About the dangers of wireless keyboards and mice

Image: home thods , flickr

Computer mice and keyboards with a radio interface and a USB transceiver cost a little more than ordinary wired models and are popular. But such devices are not protected from hacking: you can assemble a set for an attack for as little as 300 rubles, and it can be fought from a distance of up to 1 km.
')
We tested the security of Logitech, A4Tech, and Microsoft devices. In the course of the tests, we were able to intercept data transmitted by keyboards and mice, decrypt traffic and implement a number of other attacks. The discovered vulnerabilities can lead to leakage of passwords, payment details, personal data and other important information.

"Standard" problems

Currently, there is no standard regulating the security of wireless input devices operating at 2.4 GHz (not to be confused with Wi-Fi). And because protection issues remain entirely on the conscience of manufacturers. In some models, when connecting mice to a transceiver (transceiver), neither authentication mechanisms nor encryption are used, which allows you to pass your device to someone else's mouse and take control of the cursor.

Keyboards with a radio interface, unlike mice, as a rule, encrypt the signal. But this does not always help. First, unencrypted mouse commands can be used to emulate keyboard input — thanks to protocol unification. This method, called MouseJack, was shown by Bastille Networks in February 2016. Secondly, a number of transceivers allow you to connect more than one device to one dongle: an attacker can use a convenient option, which allows not to occupy extra USB-connectors, and add your wireless keyboard to a legitimate mouse. Finally, in some keyboard models, data is transmitted in the clear.

Attack scripts

Listening to the air . Interception of keystrokes of the keyboard, which does not encrypt traffic, threatens to leak usernames and passwords, PIN codes of cards for online payment, personal correspondence. Encryption keyboards can also be compromised if you know how cryptography works in a particular model.

Falsification of the sender . Instead of a legitimate user, you can send a command to press the keys of the mouse or keyboard, using the fact that the transceiver does not check the received data packet with the type of the transmitting device. Thus you can:

• open the console, enter commands to delete the entire contents of the computer, restart the computer, etc .;
• launch a browser, enter the address of the infected site, follow the infected link, download a virus to your computer.

Disabling equipment . A variation of MouseJack attack. The attack at first glance is relatively harmless. However, the mouse and keyboard can be installed, for example, as a security console or used to work with some critical systems.

Attack methods

Interception via NRF24 . This method does not require serious financial investments and knowledge in the field of radio communications. In fact, the attack requires the Arduino hardware platform, the NRF24 chip and a laptop.

Peripherals Logitech, A4Tech, Microsoft most often use NRF24 chips with a frequency of 2.4 GHz, and therefore - to intercept and clone traffic you need a transceiver with a similar chip. In our case, the nRF24L01 + chip was used, which cost 60 rubles in conjunction with Arduino or Raspberry microcontrollers. There are many clones of nRF24L01 + that can be bought even cheaper ( sigrok.org/wiki/Protocol_decoder:Nrf24l01 ). Completely the decision will cost about 300 rubles.

Interception via SDR . During the last year's MouseJack study, Bastille Networks specialists scanned the air using the NRF24 chip. Positive Technologies experts were able to reproduce the attacks with device tampering and wiretap using both the NRF24 module and the SDR transceiver. The latter method allows you to eliminate messing with wires, programming Arduino; all you need to do is plug the SDR into USB and run the scanner. The downside is that the device is quite expensive: for example, HackRF One with delivery to Russia costs about $ 380.

The results of our tests

For our tests, we wrote a universal software scanner for SDR and NRF24 ( github.com/chopengauer/nrf_analyze ), which allows you to listen to the broadcast, find and with a high degree of probability identify potentially vulnerable devices, which in turn allows you to either intercept data (sniff), or imitate keyboard presses and mouse clicks, that is, replace input data (spoof).

The attacker may be, for example, in a car near a business center or in the courtyard of an apartment building. The distance listening to traffic can reach 100 meters, and with the use of directional antennas and amplifiers is still increased. If the goal is to substitute data and perform a MouseJack attack, then the attack radius increases to 0.5-1 km.

The following results were achieved in our tests:

• Microsoft (keyboard and mouse) - it turned out to listen and emulate, substitute and send commands, as well as carry out a MouseJack attack;
• A4Tech (mouse) - managed to replace the mouse and go to sites;
• Logitech (keyboard and mouse) - managed to disable them.

How to protect yourself

Most USB transceivers can not upgrade the firmware, so it is impossible to eliminate the vulnerabilities. Whether your device is vulnerable, you can check on mousejack.com. If hacking methods are not published for some devices, this does not mean that they do not exist.
The main advice is not to use wireless keyboards and mice to enter confidential data (important passwords, logins, card data). This is especially true of public places.

Authors : Arthur Garipov, Pavel Novikov