Flipper Zero - Attack on the use of Wireless Peripherals

by Ralph Meier
on February 23, 2023
time to read: 7 minutes

Keypoints

Flipper Zero ideal for Attacks via utilised Wireless Peripherals

  • Wireless peripherals bring convenience as well as an increased attack surface
  • Manufacturers of peripherals operating in the 2.4 GHz band use proprietary packets and protocols and are themselves responsible for secure transmission
  • MouseJack is a collection of vulnerabilities for wireless mice and keyboards that can still be found in a large number of products in use even after seven years
  • Flipper Zero is well suited for attacks with necessary physical proximity to attack a desired target by radio

This article is about a practical example of how a computer can be attacked by connected wireless peripherals such as mice or keyboards, using Logitech Unify technology as an example of wireless peripherals. For a basic understanding and to get an overview of the different modules and functions of the Flipper Zero, the article Flipper Zero – What can the little Hacking Tamagotchi do should be read first. The inspiration to address the issue of attacking computers through the use of wireless peripherals came from a video.

The use of wireless keyboards brings an increased attack surface, and depending on the system there are publicly known vulnerabilities. Logitech Unify technology, for example, is affected by the vulnerability CVE-2019-13055: this issue concerns recording the AES key material when a Logitech Unify device is first paired with a Unify adapter and then decrypting the subsequently typed characters.

MouseJack

MouseJack is a collection of vulnerabilities involving keystroke injection and encryption bypassing. Officially, MouseJack is listed as CVE-2016-10761. A wide range of wireless keyboards and mice that communicate over the 2.4 GHz frequency are affected. Peripherals that communicate exclusively via Bluetooth are excluded. However, the deciding factor is not primarily the radio frequency used, but the chip in the receiver that is connected to the computer. The vulnerability was discovered by the company Bastille in 2016; on their website they also list affected devices together with manufacturer statements and, where possible, a fix for the vulnerability. However, patching the affected device is not exactly easy.

How it works

Each manufacturer is responsible for the communication and for the security used for pairing and transmission. When the mouse is moved or keys are typed, the movements or keystrokes are transmitted to the wireless receiver on the computer in packets, although the exact implementation depends on the manufacturer. Normally, the user’s inputs are transmitted in encrypted form. The key is defined during the initial pairing between the input device and the wireless receiver. Encrypted transmission prevents the input from simply being intercepted by unauthorised parties.

Injecting Keystrokes

The tested Unify adapters that were affected by the above-mentioned MouseJack vulnerability were initially delivered paired, but could be connected to new mice or keyboards independently. It also made no difference whether the Unify adapter was paired exclusively with a mouse, a keyboard or both. This suggests that when only a mouse is used, the adapter does not check whether the commands received are exclusively mouse movements or mouse button presses. Therefore, it is also possible to inject unintended keystrokes into the target system when only a wireless mouse is in use.

When Bastille originally discovered the MouseJack vulnerabilities, it was noted that most manufacturers encrypt the keystrokes made, but the Unify adapters do not verify that all user input received is encrypted. Unencrypted input is therefore accepted as well. This simplifies the process enormously for attackers, as they do not have to worry about the key used, but only need the exact Unify adapter address to send the desired payload. Pairing between the attacker’s device and the Unify adapter is not necessary either.
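The two preceding paragraphs describe a receiver that passes on any report from a known slot, plaintext or not, regardless of which device type was paired. The following model is an added example, not the article's code and not Logitech's firmware; the packet fields, the slot numbering and the two acceptance policies are assumptions made to illustrate the missing checks next to the checks a hardened receiver would make.

```python
# Added toy model (not Logitech's firmware): a wireless receiver with a
# MouseJack-style acceptance policy next to a hardened one.
from dataclasses import dataclass, field

MOUSE, KEYBOARD = "mouse", "keyboard"


@dataclass(frozen=True)
class Packet:
    """Constructed air-interface packet; the field layout is an assumption."""
    dev_index: int    # pairing slot the packet claims to come from
    kind: str         # MOUSE or KEYBOARD report type
    encrypted: bool   # whether the report body is ciphertext
    report: str       # payload, e.g. "move(3,-1)" or "GUI r"


@dataclass
class Receiver:
    paired: dict = field(default_factory=dict)     # dev_index -> device kind
    delivered: list = field(default_factory=list)  # reports passed to the host
    rejected: list = field(default_factory=list)   # reports dropped

    def pair(self, dev_index, kind):
        self.paired[dev_index] = kind

    def accept_vulnerable(self, pkt):
        # Any report from a known slot reaches the host: no check that the
        # report kind matches the paired device, no check for encryption.
        ok = pkt.dev_index in self.paired
        (self.delivered if ok else self.rejected).append(pkt.report)
        return ok

    def accept_hardened(self, pkt):
        # Drop unknown slots, report kinds that differ from what was paired
        # in that slot, and keyboard reports that arrive in plaintext.
        kind = self.paired.get(pkt.dev_index)
        ok = (kind is not None and kind == pkt.kind
              and (pkt.kind != KEYBOARD or pkt.encrypted))
        (self.delivered if ok else self.rejected).append(pkt.report)
        return ok


def run_scenario(policy):
    """Mouse-only receiver sees constructed traffic including a spoofed
    plaintext keystroke; returns (delivered, rejected) under the policy."""
    rx = Receiver()
    rx.pair(1, MOUSE)
    traffic = [
        Packet(1, MOUSE, True, "move(3,-1)"),   # legitimate mouse report
        Packet(1, KEYBOARD, False, "GUI r"),    # injected plaintext keystroke
        Packet(2, KEYBOARD, True, "ENTER"),     # report from an unpaired slot
    ]
    check = getattr(rx, "accept_" + policy)
    for pkt in traffic:
        check(pkt)
    return rx.delivered, rx.rejected
```

Running both policies over the same traffic shows the injected keystroke reaching the host only under the vulnerable policy.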

Attack on a Computer with a connected Wireless Peripheral Device

As a Flipper Zero was used in the inspiration video that led to this article, the aim was to recreate this attack. However, the actual attack is carried out by the NRF24L01+ wireless radio module, the Flipper Zero just controls the radio module.

Test Setup

The test setup was a Windows notebook with a Logitech Unify adapter and a Logitech M525 mouse, later joined by a Logitech K800 keyboard. To carry out the attack, a Flipper Zero with an NRF24L01+ wireless radio module connected via the GPIO pins was used. The firmware used on the Flipper Zero was the RogueMaster fork of the Flipper firmware, because the scripts needed to operate the NRF24L01+ wireless radio module via the GPIO pins are already included there.

The wiring between the Flipper Zero and the NRF24L01+ wireless radio module was implemented according to the linked scheme. After wiring, the result looked as shown in the image below.

Flipper Zero with connected NRF24L01+ wireless radio module

After connecting via the GPIO pins, the address of the Unify adapter can be found out with the NRF24 Sniffer Script and then attacked with the NRF24 MouseJack Script. The MouseJack script asks for a ducky script as payload at start, which is executed and sends the keystrokes unencrypted to the Unify adapter.

For example, the following ducky script can be used:

REM wait for the target to be ready, then open the Windows Run dialog
DELAY 1000
GUI r
DELAY 500
REM type a URL and confirm it so the default browser opens the page
STRING http://www.scip.ch
DELAY 500
ENTER

Ducky Scripts are explained in more detail in the article Attacks via Peripheral Devices.

Influence of Flipper Zero in combination with MouseJack

The small size of the Flipper Zero makes it much easier to attack wireless peripheral devices or their connected computers or other targets that require a certain physical proximity. The Flipper Zero fits easily into a jacket pocket or shoulder bag, even with an additional module or the wireless radio module shown above. This makes it much more inconspicuous in the event of an attack with physical proximity. In an open-plan office where several people use wireless peripherals that are affected by the MouseJack vulnerabilities, the probability of an inconspicuous, successful attack is very high.

Conclusion

Wireless devices have a larger attack surface and should therefore always be used with current firmware; in sensitive areas, a wired keyboard and mouse should be preferred for continuous operation. The MouseJack vulnerabilities are already more than seven years old at the time of this writing and are still present and exploitable when testing devices in one’s own environment. Also, at the time of writing, new devices with a vulnerable Logitech Unify adapter are still being sold. The Flipper Zero’s small form factor and support for a variety of radio frequencies, as well as its easy expandability via GPIO pins, make it perfectly suited for attacks on wireless targets that require physical proximity to the target device.

About the Author

Ralph Meier

Ralph Meier completed an apprenticeship as an application developer, with a focus on web development with Java, at a major Swiss bank and then completed a Bachelor of Science in Computer Science UAS Zurich at the ZHAW School of Engineering. His primary task is doing security-related analysis of web applications and services. (ORCID 0000-0002-3997-8482)
