A tarihi, yawancin ma'aikata suna amfani da maɓallan madannai mara waya da beraye daga Logitech. Shigar da kalmomin sirrinmu kuma, mu, ƙwararrun ƙungiyar Tsaro ta Raccoon, mun tambayi kanmu: shin yana da wahala a ketare hanyoyin tsaro na maɓallan maɓallan mara waya? Binciken ya bayyana kurakuran gine-gine da kurakuran software waɗanda ke ba da damar shigar da bayanan. A ƙasa da yanke shine abin da muka samu.
Me yasa Logitech?
A ra'ayinmu, na'urorin shigar da Logitech suna cikin mafi inganci kuma mafi dacewa. Yawancin na'urorin da muke da su sun dogara ne akan maganin Logitech shine mai karɓar dongle na duniya wanda ke ba ku damar haɗa na'urori har zuwa na'urori 6. Duk na'urorin da suka dace da fasahar Haɗin kai Logitech ana yiwa alama da tambarin fasahar Haɗin kai na Logitech. Sauƙi don amfani Yana ba ku damar sarrafa haɗin maɓallan maɓalli mara waya zuwa kwamfutarka. An rufe tsarin haɗa maɓalli zuwa dongle mai karɓar Logitech, da kuma fasahar kanta, alal misali, .
Mai karɓar Dongle tare da tallafin haɗin kan Logitech
Maɓallin madannai na iya zama tushen bayanai ga maharan. Logitech, la'akari da yiwuwar barazanar, ya kula da tsaro - ya yi amfani da AES128 boye-boye algorithm a cikin tashar rediyo na maballin mara waya. Tunani na farko da maharin zai iya samu a cikin wannan yanayin shine ya katse mahimman bayanai lokacin da ake watsa su ta tashar rediyo yayin aikin ɗaure. Bayan haka, idan kuna da maɓalli, za ku iya kutsa kai cikin siginar rediyo na madannai kuma ku yanke su. Duk da haka, mai amfani da wuya (ko ma bai taɓa ba) dole ne ya haɗa maballin, kuma mai ɗan fashin kwamfuta tare da rediyon dubawa zai jira dogon lokaci. Bugu da ƙari, ba duk abin da ke da sauƙi ba ne tare da tsarin tsaka-tsakin kanta. A cikin sabon binciken a watan Yuni 2019, masanin tsaro Markus Meng ya buga akan layi game da gano wani rauni a cikin tsohon firmware na Logitech USB dongles. Yana ba maharan damar samun damar shiga na'urori ta zahiri don samun maɓallan ɓoyayyen tashar rediyo da allurar maɓalli (CVE-2019-13054).
Za mu yi magana game da bincikenmu na tsaro na Logitech dongle dangane da NRF24 SoC daga Nordic Semiconductor. Bari mu fara, watakila, da tashar rediyo kanta.
Yadda bayanai ke "tashi" a tashar rediyo
Don nazarin siginar rediyo na lokaci-lokaci, mun yi amfani da mai karɓar SDR dangane da na'urar Blade-RF a cikin yanayin nazarin bakan (zaka iya karanta game da wannan. ).
SDR Blade-RF Na'urar
Mun kuma yi la'akari da yiwuwar yin rikodi quadratures na siginar rediyo a matsakaicin mita, wanda za'a iya yin nazari ta hanyar amfani da fasahar sarrafa siginar dijital.
Hukumar Jiha akan Mitocin Rediyo a Tarayyar Rasha don amfani da na'urori masu gajeren zango, kewayon mitar shine 2400-2483,5 MHz. Wannan kewayon “yawan jama’a” ne sosai, wanda ba za ku sami komai ba: Wi-Fi, Bluetooth, kowane nau'in sarrafa nesa, tsarin tsaro, na'urorin gano mara waya, beraye masu madanni da sauran na'urorin dijital mara waya.
Spectrum na 2,4 GHz band
Yanayin tsangwama a cikin kewayon yana da rikitarwa sosai. Duk da haka, Logitech ya sami damar samar da abin dogaro da kwanciyar hankali ta hanyar yin amfani da ka'idar Ingantaccen ShockBurst a cikin mai karɓar NRF24 a hade tare da algorithms daidaitawa mita.
Ana sanya tashoshi a cikin rukuni a matsayi na lamba MHz kamar yadda aka ayyana a ciki NRF24 Nordic Semiconductor - jimlar tashoshi 84 a cikin grid mitar. Adadin tashoshin mitar da aka yi amfani da su a lokaci guda ta Logitech, ba shakka, ƙasa ne. Mun gano amfani da akalla hudu. Saboda ƙayyadaddun bandwidth na na'urar tantance siginar siginar da aka yi amfani da ita, ba za a iya tantance ainihin jerin wuraren mitar da aka yi amfani da su ba, amma wannan bai zama dole ba. Ana watsa bayanai daga maballin madannai zuwa dongle mai karɓa a cikin yanayin fashewa (gajeren kunna mai watsawa) ta amfani da daidaitawar mitar matsayi biyu GFSK a ƙimar alama ta 1 Mbaud:
Siginar rediyo na allo a cikin wakilcin lokaci
Mai karɓa yana amfani da ƙa'idar daidaitawa ta liyafar, don haka fakitin da aka watsa ya ƙunshi preamble da ɓangaren adireshi. Ba a amfani da coding mai jurewa amo; an rufaffen jikin bayanan tare da algorithm AES128.
Gabaɗaya, ƙirar rediyo na madannai mara waya ta Logitech za a iya siffanta shi da gaba ɗaya asynchronous tare da ɗimbin ƙididdiga da daidaitawar mita. Wannan yana nufin cewa mai watsa maballin madannai yana canza tashar don watsa kowane sabon fakiti. Mai karɓa bai sani ba a gaba ko dai lokacin watsawa ko tashar mitar, amma lissafin su kawai aka sani. Mai karɓa da mai watsawa suna haɗuwa a cikin tashar godiya ga haɗin kai ta mita da algorithms na sauraro, da kuma ingantattun hanyoyin yarda da ShockBurst. Ba mu bincika ko jerin tashoshi na tsaye ba. Watakila, canjin sa ya faru ne ta hanyar daidaitawar algorithm. Ana iya ganin wani abu kusa da hanyar hopping mitar (pseudo-random tuning na mitar aiki) a cikin amfani da albarkatun mitar.
Don haka, a ƙarƙashin yanayin rashin tabbas-mita-lokaci, don tabbatar da garantin karɓar duk siginar madannai, mai hari zai buƙaci koyaushe saka idanu gabaɗayan grid na matsayi 84, wanda ke buƙatar babban adadin lokaci. Anan ya zama bayyananne dalilin da yasa raunin hakar maɓallin kebul na USB (CVE-2019-13054) an sanya shi azaman ikon yin allurar maɓalli, maimakon samun damar maharin zuwa bayanan da aka shigar daga madannai. Babu shakka, ƙirar rediyo na madannai mara igiyar waya yana da wahala sosai kuma yana ba da ingantaccen sadarwar rediyo tsakanin na'urorin Logitech a cikin mawuyacin yanayi na kutse a cikin band ɗin 2,4 GHz.
Kallon matsalar daga ciki
Don bincikenmu, mun zaɓi ɗaya daga cikin maɓallan madannai na Logitech K330 na yanzu da kuma dongle ɗin Haɗin Kan Logitech.
Logitech K330
Bari mu kalli cikin madannai. Wani abu mai ban sha'awa akan allon don yin nazari shine guntu na SoC NRF24 daga Nordic Semiconductor.
SoC NRF24 akan allon madannai mara waya ta Logitech K330
Ana samun firmware a cikin ƙwaƙwalwar ajiyar ciki, an kashe hanyoyin karantawa da gyara kuskure. Abin takaici, ba a buga firmware ɗin a buɗaɗɗen maɓuɓɓuka ba. Saboda haka, mun yanke shawarar tuntuɓar matsalar daga ɗayan ɓangaren - don nazarin abubuwan ciki na mai karɓar Logitech dongle.
"Duniya na ciki" na mai karɓar dongle yana da ban sha'awa sosai. Dongle yana da sauƙin tarwatsewa, yana ɗaukan sabawar NRF24 tare da ginanniyar mai sarrafa USB kuma ana iya sake tsara shi duka daga gefen USB kuma kai tsaye daga mai tsara shirye-shirye.
Logitech dongle ba tare da gidaje ba
Tun da akwai daidaitaccen tsari don sabunta firmware ta amfani da shi (daga abin da zaku iya fitar da sabunta firmware version), babu buƙatar neman firmware a cikin dongle.
Abin da aka yi: firmware RQR_012_005_00028.bin an ciro daga jikin aikace-aikacen Sabuntawar Firmware. Don bincika amincin sa, an haɗa mai sarrafa dongle tare da kebul :
Kebul don haɗa Logitech dongle zuwa ChipProg 48 mai tsara shirye-shirye
Don sarrafa amincin firmware, an sami nasarar sanya shi a cikin ƙwaƙwalwar mai sarrafawa kuma yayi aiki daidai, keyboard da linzamin kwamfuta an haɗa su zuwa dongle ta hanyar haɗin gwiwar Logitech. Yana yiwuwa a loda ingantaccen firmware ta amfani da daidaitaccen tsarin ɗaukakawa, tunda babu hanyoyin kariya na sirri don firmware. Don dalilai na bincike, mun yi amfani da haɗin jiki zuwa mai tsara shirye-shirye, tun da gyara kuskure ya fi sauri ta wannan hanya.
Binciken firmware da kai hari akan shigar mai amfani
An ƙera guntuwar NRF24 bisa tushen ƙididdigar Intel 8051 a cikin gine-ginen Harvard na gargajiya. Don ainihin, transceiver yana aiki azaman na'urar gefe kuma an sanya shi cikin sararin adireshi azaman saitin rajista. Ana iya samun takaddun guntu da misalan lambar tushe akan Intanet, don haka rarraba firmware ba shi da wahala. A lokacin aikin injiniya na baya, mun gano ayyukan don karɓar bayanan maɓalli daga tashar rediyo da musanya shi zuwa tsarin HID don watsawa ga mai watsa shiri ta hanyar kebul na USB. An sanya lambar allurar a cikin adiresoshin ƙwaƙwalwar ajiya kyauta, waɗanda suka haɗa da kayan aiki don shiga tsakani, adanawa da dawo da mahallin aiwatarwa na asali, da kuma lambar aiki.
Fakitin latsawa ko sakin maɓalli da dongle ya karɓa daga tashar rediyo an lalata shi, an canza shi zuwa daidaitaccen rahoton HID kuma a aika zuwa kebul na USB kamar daga madannai na yau da kullun. A matsayin wani ɓangare na binciken, ɓangaren rahoton HID wanda ya fi sha'awar mu shine ɓangaren rahoton HID mai ɗauke da byte na tutoci masu gyara da tsararrun bytes 6 tare da lambobin maɓalli (don tunani, bayani game da HID). ).
Tsarin rahoton HID:
// Keyboard HID report structure.
// See https://flylib.com/books/en/4.168.1.83/1/ (last access 2018 december)
// "Reports and Report Descriptors", "Programming the Microsoft Windows Driver Model"
typedef struct{
uint8_t Modifiers;
uint8_t Reserved;
uint8_t KeyCode[6];
}HidKbdReport_t;Nan da nan kafin isar da tsarin HID ga mai watsa shiri, lambar allurar tana ɗaukar iko, kwafi 8 bytes na bayanan HID na asali a ƙwaƙwalwar ajiya kuma aika shi zuwa tashar gefen rediyo a bayyanannen rubutu. A cikin code yana kama da haka:
//~~~~~~~~~ Send data via radio ~~~~~~~~~~~~~~~~~~~~~~~~~>
// Profiling have shown time execution ~1.88 mSec this block of code
SaveRfState(); // save transceiver state
RfInitForTransmition(TransmitRfAddress); // configure for special trnsmition
hal_nrf_write_tx_payload_noack(pDataToSend,sizeof(HidKbdReport_t)); // Write payload to radio TX FIFO
CE_PULSE(); // Toggle radio CE signal to start transmission
RestoreRfState(); // restore original transceiver state
//~~~~~~~~~ Send data via radio ~~~~~~~~~~~~~~~~~~~~~~~~~<An tsara tashar tashar a mitar da muka saita tare da wasu halaye na saurin magudi da tsarin fakiti.
Aiki na transceiver a cikin guntu ya dogara ne akan jadawali na jiha wanda a cikinsa aka haɗa ƙa'idar Ingantacciyar ShockBurst ta zahiri. Mun gano cewa nan da nan kafin aika bayanan HID zuwa kebul na USB mai masaukin baki, mai aikawa yana cikin jihar IDLE. Wannan yana ba da damar sake saita shi cikin aminci don yin aiki a tashar gefe. Lambar da aka yi wa allurar tana sadar da iko, tana adana daidaitaccen tsari na transceiver gaba ɗaya kuma ya canza shi zuwa sabon yanayin watsawa a tashar gefe. An kashe na'urar tabbatar da Ingantacciyar ShockBurst a wannan yanayin; Ana watsa bayanan HID a fili ta hanyar iska. An nuna tsarin fakitin a cikin tashar tashar a cikin hoton da ke ƙasa, an samo siginar siginar bayan ƙaddamarwa kuma kafin sake dawo da aiki tare da agogon bayanai. An zaɓi ƙimar adireshin don sauƙin ganewa na fakitin.
Siginar fashewar fashewar da aka lalata a cikin Tashar Side
Bayan an aika fakitin zuwa tashar gefe, lambar da aka yi wa allurar tana dawo da yanayin mai ɗaukar hoto. Yanzu yana shirye don yin aiki akai-akai a cikin mahallin firmware na asali.
A cikin mitar da mitar lokaci, tashar gefen tayi kama da haka:
Spectral da mitar lokaci-lokaci wakilcin tashar gefen
Don gwada aikin guntu na NRF24 tare da ingantaccen firmware, mun haɗu da tsayin daka wanda ya haɗa da Logitech dongle tare da gyare-gyaren firmware, maɓalli mara waya da mai karɓa da aka haɗa bisa tushen tsarin Sinanci tare da guntu NRF24.
Logitech mara igiyar waya ta madanni na rediyon da'ira
NRF24 tushen module
A kan benci, tare da madannai da ke aiki akai-akai, bayan haɗa shi zuwa Logitech dongle, mun lura da watsa cikakkun bayanai game da maɓallan maɓalli a cikin tashar rediyo ta gefe da kuma yadda aka saba watsa bayanan rufaffiyar a cikin babbar hanyar sadarwa ta rediyo. Don haka, mun sami damar samar da shigar da madannai na mai amfani kai tsaye shiga:
Sakamakon shiga tsakani na maɓalli
Lambar da aka yi wa allurar tana gabatar da ɗan jinkiri a cikin aikin firmware dongle. Koyaya, sun yi ƙanƙanta don mai amfani ya lura.
Kamar yadda kuke tsammani, kowane madannai na Logitech wanda ya dace da fasahar Haɗin kai ana iya amfani da shi don wannan harin harin. Tunda harin ya shafi mai karɓar Haɗin kai wanda aka haɗa tare da yawancin maɓallan madannai na Logitech, ya kasance mai zaman kansa daga takamaiman ƙirar madannai.
ƙarshe
Sakamakon binciken ya ba da shawarar yiwuwar amfani da yanayin da maharan suka yi amfani da shi: idan dan gwanin kwamfuta ya maye gurbin wanda aka azabtar da mai karɓar dongle don maɓalli mara waya ta Logitech, to zai iya gano kalmomin shiga cikin asusun wanda aka azabtar tare da duk abubuwan da suka biyo baya. sakamakon. Kar ka manta cewa yana yiwuwa kuma a yi allurar maɓalli, wanda ke nufin cewa ba shi da wahala a aiwatar da code na sabani akan kwamfutar wanda aka azabtar.
Me zai faru idan ba zato ba tsammani mai hari zai iya canza firmware na kowane Logitech dongle ta USB? Sa'an nan, daga dongles masu nisa kusa, zaku iya ƙirƙirar hanyar sadarwa na masu maimaitawa kuma ku ƙara nisan yabo. Duk da cewa maharin “masu arziƙin kuɗi” zai iya “saurara” shigar da madannai da latsa maɓalli ko da daga ginin da ke makwabtaka da shi, kayan liyafar rediyo na zamani tare da tsarin zaɓin zaɓi, masu karɓar radiyo tare da gajerun lokutan kunna mitar da eriya mai ƙarfi sosai za su ba su damar. don “saurara” shigar da madannai kuma latsa maɓalli har ma daga ginin maƙwabta.
ƙwararrun kayan aikin rediyo
Tunda tashar watsa bayanai mara waya ta maballin Logitech yana da kariya sosai, vector ɗin da aka samo yana buƙatar samun damar jiki zuwa mai karɓa, wanda ke iyakance maharin sosai. Zaɓin kariyar kawai a cikin wannan yanayin shine amfani da hanyoyin kariya na sirri don firmware mai karɓa, misali, duba sa hannun firmware ɗin da aka ɗora a gefen mai karɓa. Amma, rashin alheri, NRF24 baya goyan bayan wannan kuma ba shi yiwuwa a aiwatar da kariya a cikin gine-ginen na'ura na yanzu. Don haka kula da dongles ɗin ku, saboda zaɓin harin da aka kwatanta yana buƙatar samun damar jiki zuwa gare su.
Tsaron Raccoon ƙungiya ce ta musamman ta ƙwararrun masana daga Cibiyar Bincike da Ci gaba ta Vulcan a fagen ingantaccen tsaro na bayanai, cryptography, ƙirar da'ira, injiniyan juye-juye da ƙirƙirar software mara ƙarfi.
source: www.habr.com