Ralph Meier
Flipper Zero ideal for Attacks via utilised Wireless Peripherals
The use of wireless keyboards brings an increased attack surface, and depending on the system there are publicly known vulnerabilities; for example, Logitech Unify technology is affected by CVE-2019-13055. That issue involves recording the AES key material when a Logitech Unify device is first paired with a Unify adapter and then decrypting the subsequently typed characters.
MouseJack is a collection of vulnerabilities involving keystroke injection and encryption bypassing. Officially, MouseJack is listed as CVE-2016-10761. A wide range of wireless keyboards and mice that communicate on the 2.4 GHz band are affected; peripherals that communicate exclusively via Bluetooth are not. The root cause, however, is not primarily the radio frequency used but the chip in the receiver that is connected to the computer. The vulnerabilities were discovered by the company Bastille in 2016; on its website Bastille also lists affected devices together with manufacturer statements and, where available, a fix. However, patching an affected device is not exactly easy.
Each manufacturer is responsible for communication and the security used for pairing and transmission. When moving the mouse or typing, the movements or keystrokes made are transmitted to the wireless receiver on the computer by means of packets, although the exact implementation depends on the manufacturer. Normally, the user’s inputs are transmitted in encrypted form. The key is defined during the initial pairing between the input device and the wireless receiver. Encrypted transmission prevents the simple interception of unauthorised input.
The tested Unify adapters that were affected by the MouseJack vulnerabilities described above were delivered already paired, but could also be paired with new mice or keyboards on their own. In these tests it made no difference whether the Unify adapter was paired exclusively with a mouse, a keyboard or both. This suggests that when only a mouse is paired, the adapter does not check whether the commands it receives are in fact limited to mouse movements and mouse button presses. Consequently, unintended keystrokes can be delivered to the target system even when only a wireless mouse is in use.
When Bastille originally discovered the MouseJack vulnerabilities, it noted that most manufacturers encrypt the keystrokes, but that the Unify adapters do not verify that all received user input is actually encrypted, so unencrypted input is accepted as well. This simplifies matters enormously for attackers: they do not need to worry about the key in use and only require the exact address of the Unify adapter to send their payload. Pairing between the attacker's device and the Unify adapter is not necessary either.
Since a Flipper Zero was used in the video that inspired this article, the aim was to recreate this attack. However, the actual attack is carried out by the NRF24L01+ wireless radio module; the Flipper Zero merely controls it.
The test setup was a Windows notebook with a Logitech Unify adapter and a Logitech M525 mouse and later a Logitech K800 keyboard. To carry out the attack, a Flipper Zero with a NRF24L01+ wireless radio module connected via GPIO pins was used. The firmware used on the Flipper Zero was a fork of the Flipper firmware from RogueMaster, because the necessary scripts for operating the NRF24L01+ wireless radio module via the GPIO pins are already available.
The wiring between the Flipper Zero and the NRF24L01+ wireless radio module followed the linked scheme. After wiring, the setup looked as shown in the image.
After connecting via the GPIO pins, the address of the Unify adapter can be determined with the NRF24 Sniffer script and then targeted with the NRF24 MouseJack script. The MouseJack script asks for a ducky script as payload at start; this script is executed and its keystrokes are sent unencrypted to the Unify adapter.
For example, the following ducky script can be used:
DELAY 1000
GUI r
DELAY 500
STRING http:\\www.scip.ch
DELAY 500
ENTER
Ducky Scripts are explained in more detail in the article Attacks via Peripheral Devices.
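As an added example, not code from the article or from the Flipper firmware, here is a small Python interpreter for the Ducky script dialect used above: it turns the script into the ordered list of key events a receiver would see and summarises them, which is what an analyst wants when triaging a captured payload. The supported command set and the Event type are my own simplification (DELAY, STRING, modifier chords such as GUI r, and a few named keys).

```python
from dataclasses import dataclass

# Constructed sample: the ducky script quoted above (raw string keeps the URL's backslashes).
SAMPLE_SCRIPT = r"""
DELAY 1000
GUI r
DELAY 500
STRING http:\\www.scip.ch
DELAY 500
ENTER
"""

MODIFIERS = {"GUI", "WINDOWS", "CTRL", "CONTROL", "ALT", "SHIFT"}
SPECIAL_KEYS = {"ENTER", "TAB", "ESC", "ESCAPE", "SPACE", "UP", "DOWN", "LEFT", "RIGHT", "DELETE"}

@dataclass(frozen=True)
class Event:
    kind: str    # "delay", "keystroke" (one key chord) or "text" (typed verbatim)
    value: str   # chord such as "GUI+r", the typed text, or the delay as text
    ms: int = 0  # pause length for "delay" events, 0 otherwise

def parse_ducky(script: str) -> list[Event]:
    """Translate a ducky script into the ordered list of input events it would inject."""
    events: list[Event] = []
    for lineno, raw in enumerate(script.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("REM"):
            continue  # blank lines and comments inject nothing
        cmd, _, arg = line.partition(" ")
        cmd = cmd.upper()
        if cmd == "DELAY":
            if not arg.isdigit():
                raise ValueError(f"line {lineno}: DELAY needs an integer, got {arg!r}")
            events.append(Event("delay", arg, int(arg)))
        elif cmd == "STRING":
            events.append(Event("text", arg))  # everything after STRING is typed as-is
        elif cmd in MODIFIERS:
            events.append(Event("keystroke", "+".join([cmd] + arg.split())))  # chord: modifier held, key pressed
        elif cmd in SPECIAL_KEYS:
            events.append(Event("keystroke", cmd))
        else:
            raise ValueError(f"line {lineno}: unsupported command {cmd!r}")
    return events

def summarize(events: list[Event]) -> tuple[int, int, str]:
    """Return (total delay in ms, number of injected key presses, all typed text)."""
    total_ms = sum(e.ms for e in events if e.kind == "delay")
    presses = sum(1 if e.kind == "keystroke" else len(e.value) for e in events if e.kind != "delay")
    typed = "".join(e.value for e in events if e.kind == "text")
    return total_ms, presses, typed
```

For the script above, summarize() reports two seconds of deliberate delay and twenty key presses, with the typed URL recovered verbatim.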
The small size of the Flipper Zero makes it much easier to attack wireless peripherals, the computers they are connected to, or other targets that require a certain physical proximity. The Flipper Zero fits easily into a jacket pocket or shoulder bag, even with an additional module such as the wireless radio module shown above. This makes it much more inconspicuous in an attack that relies on physical proximity. In an open-plan office where several people use wireless peripherals affected by the MouseJack vulnerabilities, the probability of an inconspicuous, successful attack is very high.
Wireless devices have a larger attack surface and should therefore always be run with current firmware; in sensitive areas a wired keyboard and mouse should be preferred for continuous operation. At the time of writing, the MouseJack vulnerabilities are already more than seven years old, yet they are still present and exploitable when testing devices in one's own environment, and new devices with a vulnerable Logitech Unify adapter are still being sold. The Flipper Zero's small form factor, its support for a variety of radio frequencies and its easy expandability via GPIO pins make it perfectly suited for attacks on wireless targets that require physical proximity to the target device.