Ngokomlando, iningi labasebenzi lisebenzisa amakhibhodi angenantambo namagundane avela ku-Logitech. Sifaka amaphasiwedi ethu futhi, thina, ochwepheshe bethimba le-Raccoon Security, sazibuza: kunzima kangakanani ukudlula izindlela zokuphepha zamakhibhodi angenantambo? Ucwaningo lwembule amaphutha ezakhiwo namaphutha esoftware avumela ukufinyelela kudatha yokufaka. Ngezansi kokusikwa yilokho esikutholile.
Kungani Logitech?
Ngokombono wethu, amadivayisi okokufaka we-Logitech aphakathi kwekhwalithi ephezulu kakhulu futhi elula kakhulu. Iningi lamadivayisi esinawo asekelwe kusixazululo se-Logitech
Isamukeli se-Dongle esinosekelo lwe-Logitech Unifying
Ikhibhodi ingaba umthombo wolwazi kubahlaseli. I-Logitech, icabangela ukusongela okungenzeka, yanakekela ukuphepha - yasebenzisa i-algorithm yokubethela ye-AES128 esiteshini somsakazo wekhibhodi engenantambo. Umcabango wokuqala umhlaseli angaba nawo kulesi simo uwukunqamula ulwazi olubalulekile lapho lusakazwa esiteshini somsakazo ngesikhathi senqubo yokubopha. Ngemuva kwakho konke, uma unokhiye, ungabamba amasiginali omsakazo wekhibhodi bese uwahlehlisa. Nokho, umsebenzisi kuyaqabukela (noma ngisho neze) ahlanganise ikhibhodi, futhi isigebengu esinomsakazo wokuskena kuzodingeka silinde isikhathi eside. Ngaphezu kwalokho, akuyona yonke into elula kakhulu ngenqubo yokuhlukanisa ngokwayo. Ocwaningweni lwakamuva lwangoJuni 2019, uchwepheshe wezokuphepha u-Markus Mengs ushicilele ku-inthanethi
Sizokhuluma ngocwaningo lwethu lwezokuphepha lwe-Logitech dongle olusekelwe ku-NRF24 SoC evela ku-Nordic Semiconductor. Ake siqale, mhlawumbe, ngesiteshi somsakazo uqobo.
“Indiza” kanjani idatha esiteshini somsakazo
Ukuhlaziya imvamisa yesikhathi yesiginali yomsakazo, sisebenzise isamukeli se-SDR esisekelwe kudivayisi ye-Blade-RF kumodi yokuhlaziya i-spectrum (ungafunda futhi ngalokhu.
Idivayisi ye-SDR Blade-RF
Siphinde sacabangela ithuba lokurekhoda ama-quadrature wesignali yomsakazo kumafrikhwensi amaphakathi, okungase kuhlaziywe kusetshenziswa amasu okucubungula isignali yedijithali.
Ikhomishini Yombuso Yemisakazo Yemisakazo e-Russian Federation
I-Spectrum yebhendi engu-2,4 GHz
Indawo yokuphazamiseka ebangeni iyinkimbinkimbi impela. Naphezu kwalokhu, i-Logitech ikwazile ukuhlinzeka ngokwamukela okuthembekile futhi okuzinzile ngokusebenzisa iphrothokholi ye-Enhanced ShockBurst ku-transceiver ye-NRF24 kuhlanganiswe nama-algorithms wokuzivumelanisa nemvamisa.
Iziteshi ebhendini zibekwe endaweni ephelele ye-MHz njengoba kuchazwe kuyo
Isignali yerediyo yekhibhodi ekumeleleni kwesikhathi
Umamukeli usebenzisa umgomo wokuxhumana wokwamukela, ngakho iphakethe elidlulisiwe liqukethe isendlalelo nengxenye yekheli. Ukubhala ngekhodi okungazwani nomsindo akusetshenziswa; indikimba yedatha ibethelwe nge-algorithm ye-AES128.
Ngokuvamile, isixhumanisi somsakazo sekhibhodi engenantambo ye-Logitech singabonakala njenge-asynchronous ngokuphelele ngokuphindaphinda kwezibalo nokujwayela imvamisa. Lokhu kusho ukuthi isidlulisi sekhibhodi sishintsha isiteshi ukuze sidlulise iphakethe ngalinye elisha. Umamukeli akazi kusenesikhathi noma isikhathi sokudlulisela noma isiteshi semvamisa, kodwa uhlu lwazo kuphela olwaziwayo. Umamukeli nesidlulisi bahlangana esiteshini ngenxa yendlela yokudlula imvamisa edidiyelwe nezindlela zokulalela, kanye nezindlela zokuvuma ezithuthukisiwe zeShockBurst. Asikaphenyi ukuthi uhlu lweziteshi alushintshi yini. Mhlawumbe, ukuguqulwa kwayo kungenxa ye-algorithm yokujwayela imvamisa. Okuthile okuseduze kwendlela yokugxuma okuyimvamisa (ukushuna okungahleliwe okungahleliwe kwefrikhwensi yokusebenza) kungabonwa ekusetshenzisweni kwensiza yemvamisa yobubanzi.
Ngakho-ke, ngaphansi kwezimo zokungaqiniseki kwemvamisa yesikhathi, ukuze kuqinisekiswe ukwamukelwa okuqinisekisiwe kwazo zonke izimpawu zekhibhodi, umhlaseli uzodinga ukuhlale eqapha yonke igridi yefrikhwensi yezikhundla ezingama-84, okudinga isikhathi esibalulekile. Lapha kuyacaca ukuthi kungani ukuba sengozini kokukhipha ukhiye we-USB (CVE-2019-13054)
Ukubheka inkinga ngaphakathi
Ocwaningweni lwethu, sikhethe enye yekhibhodi yethu ye-Logitech K330 ekhona kanye ne-Logitech Unifying dongle.
I-Logitech K330
Ake sibheke ngaphakathi kwekhibhodi. Into ethokozisayo ebhodini okufanele ifundwe yi-chip ye-SoC NRF24 evela ku-Nordic Semiconductor.
I-SoC NRF24 kubhodi yekhibhodi engenantambo ye-Logitech K330
I-firmware itholakala kumemori yangaphakathi, izindlela zokufunda nokulungisa iphutha zivaliwe. Ngeshwa, i-firmware ayikakashicilelwa emithonjeni evulekile. Ngakho-ke, sinqume ukubhekana nenkinga ngakolunye uhlangothi - ukufunda okuqukethwe kwangaphakathi kwesamukeli se-Logitech dongle.
"Umhlaba wangaphakathi" wesamukeli se-dongle uthakazelisa impela. I-dongle ihlakazeka kalula, ithwala ukukhishwa kwe-NRF24 okujwayelekile ngesilawuli se-USB esakhelwe ngaphakathi futhi ingahlelwa kabusha kokubili ohlangothini lwe-USB futhi ngokuqondile kumenzi wohlelo.
I-Logitech dongle ngaphandle kwezindlu
Njengoba kunomshini ojwayelekile wokuvuselela i-firmware usebenzisa
Okwenziwe: i-firmware RQR_012_005_00028.bin ikhishwe emzimbeni wohlelo lokusebenza Lwethuluzi Lokuvuselela I-Firmware. Ukuhlola ubuqotho bayo, isilawuli se-dongle sixhunywe ngentambo
Ikhebuli yokuxhuma i-Logitech dongle kumklami we-ChipProg 48
Ukuze ulawule ubuqotho be-firmware, ibekwe ngempumelelo kumemori yesilawuli futhi yasebenza kahle, ikhibhodi negundane zixhunywe ku-dongle nge-Logitech Unifying. Kungenzeka ukulayisha i-firmware eguquliwe kusetshenziswa indlela yokuvuselela ejwayelekile, njengoba zingekho izindlela zokuvikela i-cryptographic ze-firmware. Ngezinjongo zocwaningo, sisebenzise ukuxhumana ngokomzimba kumhleli, njengoba ukulungisa iphutha kushesha kakhulu ngale ndlela.
Ucwaningo lwe-Firmware nokuhlasela kokufakwayo komsebenzisi
I-chip ye-NRF24 yakhelwe ngokusekelwe kumongo wekhompuyutha we-Intel 8051 ekwakhiweni kwe-Harvard kwendabuko. Ngomongo, i-transceiver isebenza njengesisetshenziswa se-peripheral futhi ibekwe endaweni yekheli njengesethi yamarejista. Amadokhumenti e-chip nezibonelo zekhodi yomthombo angatholakala ku-inthanethi, ngakho-ke ukuqaqa i-firmware akunzima. Ngesikhathi sobunjiniyela obuhlehlayo, senze imisebenzi yokwamukela idatha ye-keystroke esiteshini somsakazo futhi siyiguqulele kufomethi ye-HID ukuze idluliselwe kumsingathi ngesixhumi esibonakalayo se-USB. Ikhodi yomjovo ifakwe kumakheli enkumbulo yamahhala, ahlanganisa amathuluzi okulawula ukuvimbela, ukulondoloza nokubuyisela umongo wokuqala wokwenza, kanye nekhodi yokusebenza.
Iphakethe lokucindezela noma lokukhulula ukhiye owamukelwe i-dongle esiteshini somsakazo liyasuswa ukubethela, liguqulelwe libe umbiko ojwayelekile we-HID futhi lithunyelwe kusixhumi esibonakalayo se-USB njengokusuka kukhibhodi evamile. Njengengxenye yocwaningo, ingxenye yombiko we-HID esithakaselwa kakhulu yingxenye yombiko we-HID oqukethe i-byte yamafulegi okulungisa kanye nohlu lwamabhayithi angu-6 anamakhodi okhiye (okwereferensi, ulwazi olumayelana ne-HID
Isakhiwo sombiko we-HID:
// Keyboard HID report structure.
// See https://flylib.com/books/en/4.168.1.83/1/ (last access 2018 december)
// "Reports and Report Descriptors", "Programming the Microsoft Windows Driver Model"
typedef struct{
uint8_t Modifiers;
uint8_t Reserved;
uint8_t KeyCode[6];
}HidKbdReport_t;
Ngokushesha ngaphambi kokudlulisela isakhiwo se-HID kumsingathi, ikhodi ejovwe iyalawula, ikopishe amabhayithi angu-8 edatha yomdabu ye-HID ngenkumbulo futhi iyithumele esiteshini esiseceleni komsakazo ngombhalo ocacile. Ngekhodi ibonakala kanje:
//~~~~~~~~~ Send data via radio ~~~~~~~~~~~~~~~~~~~~~~~~~>
// Profiling have shown time execution ~1.88 mSec this block of code
SaveRfState(); // save transceiver state
RfInitForTransmition(TransmitRfAddress); // configure for special trnsmition
hal_nrf_write_tx_payload_noack(pDataToSend,sizeof(HidKbdReport_t)); // Write payload to radio TX FIFO
CE_PULSE(); // Toggle radio CE signal to start transmission
RestoreRfState(); // restore original transceiver state
//~~~~~~~~~ Send data via radio ~~~~~~~~~~~~~~~~~~~~~~~~~<
Isiteshi esiseceleni sihlelwa ngemvamisa esiyibeka ngezici ezithile zejubane lokukhohlisa kanye nesakhiwo sephakethe.
Ukusebenza kwe-transceiver ku-chip
Isiginali ye-Burst Burst Eyehlisiwe Kusiteshi Esiseceleni
Ngemva kokuba iphakethe selidluliselwe esiteshini esiseceleni, ikhodi ejovwe ibuyisela isimo se-transceiver. Manje isilungele ukusebenza ngokujwayelekile kumongo we-firmware yasekuqaleni.
Ezizindeni zefrikhwensi kanye nemvamisa yesikhathi, isiteshi esiseceleni sibukeka kanje:
Ukumelwa kwe-Spectral kanye nemvamisa yesikhathi yesiteshi esiseceleni
Ukuhlola ukusebenza kwe-chip ye-NRF24 nge-firmware eguquliwe, sihlanganise isitendi esihlanganisa i-Logitech dongle ene-firmware eguquliwe, ikhibhodi engenantambo nomamukeli okuhlanganiswe ngesisekelo semojula yesiShayina nge-chip ye-NRF24.
Isekhethi yokunqamula isignali yerediyo yekhibhodi engenantambo ye-Logitech
I-NRF24 esekelwe module
Ebhentshini, njengoba ikhibhodi isebenza ngokujwayelekile, ngemva kokuyixhuma ku-dongle ye-Logitech, siqaphele ukudluliswa kwedatha ecacile mayelana nama-keystroke esiteshini somsakazo oseceleni kanye nokudluliswa okuvamile kwedatha ebethelwe kusixhumi esibonakalayo somsakazo esikhulu. Ngakho-ke, sikwazile ukuhlinzeka ngokungenelela okuqondile kokufaka kwekhibhodi yomsebenzisi:
Umphumela wokuphazamisa okokufaka kwekhibhodi
Ikhodi ejovwe yethula ukubambezeleka okuncane ekusebenzeni kwe-dongle firmware. Nokho, mancane kakhulu ukuthi umsebenzisi angawaqaphela.
Njengoba ungacabanga, noma iyiphi ikhibhodi ye-Logitech ehambisana nobuchwepheshe be-Unifying ingasetshenziselwa le vector yokuhlasela. Njengoba ukuhlasela kuqondise kumamukeli we-Unifying afakwe namakhibhodi amaningi e-Logitech, azimele kumodeli yekhibhodi ethile.
isiphetho
Imiphumela yocwaningo iphakamisa ukusetshenziswa okungenzeka kwesimo esicatshangelwa ngabahlaseli: uma umgebengu ethatha indawo yesisulu ngesamukeli se-dongle sekhibhodi engenantambo ye-Logitech, uzokwazi ukuthola amaphasiwedi kuma-akhawunti wesisulu ngakho konke okulandelayo. imiphumela. Ungakhohlwa ukuthi kungenzeka futhi ukujova izinkinobho, okusho ukuthi akunzima ukwenza ikhodi engafanele kukhompyutha yesisulu.
Kuthiwani uma kungazelelwe umhlaseli engakwazi ukuguqula i-firmware yanoma iyiphi i-Logitech dongle nge-USB? Ngemuva kwalokho, kusuka kuma-dongles ahlukaniswe eduze, ungakha inethiwekhi yabaphindayo futhi wandise ibanga lokuvuza. Nakuba umhlaseli “ocebile ngokwezimali” ezokwazi “ukulalela” okokufaka kwekhibhodi futhi acindezele okhiye ngisho nasesakhiweni esingumakhelwane, imishini yesimanje yokwamukela umsakazo enezinhlelo ezikhetha kakhulu, izamukeli zomsakazo ezizwelayo ezinezikhathi zokushuna amafrikhwensi amafushane kanye nezimpondo ezihamba phambili zizobavumela. ukuze "ulalele" okokufaka kwekhibhodi bese ucindezela okhiye ngisho nasebhilidini elingumakhelwane.
Imishini yomsakazo yochwepheshe
Njengoba isiteshi sokudlulisa idatha engenantambo sekhibhodi ye-Logitech sivikelwe kahle, i-vector yokuhlasela etholakele idinga ukufinyelela ngokomzimba kumamukeli, okukhawulela kakhulu umhlaseli. Okuwukuphela kwenketho yokuvikela kuleli cala kungaba ukusebenzisa izindlela zokuvikela i-cryptographic ze-firmware yomamukeli, isibonelo, ukuhlola isiginesha ye-firmware elayishiwe ohlangothini lomamukeli. Kodwa, ngeshwa, i-NRF24 ayikusekeli lokhu futhi akunakwenzeka ukusebenzisa ukuvikela ngaphakathi kwesakhiwo samanje sedivayisi. Ngakho-ke nakekela ama-dongles akho, ngoba inketho yokuhlasela echazwe idinga ukufinyelela ngokomzimba kubo.
I-Raccoon Security iyithimba elikhethekile lochwepheshe abavela ku-Vulcan Research and Development Centre emkhakheni wezokuphepha kolwazi olusebenzayo, i-cryptography, idizayini yesifunda, ubunjiniyela obuhlanekezelwe kanye nokudalwa kwesoftware esezingeni eliphansi.
Source: www.habr.com