Hacking Wireless Keyboards

Hacking Wireless Keyboards With Keykeriki – [securitytube.net]

KeyKeriki is a hardware + software tool released by Remote Exploit to exploit wireless keyboards. You can download the theory slides from here. The details about the software and hardware requirements are available on their website.

According to them: “Now 1.5 years after releasing our whitepaper “27Mhz Wireless Keyboard Analysis Report” about wireless keyboard insecurities, we are proud to present the universal wireless keyboard sniffer: Keykeriki. This open-source hardware and software project enables every person to verify the security level of their own keyboard transmissions, and/or demonstrate the sniffing attacks (for educational purposes only). The hardware itself is designed to be small and versatile; it can be extended to currently undetected/unknown keyboard traffic, and/or hardware extensions, for example, a repeating module or amplifier.”

KeyKeriki v2.0 – 2.4GHz – [remote-exploit.org]

Description: KeyKeriki v2.0 was first presented to the public at the security conference CanSecWest 2010. The device consists of two different radio modules and an ARM Cortex based microcontroller board. In contrast to the 27MHz version of Keykeriki it has the ability to inject data. So it allows remote code execution on 2.4GHz new generation keyboards. The code is a first release and is limited on purpose to this scenario (keyboard sniffing and remote command execution). Hopefully we can extend its layout to evolve into a software based, inexpensive software defined radio for 2.4GHz frequencies.

Practical Exploitation of Modern Wireless Devices – [remote-exploit.org]

Slides from CanSecWest 2010.

Promiscuity is the nRF24L01+’s Duty – [travisgoodspeed.blogspot.com]

by Travis Goodspeed extending the work of Thorsten Schröder and Max Moser of the KeyKeriki v2.0 project.

Similar to Bluetooth, the protocols of the Nordic VLSI nRF24L01+ chip are designed such that the MAC address of a network participant doubles as a SYNC field, making promiscuous sniffing difficult both by configuration and by hardware. In this short article, I present a nifty technique for promiscuously sniffing such radios by (1) limiting the MAC address to 2 bytes, (2) disabling checksums, (3) setting the MAC to be the same as the preamble, and (4) sorting received noise for valid MAC addresses which may later be sniffed explicitly. This method results in a rather high false-positive rate for packet reception as well as a terribly high drop rate, but once a few packets of the same address have been captured, that address can be sniffed directly with normal error rates.

As proof of concept, I present a promiscuous sniffer for the Microsoft Comfort Desktop 5000 and similar 2.4GHz wireless keyboards. This vulnerability was previously documented at CanSecWest by Thorsten Schröder and Max Moser, and an exploit has been available since then as part of the KeyKeriki v2.0 project. My implementation differs in that it runs with a single radio and a low-end microcontroller, rather than requiring two radios and a high-end microcontroller. My target hardware is the conference badge that I designed for the Next Hope, running the GoodFET Firmware.
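Step (4) of the technique quoted above, sorting the received noise for addresses that recur, is the part that turns a near-random stream of false syncs into a usable result, and it is also what shows why using the address as the SYNC word gives no confidentiality: a real transmitter repeats its address on every frame, while noise almost never repeats a 5-byte pattern. The following Python is an added illustration of that ranking step, not code from Travis Goodspeed's post or from the GoodFET or KeyKeriki projects. It assumes the radio was configured as described (2-byte address equal to the preamble, CRC off), so that each captured blob begins with the real transmitter's 5-byte address; the sample frames and the address in them are constructed for the example.

```python
from collections import Counter
from typing import Iterable, List, Tuple

ADDR_LEN = 5                 # nRF24L01+ addresses are 3-5 bytes; assume the full 5 here
PREAMBLE_BYTES = {0xAA, 0x55}   # alternating preamble patterns the radio may sync on

# Constructed sample capture (not real device data). Each entry is what the radio
# hands back after a false-positive sync in the promiscuous configuration:
# the true address (if any) followed by whatever payload/noise came after it.
REAL_ADDR = bytes.fromhex("c26f118ed3")      # constructed address for the example
SAMPLE_FRAMES: List[bytes] = [
    REAL_ADDR + bytes.fromhex("0a1b2c3d"),   # genuine frame, payload 0a1b2c3d
    bytes.fromhex("aaaa55aa550102"),         # synced on preamble only, no address
    REAL_ADDR + bytes.fromhex("ff00ee11"),   # genuine frame
    bytes.fromhex("3f91c07a2299"),           # random noise
    REAL_ADDR + bytes.fromhex("4242"),       # genuine frame, short payload
    bytes.fromhex("3f91c07a2218"),           # same noise prefix seen once more
    bytes.fromhex("1234"),                   # too short to hold an address at all
    REAL_ADDR,                               # genuine frame with empty payload
]


def looks_like_preamble(addr: bytes) -> bool:
    """A leading run of 0xAA/0x55 means we synced inside the preamble, not on a MAC."""
    return all(b in PREAMBLE_BYTES for b in addr)


def rank_candidate_addresses(frames: Iterable[bytes],
                             min_hits: int = 3) -> List[Tuple[bytes, int]]:
    """Tally the first ADDR_LEN bytes of every capture and keep the ones that recur.

    Noise rarely repeats the same 5-byte prefix, so a prefix seen min_hits times or
    more is very likely a real transmitter address. Returns (address, count) pairs,
    most frequent first.
    """
    counts: Counter = Counter()
    for frame in frames:
        if len(frame) < ADDR_LEN:
            continue                          # nothing to classify
        prefix = bytes(frame[:ADDR_LEN])
        if looks_like_preamble(prefix):
            continue                          # discard preamble-only false syncs
        counts[prefix] += 1
    return [(addr, n) for addr, n in counts.most_common() if n >= min_hits]


def payloads_for(addr: bytes, frames: Iterable[bytes]) -> List[bytes]:
    """Once an address is confirmed, pull out the payload bytes of the frames carrying it.

    In practice this is the point at which the radio would be reconfigured to sniff
    that address explicitly (full address, CRC on), giving normal error rates.
    """
    return [bytes(f[ADDR_LEN:]) for f in frames if bytes(f[:ADDR_LEN]) == addr]


if __name__ == "__main__":
    for addr, n in rank_candidate_addresses(SAMPLE_FRAMES):
        print(f"candidate {addr.hex()} seen {n} times")
        for p in payloads_for(addr, SAMPLE_FRAMES):
            print("  payload:", p.hex() or "<empty>")
```

The `min_hits` threshold is the only tuning knob: lower it and random noise starts to surface as candidates, raise it and a transmitter that keys rarely takes longer to confirm, which is exactly the false-positive versus drop-rate trade-off the post describes.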

GoodFET – [sourceforge.net]

The GoodFET is an open-source JTAG adapter, loosely based upon the TI MSP430 FET UIF and EZ430U boards, as described in their documentation. See Improving the MSP430 FET on Travis Goodspeed’s blog for further information.

Transceiver nRF24L01+ Module with RP-SMA – [sparkfun.com]

Description: The nRF24L01 module is the latest in RF modules from SparkFun. This module uses the 2.4GHz transceiver from Nordic Semiconductor, the nRF24L01+. This transceiver IC operates in the 2.4GHz band and has many new features! Take all the coolness of the nRF2401A and add some extra pipelines, buffers, and an auto-retransmit feature – very nice!
