National audienceInternet of Things (IoT) is one of the most fast-growing field in high technologies nowadays. Therefore, lots of electronic devices include wireless connections with several communication protocols (WiFi, ZigBee, Sigfox, LoRa and so on). Nevertheless, designers of such components do not take care of security features most of the time while focusing on communication reliability (speed, throughput and low power consumption). As a consequence, several wireless IoT devices transmit data in plaintext creating lots of security breaches for both eavesdropping and data injection attacks. This work introduces KeyJack, a preliminary proof-of-concept of a solution aiming to eavesdrop wireless devices and hopefully perform injection attacks afterwards. KeyJack operates on widely-used devices: our keyboards! This solution is based on low-cost embedded electronics and gives an attacker or a white hat hacker the possibility to retrieve data from John Doe's computer. This work also shows that this approach could be used to any wireless device using 2.4GHz radio chips like the NRF24L01 from Nordic Semiconductor

Cotret, Pascal

Fournier, Guillaume

Matoussowsky, Pierre

arXiv

HAL-Rennes 1

Hit the KeyJack: stealing data from your daily wirelessdevices incognitoGuillaume Fournier, Pierre Matoussowsky, Pascal CotretTo cite this version:Guillaume Fournier, Pierre Matoussowsky, Pascal Cotret. Hit the KeyJack: stealing data fromyour daily wireless devices incognito. Journe´es C&ESAR, Nov 2016, Rennes, France. 2016,<https://www.cesar-conference.org/>. <hal-01383008>HAL Id: hal-01383008https://hal-centralesupelec.archives-ouvertes.fr/hal-01383008Submitted on 17 Oct 2016HAL is a multi-disciplinary open accessarchive for the deposit and dissemination of sci-entific research documents, whether they are pub-lished or not. The documents may come fromteaching and research institutions in France orabroad, or from public or private research centers.L’archive ouverte pluridisciplinaire HAL, estdestine´e au de´poˆt et a` la diffusion de documentsscientifiques de niveau recherche, publie´s ou non,e´manant des e´tablissements d’enseignement et derecherche franc¸ais ou e´trangers, des laboratoirespublics ou prive´s.Distributed under a Creative Commons Attribution - NonCommercial - NoDerivatives 4.0International LicenseHit the KeyJack: stealing data from your dailywireless devices incognitoGuillaume Fournier1, Pierre Matoussowsky1, Pascal Cotret1,21 CentraleSupe´lec - Rennes, Franceguillaume.fournier@supelec.fr, pierre.matoussowsky@supelec.fr2 IETR, SCEE Research Team - Rennes, Francepascal.cotret@centralesupelec.fr / @Pascal r2Abstract. Internet of Things (IoT) is one of the most fast-growing fieldin high technologies nowadays. Therefore, lots of electronic devices in-clude wireless connections with several communication protocols (WiFi,ZigBee, Sigfox, LoRa and so on). Nevertheless, designers of such com-ponents do not take care of security features most of the time whilefocusing on communication reliability (speed, throughput and low powerconsumption). As a consequence, several wireless IoT devices transmitdata in plaintext creating lots of security breaches for both eavesdrop-ping and data injection attacks. This work introduces KeyJack, a prelim-inary proof-of-concept of a solution aiming to eavesdrop wireless devicesand hopefully perform injection attacks afterwards. KeyJack operateson widely-used devices: our keyboards! This solution is based on low-cost embedded electronics and gives an attacker or a white hat hackerthe possibility to retrieve data from John Doe’s computer. This workalso shows that this approach could be used to any wireless device using2.4GHz radio chips like the NRF24L01 from Nordic Semiconductor.1 IntroductionNowadays, most of the people have IoT devices at home or even at work: forinstance, it could be included in a fridge, a set-top box or computers. IoT is ahighly-growing field and it will get even bigger in the next decade (a Verizon re-port [21] foresees that the IoT market will hit the $1 trillion limit by 2019). In thesame document, it can be seen that the IoT market targets several applicationssuch as healthcare and home monitoring. Most of these connected devices weredesigned to perform tasks fast and in a cheap way (in other words, communica-tion links have to be fast and low-power). Unfortunately, without security, eachdevice is a vector of threats: malevolent people could use breaches in wirelessprotocols to steal or inject data using man-in-the-middle (MITM) attacks.In this context, this work focuses on wireless keyboards that are widely-spread components. This work presents KeyJack that is a kind of wireless key-logger implemented in a tiny electronic board aiming to retrieve data from aremote computer. Furthermore, this work gives some clues about using it as amalicious injection device.2Section 2 presents some related works of both classic keyloggers and em-bedded electronics solutions with similar goals. Section 3 presents KeyJack, itsrequirements and implementation details. Then, Section 4 presents an eavesdrop-ping scenario where Keyjack is used and gives some hints about the feasabilityof injection attacks using such hardware components. Finally, Section 5 presentssome conclusions and perspectives about this work.2 Related works2.1 KeyloggersWhen an hacker wants to retrieve data from a user keyboard, keyloggers couldbe used [18,19,12,5]: these components are usually softwares running in the back-ground of the target computer. In more recent works such as Damopoulos et al.[4], keyloggers are also implemented for touchscreen that are widely-spread in-terfaces on our smartphones and tablets. Such keyloggers aim to keep a copy ofeach keyboard hit made by the victim. On the other side, several works such as[10,17] present countermeasures in order to implement systems resilient to suchattacks. Therefore, IoT designers could imagine to create embedded systems im-mune to standard keylogger implementations.However, most of software keyloggers are not so easy to use:– Advanced features are rarely included in free versions. As keyloggers maybe used for ”bad” purposes, developers keep the most intrusive options forpaid licenses.– Basic keyloggers are not 100% discrete as they appear in the task manager.– For some of them, administrator rights may be required by the operatingsystem (for instance, installing a driver).– Furthermore, results take up space on the target computer and may increaseits power consumption.2.2 Other interesting worksIn the context of pure keyloggers, there are other interesting alternatives in thehardware community:– KeyGrabber USB made by KeeLog [20].– USB Rubber Ducky, a USB tool by Hak5 [9]. This USB key includes a60MHz programmable microcontroller and a µSD slot. It behaves like akeyboard: therefore, nearly anything can be performed (from a Rick Rollhack to keyloggers as well).Both solutions look like USB flash drives: it can be easily hidden on a computerport. Even if some countermeasures exists (for instance, KeyScrambler[14] en-crypts of all keyboard hits in Firefox), it is not 100% satisfying as it still needs3some physical access to the target. Furthermore, even if such a tool may behidden in the task manager, it is assumed that its power consumption may berevealed with physical measurements.KeyJack wants to tackle those problems using an alternative breach: nowa-days, most keyboards are wireless and may be affected by eavesdropping andMITM attacks. The next subsection presents some works using wireless connec-tion to reveal security breaches.2.3 Embedded electronics solutionsThere are several works aiming to steal information from wireless computer de-vices. The most “industrial” solution is MouseJack from Bastille Networks3.MouseJack is an exploit used in several wireless (non-Bluetooth) keyboards thatcan be used to perform eavesdropping and relay attacks. However, a laptop isrequired to run MouseJack in contradiction to KeyJack which aims to be a dis-crete and standalone solution [11].Other people tried to make things smaller. Digital Security (@iotcert) im-plemented related eavesdropping methods for Bluetooth devices running on asingle-board computer such as Raspberry Pi [2,3]: Cauquil et al. implemented aBluetooth sniffer on a RaspberryPi Zero single-board computer that can be usedto track people and steal secrets (as it was shown in their Nuit du Hack’16 talk 4).Samy Kamkar (@samykamkar) developed Keysweeper [13,7], a solution basedon a small tiny microcontroller similar to Teensy or Arduino Nano. Even ifthis solution is the most similar to KeyJack, it does not take into account thefeasability of data injection (Kamkar only focused on data listening). Further-more, KeyJack plans to use a GSM chip to perform multiple eavesdropping withtarget localization in a use case where several KeyJack devices would be imple-mented.3 KeyJack3.1 Threat modelThere are several keyboard manufacturers. This work focuses on the two mainones: Microsoft and Logitech (it is assumed that generic/low-cost keyboards maywork as well). Microsoft/Logitech keyboards uses a classic Wifi-based protocolworking at 2.4GHz (for European versions at least). When this 2.4GHz link isleft unencrypted, a classic MITM scheme could be used as shown in Figure 1.3 https://www.mousejack.com/4 http://virtualabs.fr/ndh16/ndh16-mass-pwning-bug.pdf4Data transmissionMITMData stolen !Unencrypted linkData injected !Fig. 1. MITM scheme with KeyJack as the eavesdropper/injection deviceFor some recent keyboards, the communication between Alice and Bob is en-crypted: even if such schemes may be broken using brute force or other advancedtechniques, this work assumes that the link is left in plaintext:– For basic models, security was not implemented in the wireless protocol.– For future perspectives, KeyJack could be adapted to other plaintext proto-cols working at different frequencies (5GHz band, for instance).3.2 RequirementsA KeyJack device must have the following requirements:– No physical access to the target device/computer. It means there will not beany USB connection or malicious software installed.– Tiny implementation: in other words, KeyJack must be a small-sized board,easily transportable and autonomous in terms of energy.– “Tracking-friendly”: KeyJack end-users must be able to get eavesdroppingresults from a remote device (website, smartphone. . . ).– Injection-enabled: this work aims to propose a solution which enable notonly eavesdropping but also data injection (from a remote interface as well).– This work focuses on a Microsoft Wireless Keyboard 8005. Mainly becauseits protocol was unecrypted.5 https://www.microsoft.com/accessories/en-gb/products/keyboards/wireless-keyboard-800/2vj-000065– For further implementations, a GSM chip in order to retrieve locations ofKeyJack nodes in case we want to install a network of such devices.– And, of course, something that is low-cost and easily reproductible!3.3 Hardware implementationKeyJack components are shown in Figure 2:Fig. 2. Electronic components used in KeyJackFrom the left to the right side:– A 2.4GHz board based on a NRF24L01 chip from Nordic Semiconductors.– An antenna.– Adafruit Feather FONA as the microcontroller board: this board includes,in a tiny form factor, an ATmega32u4 running at 8MHz and a GSM chip.– And a battery.– (the USB cable is just here for programming purposes)3.4 Software layerFigure 3 shows an example of a KeyJack network. Each node is the Adafruitplatform described in the previous section running a given Arduino code. Wheneach node collects information, it is transmitted to the self-hosted server wherean internal website was developed.6KeyJack nodeKeyJack nodeKeyJack nodeKeyJack server(self-hosted)Fig. 3. Example of a KeyJack network with three nodes and a serverOn the server side, KeyJack interface looks as follows:Fig. 4. KeyJack server interface4 Case study: eavesdropping a Microsoft keyboardAs it was said in Section 3, this case study is focused on a Microsoft WirelessKeyboard 800. Furthermore, we only used a single KeyJack node as shown inFigure 2. When the user enters the KeyJack server, an interface as shown inFigure 6 appears.7Each keyboard is identified by its MAC address and has a dedicated menu:– Search. In this part, the user can read logs of former measurements.– Capture. Reading captures filtered by their date.– Injection. Transmitting keyboard keys.– Hacking. This last tab allows to launch attack scripts.Fig. 5. KeyJack keyboard interfaceFig. 6. KeyJack injection interfaceNormally, the NRF24L01 chip is not able to work as a sniffer: in fact, the tar-get MAC address is needed and it is not possible to scan the frequency spec-8trum around 2.4GHz to find one. However, as Samy Kamkar explained in itsKeysweeper project, we can send fake information about the MAC address inorder to swindle the wireless chip.Fig. 7. NRF24L01 packet structureWith previous works of Travis Goodspeed, Samy Kamkar discovered that ifwe enter an incorrect value regarding the MAC address size (writing the pream-ble itself), the upset NRF24L01 chip considers all preambles as the target MACaddress. However, all data after the MAC address should be the payload. Ther-fore, we get all traffic packets with the MAC address and everything else up tothe CRC. From there, we can proceed to keyboard detection.Each brand has its own protocol to deal with the USB dongle on the com-puter. Microsoft does not encrypt data sent by its keyboards (it is only donesince 2015 !). The only security measure is a XOR performed on the payloadwith the MAC address. As we know how to get MAC address, this is not aproblem for us. As a consequence, we only have to detect Microsoft protocolsand perform a XOR.Fig. 8. Packet structure9Samy Kamkar also discovered that all Microsoft keyboards used a MACaddress beginning with 0xCD (this is the only byte we need in further mea-surements). In fact, Microsoft is done in a way that the key value is in the 10thposition. As the MAC address is 5 bytes wide and 4 first bytes are not encrypted,the key value is always XORed with 0xCD.The last criteria we use to detect Microsoft keyboards is the value of the firstunencrypted bytes. As it is shown in Figure 8, the device type is always 0x0A(for keyboards). Then, the packet type indicates the key category (we only focuson keystrokes or idles). Related codes are 0x78 and 0x38. We are finally readyto scan, for all frequencies from 2403MHz to 2480MHz:– We check if the MAC address of the transmitter begins by 0xCD.– We test if the paylod begins by 0xA78 or 0xA38.5 Conclusion and perspectivesThis work presented KeyJack, a low-cost solution for basic eavesdropping of aspecific Microsoft wireless keyboard. The proof-of-concept is a standalone devicewhich can be left in any open-space and small enough to be hidden from peoplesight. Even if this study focuses on a specific keyboard model, there are oppor-tunities with other models/vendors when communications are not encrypted.Furthermore, KeyJack can be easily modified for data injection as the serverside is already implemented. As each keyboard is clearly identified, the nextperspective is to make a network of KeyJack node and a single server wherewe could monitor everything from a remote location. Finally, KeyJack may beadapted for other protocol where security matters in the context of Internet ofThings.References1. Bastille Networks, L.: Mousejack faq (Feb 2016), https://www.bastille.net/sites/all/themes/professional_theme/media/bastille_mousejack_faq_2_12_16-2.pdf2. Cauquil, D.: Bluetooth low energy device spoofing library (Aug 2016), https://github.com/DigitalSecurity/mockle3. Cauquil, D.: Btlejuice: The bluetooth smart mitm frame-work (Aug 2016), https://speakerdeck.com/virtualabs/btlejuice-the-bluetooth-smart-mitm-framework4. Damopoulos, D., Kambourakis, G., Gritzalis, S.: From keyloggers to touchloggers:Take the rough with the smooth. Computers & Security 32, 102 – 114 (2013),http://www.sciencedirect.com/science/article/pii/S01674048120016545. Dorne, M.K.: La menace keylogger (Jul 2016), http://korben.info/la-menace-keylogger.html6. Express, J.: Vous utilisez des objets connecte´s? gare a` vosdonne´es (Jul 2016), http://lexpansion.lexpress.fr/high-tech/vous-utilisez-des-objets-connectes-gare-a-vos-donnees_1813593.html107. Goodin, D.: Meet keysweeper, the 10usd usb charger that steals mskeyboard strokes (Jan 2015), http://arstechnica.com/security/2015/01/meet-keysweeper-the-10-usb-charger-that-steals-ms-keyboard-strokes/8. Hacker, B.: La se´curite´ dans l’internet des objets (Jul 2016), http://www.leblogduhacker.fr/la-securite-dans-internet-des-objets/9. Hak5: Usb rubber ducky wiki (Jan 2016), http://usbrubberducky.com/#!index.md10. Herley, C., Florencio, D.: How to Login from an Internet Cafe Without Worryingabout Keyloggers . Association for Computing Machinery, Inc (2003)11. Higgins, K.: Mousejack attack bites non-bluetooth wire-less mice (Feb 2016), http://www.darkreading.com/endpoint/mousejack-attack-bites-non-bluetooth-wireless-mice/d/d-id/132440412. Holz, T., Engelberth, M., Freiling, F.: Learning More about the Under-ground Economy: A Case-Study of Keyloggers and Dropzones, pp. 1–18.Springer Berlin Heidelberg, Berlin, Heidelberg (2009), http://dx.doi.org/10.1007/978-3-642-04444-1_113. Kamkar, S.: Keysweeper (2015), http://samy.pl/keysweeper/14. KeyScrambler: Keyscrambler’s features (Jan 2016), https://www.qfxsoftware.com/ks-windows/features.htm15. Lifchitz, R.: Zigbee security review of a famous french set-top box (Jul 2016), https://speakerdeck.com/rlifchitz/zigbee-security-review-of-a-famous-french-set-top-box16. Moine, F.: Huit bonnes pratiques pour bien se´curiser les objets con-necte´s (Jul 2016), http://www.journaldunet.com/solutions/expert/64817/huit-bonnes-pratiques-pour-bien-securiser-les-objets-connectes.shtml17. Ortolani, S., Crispo, B.: Noisykey: Tolerating keyloggers via keystrokes hiding.In: Presented as part of the 7th USENIX Workshop on Hot Topics in Security.USENIX, Berkeley, CA (2012), https://www.usenix.org/conference/hotsec12/workshop-program/presentation/Ortolani18. Sagiroglu, S., Canbek, G.: Keyloggers. IEEE Technology and Society Magazine28(3), 10–17 (Fall 2009)19. Subramayam, K., Frank, C., Galli, D.: Keyloggers: The Overlooked Threat to Com-puter Security. The Vespiary (2003)20. USB, K.: Hardware keylogger - keygrabber usb (Jan 2016), https://www.keelog.com/usb_hardware_keylogger.html21. Verizon: State of the market: The internet of things 2016 (Jan2016), https://www.verizon.com/about/sites/default/files/state-of-the-internet-of-things-market-report-2016.pdf

Hit the KeyJack: stealing data from your daily wireless devices incognito

HAL Descartes

Archive Ouverte en Sciences de l'Information et de la Communication

HAL Id: hal-01383008
https://hal-centralesupelec.archives-ouvertes.fr/hal-01383008
Submitted on 17 Oct 2016
HAL is a multi-disciplinary open access
archive for the deposit and dissemination of sci-
entific research documents, whether they are pub-
lished or not. The documents may come from
teaching and research institutions in France or
abroad, or from public or private research centers.
L’archive ouverte pluridisciplinaire HAL, est
destinée au dépôt et à la diffusion de documents
scientifiques de niveau recherche, publiés ou non,
émanant des établissements d’enseignement et de
recherche français ou étrangers, des laboratoires
publics ou privés.
Distributed under a Creative Commons Attribution - NonCommercial - NoDerivatives| 4.0
International License
Hit the KeyJack: stealing data from your daily wireless
devices incognito
Guillaume Fournier, Pierre Matoussowsky, Pascal Cotret
To cite this version:
Guillaume Fournier, Pierre Matoussowsky, Pascal Cotret. Hit the KeyJack: stealing data from your
daily wireless devices incognito. Journées C&ESAR, Nov 2016, Rennes, France. ￿hal-01383008￿
Hit the KeyJack: stealing data from your daily
wireless devices incognito
Guillaume Fournier1, Pierre Matoussowsky1, Pascal Cotret1,2
1 CentraleSupe´lec - Rennes, France
guillaume.fournier@supelec.fr, pierre.matoussowsky@supelec.fr
2 IETR, SCEE Research Team - Rennes, France
pascal.cotret@centralesupelec.fr / @Pascal r2
Abstract. Internet of Things (IoT) is one of the most fast-growing field
in high technologies nowadays. Therefore, lots of electronic devices in-
clude wireless connections with several communication protocols (WiFi,
ZigBee, Sigfox, LoRa and so on). Nevertheless, designers of such com-
ponents do not take care of security features most of the time while
focusing on communication reliability (speed, throughput and low power
consumption). As a consequence, several wireless IoT devices transmit
data in plaintext creating lots of security breaches for both eavesdrop-
ping and data injection attacks. This work introduces KeyJack, a prelim-
inary proof-of-concept of a solution aiming to eavesdrop wireless devices
and hopefully perform injection attacks afterwards. KeyJack operates
on widely-used devices: our keyboards! This solution is based on low-
cost embedded electronics and gives an attacker or a white hat hacker
the possibility to retrieve data from John Doe’s computer. This work
also shows that this approach could be used to any wireless device using
2.4GHz radio chips like the NRF24L01 from Nordic Semiconductor.
1 Introduction
Nowadays, most of the people have IoT devices at home or even at work: for
instance, it could be included in a fridge, a set-top box or computers. IoT is a
highly-growing field and it will get even bigger in the next decade (a Verizon re-
port [21] foresees that the IoT market will hit the $1 trillion limit by 2019). In the
same document, it can be seen that the IoT market targets several applications
such as healthcare and home monitoring. Most of these connected devices were
designed to perform tasks fast and in a cheap way (in other words, communica-
tion links have to be fast and low-power). Unfortunately, without security, each
device is a vector of threats: malevolent people could use breaches in wireless
protocols to steal or inject data using man-in-the-middle (MITM) attacks.
In this context, this work focuses on wireless keyboards that are widely-
spread components. This work presents KeyJack that is a kind of wireless key-
logger implemented in a tiny electronic board aiming to retrieve data from a
remote computer. Furthermore, this work gives some clues about using it as a
malicious injection device.
2Section 2 presents some related works of both classic keyloggers and em-
bedded electronics solutions with similar goals. Section 3 presents KeyJack, its
requirements and implementation details. Then, Section 4 presents an eavesdrop-
ping scenario where Keyjack is used and gives some hints about the feasability
of injection attacks using such hardware components. Finally, Section 5 presents
some conclusions and perspectives about this work.
2 Related works
2.1 Keyloggers
When an hacker wants to retrieve data from a user keyboard, keyloggers could
be used [18,19,12,5]: these components are usually softwares running in the back-
ground of the target computer. In more recent works such as Damopoulos et al.
[4], keyloggers are also implemented for touchscreen that are widely-spread in-
terfaces on our smartphones and tablets. Such keyloggers aim to keep a copy of
each keyboard hit made by the victim. On the other side, several works such as
[10,17] present countermeasures in order to implement systems resilient to such
attacks. Therefore, IoT designers could imagine to create embedded systems im-
mune to standard keylogger implementations.
However, most of software keyloggers are not so easy to use:
– Advanced features are rarely included in free versions. As keyloggers may
be used for ”bad” purposes, developers keep the most intrusive options for
paid licenses.
– Basic keyloggers are not 100% discrete as they appear in the task manager.
– For some of them, administrator rights may be required by the operating
system (for instance, installing a driver).
– Furthermore, results take up space on the target computer and may increase
its power consumption.
2.2 Other interesting works
In the context of pure keyloggers, there are other interesting alternatives in the
hardware community:
– KeyGrabber USB made by KeeLog [20].
– USB Rubber Ducky, a USB tool by Hak5 [9]. This USB key includes a
60MHz programmable microcontroller and a µSD slot. It behaves like a
keyboard: therefore, nearly anything can be performed (from a Rick Roll
hack to keyloggers as well).
Both solutions look like USB flash drives: it can be easily hidden on a computer
port. Even if some countermeasures exists (for instance, KeyScrambler[14] en-
crypts of all keyboard hits in Firefox), it is not 100% satisfying as it still needs
3some physical access to the target. Furthermore, even if such a tool may be
hidden in the task manager, it is assumed that its power consumption may be
revealed with physical measurements.
KeyJack wants to tackle those problems using an alternative breach: nowa-
days, most keyboards are wireless and may be affected by eavesdropping and
MITM attacks. The next subsection presents some works using wireless connec-
tion to reveal security breaches.
2.3 Embedded electronics solutions
There are several works aiming to steal information from wireless computer de-
vices. The most “industrial” solution is MouseJack from Bastille Networks3.
MouseJack is an exploit used in several wireless (non-Bluetooth) keyboards that
can be used to perform eavesdropping and relay attacks. However, a laptop is
required to run MouseJack in contradiction to KeyJack which aims to be a dis-
crete and standalone solution [11].
Other people tried to make things smaller. Digital Security (@iotcert) im-
plemented related eavesdropping methods for Bluetooth devices running on a
single-board computer such as Raspberry Pi [2,3]: Cauquil et al. implemented a
Bluetooth sniffer on a RaspberryPi Zero single-board computer that can be used
to track people and steal secrets (as it was shown in their Nuit du Hack’16 talk 4).
Samy Kamkar (@samykamkar) developed Keysweeper [13,7], a solution based
on a small tiny microcontroller similar to Teensy or Arduino Nano. Even if
this solution is the most similar to KeyJack, it does not take into account the
feasability of data injection (Kamkar only focused on data listening). Further-
more, KeyJack plans to use a GSM chip to perform multiple eavesdropping with
target localization in a use case where several KeyJack devices would be imple-
mented.
3 KeyJack
3.1 Threat model
There are several keyboard manufacturers. This work focuses on the two main
ones: Microsoft and Logitech (it is assumed that generic/low-cost keyboards may
work as well). Microsoft/Logitech keyboards uses a classic Wifi-based protocol
working at 2.4GHz (for European versions at least). When this 2.4GHz link is
left unencrypted, a classic MITM scheme could be used as shown in Figure 1.
3 https://www.mousejack.com/
4 http://virtualabs.fr/ndh16/ndh16-mass-pwning-bug.pdf
4Data transmission
MITM
Data 
stolen !
Unencrypted link
Data 
injected !
Fig. 1. MITM scheme with KeyJack as the eavesdropper/injection device
For some recent keyboards, the communication between Alice and Bob is en-
crypted: even if such schemes may be broken using brute force or other advanced
techniques, this work assumes that the link is left in plaintext:
– For basic models, security was not implemented in the wireless protocol.
– For future perspectives, KeyJack could be adapted to other plaintext proto-
cols working at different frequencies (5GHz band, for instance).
3.2 Requirements
A KeyJack device must have the following requirements:
– No physical access to the target device/computer. It means there will not be
any USB connection or malicious software installed.
– Tiny implementation: in other words, KeyJack must be a small-sized board,
easily transportable and autonomous in terms of energy.
– “Tracking-friendly”: KeyJack end-users must be able to get eavesdropping
results from a remote device (website, smartphone. . . ).
– Injection-enabled: this work aims to propose a solution which enable not
only eavesdropping but also data injection (from a remote interface as well).
– This work focuses on a Microsoft Wireless Keyboard 8005. Mainly because
its protocol was unecrypted.
5 https://www.microsoft.com/accessories/en-gb/products/keyboards/
wireless-keyboard-800/2vj-00006
5– For further implementations, a GSM chip in order to retrieve locations of
KeyJack nodes in case we want to install a network of such devices.
– And, of course, something that is low-cost and easily reproductible!
3.3 Hardware implementation
KeyJack components are shown in Figure 2:
Fig. 2. Electronic components used in KeyJack
From the left to the right side:
– A 2.4GHz board based on a NRF24L01 chip from Nordic Semiconductors.
– An antenna.
– Adafruit Feather FONA as the microcontroller board: this board includes,
in a tiny form factor, an ATmega32u4 running at 8MHz and a GSM chip.
– And a battery.
– (the USB cable is just here for programming purposes)
3.4 Software layer
Figure 3 shows an example of a KeyJack network. Each node is the Adafruit
platform described in the previous section running a given Arduino code. When
each node collects information, it is transmitted to the self-hosted server where
an internal website was developed.
6KeyJack node
KeyJack node
KeyJack node
KeyJack server
(self-hosted)
Fig. 3. Example of a KeyJack network with three nodes and a server
On the server side, KeyJack interface looks as follows:
Fig. 4. KeyJack server interface
4 Case study: eavesdropping a Microsoft keyboard
As it was said in Section 3, this case study is focused on a Microsoft Wireless
Keyboard 800. Furthermore, we only used a single KeyJack node as shown in
Figure 2. When the user enters the KeyJack server, an interface as shown in
Figure 6 appears.
7Each keyboard is identified by its MAC address and has a dedicated menu:
– Search. In this part, the user can read logs of former measurements.
– Capture. Reading captures filtered by their date.
– Injection. Transmitting keyboard keys.
– Hacking. This last tab allows to launch attack scripts.
Fig. 5. KeyJack keyboard interface
Fig. 6. KeyJack injection interface
Normally, the NRF24L01 chip is not able to work as a sniffer: in fact, the tar-
get MAC address is needed and it is not possible to scan the frequency spec-
8trum around 2.4GHz to find one. However, as Samy Kamkar explained in its
Keysweeper project, we can send fake information about the MAC address in
order to swindle the wireless chip.
Fig. 7. NRF24L01 packet structure
With previous works of Travis Goodspeed, Samy Kamkar discovered that if
we enter an incorrect value regarding the MAC address size (writing the pream-
ble itself), the upset NRF24L01 chip considers all preambles as the target MAC
address. However, all data after the MAC address should be the payload. Ther-
fore, we get all traffic packets with the MAC address and everything else up to
the CRC. From there, we can proceed to keyboard detection.
Each brand has its own protocol to deal with the USB dongle on the com-
puter. Microsoft does not encrypt data sent by its keyboards (it is only done
since 2015 !). The only security measure is a XOR performed on the payload
with the MAC address. As we know how to get MAC address, this is not a
problem for us. As a consequence, we only have to detect Microsoft protocols
and perform a XOR.
Fig. 8. Packet structure
9Samy Kamkar also discovered that all Microsoft keyboards used a MAC
address beginning with 0xCD (this is the only byte we need in further mea-
surements). In fact, Microsoft is done in a way that the key value is in the 10th
position. As the MAC address is 5 bytes wide and 4 first bytes are not encrypted,
the key value is always XORed with 0xCD.
The last criteria we use to detect Microsoft keyboards is the value of the first
unencrypted bytes. As it is shown in Figure 8, the device type is always 0x0A
(for keyboards). Then, the packet type indicates the key category (we only focus
on keystrokes or idles). Related codes are 0x78 and 0x38. We are finally ready
to scan, for all frequencies from 2403MHz to 2480MHz:
– We check if the MAC address of the transmitter begins by 0xCD.
– We test if the paylod begins by 0xA78 or 0xA38.
5 Conclusion and perspectives
This work presented KeyJack, a low-cost solution for basic eavesdropping of a
specific Microsoft wireless keyboard. The proof-of-concept is a standalone device
which can be left in any open-space and small enough to be hidden from people
sight. Even if this study focuses on a specific keyboard model, there are oppor-
tunities with other models/vendors when communications are not encrypted.
Furthermore, KeyJack can be easily modified for data injection as the server
side is already implemented. As each keyboard is clearly identified, the next
perspective is to make a network of KeyJack node and a single server where
we could monitor everything from a remote location. Finally, KeyJack may be
adapted for other protocol where security matters in the context of Internet of
Things.
References
1. Bastille Networks, L.: Mousejack faq (Feb 2016), https://www.bastille.net/
sites/all/themes/professional_theme/media/bastille_mousejack_faq_2_
12_16-2.pdf
2. Cauquil, D.: Bluetooth low energy device spoofing library (Aug 2016), https:
//github.com/DigitalSecurity/mockle
3. Cauquil, D.: Btlejuice: The bluetooth smart mitm frame-
work (Aug 2016), https://speakerdeck.com/virtualabs/
btlejuice-the-bluetooth-smart-mitm-framework
4. Damopoulos, D., Kambourakis, G., Gritzalis, S.: From keyloggers to touchloggers:
Take the rough with the smooth. Computers & Security 32, 102 – 114 (2013),
http://www.sciencedirect.com/science/article/pii/S0167404812001654
5. Dorne, M.K.: La menace keylogger (Jul 2016), http://korben.info/
la-menace-keylogger.html
6. Express, J.: Vous utilisez des objets connecte´s? gare a` vos
donne´es (Jul 2016), http://lexpansion.lexpress.fr/high-tech/
vous-utilisez-des-objets-connectes-gare-a-vos-donnees_1813593.html
10
7. Goodin, D.: Meet keysweeper, the 10usd usb charger that steals ms
keyboard strokes (Jan 2015), http://arstechnica.com/security/2015/01/
meet-keysweeper-the-10-usb-charger-that-steals-ms-keyboard-strokes/
8. Hacker, B.: La se´curite´ dans l’internet des objets (Jul 2016), http://www.
leblogduhacker.fr/la-securite-dans-internet-des-objets/
9. Hak5: Usb rubber ducky wiki (Jan 2016), http://usbrubberducky.com/#!index.
md
10. Herley, C., Florencio, D.: How to Login from an Internet Cafe Without Worrying
about Keyloggers . Association for Computing Machinery, Inc (2003)
11. Higgins, K.: Mousejack attack bites non-bluetooth wire-
less mice (Feb 2016), http://www.darkreading.com/endpoint/
mousejack-attack-bites-non-bluetooth-wireless-mice/d/d-id/1324404
12. Holz, T., Engelberth, M., Freiling, F.: Learning More about the Under-
ground Economy: A Case-Study of Keyloggers and Dropzones, pp. 1–18.
Springer Berlin Heidelberg, Berlin, Heidelberg (2009), http://dx.doi.org/10.
1007/978-3-642-04444-1_1
13. Kamkar, S.: Keysweeper (2015), http://samy.pl/keysweeper/
14. KeyScrambler: Keyscrambler’s features (Jan 2016), https://www.qfxsoftware.
com/ks-windows/features.htm
15. Lifchitz, R.: Zigbee security review of a famous french set-
top box (Jul 2016), https://speakerdeck.com/rlifchitz/
zigbee-security-review-of-a-famous-french-set-top-box
16. Moine, F.: Huit bonnes pratiques pour bien se´curiser les objets con-
necte´s (Jul 2016), http://www.journaldunet.com/solutions/expert/64817/
huit-bonnes-pratiques-pour-bien-securiser-les-objets-connectes.shtml
17. Ortolani, S., Crispo, B.: Noisykey: Tolerating keyloggers via keystrokes hiding.
In: Presented as part of the 7th USENIX Workshop on Hot Topics in Security.
USENIX, Berkeley, CA (2012), https://www.usenix.org/conference/hotsec12/
workshop-program/presentation/Ortolani
18. Sagiroglu, S., Canbek, G.: Keyloggers. IEEE Technology and Society Magazine
28(3), 10–17 (Fall 2009)
19. Subramayam, K., Frank, C., Galli, D.: Keyloggers: The Overlooked Threat to Com-
puter Security. The Vespiary (2003)
20. USB, K.: Hardware keylogger - keygrabber usb (Jan 2016), https://www.keelog.
com/usb_hardware_keylogger.html
21. Verizon: State of the market: The internet of things 2016 (Jan
2016), https://www.verizon.com/about/sites/default/files/
state-of-the-internet-of-things-market-report-2016.pdf


Hit the KeyJack: stealing data from your daily wireless devices incognito

Abstract

Similar works

Full text

Available Versions

HAL-Rennes 1

HAL Descartes

Archive Ouverte en Sciences de l'Information et de la Communication

Hal-Diderot

HAL-Univ-Nantes

HAL-CentraleSupelec