Keeb kwm, feem ntau cov neeg ua haujlwm siv wireless keyboards thiab nas los ntawm Logitech. Nkag mus rau peb cov passwords ib zaug ntxiv, peb, cov kws tshaj lij ntawm pab pawg Raccoon Security, nug peb tus kheej cov lus nug: nws nyuaj npaum li cas los hla txoj kev ruaj ntseg ntawm cov keyboards wireless? Txoj kev tshawb no qhia txog kev ua vaj tse tsis zoo thiab software yuam kev uas tso cai rau nkag mus rau cov ntaub ntawv nkag. Hauv qab qhov txiav yog qhov peb tau txais.
Vim li cas Logitech?
Hauv peb lub tswv yim, Logitech cov khoom siv nkag yog ib qho zoo tshaj plaws thiab yooj yim tshaj plaws. Feem ntau ntawm cov cuab yeej peb muaj yog raws li kev daws teeb meem Logitech yog ib tug universal dongle receiver uas tso cai rau koj mus cuag li 6 li. Tag nrho cov khoom siv sib xws nrog Logitech Unifying thev naus laus zis tau cim nrog Logitech Unifying thev naus laus zis logo. Yooj yim rau siv Tso cai rau koj los tswj kev sib txuas ntawm wireless keyboards rau koj lub computer. Cov txheej txheem ntawm kev txuas cov keyboard mus rau Logitech receiver dongle, nrog rau cov thev naus laus zis nws tus kheej, tau them, piv txwv li, .
Dongle receiver nrog Logitech Unifying kev txhawb nqa
Cov keyboard tuaj yeem dhau los ua cov ntaub ntawv rau cov neeg tawm tsam. Logitech, coj mus rau hauv tus account qhov kev hem thawj, tau saib xyuas kev nyab xeeb - siv AES128 encryption algorithm hauv xov tooj cua channel ntawm wireless keyboard. Thawj qhov kev xav tias tus neeg tawm tsam yuav muaj nyob rau hauv qhov xwm txheej no yog cuam tshuam cov ntaub ntawv tseem ceeb thaum nws raug xa mus rau hauv xov tooj cua channel thaum lub sijhawm ua haujlwm. Tom qab tag nrho, yog tias koj muaj tus yuam sij, koj tuaj yeem cuam tshuam cov keyboard lub xov tooj cua teeb liab thiab decrypt lawv. Txawm li cas los xij, tus neeg siv tsis tshua muaj (lossis tseem tsis tau) yuav tsum sib koom ua ke ntawm cov keyboard, thiab tus neeg nyiag khoom nrog lub xov tooj cua scan yuav tau tos ntev. Tsis tas li ntawd, tsis yog txhua yam yooj yim heev nrog cov txheej txheem cuam tshuam nws tus kheej. Hauv qhov kev tshawb fawb zaum kawg hauv Lub Rau Hli 2019, tus kws paub txog kev ruaj ntseg Markus Mengs luam tawm online hais txog qhov kev tshawb pom ntawm qhov tsis zoo hauv cov firmware qub ntawm Logitech USB dongles. Nws tso cai rau cov neeg tawm tsam nrog lub cev nkag mus rau cov khoom siv kom tau txais xov tooj cua channel encryption yuam sij thiab txhaj cov keystrokes (CVE-2019-13054).
Peb yuav tham txog peb txoj kev tshawb fawb txog kev ruaj ntseg ntawm Logitech dongle raws li NRF24 SoC los ntawm Nordic Semiconductor. Cia peb pib, tej zaum, nrog rau xov tooj cua channel nws tus kheej.
Yuav ua li cas cov ntaub ntawv "yav" hauv xov tooj cua channel
Rau lub sij hawm-frequency tsom xam ntawm lub xov tooj cua teeb liab, peb siv ib tug SDR receiver raws li lub Blade-RF ntaus ntawv nyob rau hauv spectrum analyzer hom (koj tuaj yeem nyeem txog qhov no. ).
SDR Blade-RF ntaus ntawv
Peb kuj tau txiav txim siab txog qhov muaj peev xwm ntawm kev kaw quadratures ntawm lub xov tooj cua teeb liab ntawm qhov nruab nrab zaus, uas tuaj yeem soj ntsuam siv cov txheej txheem ua cov teeb liab digital.
Lub Xeev Commission ntawm Xov Tooj Cua Frequencies hauv Lavxias Federation rau siv los ntawm cov khoom siv luv luv, qhov ntau zaus yog 2400-2483,5 MHz. Qhov no yog qhov "populated" ntau yam, uas koj yuav tsis pom dab tsi: Wi-Fi, Bluetooth, txhua yam ntawm cov chaw taws teeb tswj, kev ruaj ntseg systems, wireless detectors, nas nrog keyboards thiab lwm yam wireless digital li.
Spectrum ntawm 2,4 GHz band
Kev cuam tshuam ib puag ncig hauv qhov ntau yog qhov nyuaj heev. Txawm li cas los xij, Logitech muaj peev xwm muab kev txais tos zoo thiab ruaj khov los ntawm kev siv Cov Txheej Txheem Txhim Kho ShockBurst hauv NRF24 transceiver ua ke nrog zaus hloov kho algorithms.
Cov channel hauv ib pab pawg tau muab tso rau ntawm qhov sib npaug MHz txoj haujlwm raws li tau hais tseg hauv NRF24 Nordic Semiconductor - tag nrho ntawm 84 raws hauv daim phiaj zaus. Tus naj npawb ntawm ib txhij siv zaus raws los ntawm Logitech yog, ntawm chav kawm, tsawg dua. Peb tau txheeb xyuas qhov siv tsawg kawg yog plaub. Vim qhov txwv bandwidth ntawm lub teeb liab spectrum analyzer siv, cov npe tseeb ntawm cov haujlwm zaus siv tsis tuaj yeem txiav txim siab, tab sis qhov no tsis tsim nyog. Cov ntaub ntawv los ntawm cov keyboard mus rau lub receiver dongle yog kis nyob rau hauv Burst hom (short lem ntawm lub transmitter) siv ob-txoj hauj lwm zaus modulation GFSK ntawm lub cim tus nqi ntawm 1 Mbaud:
Keyboard xov tooj cua teeb liab hauv lub sijhawm sawv cev
Tus neeg txais khoom siv lub hauv paus ntsiab lus sib txuas ntawm kev txais tos, yog li cov pob ntawv xa tawm muaj cov lus piav qhia thiab qhov chaw nyob. Tsis siv lub suab nrov-resistant coding; cov ntaub ntawv lub cev yog encrypted nrog AES128 algorithm.
Nyob rau hauv dav dav, lub xov tooj cua interface ntawm Logitech wireless keyboard tuaj yeem ua tus yam ntxwv asynchronous tag nrho nrog cov lej sib npaug thiab zaus hloov pauv. Qhov no txhais tau hais tias cov keyboard transmitter hloov cov channel xa mus rau txhua pob ntawv tshiab. Tus neeg txais tsis paub ua ntej yog lub sijhawm sib kis lossis cov channel zaus, tab sis tsuas yog lawv cov npe paub. Lub receiver thiab transmitter sib ntsib nyob rau hauv lub channel ua tsaug rau kev sib koom ua ke zaus bypass thiab mloog algorithms, raws li zoo raws li Enhanced ShockBurst acknowledgement mechanisms. Peb tsis tau tshawb xyuas seb cov npe channel puas zoo li qub. Tej zaum, nws qhov kev hloov pauv yog vim qhov kev hloov pauv ntawm zaus. Ib yam dab tsi nyob ze rau txoj kev hopping zaus (pseudo-random tuning ntawm kev khiav hauj lwm zaus) tuaj yeem pom nyob rau hauv kev siv cov peev txheej ntawm qhov ntau.
Yog li, nyob rau hauv cov xwm txheej ntawm lub sij hawm-zaus tsis paub meej, kom ntseeg tau tias tau txais kev lees paub ntawm tag nrho cov keyboard signals, tus neeg tawm tsam yuav tsum tau saib xyuas tag nrho cov kab sib chaws zaus ntawm 84 txoj haujlwm, uas yuav tsum muaj sijhawm ntau. Ntawm no nws paub meej tias vim li cas USB qhov tseem ceeb rho tawm qhov tsis zoo (CVE-2019-13054) positioned raws li lub peev xwm los txhaj cov keystrokes, es tsis tau txais ib tug attacker nkag mus rau cov ntaub ntawv nkag los ntawm cov keyboard. Obviously, lub xov tooj cua interface ntawm wireless keyboard yog qhov nyuaj heev thiab muab kev sib txuas lus xov tooj cua txhim khu kev qha ntawm Logitech cov cuab yeej hauv cov kev cuam tshuam nyuaj hauv 2,4 GHz band.
Saib qhov teeb meem ntawm sab hauv
Rau peb txoj kev kawm, peb xaiv ib qho ntawm peb cov keyboards Logitech K330 uas twb muaj lawm thiab Logitech Unifying dongle.
Logitech K330
Cia peb saib hauv cov keyboard. Ib qho tseem ceeb ntawm lub rooj tsavxwm los kawm yog SoC NRF24 nti los ntawm Nordic Semiconductor.
SoC NRF24 ntawm Logitech K330 wireless keyboard board
Lub firmware nyob rau hauv lub cim xeeb sab hauv, nyeem ntawv thiab debugging mechanisms yog neeg xiam. Hmoov tsis zoo, lub firmware tsis tau luam tawm hauv qhov chaw qhib. Yog li ntawd, peb txiav txim siab los mus kom ze rau qhov teeb meem los ntawm sab nraud - mus kawm cov ntsiab lus sab hauv ntawm Logitech dongle receiver.
Lub "sab hauv ntiaj teb" ntawm dongle receiver yog qhov nthuav heev. Lub dongle tau yooj yim disassembled, nqa ntawm lub rooj tsav xwm paub NRF24 tso tawm nrog lub built-in USB maub los thiab tuaj yeem rov ua dua ob qho tib si los ntawm USB sab thiab ncaj qha los ntawm tus programmer.
Logitech dongle tsis muaj vaj tse
Txij li thaum muaj ib tug txheej txheem mechanism rau hloov kho lub firmware siv (los ntawm qhov koj tuaj yeem rho tawm qhov hloov kho firmware version), tsis tas yuav nrhiav cov firmware hauv lub dongle.
Dab tsi ua tiav: firmware RQR_012_005_00028.bin tau muab rho tawm los ntawm lub cev ntawm daim ntawv thov Firmware Update Tool. Txhawm rau txheeb xyuas nws txoj kev ncaj ncees, lub dongle maub los tau txuas nrog lub cable :
Cable rau txuas Logitech dongle rau ChipProg 48 programmer
Txhawm rau tswj kev ncaj ncees ntawm lub firmware, nws tau ua tiav nyob rau hauv tus tswj lub cim xeeb thiab ua haujlwm kom raug, cov keyboard thiab nas tau txuas nrog lub dongle ntawm Logitech Unifying. Nws muaj peev xwm upload hloov kho firmware siv tus txheej txheem hloov tshiab mechanism, vim tsis muaj cryptographic tiv thaiv mechanisms rau lub firmware. Rau kev tshawb fawb lub hom phiaj, peb siv lub cev sib txuas rau tus programmer, vim tias kev debugging sai dua li no.
Firmware tshawb fawb thiab tawm tsam ntawm cov neeg siv tswv yim
NRF24 nti yog tsim los ntawm Intel 8051 xam core nyob rau hauv ib txwm Harvard architecture. Rau cov tub ntxhais, lub transceiver ua raws li cov khoom siv peripheral thiab muab tso rau hauv qhov chaw nyob raws li cov txheej txheem sau npe. Cov ntaub ntawv rau cov nti thiab cov qauv piv txwv tuaj yeem pom hauv Is Taws Nem, yog li kev tshem tawm cov firmware tsis yooj yim. Thaum lub sij hawm rov qab engineering, peb localized lub zog rau kev txais keystroke cov ntaub ntawv los ntawm lub xov tooj cua channel thiab hloov mus rau hauv HID hom ntawv rau kev xa mus rau tus tswv tsev ntawm USB interface. Cov cai txhaj tshuaj tau muab tso rau hauv qhov chaw nyob dawb, uas suav nrog cov cuab yeej cuam tshuam rau kev tswj hwm, txuag thiab kho cov ntsiab lus tseem ceeb ntawm kev ua tiav, nrog rau cov cai ua haujlwm.
Cov pob ntawv ntawm nias lossis tso tus yuam sij tau txais los ntawm dongle los ntawm xov tooj cua channel yog decrypted, hloov mus rau hauv daim ntawv qhia HID txheem thiab xa mus rau USB interface raws li los ntawm cov keyboard tsis tu ncua. Raws li ib feem ntawm txoj kev tshawb no, ib feem ntawm HID daim ntawv tshaj tawm uas nyiam tshaj plaws rau peb yog ib feem ntawm HID daim ntawv tshaj tawm uas muaj ib byte ntawm tus chij hloov kho thiab ib qho array ntawm 6 bytes nrog keystroke codes (rau kev siv, cov ntaub ntawv hais txog HID ).
HID daim ntawv qhia qauv:
// Keyboard HID report structure.
// See https://flylib.com/books/en/4.168.1.83/1/ (last access 2018 december)
// "Reports and Report Descriptors", "Programming the Microsoft Windows Driver Model"
typedef struct{
uint8_t Modifiers;
uint8_t Reserved;
uint8_t KeyCode[6];
}HidKbdReport_t;Tam sim ntawd ua ntej xa cov qauv HID mus rau tus tswv tsev, cov cai txhaj tshuaj tswj hwm, luam 8 bytes ntawm haiv neeg HID cov ntaub ntawv hauv lub cim xeeb thiab xa mus rau hauv xov tooj cua sab channel hauv cov ntawv ntshiab. Hauv code nws zoo li no:
//~~~~~~~~~ Send data via radio ~~~~~~~~~~~~~~~~~~~~~~~~~>
// Profiling have shown time execution ~1.88 mSec this block of code
SaveRfState(); // save transceiver state
RfInitForTransmition(TransmitRfAddress); // configure for special trnsmition
hal_nrf_write_tx_payload_noack(pDataToSend,sizeof(HidKbdReport_t)); // Write payload to radio TX FIFO
CE_PULSE(); // Toggle radio CE signal to start transmission
RestoreRfState(); // restore original transceiver state
//~~~~~~~~~ Send data via radio ~~~~~~~~~~~~~~~~~~~~~~~~~<Sab channel tau teeb tsa ntawm qhov zaus peb tau teeb tsa nrog qee tus yam ntxwv ntawm kev tswj xyuas ceev thiab pob ntawv qauv.
Kev ua haujlwm ntawm lub transceiver hauv lub nti yog raws li lub xeev daim duab rau hauv uas Enhanced ShockBurst raws tu qauv yog organically integrated. Peb pom tias tam sim ntawd ua ntej xa HID cov ntaub ntawv mus rau tus tswv USB interface, lub transceiver nyob rau hauv lub xeev IDLE. Qhov no ua rau nws muaj peev xwm ua kom muaj kev nyab xeeb dua nws ua haujlwm hauv ib sab channel. Txoj cai txhaj tshuaj cuam tshuam kev tswj hwm, khaws cia qhov kev hloov pauv ntawm tus thawj transceiver nyob rau hauv tag nrho thiab hloov nws mus rau ib qho tshiab kis tau tus mob ntawm sab channel. Lub Khoos Phis Tawj Kho Mob ShockBurst tau ua haujlwm tsis taus hauv hom no; HID cov ntaub ntawv raug xa mus rau hauv daim ntawv ntshiab saum huab cua. Cov qauv ntawm pob ntawv nyob rau hauv sab channel yog qhia nyob rau hauv daim duab hauv qab no, cov teeb liab daim duab tau txais tom qab demodulation thiab ua ntej lub restoration ntawm cov ntaub ntawv moos synchronization. Qhov chaw nyob tus nqi raug xaiv kom yooj yim ntawm kev pom qhov pom ntawm pob.
Demodulated Burst Burst Signal nyob rau sab Channel
Tom qab lub pob ntawv xa mus rau sab channel, cov txheej txheem txhaj tshuaj rov qab lub xeev ntawm lub transceiver. Tam sim no nws tau rov npaj ua haujlwm ib txwm nyob rau hauv cov ntsiab lus ntawm thawj firmware.
Nyob rau hauv zaus thiab lub sij hawm-frequency domains, sab channel zoo li no:
Spectral thiab lub sij hawm-zaus sawv cev ntawm sab channel
Txhawm rau kuaj kev ua haujlwm ntawm NRF24 nti nrog hloov kho firmware, peb tau sib sau ua ke ib qho chaw muag khoom uas suav nrog Logitech dongle nrog hloov kho firmware, wireless keyboard thiab lub receiver sib sau ua ke raws li Suav module nrog NRF24 nti.
Logitech wireless keyboard xov tooj cua teeb liab cuam tshuam Circuit Court
NRF24 raws module
Ntawm lub rooj ntev zaum, nrog cov keyboard ua haujlwm ib txwm, tom qab txuas nws mus rau Logitech dongle, peb tau pom qhov kev sib kis ntawm cov ntaub ntawv meej txog keystrokes nyob rau sab xov tooj cua channel thiab ib txwm xa cov ntaub ntawv encrypted hauv lub xov tooj cua tseem ceeb. Yog li, peb tuaj yeem muab kev cuam tshuam ncaj qha ntawm cov neeg siv cov keyboard nkag:
Qhov tshwm sim ntawm intercepting keyboard input
Cov cai txhaj tshuaj qhia txog kev qeeb me ntsis hauv kev ua haujlwm ntawm dongle firmware. Txawm li cas los xij, lawv tsawg dhau rau cov neeg siv pom.
Raws li koj tuaj yeem xav, txhua tus Logitech keyboard uas tau sib xws nrog Unifying thev naus laus zis tuaj yeem siv rau qhov kev tawm tsam no. Txij li thaum qhov kev tawm tsam tsom mus rau Unifying receiver nrog rau feem ntau Logitech keyboards, nws yog ywj siab ntawm cov qauv keyboard tshwj xeeb.
xaus
Cov txiaj ntsig ntawm txoj kev tshawb fawb qhia txog qhov muaj peev xwm siv tau qhov kev xav tau los ntawm cov neeg tawm tsam: yog tias hacker hloov tus neeg raug tsim txom nrog lub dongle receiver rau Logitech wireless keyboard, ces nws yuav muaj peev xwm nrhiav tau cov passwords rau tus neeg raug tsim txom cov nyiaj nrog tag nrho cov tom ntej. qhov tshwm sim. Tsis txhob hnov ββββqab tias nws tseem muaj peev xwm txhaj cov keystrokes, uas txhais tau hais tias nws tsis yooj yim rau kev ua txhaum cai ntawm tus neeg raug tsim txom lub computer.
Yuav ua li cas yog tias tam sim ntawd tus neeg tawm tsam tuaj yeem hloov kho lub firmware ntawm Logitech dongle ntawm USB? Tom qab ntawd, los ntawm qhov sib ze ntawm dongles, koj tuaj yeem tsim ib lub network ntawm repeaters thiab nce qhov kev ncua deb. Txawm hais tias tus "nyiaj txiag muaj txiaj ntsig" tus neeg tawm tsam yuav tuaj yeem "mloog" rau cov tswv yim keyboard thiab nias cov yuam sij txawm tias los ntawm ib lub tsev nyob sib ze, cov cuab yeej siv xov tooj cua niaj hnub nrog cov txheej txheem xaiv tau zoo, cov xov tooj cua rhiab heev nrog lub sijhawm luv luv thiab cov kav hlau txais xov zoo heev yuav tso cai rau lawv. kom "mloog" rau cov tswv yim keyboard thiab nias cov yuam sij txawm tias los ntawm ib lub tsev nyob sib ze.
Cov khoom siv xov tooj cua tshaj lij
Txij li thaum lub wireless cov ntaub ntawv kis tau tus mob channel ntawm Logitech keyboard muaj kev tiv thaiv zoo heev, qhov pom kev tawm tsam vector xav tau lub cev nkag mus rau tus txais, uas txwv tsis pub tus neeg tawm tsam. Qhov kev tiv thaiv nkaus xwb nyob rau hauv cov ntaub ntawv no yuav yog siv cryptographic tiv thaiv mechanisms rau lub receiver firmware, piv txwv li, xyuas lub kos npe ntawm lub loaded firmware nyob rau hauv lub receiver sab. Tab sis, hmoov tsis, NRF24 tsis txhawb qhov no thiab nws tsis tuaj yeem siv kev tiv thaiv hauv cov cuab yeej cuab tam tam sim no. Yog li saib xyuas koj cov dongles, vim hais tias qhov kev xaiv nres tau piav qhia yuav tsum tau nkag mus rau lawv lub cev.
Raccoon Security yog ib pab neeg tshwj xeeb ntawm cov kws tshaj lij los ntawm Vulcan Research thiab Development Center hauv kev ua haujlwm ntawm cov ntaub ntawv kev ruaj ntseg, cryptography, circuit design, thim rov qab engineering thiab qis-qib software tsim.
Tau qhov twg los: www.hab.com