Wireless key mouse monitoring and hijacking

Introduction: Keyboard is one of the most common hardware in life, wireless mouse because of its convenient appearance by many people's favor, then its security? How do we defend against attacks?
This article selected from the "Hardware security and Defense big secret".

1. The rise of wireless key mice

Keyboard connected to the computer there are many ways, wired keyboard mouse in the life of the most common, the scope of application is also very broad, but wired connection not only to the operating distance is limited, and to carry caused inconvenience. Not only that, the cumbersome cable is also easy to make the desktop messy. The wireless key mouse solves the above problem very well. Wireless Key mouse is also divided into Bluetooth type and 2.4GHz type, the text refers to the wireless mouse generally refers to the 2.4GHz type. It is worth noting that, although the Bluetooth keyboard working frequency band is also the 2.4GHz band, the use of Bluetooth communication protocol, in line with the Bluetooth standard. The 2.4GHz type of key mouse mainly refers to the use of proprietary wireless protocol developed wireless products. 2.4GHz type of wireless key mouse, generally plug in the computer's USB interface adapter, mouse and keyboard powered by the battery.

2. Basic principles of wireless key mouse

The main difference between the wireless mouse and the Wired mouse is the way the signal is transmitted. Wired mouse uses wires to transmit information, while wireless keyboards use radio to transmit information. The early wireless keyboards used 27MHz bands, and the wireless receivers were much larger than the current integrated chips. Most products currently work in the 2.4GHz ISM (industrial, scientific, medical) band. Here's a general introduction to how wireless keyboards work. When the keyboard is pressed, the inside of the keyboard using the principle of matrix scanning to detect which button was pressed, the corresponding keys have the corresponding code; The MCU uses the Wireless transceiver module to transmit the key information through the radio; the adapter that is plugged into the USB port on the computer receives the corresponding data and then passes the USB Transmits input information for keystrokes to the computer's operating system. This completes the transfer of a key message, which details the hardware part of the wireless communication and the Communication data section.

3. Hardware section

If you want to really understand the structure of the keyboard, basic principles and other information, disassembly is a very direct and effective method.
650) this.width=650; "Src=" http://img.blog.csdn.net/20170119100539681?watermark/2/text/ ahr0cdovl2jsb2cuy3nkbi5uzxqvynjvywr2awv3mjawng==/font/5a6l5l2t/fontsize/400/fill/i0jbqkfcma==/dissolve/70/ Gravity/southeast "alt=" Picture description "title=" "style=" Border:0px;vertical-align:middle;margin:auto; "/>
The disassembly diagram for a wireless keyboard. The lower right part is a battery slot, and the red line is a power cord that powers the microcontroller and the wireless module. The most common on the market today is this thin-film keyboard. The reason why the thin-film keyboard replaces the mechanical keyboard is not that the quality of the mechanical keyboard is good enough and feels bad. Mechanical keyboard feel, service life is better than the membrane keyboard, just because the cost is too high and gradually quit the market. Recently because of more pursuit of product quality, mechanical keyboard has gradually become popular.
The film-type keyboard is divided into three layers to achieve no mechanical wear, which is characterized by low prices, low noise and low cost, has occupied the majority of the market share. What we are using now is the membrane keypad. The thin-film keyboard architecture is simple, in addition to the upper and lower lid, the key cap, after the keyboard is opened, you will also see the rubber caps (but in fact, are now made of silicone), three films, circuit boards, as well as the circuit board IC. If you look at the film again, you can see the conductive printing coating. The principle of thin-film keyboard is quite simple, in three films, the top is the positive circuit, the bottom is the negative circuit, the middle is non-conductive plastic sheet.
650) this.width=650; "Src=" http://img.blog.csdn.net/20170119100556682?watermark/2/text/ ahr0cdovl2jsb2cuy3nkbi5uzxqvynjvywr2awv3mjawng==/font/5a6l5l2t/fontsize/400/fill/i0jbqkfcma==/dissolve/70/ Gravity/southeast "alt=" "Figure 4" "title=" "style=" Border:0px;vertical-align:middle;margin:auto; "/>
Next, put the pressing module above (usually including the key cap, the active module under the key cap, and the rubber cap), and when the finger is pressed from the key cap, the film above and below will touch the power and complete the conduction.
However, we are more concerned with its RF component. That is, it uses the chip to complete the transmission of data. In this way, we can find the right direction to study more conveniently.
650) this.width=650; "Src=" http://img.blog.csdn.net/20170119100604885?watermark/2/text/ ahr0cdovl2jsb2cuy3nkbi5uzxqvynjvywr2awv3mjawng==/font/5a6l5l2t/fontsize/400/fill/i0jbqkfcma==/dissolve/70/ Gravity/southeast "alt=" "Figure 5" "title=" "style=" Border:0px;vertical-align:middle;margin:auto; "/>
The radio frequency portion of the wireless keyboard, with the Nordic company designed the NRF24L01 chip. The black block is the chip, which is surrounded by peripheral devices such as capacitors, resistors, etc. that are required for the chip to work properly. The yellow serpentine pattern on the left is the PCB antenna. It is a way of using the wires on the printed circuit board as an antenna. The advantage of this antenna is that it is smaller and cheaper than the external antenna, but the disadvantage is that the distance is shorter and is suitable for places where there is no strict requirement for distance. This wireless transceiver chip is a key part of understanding the basic principles of wireless keyboard communication, which helps us to study wireless keyboards, and introduces some basic conditions of the chip.
NRF24L01 is a single-chip wireless transceiver designed by Nordic with protocol resolution for low-power wireless applications. NRF24L01 works in the Global Open ISM band (industrial, scientific and Medical frequency bands), 2.400ghz~2.4835ghz in frequency range. Because the NRF24L01 is only a wireless transceiver, there is no integrated microcontroller, so in use with a microcontroller and a small number of peripheral devices to work. We can operate and configure the NRF24L01 via the SPI interface. Through the SPI interface, you can read and write the registers inside the NRF24L01, complete the configuration and all other operations.
The wireless device uses the Gfsk modulation method. The user can modify the channel, output power, and data rate of the wireless device. The NRF24L01 supports three rates of 250kbit/s, 1mbit/s, and 2mbit/s. At present, the data transmission rate of 2mbit/s is widely used.
The schematic diagram of the circuit reference design given by Nordic company is shown. Most companies are developed on this basis, unless some companies have special needs in some areas to adjust the schematic diagram. Many manufacturers will develop this module two times to produce the chip.
650) this.width=650; "Src=" http://img.blog.csdn.net/20170119100615895?watermark/2/text/ ahr0cdovl2jsb2cuy3nkbi5uzxqvynjvywr2awv3mjawng==/font/5a6l5l2t/fontsize/400/fill/i0jbqkfcma==/dissolve/70/ Gravity/southeast "alt=" "Figure 6" "title=" "style=" Border:0px;vertical-align:middle;margin:auto; "/>
The finished module for the chip
650) this.width=650; "Src=" http://img.blog.csdn.net/20170119100624973?watermark/2/text/ ahr0cdovl2jsb2cuy3nkbi5uzxqvynjvywr2awv3mjawng==/font/5a6l5l2t/fontsize/400/fill/i0jbqkfcma==/dissolve/70/ Gravity/southeast "alt=" "Figure 7" "title=" "style=" Border:0px;vertical-align:middle;margin:auto; "/>
The module only leads to the necessary power and control interfaces, and other peripheral circuits are integrated into the module. The advantage is that it is easier to use and does not need to care about the peripheral circuitry and antenna parts of the chip. Antenna design is a difficult point in circuit design, small errors may have a greater impact on the communication distance. So many vendors are using a design-mature module instead of re-designing this part themselves.
650) this.width=650; "Src=" http://img.blog.csdn.net/20170119100634286?watermark/2/text/ ahr0cdovl2jsb2cuy3nkbi5uzxqvynjvywr2awv3mjawng==/font/5a6l5l2t/fontsize/400/fill/i0jbqkfcma==/dissolve/70/ Gravity/southeast "alt=" "Figure 8" "title=" "style=" Border:0px;vertical-align:middle;margin:auto; "/>
For the module of the pin sequence diagram, can be connected with a single-chip microcomputer. The corresponding PIN functions are as follows.
650) this.width=650; "Src=" http://img.blog.csdn.net/20170119100642489?watermark/2/text/ ahr0cdovl2jsb2cuy3nkbi5uzxqvynjvywr2awv3mjawng==/font/5a6l5l2t/fontsize/400/fill/i0jbqkfcma==/dissolve/70/ Gravity/southeast "alt=" "Figure 9" "title=" "style=" Border:0px;vertical-align:middle;margin:auto; "/>
The module retains 8 interfaces that the user needs to use. where the 1th and 2nd pins are power connectors, power the module. The 3rd PIN is a chip enable interface for setting whether the chip is operating in the receive mode or the transmit mode. Pins 4th to 7th are four wires for SPI communication. CSN is used for chip-select chips, which are the SPI communication enable of the chip. SCK is the communication clock provided by MCU for SPI Communication. MOSI is the data interface that the MCU sends the data to the module, and the miso is the data interface that the module sends the data to the MCU. The 8th-pin IRQ notifies the microcontroller module that data has been received via level hopping when receiving data. The advantage of this approach is that the microcontroller can complete other tasks without receiving data, and does not need to keep querying whether the module receives data. Of course, this interface can also be used, but as mentioned above, the need to always query whether the data received, this method is very inefficient. In this way, the other disadvantage is that the single-chip microcomputer has been working state, not conducive to sleep, will cause a significant increase in power consumption.
The above physical interface can achieve the purpose of configuration and Operation Nrf24l01. Understanding the hardware is not enough, the study of communication data is still a compulsory course.

4. Communication Data section

NRF24L01 supports automatic assembly of data packets, and automatically sends confirmation packets and resend packets. It supports 1 to 32 bytes of payload length. can automatically decompose the received packets to get the required load part. The NRF24L01 has 6 communication channels and supports a maximum of 1 to 6 star networks.
650) this.width=650; "Src=" http://img.blog.csdn.net/20170119100652443?watermark/2/text/ ahr0cdovl2jsb2cuy3nkbi5uzxqvynjvywr2awv3mjawng==/font/5a6l5l2t/fontsize/400/fill/i0jbqkfcma==/dissolve/70/ Gravity/southeast "alt=" "Figure 10" "title=" "style=" Border:0px;vertical-align:middle;margin:auto; "/>
The packet format for NRF24L01, which includes 1-byte preamble, 3 to 5-byte addresses, 9-bit packet-control segments, 0-to-32-byte payload segments, and CRC checksum codes. Each part of the packet plays a different role throughout the communication and has different roles, which are described in detail below.
The preamble is used to synchronize the demodulator on the receiving side with the input bit stream. The length of the preamble here is a byte, and the sequence is 01010101 or 10101010. As to what kind of preamble, it is related to the first bit of the address immediately following the preamble. If the first bit of an address is 1, the preamble is automatically set to 10101010. If the first bit of an address is 0, the preamble is automatically set to 01010101. These measures are used to ensure sufficient excessive time to stabilize the receiver. Simply put, the presence of a preamble is primarily intended to make subsequent data stream reception more stable.
The address here is the transmitter sent to the receiver. The address is used by the correct receiver to detect and receive the packet, rather than being mistakenly received by another device. When we write the address in the receiver, it is convenient to filter out packets that are not sent to us, ensuring that the received packets are at least the correct address. We can adjust the width of the address to 3, 4 or 5 bytes by setting a register named AW.
650) this.width=650; "Src=" http://img.blog.csdn.net/20170119100701052?watermark/2/text/ ahr0cdovl2jsb2cuy3nkbi5uzxqvynjvywr2awv3mjawng==/font/5a6l5l2t/fontsize/400/fill/i0jbqkfcma==/dissolve/70/ Gravity/southeast "alt=" "Figure 11" "Title=" "style=" Border:0px;vertical-align:middle;margin:auto; "/>
The Package control field in the packet, which involves control of the packet, mainly includes the payload length field (Payload length), the Packet recognition field (PID), and the Packet flag (no_ack) of the auto-answer. The Package control field contains a 6-bit payload Length field. When the device is set to a dynamic load length as the receiving end, the payload length field is used to indicate how long the load is so that the load can be read quickly. When set to a static load length, this field is not available because the load length is fixed each time.
The two-bit packet recognition field is used to detect whether the received packet is new or retransmission. The packet recognition field is designed to prevent repeated processing of the same load being sent to the microcontroller multiple times. When the sender sends a new packet each time, the value of the packet recognition field will grow. The device on the receiving end determines whether the packet is retransmission or new based on the packet recognition field and the cyclic check code (CRC). When more than one packet is lost, this time the package identification code may be the same as the last time, if so, nrf24l01 will compare two times the cyclic check code. If the two cycles check code is the same, the newly received packet is discarded as a backup of the last received packet.
The optional auto-answer feature controls the non-confirming flag (no_ack). This flag is valid when the auto-answer feature is used. Set this flag to 1 and tell the receiver that the package does not need to be answered automatically.
A load (Payload) is a user-defined data content. It can be 0 to 32 bytes in length. Users can transfer data that needs to be transferred in a load field. Cyclic redundancy check code is used for error detection of packets. Before the data is sent, the emitter generates cyclic redundancy check codes based on the data sent. When the receiver receives the data, it also generates a cyclic redundancy check code based on the received data. Finally, the receiver will calculate the received data check code, and directly received check code to compare, if the same is believed that the data in the transmission process is not wrong, if not the same is considered wrong, need to take retransmission or other measures. The field can be set to 1 or 2 bytes, and is calculated from the address, including the Package control field and payload.

5 How to Defend

Wired keylogger in some units or some scenarios, as a key logger device is necessary to use. Please do not take off at will, lest cause unnecessary misunderstanding.  
for individuals, the wired keylogger is easy to defend against, saying it is not difficult to say. It is easy to say that the external device is visible to the naked eye, it is difficult to use software detection is very difficult, a few simple defense methods are as follows.  
First, raise awareness of prevention. Check it before using the desktop and see if it has a "little tail" behind it. Of course, every time you look too troublesome, you can choose to put the chassis on the naked eye of the table, nothing to look at. If you use a laptop, look at it at any time.  
Second, the unfamiliar person sends the keyboard, do not feel free to accept! Or find your keyboard has been removed traces, also need to pay attention! Perhaps, the keyboard, there is a circuit board, when you inadvertently, stealing your account and password, and then as a breakthrough to steal more secrets. Of course, it is relatively reassuring to buy the keyboard on the market.  
Then, enter the key information, with a soft keyboard input is better, if the computer itself to do a good job of software security, if the Trojan is recorded on the screen will not be able to.  
for wireless keyboard monitoring of the defense, it is very simple, do not use the wireless mouse on the line! Especially when working with desktops or laptops in the office, there's absolutely no need for a wireless keyboard, and the phone and ipad are on-screen keyboards. If you have to use a wireless keyboard, you can consider yourself to do a conversion of hardware, the USB wired keyboard into a Bluetooth or wireless keyboard, as for the method, with the wireless keylogger is a principle.  
Finally, security is not absolute, but also do not be intimidated by rumors, keep good attitude, cautious, regular replacement of strong password is very important.  
Especially for the staff who master the key account password of the company or institution, please raise the awareness of self-safety.

Warning: Illegal theft of other people's information is illegal, this section is for learning reference only! Never make a mistake!

We will introduce to you in tomorrow's push the classic case of a wireless mouse monitoring and hijacking mousejack: Mousejack can make use of some problems existing in wireless mice and keyboards to achieve the effect of pretending to be a keyboard and realizing any key.
This article is selected from the "Hardware Security defense Big Secret", click this link can be viewed in the blog point of view website.

650) this.width=650; "Src=" http://img.blog.csdn.net/20170119100854889?watermark/2/text/ ahr0cdovl2jsb2cuy3nkbi5uzxqvynjvywr2awv3mjawng==/font/5a6l5l2t/fontsize/400/fill/i0jbqkfcma==/dissolve/70/ Gravity/southeast "alt=" Picture description "title=" "style=" Border:0px;vertical-align:middle;margin:auto; "/>

Want to get more good articles in time, you can search "blog point of View" or scan the QR code below and follow.
650) this.width=650; "src=" http://img.blog.csdn.net/20161128135240324 "alt=" Picture description "title=" Picture description "style=" border:0px; Vertical-align:middle; "/>

This article is from the blog of "Blog View blog", make sure to keep this source http://bvbroadview.blog.51cto.com/3227029/1893111

Wireless key mouse monitoring and hijacking