David Sopas – Web Security Researcher

18/03/19 Advisories , Hardware # , , , ,

Popular wireless Logitech mouse vulnerable to keystroke injection

One of the things that keeps me on the security path is the opportunity to learn new things each day.
After seing the new update on Bettercap – which supports HID (Human Interface Device) – I decided to read about it – specially on MouseJack keystroke injection attacks.

I went throught the affected devices list and didn’t have any on my own to test it. BUT I had a Logitech M185 wireless mouse which is very popular because… it’s cheap comparing to other models.

I grabbed the CrazyRadio dongle – which was waiting for better usage on my lab –  and put it into action.

I opened Bettercap and turn on the HID recon:

sudo bettercap -eval="net.recon off;hid.recon on"

After a while I detected my Logitech M185 and also other stuff:

Just to make sure it was really my device, I did a simple HID.sniff ADDR and pressed a few buttons. Don’t want to pop shells anywhere 🙂

Next, I created a simple DuckyScript to show the Windows calcultator on the desktop:

GUI r
DELAY 200
STRING calc
DELAY 200
ENTER

What we have so far:

  • Bettercap running with HID module on
  • Detected my Logitech M185 2.4Ghz mouse
  • Created the DuckyScript to use (ducky.txt)

The only thing missing is to inject our payload and see what happens:

hid.inject ADDR PT ducky.txt

You can see the end result of this proof-of-concept video – https://www.youtube.com/watch?v=TdPRYWkYarM

Don’t want to be a spoiler but… yeh it’s vulnerable 🙂

no responses
01/03/19 IoT # , , , , , , ,

BLE Surfing an Orienteering event

BLE Surfing an Orienteering event

It was 2pm and more than 1500 individuals were getting ready to start an international Orienteering event. To me it was opportunity to test my new BLE tool and at the same time, know more about the number of sports wearable’s people use nowadays – to know what to break next 🙂

So I positioned my crappy Android phone on the center of the event and just hit play.

After a couple of hours, I decided to check it out and I got a 701 devices detected – crazy number. Just by curiosity I made the Top5 brands and devices:

  1. Garmin – 542 devices
  2. Polar – 86 devices
  3. Fitbit – 28 devices
  4. TomTom – 21 devices
  5. Samsung – 17 devices

Around 77% of the devices detected were Garmin. Huge market share.

With that percentage, the Top5 devices were all Garmin:

  1. Forerunner 235 – 180 devices
  2. Forerunner 735 XT – 67 devices
  3. Forerunner 35 – 46 devices
  4. Forerunner 920 – 43 devices
  5. Fenix 3 HR – 30 devices

I already did some research on Garmin and TomTom, also played with someForerunner models and they show the real bd_addr (Bluetooth Address) which could be used to… track people. But this wasn’t the case.
My real goal was to test large data into my app and see how it handles on rendering them on a map. No information or connection was made to any device.

Just by curiosity, you know that only the Garmin watches had a value of around 180k?

no responses