Wireless Peripheral Devices – Security Risk, Exploits and Remediation

This article covers the importance of Wireless Peripheral Device Security, the risks involved, and ways to remediate the security exploits.

By Prathibha Muraleedhara and Akhilesh Bhangepatil

Abstract

The advancement of technology has led to an increase in cybercrimes.  Any potential threat to user computers is worth investigating. One such threat could be through peripheral devices like mice and keyboards that are connected to the computers. Cybercriminals can capture keystrokes by intercepting the traffic between these peripheral devices and the computer. Just by using a $20 USB dongle, they can inject keystrokes and remotely type in malicious commands on the victim’s laptop. Using specially crafted commands the attackers can potentially take over full control of the target laptop. This article intends to create awareness about security exploits through peripheral devices and ways to prevent these attacks.

Keywords – Wireless peripheral devices, radio frequency, MouseJack, Crazyradio, wireless keyboards, USB Dongle, keystrokes, vulnerability, threat.

1. Introduction

Wired mouse and keyboards are no longer used as they are very messy. Today, wireless peripheral devices are widely preferred as they provide a convenient cable-free connection. However, unlike other USB devices like memory card readers, MFA authentication devices, USB storage drives, and fingerprint sensors, wireless mice and keyboards hardly include any security features. Many of these peripherals are affected by security vulnerabilities which can lead to complete compromise of the computers they are connected to. As more organizations are supporting remote work, it’s very important to understand the security risks involved when choosing the type of accessories that the employees are allowed to connect to the workstations.

Wireless peripheral devices like mice and keyboards use proprietary protocols operating in the 2.4GHz ISM band (Marc Newlin, 2016). They do not follow the Bluetooth protocol which has well-defined industry-standard security schemas. Thus, the manufacturers end up implementing their own security schemas which often include weaknesses that can be exploited by malicious users. Wireless mice and keyboards are paired with a USB dongle that is connected to the computer. The wireless mouse or keyboard communicates by transmitting radio frequency packets to the USB dongle. When a key is typed on the keyboard or when the mouse is moved, the packet describing the action performed is transmitted to the dongle. The dongle listens to these packets and notifies the computer to process and perform the required actions like moving the cursor or typing the text/commands. To prevent sniffing or eavesdropping, some manufacturers encrypt the radio frequency packets that are transmitted to the dongle. The decryption key is stored in the USB dongle using which it can decrypt the data and process the packets. This prevents attackers from intercepting the data and analyzing the keystrokes transmitted. Also, encryption lets the wireless devices authenticate to the connected dongle, thus preventing a rouge wireless device from connecting to the dongle and sending maliciously crafted keystrokes to the computer. However, most of the wireless peripheral device manufacturers do not encrypt their connection which has allowed attackers to capture the mouse clicks and keystrokes transmitted. Due to the lack of authentication, the dongle will not be able to differentiate if the packets are coming from a legitimate peripheral device or from the attacker. This allows hackers to send malicious keystrokes and mouse clicks to the target computer. Thus, it is important to evaluate if wireless connections are encrypted and how the dongle listens to and processes the received commands. Also, if sensitive information is handled it is recommended not to use wireless peripheral devices regardless of the manufacturers.

2. Wireless Peripheral Devices Security Threats

Wireless peripheral devices like mice and keyboards are affected by various classes of vulnerabilities. Some of them are described below (Niklas Tomsic, 2022):

2.1 Promiscuous mode nRF24L01+

The Nordic Semiconductor nRF24L01+ can be used to promiscuously sniff radio frequency packets transmitted between the wireless peripheral devices and the dongle connected to the computer. This attack does not require any specially crafted hardware. Also, this can be used to reverse engineer manufacturer proprietary protocols like Nike+ and study lower levels of ANT+ protocol.

In this exploit the sniffing of the radio packets is achieved by reducing the MAC address to 2 bytes by disabling checksums, setting the MAC address to the same as the preamble, and forcing the dongle to accept the noise as a valid MAC address (T. Goodspeed, 2011). The trick used here is to make a few illegal register settings, disable the checksum, and generate background noise that is consumed as a valid MAC address.

Once the MAC address is spoofed, the next step is to break the packet encryption. Usually, the packet header is in cleartext and only the payload is XOR encrypted using the MAC address. Just by applying XOR to the right regions, it is possible to decrypt the USB HID events and derive the key positions. Thus, this technique can be successfully used to sniff keystrokes and mouse clicks promiscuously.

2.2 NATO Tempest

TEMPEST is a United States National Security Agency specification and a North Atlantic Treaty Organization (NATO) certification. This specification refers to spying on information systems by listening to electrical or radio signals, vibrations, sounds, and other leaking emanations. TEMPEST does cover some methods that can be used to spy on wireless equipment like logging user keystrokes. It classifies the emitted signals as sensitive because if these signals are sniffed and analyzed, they may disclose all the data that is transmitted and processed by the wireless device.  Along with covering details on how to spy on other information systems, it also defines ways to prevent/protect devices from such spying. The protection efforts are also known as emission security (EMSEC), which is a subset of communications security (COMSEC).  Prevention of spying can be achieved by shielding, masking, monitoring, filtering, and defining the distance an attacker can get without being able to sniff the leaked signals. The standards defined go from level A to C, with level A being the strictest for critical devices that operate in NATO zone 0.

2.3 SATAn: Air-Gap Exfiltration Attack

Air-gapped systems usually do not have any public internet connection and are used in critical environments like industrial OT networks, government, military, nuclear plants, and other industrial networks. They are isolated from other less secure networks that have access to the internet. It was discovered that it is possible to exfiltrate data from air-gapped systems through Serial ATA (SATA) cables that are in the form of wireless antennae inside the computers.

To perform this attack, the hacker must first gain physical access to the air-gapped system and install the malware software. The software then prepares the sensitive data to be exfiltrated through modulation and encoding. The SATA cables can deliver over a radio channel between 5.9995 and 5.9996 GHz electromagnetic signals that correspond to specific characters (Mordechai Guri, 2022). Thus, this malware can be used to hijack legitimate processes on air-gapped systems and emit radio signals during specific read-and-write operations. In real real-world scenario, the receiver will be embedded in a piece of hardware equipment placed close to the air-gapped system or realized as a process in a computer nearby. The best way to prevent such attacks is to use SATA jammers, which detect suspicious read and write operations initiated from legitimate software and distort that signal.

2.4 Far Field Electromagnetic Side-Channel Attack

It was proved that it is possible to break AES-128 encryption through electromagnetic side-channel attack. The attacker must be within a 15-meter radius to perform this attack. This was accomplished by using a deep neural network and a convolution neural network with an input size of 110 (R. Wang, H. Wang, and E. Dubrova, 2020). If sensitive information like the AES key can be retrieved from about 15 meters away just by sniffing the electromagnetic side-channel signals, it provides enough evidence that any information can be intercepted and stolen by being in proximity to an unaware victim.

2.5 Bastille Research

The Bastille Research team has conducted several research regarding wireless security threats. Some of their discoveries include rouge Wi-Fi hotspots, eavesdropping/surveillance devices, wireless camera exploits, home security systems, IoT device exploits, and rogue cell towers that can be used to hijack mobile phone connections to eavesdrop and listen to other’s phone calls, read text messages, break 2-factor authentication and push malware to victim phones (Bastille Research Team, 2017). Also, they have discovered several exploits that affect wireless peripheral devices like mice and keyboards.

KeySniffer is an exploit that targets non-Bluetooth wireless devices that do not encrypt their radio communication. This allows hackers to intercept all keystrokes entered by the victim from several hundred feet away (Marc Newlin, 2016a). All personal information including usernames, passwords, credit card details, sensitive transactions, and all information can be intercepted and stolen. KeyJack is another exploit discovered by the Bastille Research team that allows malicious users to inject encrypted keystrokes into the vulnerable USB dongle without access to the encryption key (Marc Newlin, 2016b).

3. Mousejack Exploit Technical Details

Mousejack is a class of vulnerability that affects non-Bluetooth wireless peripheral devices like mice and keyboards connected through USB dongles. This section will cover in-depth technical details on how to sniff mouse clicks, keystrokes and inject maliciously crafted keystrokes to compromise a victim machine. An attacker can take complete control over the target computer without any physical access by launching this attack using a dongle which costs less than 15$.

Mousejack attack includes three methods that can be used to sniff transmitted radio traffic or to inject keystrokes to compromise the victim’s device. The three methods include:

3.1 Injecting keystrokes as a spoofed mouse.

Most of the peripheral wireless device manufacturers only encrypt the connection between keyboards and dongles. They do not encrypt the connection between the mouse and the dongle as they only transmit mouse movement and right or left click signals. It is assumed that these signals are not sensitive. Due to a lack of encryption and authentication, the USB dongle directly accepts and processes data packets from any rouge-spoofed mouse.

Additionally, the USB dongle does not validate if the type of signal it received matches the type of the device that generated it. It blindly accepts keystroke signals even if it is generated from a mouse. This allows attackers to send out maliciously crafted keystroke signals from a spoofed mouse and remotely execute commands on victim machines.

3.2 Injecting keystrokes as a spoofed keyboard.

Most wireless device manufacturers encrypt the communication between the USB dongle and keyboards to prevent sniffing of keystrokes. However, a vulnerable dongle sometimes does accept unencrypted signals and successfully process them. This allows attackers to send malicious commands to the victim’s laptop and take control of it.

3.3 Force pairing an illegitimate mouse or keyboard.

Earlier the keyboard and mouse were paired before they left the factory. It means the dongle wireless address and encryption key were hardcoded in the keyboard firmware and the decryption key was stored in the dongle firmware. But lately, manufacturers have provided features where users can pair wireless devices to new dongles or even pair multiple devices to a single dongle. Pairing can be done by physically enabling pairing mode for a few seconds using a button on the device. But sometimes it is possible to bypass this pairing process without any user interactions. For example, the user may be using only a mouse but paired with a vulnerable dongle that accepts keystrokes from rouge devices. This way an attacker can send malicious commands to the victim’s laptop.

The nRF24L transceivers are used to transmit data packets between the wireless devices and the dongle connected to the laptop. To create a rouge peripheral device, a Crazyradio PA dongle is used. This is an amplified nRF24L-based USB dongle that is used to control Crazyfile open-source drones. By modifying the Crazyradio PA firmware and enabling pseudo-promiscuous mode it is possible to convert the dongle into a fuzzer. The USB dongle connected to the computer sends instructions to the operating system in the form of USB HID packets (Marc Newlin, 2016). These packets can be sniffed by enabling the usbmon kernel module on Linux. The Crazyradio PA fuzzer takes advantage of this by sending radio frequency signals to the victim’s USB dongle and monitoring the generated USB HID packets. By analyzing the radio frequency signal and the HID events the packet format and behaviors are derived.

The first step to launch this attack is to purchase a CrazyRadio PA USB dongle and flash the dongle with the Bastille network’s Mousejack firmware (Marc Newlin, 2016c). The next step is to install the Jackit toolkit (Marc Newlin, 2016d). This toolkit includes a set of ducky scripts that will be used to transmit a sequence of keystrokes to compromise the target computer. The attacker scans the surroundings by listening to the radio frequency signals transmitted by nearby wireless devices to find a vulnerable target. Once the target is identified the hacker force pairs the victim’s dongle with the Crazyradio dongle. Then a ducky script payload is created and the jackit tool is executed to send out a sequence of unencrypted keystrokes to the vulnerable dongle. The dongle trusts the signals to be coming from legitimate wireless devices and processes them. Through this attack, a hacker can install rootkits, viruses, exfiltrate data and do everything possible if he has physical access to the victim’s laptop.

Remediation – The nRF24L transceiver chip used in wireless peripheral devices like mouse, keyboard, and USB dongles includes either one-time programmable or flash memory. If one-time programmable devices are found vulnerable, they must be discarded as their firmware cannot be updated once they leave the factory. Devices with flash memory can be fixed if updated firmware is available from the manufacturers. It is recommended to upgrade to the latest firmware before continuing to use the affected wireless devices.

4. Conclusion

The various exploits like Mousejack, KeyJack, and electromagnetic side-channel attacks prove that wireless products even from trusted manufacturers may be vulnerable to serious security exploits. Also, this shows how creative hackers can get to compromise computer networks. Before the pandemic, organizations had to only worry about physical security in company onsite locations. But now the threat landscape is changing as the workforce moves from traditional onsite spaces to home offices. Organizations must perform due diligence to make sure the peripheral devices that they have issued are not vulnerable to these exploits. The IT department must frequently check the list of affected devices published by researchers and take appropriate measures. If updated firmware is available from the manufacturers, it must be pushed to all the devices. All vulnerable devices with no firmware updates must be discarded. Organizations must maintain a thorough inventory of all devices used to keep track of vulnerable and end-of-life systems. It is important to create awareness among users about these exploits so that they can take simple measures like locking their laptops before stepping away from their desks or removing the USB dongle when not in use. This also helps them identify irregular unexpected behaviors in their workstations.

Reference:

Bastille Research Team (2017). Rogue Cell Towers. Bastille Wireless Threat Intelligence. Retrieved from https://www.bastille.net/vulnerabilities/rogue-cell-towers

Marc Newlin (2016). MouseJack Technical Details. Bastille Wireless Threat Intelligence. Retrieved from https://www.bastille.net/research/vulnerabilities/mousejack/technical-details

Marc Newlin (2016a). Keysniffer. GitHub – Bastille Wireless Threat Intelligence. Retrieved from https://github.com/BastilleResearch/keysniffer

Marc Newlin (2016b). Keyjack. GitHub – Bastille Wireless Threat Intelligence. Retrieved from https://github.com/BastilleResearch/keyjack

Marc Newlin (2016c). BastilleResearch/mousejack. Github. Retrieved from https://github.com/BastilleResearch/mousejack

Marc Newlin (2016d). BastilleResearch/nrf-research-firmware. Github. Retrieved from https://github.com/BastilleResearch/nrf-research-firmware

Mordechai Guri (2022). SATAn: Air-Gap Exfiltration Attack via Radio Signals From SATA Cables. Retrieved from https://browse.arxiv.org/pdf/2207.07413.pdf

Niklas Tomsic (2022). Penetration testing wireless keyboards. KTH Royal Institute of Technology. Retrieved from https://kth.diva-portal.org/smash/get/diva2:1701492/FULLTEXT01.pdf

10. Wang, H. Wang, and E. Dubrova, (2020). Far-field em side-channel attack on aes using deep learning. Proceedings of the 4th ACM Workshop on Attacks and Solutions in Hardware Security. Retrieved from https://dl.acm.org/doi/abs/10.1145/3411504.3421214?sid=SCITRUS
11. Goodspeed (2011). Promiscuity is the nRF24L01+’s Duty. Retrieved from http://travisgoodspeed.blogspot.com/2011/02/promiscuity-is-nrf24l01s-duty.html

About the Authors

Prathibha Muraleedhara, Cybersecurity Leader

Prathibha Muraleedhara is a Security Architecture Manager for a leading product manufacturing company. She holds a master’s degree in Information System Security and 10+ years of professional experience in Security Architecture, Cloud Security, and Penetration Testing. She is a committee member of the Women in Security -Information Systems Security Association specialty group, ISACA SheLeadsTech Ambassador, and Cyber Wyoming member of the Board of Directors. She is a passionate researcher, and author, and enjoys educating people on security exploits and remediation.

Contact details: [email protected], LinkedIn: https://www.linkedin.com/in/prathibha-muraleedhara-8a3976105/

Akhilesh Bhangepatil, Cybersecurity Leader

Akhilesh Bhangepatil is a highly accomplished cybersecurity professional with a Master of Science in Cybersecurity and a comprehensive set of cybersecurity certifications, including CISSP, CISA, GICSP, GCIP, and GRID. He has established himself as a recognized expert in the field of cybersecurity and a distinguished Cybersecurity Leader who specializes in Cyber-Physical Systems (CPS). Akhilesh is also renowned as a distinguished speaker in the realm of cybersecurity.

Contact details: [email protected], LinkedIn: https://www.linkedin.com/in/bakhilesh/