I don’t understand how you can run BadUSB using a mouse/keyboard dongle. Could someone explain how it’s done in the video?
It looks to me like they used an NRF chip and an ESP32 to connect over Bluetooth as a Bluetooth keyboard. I don’t believe the built-in Bluetooth of the ESP32 or Flipper can do that right now. That’s why I believe there is also an NRF. EDIT: I can’t be 100% sure the protocol is Bluetooth, but it’s most likely using 2.4 GHz either way.
You don’t just connect the Flipper wireless via bad USB.
The most interesting part in the video is the Logitech Unifying dongle.
As I worked in a company with a lot of Logitech equipment (silent, no interference between the offices, long product care, …), the security nightmare started in 2018.
At first the remote presenters were attacked. During a presentation you are able to inject commands … So if your screen is flickering, not good.
Later some vulns for the Unifying receiver were detected as well.
Read: UnifyingVulnsDisclosureRepo/logitech_vuln_summary.md at master · mame82/UnifyingVulnsDisclosureRepo · GitHub
But this was a huge drama, because it was Logitech. A vendor of a lot of office equipment, with a high reputation.
There are a lot of smaller companies with cheaper products which are easier to take over with a nRF24 and a protocol viewer/signal plotter like PulseView.
I would not try to analyze/capture with the Flipper. It is a great gadget to perform the attack once you are done with the analysis, as shown in the video.
But, if you try this at home: I think Logitech has patched the Unify firmware. Maybe in the video an older/unpatched dongle is used.
I remember when that news came out but I don’t recall news of known “in the wild” use. Someone could potentially spy or inject commands to computer from an adjacent office in a building so definitely a security risk. A sophisticated threat actor could even use war shipping to get remote access.
I don’t know any warship that is allowed to use wireless equipment.
As I worked on a project that, in the end, turned out to be an add-on for a military cluster, they were very cautious about any USB device or wireless equipment.
Only Lenovo notebooks with a wireless kill switch were allowed.
Since then I ask beforehand whether I need to leave my mobile at the entrance. Very common, also in the automobile industry.
Yeah, found a video: How a DRONE can hack your computer in seconds | Real Experiment - YouTube
I also doubt that f0 with built-in Bluetooth is capable of that.
This has nothing to do with the initial question. A wireless HID dongle is 2.4 GHz, but far away from Bluetooth.
The built-in Bluetooth stack (software) of the Flipper Zero is limited because of the limited size of the internal storage. If you get rid of most of the other functions of the Flipper Zero, you may have a chance to perform sophisticated attacks.
Now I’ve got a nRF24 adapter and was able to perform this, too.
The basics for this attack come from Bastille Research (https://github.com/BastilleResearch/mousejack/tree/master/doc).
In a nutshell: the keyboards talk encrypted. It is somewhat strong, so getting into this would be another topic. But the mouse talks unencrypted. You can sniff how the mouse is moving around an unseen desktop. Yay. But the Bastille Research team went further and injected keys via the mouse. This is not verified, so the virtual keypress from the mouse is executed on the system … The wall to performing a BadUSB has fallen.
The Bastille Research team has released 3 tools: NRF24 Sniffer, NRF24 MouseJacker and NRF24 Scanner. I am very confused, because you are scanning with the sniffer and can sniff packets with the scanner. But the nice guy or gal who is porting this to the Flipper adopted this naming.
- Find a USB dongle with a Nordic Semiconductor nRF24LU1+ chip. Very popular are the Logitech Unifying C-U0007 sticks. But also some Lenovo or Dell and other 2.4 GHz wireless sticks are possible.
- Search for a nRF24L01+ board. There are two: the little ones with the antenna printed on the board, and the larger ones, nRF24L01+PA+LNA, with an external antenna, which need nearly three times more power but reach nearly 5 times (3 times in reality) the distance.
- Open your Flipper, select from ‘Applications - GPIO’ the app ‘[NRF24]Sniffer’. The tool will scan for usable signals around you … Wait and wait and wait … If the LED blinks and the Flipper is vibrating, there should be a number higher than 0 in ‘Found:’ on the display.
- Switch to the app ‘[NRF24]Mousejacker’. The first app should have written the file addresses.txt to the SD card. The MouseJacker takes this address (or addresses); just choose the right one (I really don’t know how to tell which one is the right target when there is more than one result) and choose a BadUSB script from your SD card …
The address is something between your Unifying (or similar) dongle and your mouse. If the firmware from your C-U0007 is not patched, you will see output on the screen, more or less, depending on the used BadUSB script.
- This attack can’t go behind the lock screen. It is just a keyboard.
- You can’t sniff the real keyboard. The attack works as a keyboard through the mouse.
- At least for Logitech, updates are available. But they will not be installed through the ‘Unifying software’. Even when the software says ‘all up to date’, you need to perform the DFU update. GitHub - Logitech/fw_updates: This repository contains official FW update files for Logitech control devices (mice, keyboards, etc.)
- Bluetooth and the newer Logitech Bolt adapters are not vulnerable to this attack. They have their own security flaws.
- Not official, but in my tests I noticed only Windows systems are open. The same sticks (two, so far; as is, not manually patched, just the latest update from the Unifying software) on a Linux system were not found by the sniffer app.
I hope this answers your question. If I left anything out, feel free to ask.
Maybe I’m missing something because I would not expect it to work on Windows but not other OS. That sounds like something worth looking into. The patch appears to be for the actual dongle and not the drivers. I’m definitely going to need to get an NRF. I would like to test some of these generic dongles. I suspect many don’t have up to date security. I hope to eventually figure out how to write my own firmware for these USB BT dongles or possibly create my own from scratch.
Excellent information @LupusE