Nhoroondo, vashandi vazhinji vanoshandisa mabhaibheri asina waya uye mbeva kubva kuLogitech. Tichiisa mapassword edu zvakare, isu, nyanzvi dzechikwata cheRaccoon Security, takazvibvunza: zvakaoma sei kunzvenga nzira dzekuchengetedza dzeasina waya kiyibhodhi? Chidzidzo ichi chakaratidza kukanganisa kwekuvaka uye zvikanganiso zvesoftware zvinobvumira kuwana data rekuisa. Pazasi pekuchekwa ndiko kwatakawana.
Sei Logitech?
Semaonero edu, Logitech michina yekupinza iri pakati pemhando yepamusoro uye yakanyanya nyore. Mazhinji emidziyo yatinayo yakavakirwa paLogitech mhinduro ndeye yepasirese dongle inogamuchira iyo inokutendera kuti ubatanidze kusvika kumidziyo mitanhatu. Midziyo yese inoenderana neLogitech Unifying tekinoroji yakanyorwa neiyo Logitech Unifying tekinoroji logo. Easy kushandisa Inokutendera kuti utore kubatana kweasina waya kiyibhodhi pakombuta yako. Maitiro ekubatanidza iyo keyboard kune Logitech inogamuchira dongle, pamwe neiyo tekinoroji pachayo, yakafukidzwa, semuenzaniso, .
Dongle inogamuchira ine Logitech Unifying rutsigiro
Iyo keyboard inogona kuve sosi yeruzivo kune vanorwisa. Logitech, achifunga nezvekutyisidzira kwaigona kuitika, akatarisira kuchengetedza - akashandisa iyo AES128 encryption algorithm muredhiyo chiteshi chetambo isina waya. Pfungwa yekutanga ingangove neanorwisa mumamiriro ezvinhu aya ndeyekutora ruzivo rwakakosha kana rwafambiswa neredhiyo panguva yekusunga. Mushure mezvose, kana iwe uine kiyi, unogona kubata redhiyo redhiyo uye nekudzima. Nekudaro, mushandisi haawanzo (kana kutomboita) anofanira kubatanidza iyo keyboard, uye hacker ine redhiyo yekuvheneka anozofanira kumirira kwenguva yakareba. Uye zvakare, hazvisi zvese zviri nyore neiyo yekubira maitiro pachayo. Muchidzidzo chazvino muna Chikumi 2019, nyanzvi yekuchengetedza Markus Mengs yakaburitswa online nezve kuwanikwa kwekusagadzikana mune yekare firmware yeLogitech USB dongles. Iyo inobvumira vanorwisa nekuwana kwemuviri kumidziyo kuti vawane redhiyo chiteshi encryption makiyi uye kubaya makiyi (CVE-2019-13054).
Tichataura nezve yedu kuchengetedza kudzidza kweLogitech dongle yakavakirwa paNRF24 SoC kubva kuNordic Semiconductor. Ngatitange, pamwe, neredhiyo chiteshi pachayo.
Iyo data "inobhururuka" muchiteshi cheredhiyo
Kuongorora nguva-frequency yechiratidzo cheredhiyo, takashandisa SDR inogamuchira yakavakirwa paBlade-RF mudziyo mune spectrum analyzer mode (unogona zvakare kuverenga nezve izvi. ).
SDR Blade-RF Chishandiso
Isu takafungawo nezve mukana wekurekodha quadratures yeredhiyo siginecha panguva yepakati frequency, iyo inogona kuongororwa tichishandisa madhijitari masaini ekugadzirisa maitiro.
State Commission paRadio Frequencies muRussian Federation yekushandiswa nemidziyo mipfupi-renji, iyo frequency renji ndeye 2400-2483,5 MHz. Iyi inzvimbo "izere nevanhu", umo iwe haungawane chero chinhu: Wi-Fi, Bluetooth, marudzi ese ezvinodzora kure, masisitimu ekuchengetedza, madhijitari asina waya, mbeva dzine kiibhodhi uye mamwe madhijitari asina waya.
Spectrum ye2,4 GHz bhendi
Kupindira kwenzvimbo muhuwandu hwakanyanya kuoma. Pasinei neizvi, Logitech yakakwanisa kupa kugamuchira kwakavimbika uye kwakagadzikana kuburikidza nekushandiswa kweEnhanced ShockBurst protocol muNRF24 transceiver pamwe chete nefrequency adaptation algorithms.
Zviteshi mubhendi zvinoiswa munzvimbo dzakakwana MHz sekutsanangurwa kwazvinoitwa NRF24 Nordic Semiconductor - huwandu hwe84 chiteshi mune frequency grid. Huwandu hweakashandiswa panguva imwe chete frequency chiteshi neLogitech, hongu, shoma. Takaona kushandiswa kweanenge mana. Nekuda kweiyo shoma bandwidth yechiratidzo spectrum analyzer yakashandiswa, iyo chaiyo rondedzero yefrequency zvinzvimbo zvakashandiswa yaisagona kutsanangurwa, asi izvi zvaive zvisiri madikanwa. Ruzivo kubva kukhibhodi kuenda kune inogamuchira dongle inofambiswa muBurst modhi (ipfupi inotendeuka pane transmitter) uchishandisa maviri-nzvimbo frequency modulation GFSK pachiyero chechiratidzo che1 Mbaud:
Keyboard redhiyo chiratidzo mukumiririra nguva
Iye anogamuchira anoshandisa iyo yekubatanidza musimboti wekugamuchira, saka iyo inotumirwa packet ine preamble uye kero chikamu. Noise-resistant coding haisi kushandiswa; iyo data data yakavharidzirwa neAES128 algorithm.
Kazhinji, iyo redhiyo interface yeLogitech isina waya keyboard inogona kuratidzwa seyakafanana zvachose nenhamba yekuwedzera uye frequency adapta. Izvi zvinoreva kuti iyo keyboard transmitter inochinja chiteshi kufambisa yega yega pakiti nyowani. Iye anogamuchira haazive pachine nguva kana nguva yekufambisa kana frequency chiteshi, asi runyorwa rwavo chete rwunozivikanwa. Iye anogamuchira uye anotumira anosangana muchiteshi nekuda kweakarongedzerwa frequency bypass uye kuteerera algorithms, pamwe neEnhanced ShockBurst yekubvuma maitiro. Hatina kuferefeta kana chiteshi chiteshi chakamira. Pamwe, shanduko yayo inokonzerwa neiyo frequency adaptation algorithm. Chimwe chinhu chiri padyo nefrequency hopping nzira (pseudo-random tuning ye frequency yekushandisa) inogona kuoneka mukushandiswa kweiyo frequency sosi yehuwandu.
Nokudaro, mumamiriro ezvinhu e-nguva-frequency kusagadzikana, kuitira kuti tive nechokwadi chekugamuchirwa kwezvikwangwani zvose zvekhibhodi, munhu anorwisa achada kugara achitarisa iyo yose frequency grid ye84 nzvimbo, iyo inoda nguva yakawanda yenguva. Pano zvinova pachena kuti nei iyo USB kiyi yekubvisa njodzi (CVE-2019-13054) yakamisikidzwa sekukwanisa kubaya makiyi, pane kuwana mukana weanorwisa kune data rakaiswa kubva kukhibhodi. Zviripachena, iyo radio interface yeiyo isina waya keyboard yakaoma uye inopa yakavimbika redhiyo kutaurirana pakati peLogitech zvishandiso mumamiriro akaoma ekupindira mu2,4 GHz bhendi.
Kutarisa dambudziko kubva mukati
Yekudzidza kwedu, isu takasarudza imwe yedu iripo Logitech K330 keyboards uye Logitech Unifying dongle.
Logitech K330
Ngatitarisei mukati me keyboard. Chinhu chinonakidza pabhodhi kudzidza ndeye SoC NRF24 chip kubva kuNordic Semiconductor.
SoC NRF24 paLogitech K330 isina waya keyboard bhodhi
Iyo firmware inowanikwa mundangariro yemukati, kuverenga uye debugging michina yakadzimwa. Nehurombo, iyo firmware haina kuburitswa munzvimbo dzakavhurika. Naizvozvo, takasarudza kutarisana nedambudziko kubva kune rimwe divi - kudzidza zviri mukati meiyo Logitech dongle inogamuchira.
Iyo "nyika yemukati" yeiyo dongle inogamuchira inonakidza kwazvo. Iyo dongle inoparadzaniswa nyore nyore, inotakura yakajairika NRF24 kuburitswa ine yakavakirwa-mukati USB controller uye inogona kurongwazve zvese kubva kudivi re USB uye zvakananga kubva kune programmer.
Logitech dongle isina pekugara
Sezvo paine yakajairwa nzira yekuvandudza iyo firmware uchishandisa (kubva kwaunogona kubvisa yakagadziridzwa firmware version), hapana chikonzero chekutsvaga firmware mukati me dongle.
Chii chakaitwa: firmware RQR_012_005_00028.bin yakatorwa kubva mumuviri weFirmware Update Tool application. Kuti utarise kutendeseka kwayo, iyo dongle controller yakabatana netambo :
Cable yekubatanidza iyo Logitech dongle kune ChipProg 48 programmer
Kudzora kutendeseka kweiyo firmware, yakabudirira kuiswa mundangariro yemutungamiriri uye yakashanda nemazvo, iyo keyboard uye mbeva zvakabatana kune dongle kuburikidza neLogitech Unifying. Izvo zvinogoneka kurodha yakagadziridzwa firmware uchishandisa yakajairwa yekuvandudza masisitimu, sezvo pasina cryptographic kuchengetedza nzira dzeiyo firmware. Nezvinangwa zvekutsvagisa, takashandisa chinongedzo chemuviri kune mugadziri, sezvo debugging inokurumidza neiyi nzira.
Firmware tsvagiridzo uye kurwisa pane mushandisi kuisa
Iyo NRF24 chip yakagadzirwa yakavakirwa paIntel 8051 komputa musimboti mune yechinyakare Harvard kuvaka. Kune iyo yakakosha, iyo transceiver inoshanda senge peripheral mudziyo uye inoiswa munzvimbo yekero seti yemarejista. Zvinyorwa zve chip uye sosi kodhi mienzaniso inogona kuwanikwa paInternet, saka disassembly firmware haina kuoma. Munguva yeinjiniya yekudzosera, takaisa mabasa ekugamuchira keystroke data kubva kunhepfenyuro yeredhiyo uye nekuishandura kuita HID fomati yekuendesa kune iyo host kuburikidza ne USB interface. Iyo jekiseni kodhi yakaiswa mune yemahara ndangariro kero, iyo yaisanganisira maturusi ekudzora kutonga, kuchengetedza uye kudzoreredza mamiriro ekutanga ekuuraya, pamwe nekodhi inoshanda.
Iyo pakiti yekutsikirira kana kuburitsa kiyi inotambirwa neiyo dongle kubva kuredhiyo chiteshi inobviswa, inoshandurwa kuita yakajairwa HID chirevo uye inotumirwa ku USB interface sekubva kune yakajairika keyboard. Sechikamu chekudzidza, chikamu cheHID report icho chinonyanya kufarirwa nesu chikamu cheHID report ine byte yemodifier mireza uye hurongwa hwemabhayiti matanhatu ane keystroke codes (yekutarisa, ruzivo nezveHID. ).
HID report chimiro:
// Keyboard HID report structure.
// See https://flylib.com/books/en/4.168.1.83/1/ (last access 2018 december)
// "Reports and Report Descriptors", "Programming the Microsoft Windows Driver Model"
typedef struct{
uint8_t Modifiers;
uint8_t Reserved;
uint8_t KeyCode[6];
}HidKbdReport_t;Pakarepo usati waendesa iyo HID chimiro kumugadziri, iyo jekiseni kodhi inotora kutonga, inokopa 8 mabytes eiyo HID data mundangariro uye inotumira kune redhiyo yedivi chiteshi mune yakajeka mavara. Mukodhi inoita seizvi:
//~~~~~~~~~ Send data via radio ~~~~~~~~~~~~~~~~~~~~~~~~~>
// Profiling have shown time execution ~1.88 mSec this block of code
SaveRfState(); // save transceiver state
RfInitForTransmition(TransmitRfAddress); // configure for special trnsmition
hal_nrf_write_tx_payload_noack(pDataToSend,sizeof(HidKbdReport_t)); // Write payload to radio TX FIFO
CE_PULSE(); // Toggle radio CE signal to start transmission
RestoreRfState(); // restore original transceiver state
//~~~~~~~~~ Send data via radio ~~~~~~~~~~~~~~~~~~~~~~~~~<Iyo chiteshi chiteshi chakarongeka pane frequency yatinoisa ine humwe hunhu hwekumhanyisa kumhanya uye chimiro chepaketi.
Kushanda kwe transceiver mu chip yakavakirwa pagirafu yehurumende umo iyo Enhanced ShockBurst protocol inosanganiswa. Takaona kuti pakarepo tisati taendesa HID data kune inotambira USB interface, transceiver yaive muIDLE state. Izvi zvinoita kuti zvikwanise kuigadzirisa zvakachengeteka kuti ishande muchiteshi chedivi. Iyo jekiseni kodhi inopindira kutonga, inochengetedza yekutanga transceiver kumisikidza yakazara uye inochinjisa kune itsva nzira yekufambisa padivi chiteshi. Iyo Enhanced ShockBurst yekusimbisa meshini yakadzimwa mune iyi modhi; HID data inofambiswa nenzira yakajeka pamusoro pemhepo. Chimiro chepaketeni muchiteshi chedivi chinoratidzwa mumufananidzo uri pazasi, madhayagiramu echiratidzo akawanikwa mushure mekuderedzwa uye kusati kwadzoreredzwa kwe data wachi yekuwiriranisa. Iko kukosha kwekero kwakasarudzwa kuitira kuti zvive nyore kuratidza kuonekwa kwepakiti.
Demodulated Burst Burst Signal muSide Channel
Mushure mekunge pakiti yaendeswa kune chiteshi chedivi, iyo jekiseni kodhi inodzoreredza mamiriro eiyo transceiver. Ikozvino yakagadzirira zvakare kushanda zvakajairika mumamiriro eiyo yekutanga firmware.
Mune frequency uye nguva-frequency domains, chiteshi chiteshi chinotaridzika seizvi:
Spectral uye nguva-frequency inomiririra yedivi chiteshi
Kuti tiedze kushanda kweNRF24 chip ine firmware yakagadziridzwa, takaunganidza chigadziko chaisanganisira Logitech dongle ine modified firmware, isina waya keyboard uye inogamuchira yakaungana pahwaro hweChinese module ine NRF24 chip.
Logitech isina waya kiibhodhi redhiyo chiratidzo chekubata wedunhu
NRF24 yakavakirwa module
Pabhenji, nekhibhodi inoshanda zvakajairwa, mushure mekuibatanidza neLogitech dongle, takaona kufambiswa kwe data rakajeka nezve makiyi padivi redhiyo chiteshi uye kufambiswa kwakajairwa kwedata rakavharidzirwa mune main radio interface. Nekudaro, isu takakwanisa kupa kubatwa kwakananga kwemushandisi kiibhodhi yekuisa:
Mhedzisiro yekubata kiibhodhi
Iyo jekiseni kodhi inounza kunonoka kushoma mukushanda kweiyo dongle firmware. Nekudaro, idiki kwazvo kuti mushandisi aone.
Sezvaungafungidzira, chero Logitech keyboard inoenderana neUnifying tekinoroji inogona kushandiswa kune iyi yekurwisa vector. Sezvo kurwiswa kwakanangana neUnifying inogamuchira inosanganisirwa neakawanda Logitech kiyibhodhi, yakazvimiririra kune chaiyo keyboard modhi.
mhedziso
Mhedzisiro yechidzidzo ichi inoratidza kushandiswa kunogona kuitika kwechiitiko chinotariswa nevanorwisa: kana hacker akatsiva munhu akabatwa nedongle inogamuchira yeLogitech isina waya keyboard, ipapo anozokwanisa kuziva mapassword kumaakaundi eakabatwa nezvose zvinotevera. migumisiro. Usakanganwa kuti zvinogonekawo kubaya makiyi, izvo zvinoreva kuti hazvina kuoma kuita zvekupokana kodhi pakombuta yemunhu anenge abatwa.
Ko kana kamwe kamwe munhu anorwisa achikwanisa kushandura kure kure firmware yeLogitech dongle kuburikidza ne USB? Ipapo, kubva padhuze akaparadzana dongles, unogona kugadzira network yevanodzokorora uye kuwedzera kureba kwekudonha. Kunyangwe "akapfuma mune zvemari" anorwisa achakwanisa "kuteerera" kupinza kiibhodhi uye kudzvanya makiyi kunyangwe kubva pachivako chiri pedyo, midziyo yekugamuchira redhiyo yemazuva ano ine masisitimu akasarudzika, inogamuchira redhiyo inonzwisa tsitsi ine nguva pfupi yekutarisa uye ma antenna anotungamira kwazvo anovatendera. "kuteerera" kupinza kiibhodhi uye wodzvanya makiyi kunyange kubva muchivakwa chiri pedyo.
Professional redhiyo michina
Sezvo isina waya yedhata yekufambisa chiteshi cheLogitech keyboard yakanyatso chengetedzwa, iyo yakawanikwa yekurwisa vector inoda kupinda mumuviri kune anogamuchira, iyo inodzikamisa zvakanyanya anorwisa. Iyo chete yekudzivirira sarudzo mune iyi kesi ingave yekushandisa cryptographic dziviriro nzira dzeiyo inogamuchira firmware, semuenzaniso, kutarisa siginecha yeyakarodha firmware padivi rekugamuchira. Asi, zvinosuruvarisa, NRF24 haitsigire izvi uye hazvibviri kushandisa dziviriro mukati meiyo ikozvino dhizaini dhizaini. Saka chengetedza madongles ako, nekuti iyo yakatsanangurwa kurwisa sarudzo inoda kuwana kwemuviri kwavari.
Raccoon Chengetedzo iboka rakakosha renyanzvi kubva kuVulcan Research and Development Center mumunda wekuchengetedza ruzivo ruzivo, cryptography, dhizaini yedunhu, reverse engineering uye yakaderera-level software kugadzira.
Source: www.habr.com