Disclaimer: The things I’m about to show should only be tried on personal devices or with the explicit consent of any targets. I’m not responsible for the malicious use of the information presented below. Thank you, and godspeed!
While taking a break from whatever mindless task I was performing a couple of weeks ago, I thought about how cool it would be to have a wireless USB adapter that you could plug a USB Rubber Ducky into (or any BadUSB device, really) and have it transmit to a target computer without you actually having to be near the target itself. Now, the idea itself isn’t revolutionary (wireless keyboards, mice, presenters, and God knows what else are a thing and have been for quite a while), but the execution meant that I had to really over-engineer something that could probably be solved a lot more easily and faster. So I began searching for USB wireless adapters for keyboards or anything that was even close to that, and lo and behold, I came across an article on The Verge that advised people to stay away from Logitech Unifying receivers, at least for a while. And that took me on the path that we’re on today.
The Verge’s article mentioned the fact that a researcher named Marcus Mengs, going by the nickname MaMe82, found out in early 2019 that an old set of vulnerabilities that were believed to be patched hadn’t really gone away. That vulnerability class was called MouseJack and it affected devices from brands such as Microsoft, Dell, and Logitech. Now, most of the affected devices were not able to get firmware upgrades, but Logitech’s Unifying receivers were, in fact, issued with some firmware updates that factories were instructed to have pre-loaded on new devices and that users had to install themselves, so the problem should have been solved. The sad part about all of that is, you can’t control users, and you can’t control what’s sitting on store shelves (without losing some money first), so vulnerable receivers were still roaming the 2.4 GHz spectrum and were ripe for the taking. So I reached out and grabbed me some.
Turns out, as is the case with many script-kiddie level stuff (which I have no shame in doing), exploiting this vulnerability is quite easy. Here’s the stripped-down recipe:
- You get yourself an SDR (Software Defined Radio) dongle. These things give you access to the 2.4 GHz spectrum which the Unifying dongles use for communicating with the peripherals. Your options include but are not limited to:
– Nordic nRF52840 Dongle (pca10059)
– MakerDiary MDK Dongle
– April Brother Dongle
I used the GeeekPi nRF52840 Micro Dev Kit USB dongle and it works brilliantly even though its range is kind of limited. If you can splurge a bit, go for something with an external antenna like the CrazyRadioPA as it’ll make things a lot easier and more fun.
- You go on MaMe82’s GitHub page and you take a look at all the projects that he’s done. After you’ve finished basking in his glory, go to the LOGITacker project and download the hex firmware file that should work with your specific dongle. His README is pretty well put together and if you carefully follow it you should have no issue figuring out what works with what. In my instance, I used the logitacker_mdk_dongle.hex file that you can find in the build folder of the main project.
- Download the required software for installing your firmware and follow the steps highlighted in the README I talked about before. For me, it was just a case of downloading and installing nRF Connect, running the Programmer app that comes with it, pressing the button on my dongle, plugging it in while I was still pressing said button, et voilà, my dongle was recognized in flashing mode. From there, I just loaded the hex file with the firmware, pressed the write button and everything was fine and dandy. Then I unplugged my device.
- If you’re running Windows, download and install PuTTY. After you’ve done that, plug in your newly flashed dongle, go into the Device Manager and see which COM port is being used by it. Use that same COM port number for a Serial connection in PuTTY, with a Speed of 115200. Don’t ask me why it’s 115200, that’s just how it is. We do not question the Serial gods here. Press Open.
- Now, if you’ve done everything correctly you should be greeted by a command line interface connected to your dongle, which is now in discovery mode. You’re one step closer to hacking people.
From here on out, what you do with the dongle is up to you, but what I did was take a look at the commands available to me and go from there. The list (so far) looks like this:
- discover
– run
- inject
– target <address>
– execute
- script
– clear, undo, show, string, altstring, press, delay, store <script name>, load <script name>, list, remove
- pair
– sniff run
- devices
– storage list, storage save <address>, storage load <address>
- passive_enum <address>
A very simple hack using some of the above commands would be as follows:
- You let the device sit in discovery mode for a bit so that it gets hold of a couple of wireless device addresses. Usually the device boots up in discovery mode by default, but if it doesn’t, type discover run.
- After you’ve done that, you type devices and see what addresses are available to you. I suggest you pick one that has a mouse attached to it (you should see something along the lines of Mouse: yes in the description of the device), but if you get something with an unencrypted keyboard, that’s the mother lode right there.
- You type in inject target, followed by the address of the device you’re targeting for the keystroke injection. It should look something like inject target AA:BB:CC:DD:EE.
- You type in script press GUI L. This command basically prepares a script that only does one thing: it simulates a Windows key + L combo being pressed.
- You type in inject execute.
- ???
- Profit.
Now, you might be saying that’s not a hack. But think about this. You’ve remotely locked a random person’s computer without being at their keyboard. If that’s not hacking, I don’t know what is!
The capabilities of this dongle, firmware, and the vulnerability that they expose, however, are far greater. An attacker can sniff a pairing process between a Unifying dongle and a keyboard, for instance, and be able to wirelessly tap into that communication, essentially creating a wireless keylogger. If said attacker has physical access to the dongle, then that process can be forced using a custom tool MaMe82 created, and some dongles are even vulnerable to forced pairing, which means physical access wouldn’t even be needed. Also, the scripts that can be run go far beyond remote locks. With the help of tools such as the Duck Toolkit and a little bit of script modification, an attacker can pretty much do whatever he or she wants with your machine, from wiping your hard drive clean to installing malware that can own your entire network. All of this because of a faulty dongle.
In all fairness, the things that you should take from this are as follows:
- Always be on the lookout for updates to your devices. All of your devices.
- New vulnerabilities appear every day.
- It’s easy to be a script kiddie. Which means you too can start hacking. It ain’t rocket surgery unless you really want it to be.
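Since the first takeaway is about updates, here is a small inventory check I wrote for this post (not part of the original, and not a Logitech or LOGITacker tool): it reads the text of an `lsusb -v` dump, picks out Logitech Unifying receivers, and flags those whose reported firmware is below a minimum you set. It assumes the receiver exposes its firmware as the USB bcdDevice field (e.g. 12.01), and the minimum versions in MIN_FIRMWARE are placeholders you should replace with the ones in Logitech’s advisory linked below; the sample dump is constructed.

```python
import re
from dataclasses import dataclass

LOGITECH_VID = 0x046d          # Logitech USB vendor id
UNIFYING_PIDS = {0xc52b}       # Unifying receiver product id; extend for other receivers you own

# Assumed placeholder policy: lowest accepted (major, minor) bcdDevice per firmware family.
# Replace with the patched versions from Logitech's advisory before relying on it.
MIN_FIRMWARE = {12: (12, 11), 24: (24, 11)}

# Constructed sample in the shape of `lsusb -v` output (not a real capture).
SAMPLE = """\
Bus 001 Device 004: ID 046d:c52b Logitech, Inc. Unifying Receiver
Device Descriptor:
  idVendor           0x046d Logitech, Inc.
  idProduct          0xc52b Unifying Receiver
  bcdDevice           12.01
Bus 001 Device 005: ID 046d:c52b Logitech, Inc. Unifying Receiver
Device Descriptor:
  bcdDevice           12.11
Bus 002 Device 003: ID 1234:5678 Example device (constructed)
Device Descriptor:
  bcdDevice            1.00
"""

@dataclass
class Receiver:
    bus: int
    dev: int
    pid: int
    fw: tuple  # (major, minor) parsed from bcdDevice

def parse_lsusb_verbose(text):
    """Return the Logitech Unifying receivers found in an `lsusb -v` text dump."""
    found = []
    # Every device section starts with "Bus NNN Device NNN: ID vvvv:pppp ...".
    for chunk in re.split(r"(?m)^(?=Bus \d+ Device \d+: ID )", text):
        head = re.match(r"Bus (\d+) Device (\d+): ID ([0-9a-f]{4}):([0-9a-f]{4})", chunk)
        if not head:
            continue
        vid, pid = int(head.group(3), 16), int(head.group(4), 16)
        if vid != LOGITECH_VID or pid not in UNIFYING_PIDS:
            continue
        ver = re.search(r"bcdDevice\s+(\d+)\.(\d+)", chunk)
        if ver:
            fw = (int(ver.group(1)), int(ver.group(2)))
            found.append(Receiver(int(head.group(1)), int(head.group(2)), pid, fw))
    return found

def outdated(receivers, policy=MIN_FIRMWARE):
    """Receivers whose firmware is below the policy minimum, or from an unknown family."""
    return [r for r in receivers if policy.get(r.fw[0]) is None or r.fw < policy[r.fw[0]]]

if __name__ == "__main__":
    for r in outdated(parse_lsusb_verbose(SAMPLE)):
        print(f"bus {r.bus} dev {r.dev}: firmware {r.fw[0]}.{r.fw[1]:02d} needs an update")
```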
Thank you.
Links:
- The Verge article: https://www.theverge.com/2019/7/14/20692471/logitech-mousejack-wireless-usb-receiver-vulnerable-hack-hijack
- 2016 CNET article: https://www.cnet.com/news/i-got-mousejacked/
- Bastille research MouseJack: https://www.mousejack.com/
- Unifying receiver update: https://support.logi.com/hc/en-us/community/posts/360032078393-Logitech-Response-to-Research-Findings