Logitech Unifying - ultimate goal achieved: Running a RF based reverse shell through a Unifying receiver on an otherwise airgapped machine.

Details in thread
I'm gonna post the video on YouTube in high res in some minutes.

The demo works on all available dongles and is a prototype for a talk (not public).

The client side agent is based on .NET and is about 12KB in size (debug version).
.NET was chosen because it is usable in PowerShell. The client payload is small enough to get delivered via keystroke injection in some seconds.

As current Logitech dongles are still affected by injection, even after KeyJack/MouseJack is patched (refer to my PoC2), they could be used for delivery of such a client payload.

The client agent needs no elevated user privileges.

The shell works even if no paired device is in range. And it works the other way around: while the shell is running, one could still use paired wireless devices.
The console window on the Windows box is only for demo, the payload could work without this.

Important: This is not a security issue with the Unifying dongles, this "covert channel" utilizes techniques which behave as intended.

It was my initial intention to develop such a bidirectional channel, but I was slowed down a bit by the security issues found during research.

On the Linux end, a CrazyRadio with modified firmware is used. This radio works with 20dBm, so the shell could be run from "long range".
Video on YouTube
@RoganDawes ... what should I say ... it is possible 🤷‍♂️
@TinkerSec an extension for the "sitting in the parking lot" pentest
Typo in initial tweet:

s/reverse/remote/

(Distinguishing reverse/bind shell doesn't make sense here)
Subscribe to Marcus Mengs