Page 186 - Cyber Defense eMagazine January 2024
Additionally, the USB dongle does not validate whether the type of signal it receives matches the type of the
device that generated it. It blindly accepts keystroke signals even if they are generated by a mouse. This
allows attackers to send maliciously crafted keystroke signals from a spoofed mouse and remotely
execute commands on victim machines.
3.2 Injecting keystrokes as a spoofed keyboard.
Most wireless device manufacturers encrypt the communication between the USB dongle and the keyboard
to prevent sniffing of keystrokes. However, a vulnerable dongle sometimes also accepts unencrypted
signals and processes them successfully. This allows attackers to send malicious commands to the victim's
laptop and take control of it.
3.3 Force pairing an illegitimate mouse or keyboard.
Previously, the keyboard and mouse were paired with their dongle before they left the factory: the dongle's
wireless address and the encryption key were hardcoded in the keyboard firmware, and the decryption key
was stored in the dongle firmware. More recently, manufacturers have provided features that let users pair
wireless devices to new dongles, or even pair multiple devices to a single dongle. Pairing is done by physically
enabling pairing mode for a few seconds using a button on the device. But sometimes it is possible to
bypass this pairing process without any user interaction. For example, the user may be using only a
mouse, but it is paired with a vulnerable dongle that accepts keystrokes from rogue devices. This way an
attacker can send malicious commands to the victim's laptop.
nRF24L transceivers are used to transmit data packets between the wireless devices and the dongle
connected to the laptop. To create a rogue peripheral device, a Crazyradio PA dongle is used. This is an
amplified nRF24L-based USB dongle originally built to control Crazyflie open-source drones. By modifying
the Crazyradio PA firmware and enabling pseudo-promiscuous mode, it is possible to turn the dongle
into a fuzzer. The USB dongle connected to the computer sends instructions to the operating system in
the form of USB HID packets (Marc Newlin, 2016). These packets can be sniffed by enabling the usbmon
kernel module on Linux. The Crazyradio PA fuzzer takes advantage of this by sending radio frequency
signals to the victim's USB dongle and monitoring the USB HID packets that result. By correlating the
radio frequency signal with the HID events, the packet format and behaviors are derived.
The first step to launch this attack is to purchase a Crazyradio PA USB dongle and flash it with
Bastille Networks' MouseJack firmware (Marc Newlin, 2016c). The next step is to install the Jackit
toolkit (Marc Newlin, 2016d). This toolkit includes a set of ducky scripts that are used to transmit a
sequence of keystrokes to compromise the target computer. The attacker scans the surroundings by
listening to the radio frequency signals transmitted by nearby wireless devices to find a vulnerable target.
Once the target is identified, the hacker force-pairs the victim's dongle with the Crazyradio dongle. Then
a ducky script payload is created and the Jackit tool is executed to send a sequence of unencrypted
keystrokes to the vulnerable dongle. The dongle trusts the signals as coming from legitimate wireless
devices and processes them. Through this attack, a hacker can install rootkits and viruses, exfiltrate data,
and do anything that would otherwise require physical access to the victim's laptop.
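Because the injected keystrokes arrive at the operating system as ordinary USB HID reports from the dongle, one host-side defence is to watch that report stream for the signature of a scripted sequence. The following is an added example, not code from the article and not part of Bastille's MouseJack or Jackit tooling. It assumes the host already has a timestamped stream of the dongle's HID reports (for instance read from usbmon, as the article mentions, or from a hidraw device; how that capture is obtained is outside this example), decodes 8-byte boot-keyboard reports into key-down events, and flags runs of keys delivered at a machine-speed cadence. The trace, the 30 ms gap and the 4-key minimum are constructed values chosen for illustration, not measurements from the article.

```python
from dataclasses import dataclass
from typing import List

# USB HID boot-keyboard usage IDs (keyboard/keypad usage page) for the keys
# used below; these values come from the HID Usage Tables.
USAGE_TO_CHAR = {0x04 + i: chr(ord("a") + i) for i in range(26)}      # a..z
USAGE_TO_CHAR.update({0x1E + i: str(i + 1) for i in range(9)})          # 1..9
USAGE_TO_CHAR.update({0x27: "0", 0x28: "\n", 0x2C: " ", 0x2D: "-", 0x37: "."})
MOD_LGUI = 0x08   # bit 3 of the modifier byte: left GUI (Windows/Command) key


@dataclass
class Report:
    t_ms: float   # host timestamp at which the dongle delivered the report
    raw: bytes    # HID report payload as received from the interrupt endpoint


@dataclass
class KeyEvent:
    t_ms: float
    usage: int
    modifiers: int


def key_down_events(reports: List[Report]) -> List[KeyEvent]:
    """Convert boot-keyboard reports into key-down events.

    A boot keyboard report is 8 bytes: modifiers, reserved, six key usages.
    A usage is 'pressed' when it appears in a report but not in the previous
    one. Reports of any other length (e.g. mouse reports) are ignored."""
    events: List[KeyEvent] = []
    held: set = set()
    for r in reports:
        if len(r.raw) != 8:
            continue
        pressed = {u for u in r.raw[2:8] if u > 0x01}   # 0x00 = none, 0x01 = rollover
        for u in sorted(pressed - held):
            events.append(KeyEvent(r.t_ms, u, r.raw[0]))
        held = pressed
    return events


def decode(events: List[KeyEvent]) -> str:
    """Render key-down events as text (unknown usages become '?')."""
    return "".join(USAGE_TO_CHAR.get(e.usage, "?") for e in events)


def find_bursts(events: List[KeyEvent], max_gap_ms: float = 30.0,
                min_keys: int = 4) -> List[List[KeyEvent]]:
    """Return runs of at least min_keys key-downs whose every inter-key gap is
    at or below max_gap_ms. Scripted injection delivers keys at a fixed
    machine-speed cadence; sustained human typing is far slower."""
    bursts: List[List[KeyEvent]] = []
    start = 0
    for i in range(1, len(events) + 1):
        if i == len(events) or events[i].t_ms - events[i - 1].t_ms > max_gap_ms:
            if i - start >= min_keys:
                bursts.append(events[start:i])
            start = i
    return bursts


def uses_gui_key(burst: List[KeyEvent]) -> bool:
    """True if any key in the burst was sent with the GUI modifier held."""
    return any(e.modifiers & MOD_LGUI for e in burst)


def _kbd(t_ms: float, usage: int = 0, mods: int = 0) -> Report:
    return Report(t_ms, bytes([mods, 0, usage, 0, 0, 0, 0, 0]))


# Constructed trace (not a real capture): a person types "hi" + Enter, a mouse
# report goes by, then a scripted sequence arrives at a 12 ms cadence.
SAMPLE_REPORTS: List[Report] = [
    _kbd(0, 0x0B), _kbd(80), _kbd(160, 0x0C), _kbd(250), _kbd(400, 0x28), _kbd(480),
    Report(700, bytes([0x00, 0x02, 0xFF, 0x00])),     # 4-byte mouse report, ignored
    _kbd(5000, 0x15, MOD_LGUI), _kbd(5006),            # GUI+r
    _kbd(5012, 0x06), _kbd(5018), _kbd(5024, 0x04), _kbd(5030),
    _kbd(5036, 0x0F), _kbd(5042), _kbd(5048, 0x06), _kbd(5054),
    _kbd(5060, 0x28), _kbd(5066),
]


def analyze(reports: List[Report]):
    """Return (decoded text, list of (burst text, gui_used)) for a report stream."""
    events = key_down_events(reports)
    flagged = [(decode(b), uses_gui_key(b)) for b in find_bursts(events)]
    return decode(events), flagged


if __name__ == "__main__":
    text, flagged = analyze(SAMPLE_REPORTS)
    print("typed:", repr(text))
    for burst_text, gui in flagged:
        print(f"ALERT: machine-speed burst {burst_text!r} (GUI key held: {gui})")
```

The cadence check is deliberately simple: it cannot tell which radio device a keystroke came from, since that information is lost once the dongle has turned the packet into a HID report, but it does catch the defining property of a ducky-script payload, a long run of keys at a fixed interval no human sustains. In a real deployment the thresholds would be tuned against the site's own typing data, and a hit would be paired with the remediation steps below rather than acted on blindly.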
Remediation - The nRF24L transceiver chip used in wireless peripheral devices such as mice, keyboards,
and USB dongles includes either one-time programmable or flash memory. If one-time programmable
Copyright © 2024, Cyber Defense Magazine. All rights reserved worldwide.