Logitech Unifying - ultimate goal achieved: Running a RF based reverse shell through a Unifying receiver on an otherwise airgapped machine.

Details in thread

I gonna post the video on youtube in high res in some minutes.

The demo works on all available dongles and is a prototype for a talk (not public).

The client side agent is based on .NET and is about 12KB in size (debug version).

NET was chosen, because it is usable in PowerShell. The client payload is small enough to get delivered via keystroke injection, in some seconds.

As current Logitech dongles are still affected by injection, even after KeyJack/MouseJack is patched (refer my PoC2) they could ...

... be used for delivery of such a client payload.

The client agent needs no elevated user privileges.

The shell works even if no paired device is in range. And it works the otherway around: while the shell is running, one could still use paired wireless devices.

The console Window on the Windows box is only for demo, the payload could work without this.

Important: This is not a security issue with the Unifying dongles, this "covert channel" utilizes techniques which behave as intended.

It was my initial intention to develop such a ...

... bidirectional channel, but was slowed down a bit by the security issues found during research.

On Linux end, a CrazyRadio with modified firmware is used. This radio works with 20dBm, so the shell could be ran from "long range"

Video on YouTube

@RoganDawes ... what should I say ... it is possible 🤷‍♂️

@TinkerSec an extension for the "sitting in the parking lot" pentest

Typo in initial tweet:

s/reverse/remote/

(Distinguishing reverse/bind shell doesn't make sense here)