Historically, most employees use Logitech wireless keyboards and mice. Once again entering our passwords, we, the specialists of the Raccoon Security team, asked ourselves: how difficult is it to bypass the security mechanisms of wireless keyboards? The conducted research revealed architectural flaws and software errors that allow access to the input data. Under the cut - what we got.
Why Logitech?
In our opinion, Logitech input devices are among the highest quality and most convenient. Most of the devices we have are based on the Logitech solution is a universal dongle receiver that allows you to connect up to 6 devices. All devices compatible with Logitech Unifying technology are marked with the corresponding logo. Easy to use allows you to manage the connection of wireless keyboards to your computer. The process of connecting the keyboard to the Logitech dongle receiver, as well as the technology itself, are covered in detail, for example, .
Logitech Unifying Dongle Receiver
The keyboard can become a source of information for intruders. Logitech, taking into account the possible threat, took care of security - applied the AES128 encryption algorithm in the radio channel of the wireless keyboard. The first thought that may visit an attacker in this situation is the interception of key information during its transmission over the air during the binding procedure. After all, if you have a key, you can intercept the radio signals of the keyboard and decrypt them. However, it is very rare (or never) for a user to bind a keyboard with a Unifying procedure, and a hacker with a scanning radio will have to wait a long time. In addition, not everything is so simple with the interception process itself. In the latest study in June 2019, security expert Markus Mengs published online about the discovery of a vulnerability in the old firmware of Logitech USB dongles. It allows attackers with physical access to devices to obtain radio channel encryption keys and inject keystrokes (CVE-2019-13054).
We'll cover our security study of a Logitech dongle based on Nordic Semiconductor's NRF24 SoC. And let's start, perhaps, with the radio channel itself.
How data "flies" in the radio channel
For time-frequency analysis of the radio signal, we used an SDR receiver based on the Blade-RF device in spectrum analyzer mode (you can also read about this ).
SDR Blade-RF device
We also considered the possibility of recording quadratures of the radio signal at an intermediate frequency in order to then analyze them using digital signal processing methods.
State Commission for Radio Frequencies in the Russian Federation for use by short-range devices in the frequency range 2400-2483,5 MHz. This is a very "populated" range, in which you will not find anything: Wi-Fi, Bluetooth, all kinds of remote controls, security systems, wireless detectors, mice with keyboards and other wireless digital devices.
2,4 GHz band spectrum
The interference situation in the range is rather complicated. Despite this, Logitech was able to provide reliable and stable reception by using the Enhanced ShockBurst protocol in the NRF24 transceiver in combination with frequency adaptation algorithms.
The channels in the band are placed at integer MHz positions as defined in NRF24 Nordic Semiconductor - total 84 channels in the frequency grid. The number of frequency channels used simultaneously by Logitech is, of course, less. We identified the use of at least four. Due to the limited span of the signal spectrum analyzer used, it was not possible to determine the exact list of frequency positions used, but this was not necessary. Information from the keyboard to the dongle-receiver is transmitted in Burst mode (short transmitter turns on) using two-position frequency modulation GFSK at a symbol rate of 1 Mbaud:
Keyboard radio signal in time view
The receiver uses the correlation principle of reception, so the transmitted packet contains a preamble and an address part. Error-correcting coding is not used, the data body is encrypted using the AES128 algorithm.
In general, the air interface of a Logitech wireless keyboard can be characterized as fully asynchronous with statistical division multiplexing and frequency response. This means that the keyboard transmitter changes the channel to transmit each new packet. The receiver does not know in advance either the transmission time or the frequency channel, but only a list of them. The receiver and transmitter meet on the channel thanks to the agreed frequency bypass and listen algorithms, as well as Enhanced ShockBurst acknowledgment mechanisms. We have not examined whether the channel list is static. Probably, its change is due to the frequency adaptation algorithm. Something close to the PRCH method (pseudo-random tuning of the operating frequency) is guessed in the use of the frequency resource of the range.
Thus, under conditions of time-frequency uncertainty, in order to guarantee reception of all keyboard signals, an attacker will need to constantly monitor the entire frequency grid of the range of 84 positions, which requires significant time costs. Here it becomes clear why USB key extraction vulnerability (CVE-2019-13054) It is positioned as the possibility of injecting keystrokes, rather than gaining access by an attacker to data entered from the keyboard. Obviously, the radio interface of the wireless keyboard is quite complex and provides reliable radio communication between Logitech devices in a difficult interference environment in the 2,4 GHz band.
An inside look at the problem
For research, we chose one of our available Logitech K330 keyboards and a Logitech Unifying dongle.
Logitech K330
Let's take a look inside the keyboard. An interesting element on the board for research is the SoC NRF24 chip from Nordic Semiconductor.
NRF24 SoC on Logitech K330 Wireless Keyboard Board
The firmware is located in the internal memory, the reading and debugging mechanisms are turned off. Unfortunately, the firmware has not been published in open sources. Therefore, we decided to approach the problem from the other side - to study the internal content of the Logitech dongle receiver.
The βinner worldβ of the dongle receiver is quite interesting. The dongle is easily disassembled, carries on board the NRF24 familiar to us in release with a built-in USB controller and can be reprogrammed both from the USB side and directly by the programmer.
Dongle Logitech without case
Since there is a regular firmware update mechanism using (from which you can extract the updated version of the firmware), there is no need to search for the firmware inside the dongle.
What was done: The RQR_012_005_00028.bin firmware was extracted from the body of the Firmware Update Tool application. To check its integrity, the dongle controller was connected by a loop :
Logitech dongle connection cable for ChipProg 48 programmer
To control the integrity of the firmware, it was successfully placed in the controller's memory and worked correctly, the keyboard and mouse were connected to the dongle via Logitech Unifying. It is possible to upload the modified firmware using the standard update mechanism, since there are no cryptographic protection mechanisms for the firmware. For research purposes, we used a physical connection to the programmer, since debugging is much faster this way.
Firmware investigation and attack on user input
The NRF24 chip is designed based on the Intel 8051 computing core in the traditional Harvard architecture. For the kernel, the transceiver acts as a peripheral device and is located in the address space as a set of registers. Documentation for the chip and examples of source code can be found on the Internet, so disassembling the firmware is not difficult. In the course of reverse engineering, we localized the functions for receiving keystroke data from the radio channel and converting it into HID format for transmission to the host via the USB interface. In free memory addresses, the injection code was placed, which included tools for intercepting control, saving and restoring the original execution context, as well as functional code.
The packet of pressing or releasing a key received by the dongle from the radio channel is decrypted, converted into a standard HID report and sent to the USB interface as from a conventional keyboard. As part of the study, the part of the HID report that contains the byte of modifier flags and an array of 6 bytes with keystroke codes is of greatest interest to us (for reference, information about HID ).
HID report structure:
// Keyboard HID report structure.
// See https://flylib.com/books/en/4.168.1.83/1/ (last access 2018 december)
// "Reports and Report Descriptors", "Programming the Microsoft Windows Driver Model"
typedef struct{
uint8_t Modifiers;
uint8_t Reserved;
uint8_t KeyCode[6];
}HidKbdReport_t;Immediately before passing the HID structure to the host, the injected code receives control, copies 8 bytes of native HID data in memory and sends them to the radio side channel in clear text. In code it looks like this:
//~~~~~~~~~ Send data via radio ~~~~~~~~~~~~~~~~~~~~~~~~~>
// Profiling have shown time execution ~1.88 mSec this block of code
SaveRfState(); // save transceiver state
RfInitForTransmition(TransmitRfAddress); // configure for special trnsmition
hal_nrf_write_tx_payload_noack(pDataToSend,sizeof(HidKbdReport_t)); // Write payload to radio TX FIFO
CE_PULSE(); // Toggle radio CE signal to start transmission
RestoreRfState(); // restore original transceiver state
//~~~~~~~~~ Send data via radio ~~~~~~~~~~~~~~~~~~~~~~~~~<The side channel is organized at the frequency set by us with certain characteristics of the manipulation speed and packet structure.
Operation of the transceiver in a chip is based on a state graph, in which the Enhanced ShockBurst protocol is organically inscribed. We found that the transceiver was in the IDLE state just before the HID data was sent to the host USB interface. This makes it possible to safely reconfigure it for side-channel operation. The injected code overrides control, preserves the original configuration of the transceiver in its entirety and puts it into a new transmission mode on the side channel. The Enhanced ShockBurst acknowledgment mechanism is disabled in this mode, HID data is transmitted in clear text over the air. The structure of the packet in the side channel is shown in the figure below, the signal plots are obtained after demodulation and before data clock recovery. The address value is chosen for the convenience of visual identification of the packet.
Demodulated Burst Burst Signal in the Side Channel
After the completion of the transmission of the packet to the side channel, the injected code restores the state of the transceiver. Now it is ready to work normally again in the context of the original firmware.
In the frequency and time-frequency domains, the side channel looks like this:
Spectral and time-frequency representation of the side channel
To test the operation of the NRF24 chip with modified firmware, we assembled a test bench that included a Logitech dongle with modified firmware, a wireless keyboard, and a receiver assembled on the basis of a Chinese module with an NRF24 chip.
Logitech Wireless Keyboard Radio Intercept Diagram
NRF24 based module
On the bench, during normal operation of the keyboard after connecting it to the Logitech dongle, we observed the transmission of open data on keystrokes in the side radio channel and the normal transmission of encrypted data in the main radio interface. Thus, we managed to provide direct interception of the user's keyboard input:
The result of intercepting keyboard input
The injected code introduces small delays in the operation of the dongle firmware. However, they are too small for the user to notice them.
As you understand, for such an attack vector, you can use any Logitech keyboard that is compatible with Unifying technology. Since the attack is directed at the Unifying receiver that is included with most Logitech keyboards, it is independent of the specific keyboard model.
Conclusion
The results of the study suggest that the scenario under consideration can be used by attackers: if a hacker replaces the victim with a dongle receiver for a Logitech wireless keyboard, he will be able to find out the passwords to the victim's accounts with all the ensuing consequences. Do not forget that it is also possible to inject keystrokes, which means that it is not difficult to execute arbitrary code on the victim's computer.
What if an attacker can remotely modify the firmware of any Logitech dongle via USB? Then, from closely spaced dongles, you can add up a network of repeaters and increase the leakage distance. Although modern means of radio reception with highly selective systems, sensitive radio receivers with a short frequency tuning time and narrowly directed antennas will allow a βfinancially secureβ attacker to βlistenβ to keyboard input and press keys even from a neighboring building.
Professional radio equipment
Since the wireless data link of the Logitech keyboard is quite well protected, the attack vector found requires physical access to the receiver, which greatly limits the attacker. The only protection option in this case could be the use of cryptographic protection mechanisms for the receiver's firmware, for example, verification of the signature of the downloaded firmware on the side of the receiver. But, unfortunately, NRF24 does not support this, and it is impossible to implement protection within the current device architecture. So take care of your dongles, because the described attack option requires physical access to them.
Raccoon Security is a dedicated team of Vulkan STC experts in the field of practical information security, cryptography, circuitry, reverse engineering and low-level software development.
Source: habr.com