address)
common.radio.set_channel(common.channels[0])
common.radio.transmit_payload(payload)

Page 13: Just Mouse Jack Init

Teach Me How to Dougie

● Step 3: Probe “network” - Who else is home?

$ ./nrf24-network-mapper.py -l -a EA:EA:9C:34:07
[2016-06-03 02:06:06.399] Trying address EA:EA:9C:34:00
[2016-06-03 02:06:06.510] Successful ping of EA:EA:9C:34:00 on channel 17
[2016-06-03 02:06:06.612] Successful ping of EA:EA:9C:34:00 on channel 32
[2016-06-03 02:06:06.966] Trying address EA:EA:9C:34:01
[2016-06-03 02:06:07.539] Trying address EA:EA:9C:34:02
[2016-06-03 02:06:07.754] Successful ping of EA:EA:9C:34:02 on channel 32
[2016-06-03 02:06:08.107] Trying address EA:EA:9C:34:03
[2016-06-03 02:06:08.677] Trying address EA:EA:9C:34:04
[2016-06-03 02:06:09.250] Trying address EA:EA:9C:34:05
[2016-06-03 02:06:09.823] Trying address EA:EA:9C:34:06
[2016-06-03 02:06:10.395] Trying address EA:EA:9C:34:07
[2016-06-03 02:06:10.485] Successful ping of EA:EA:9C:34:07 on channel 14
[2016-06-03 02:06:10.967] Trying address EA:EA:9C:34:08
[2016-06-03 02:06:11.540] Trying address EA:EA:9C:34:09
[2016-06-03 02:06:12.111] Trying address EA:EA:9C:34:0A

Page 14: Just Mouse Jack Init

Teach Me How to Dougie

● Step 4: Go reverse engineer and exploit the target device(s)

Page 15: Just Mouse Jack Init

A Mouse

● Who cares? Pointless to bother with?
– Subtle jiggler – keep those nasty screensavers off
– Blind, open loop attacks possible?
– Modified firmware: Surreptitious comms & data exfiltration?

Page 16: Just Mouse Jack Init

A Keyboard

● -EAGAIN
– Have not reproduced keystroke injection yet
– Currently distracted by nRF24 datasheets & SDK…
– TODO: fuzzing strategy presented in the advisory:
● Monitor EV_KEY events from /dev/inputX node via evtest
● TX payload, check for event(s), verify successes, rinse and repeat

SPI programming interface

Page 17: Just Mouse Jack Init

“Old news, why bother?”

● Some vendors are releasing patches
– What subset of users will bother to apply patch?
● Are there more opportunities for shenanigans?
– What does the nRF24 SDK provide?
● i.e., what code are we likely to find that’s been copied wholesale into firmware?
– What other devices can I find using these parts?

Page 18: Just Mouse Jack Init

nRF24L01+

● Low cost, single-chip 2.4 GHz transceiver
● GFSK modulation, 1 or 2 Mbps
● “Enhanced ShockBurst”
– Automatic packet handling (e.g., validation, ACK, retries)
– Built-in FIFOs
– “Multiceiver” (6 separate RX data pipes)
● SPI interface for control and data
● 2011: Promiscuous mode hack to sniff keyboard [1]
– <3 Travis Goodspeed

[1] https://travisgoodspeed.blogspot.com/2011/02/promiscuity-is-nrf24l01s-duty.html

Page 19: Just Mouse Jack Init

nRF24LU1+

● Single chip solution:
– nRF24L01+ transceiver
– 8051 microcontroller
● USB interface
● Flash memory
– AES co-processor
● Mention of “True RNG?”

Note: nRF24LE1+ is similar, minus USB and full AES co-processor (Galois multipliers only?)

Page 20: Just Mouse Jack Init

Can we abuse automagic features?

● Lots of nice features to ensure devs only see “valid” packets.
– What assumptions will developers make that we can prove incorrect?
– Can we control packet drop?
– Can we bend RX state machines to our whim?
● Prior work on “packet in packet” attacks relevant?

Page 21: Just Mouse Jack Init

Can we abuse automagic features?

● Spoof messages with PID + n, PID + (n+1)

Page 22: Just Mouse Jack Init

Possible to dump firmware?
Only if protections weren’t enabled.

Page 23: Just Mouse Jack Init

Possible to dump firmware?
Only if protections weren’t enabled.

:(

Page 24: Just Mouse Jack Init

nRF24 SDK

● Provides “Gazelle” Link Layer & examples
– Star network with 6 nodes (Host & device roles)
– Frequency Hopping
– AES encryption
– Pairing example:

I wonder if any devs said... “This pairing example works out of the box. SHIPPIT!”

Page 25: Just Mouse Jack Init

nRF24 SDK

● Provides AES encryption examples
– Supports:
● ECB, CBC, CFB, OFB, CTR
● RNG passes “thermal noise” through “digital corrector” to yield 8-bit readout.
– I’ll get back to you with FIPS 140-1 test results...
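The slide defers the FIPS 140-1 results, so here, as an added example (my code, not the nRF24 SDK's and not from the slides), is a self-contained implementation of the four FIPS 140-1 power-up statistical tests (monobit, poker, runs, long run) over one 20,000-bit sample, which is what you would run over a dump of the chip's 8-bit RNG readouts to get those results. The acceptance intervals are the FIPS 140-1 ones (the later 140-2 revision tightened them). The inputs below are constructed: a stuck 0x55 readout to show a failing source, and `os.urandom` as a reference; neither is data from a device.

```python
import os
from collections import Counter
from typing import Dict, List, Tuple

N_BITS = 20000  # FIPS 140-1 runs all four tests over a single 20,000-bit sample

# Acceptance intervals from FIPS 140-1 section 4.11.1.
MONOBIT_RANGE = (9654, 10346)          # exclusive bounds on the number of ones
POKER_RANGE = (1.03, 57.4)             # exclusive bounds on the poker statistic
RUN_RANGES = {1: (2267, 2733), 2: (1079, 1421), 3: (502, 748),
              4: (223, 402), 5: (90, 223), 6: (90, 223)}  # key 6 means "6 or longer"
LONG_RUN = 34                          # any run this long or longer fails


def to_bits(data: bytes) -> List[int]:
    """MSB-first bit list of the first 20,000 bits of data."""
    bits = [(b >> i) & 1 for b in data for i in range(7, -1, -1)]
    if len(bits) < N_BITS:
        raise ValueError("need at least %d bytes of readout" % (N_BITS // 8))
    return bits[:N_BITS]


def monobit(bits: List[int]) -> Tuple[bool, int]:
    ones = sum(bits)
    return MONOBIT_RANGE[0] < ones < MONOBIT_RANGE[1], ones


def poker(bits: List[int]) -> Tuple[bool, float]:
    """Chi-square style statistic over the 5000 non-overlapping 4-bit segments."""
    counts = Counter(bits[i] << 3 | bits[i + 1] << 2 | bits[i + 2] << 1 | bits[i + 3]
                     for i in range(0, N_BITS, 4))
    x = 16 * sum(c * c for c in counts.values()) / 5000 - 5000
    return POKER_RANGE[0] < x < POKER_RANGE[1], x


def runs(bits: List[int]) -> Tuple[bool, Dict[int, Counter], int]:
    """Count runs of each length for zeros and ones separately; also return the longest run."""
    per_value = {0: Counter(), 1: Counter()}
    longest = 0
    i = 0
    while i < N_BITS:
        j = i
        while j < N_BITS and bits[j] == bits[i]:
            j += 1
        length = j - i
        longest = max(longest, length)
        per_value[bits[i]][min(length, 6)] += 1
        i = j
    ok = all(lo <= per_value[v][k] <= hi
             for v in (0, 1) for k, (lo, hi) in RUN_RANGES.items())
    return ok, per_value, longest


def fips140_1(data: bytes) -> Dict[str, object]:
    """Run all four tests and report per-test verdicts plus the statistics behind them."""
    bits = to_bits(data)
    m_ok, ones = monobit(bits)
    p_ok, px = poker(bits)
    r_ok, _, longest = runs(bits)
    l_ok = longest < LONG_RUN
    return {"monobit": m_ok, "ones": ones, "poker": p_ok, "poker_x": px,
            "runs": r_ok, "long_run": l_ok, "longest_run": longest,
            "pass": m_ok and p_ok and r_ok and l_ok}


if __name__ == "__main__":
    # Constructed inputs: a corrector stuck on 0x55 and an OS CSPRNG reference.
    stuck_readout = bytes([0x55]) * (N_BITS // 8)
    reference = os.urandom(N_BITS // 8)
    print("stuck 0x55 readout:", fips140_1(stuck_readout))
    print("os.urandom reference:", fips140_1(reference))
```

Each test is calibrated so a good source fails it with probability around one in a million, so a single failing verdict on a real readout is worth a second sample, while a pattern like the stuck readout (perfect monobit, absurd poker statistic, every run of length one) is the signature of a broken corrector rather than bad luck.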

Page 26: Just Mouse Jack Init

nRF24 SDK: AES Lib

Page 27: Just Mouse Jack Init

NRF24 SDK: hal_aes

Page 28: Just Mouse Jack Init

Where’s the Beef?
Tune in next time...

● Work with & disassemble SDK examples
● Implement fuzzing scripts
● Try to dump firmware/data from devices
– Eliminate or bound fuzzing
– Key hunting
– Do we see good amounts of SDK code re-use?
● How are the “exercises left to reader” implemented?

● Bring out your keyboards and mice.