Profile picture
Marcus Mengs
@mame82
, 6 tweets, 9 min read Read on Twitter
Keystroke injection into encrypted @Logitech R500 presentation clicker
- steal AES key (undisclosed vulnerability, one time physical access)
- RF injection with bypass of alpha key blacklisting (could be done as often as needed, once AES key is dumped)
@Logitech report for PoC 3 applies (from March 13th).

I will hand over the report to @certbund asap, as there was no further feedback and no information for customers, that beside Unifying devices, encrypted presentation clickers are affected
Cc:

@RoganDawes @marcnewlin @iiiikarus @matthiasdeeg @travisgoodspeed @cybergibbons @TinkerSec @WHID_Injector @heisec @Cyberarms @seytonic @certbund
cc (spread the word) @mylaocoon @ideascout @sveckert @jatiki @HonkHase @phretor @markusdahlberg @yadox @DemmSec @schniggie @AnGreagach @Securityblog @pentestitde @Sec_GroundZero @n0x08 @UlfFrisk @obiwan666 @binitamshah @slawekja
Addition:
As @marcnewlin pointed out with his latest research, R500 encryption could also be attacked using an encryption weakness published in 2016. This wouldn't require AES key extraction at all (if same key-blacklisting bypass is applied).

Reference: github.com/marcnewlin/pre…
Summary of additional vulnerabilities for wireless peripherals is here (eavesdropping, encrypted injection, key extraction, relaying remote shell through receiver)

Missing some Tweet in this thread?
You can try to force a refresh.

Like this thread? Get email updates or save it to PDF!

Subscribe to Marcus Mengs
Profile picture

Get real-time email alerts when new unrolls are available from this author!

This content may be removed anytime!

Twitter may remove this content at anytime, convert it as a PDF, save and print for later use!

Try unrolling a thread yourself!

how to unroll video

1) Follow Thread Reader App on Twitter so you can easily mention us!

2) Go to a Twitter thread (series of Tweets by the same owner) and mention us with a keyword "unroll" @threadreaderapp unroll

You can practice here first or read more on our help page!

More from @mame82 see all

Profile picture
Marcus Mengs
@mame82
Logitech Unifying - ultimate goal achieved: Running a RF based reverse shell through a Unifying receiver on an otherwise airgapped machine.

Details in thread
I gonna post the video on youtube in high res in some minutes.

The demo works on all available dongles and is a prototype for a talk (not public).

The client side agent is based on .NET and is about 12KB in size (debug version).
NET was chosen, because it is usable in PowerShell. The client payload is small enough to get delivered via keystroke injection, in some seconds.

As current Logitech dongles are still affected by injection, even after KeyJack/MouseJack is patched (refer my PoC2) they could ...
Read 10 tweets
Profile picture
Marcus Mengs
@mame82
1/n
 Working in progress ESB promiscous mode for nRF52840

@travisgoodspeed
- output of captured RF frames grepped for target address bb0adc
- rf payload starts at 2nd byte
- first byte shows pipe no in lower nibble, higher nibble is 4 if crc match
2/n
 - utilizing all pipes for capture (adresses 0xa8aa, aa1f, aa9f, aaa8, aaa9, aa8f, aaaa)
- most hits on aaaa, but real rf frame occurs very late in rx buffer
- rx buffer stores 60 bytes after address match (more than 200 possible on nRF52)
3/n
 - as most hits are on 0xaaaa, the rx ISR skips full 0xaa bytes on received buffer
- next step is to check crc (accounting for length in assumed PCF)
- if CRC check fails, whole rx buffer is left shifted 1 bit and crc check repeated
Read 6 tweets
Profile picture
Marcus Mengs
@mame82
@EskenSaskia @JensZimmermann1 @UweJelting @spdbt @FalkoMohrs Ja, das ändert aber nichts an den Fakten. Dass allein ein einzelnes dienstl. genutztes IT-Projekt mit noch so viel Resourceneinsatz nicht zu 100% abgesichert und gemonitort werden kann, versteht auch jemand der nicht vom Fach ist. Die Ausdehnung von Maßnahmen auf einen ...
@EskenSaskia @JensZimmermann1 @UweJelting @spdbt @FalkoMohrs ... nicht voll kontrollierbaren Bereich dürfte selbst bei exponentiell höheren Resourcenansatz, nur einen geringen Gewinn an technischer Sicherheit bringen.

Demgegenüber existieren kaum erfolgversprechende Angriffszenarien die ohne menschliche Fehler auskommen (oder ...
@EskenSaskia @JensZimmermann1 @UweJelting @spdbt @FalkoMohrs ...es sind ebenfalls immense Ressourcen nötig, z.B. Ankauf von ZeroDays). Der menschliche Fehler im privaten Umfeld, wird vom Nutzer gemacht (oft mit dienstlichen Auswirkungen, z.B. Erpressbarkeit).
Genau deshalb ist die Investition in Sensibilisierung (Prävention) lohnenswert
Read 4 tweets

Related threads

Profile picture
Ruby🇺🇸♥️
@Patriotess_Ruby
One of Canada’s biggest #Bitcoin (BTC) exchange – QuadrigaCX – has possibly lost #190Million in #cryptocurrencies after its founder and #CEO DIED SUDDENLY last December in India due to Crohn’s disease.

ethereumworldnews.com/190-million-in…
#Cotten mostly worked from his #HomeComputer which was #encrypted. The late Cotten’s wife, Jennifer Robertson, stated via an affidavit, that she did not know the #password or recovery key despite hiring a cyber-security expert to attempt #accessing the machine.
Founder (deceased #Cotten) had #SoleAccess to #ColdWallets
Read 4 tweets
Profile picture
rahel aima
@cnqmdi
time for a year in review! those of you who subscribe to my tinyletter (or even just follow me #onhere) might have seen me handwringing about freelancing, precarity. I learnt a lot this year—thanks in large part to @studyhallxyz which I highly recommend joining!—including the
simple fact rates aren't set in stone. you can—should!—ask for more. you might not always get it, but sometimes you will and it can make a big difference. this is one of those things that ~everyone already knows~ but I'd been doing this for a while and totally didn't!
this might be a terrible idea, but i'm going to be including what I was paid for each of these—transparency is so important in this industry and also so rare. when info is shared those who need it the most can rarely access it (though s/o to @WhoPaysWriters here!!)
Read 52 tweets
Profile picture
Godwin Tom
@GodwinTom
I want to tell you guys a story about how it all started #10YearsALearner #10YALpodcast
In 2008, I worked as a PR and marketing executive at an event and image consulting company in VI and I was treated well. But I wanted more. I wanted a bigger challenge so I told Kely dear friend and inspiration @iamtheOsagie #10YearsALearner #10YAL
@iamtheOsagie 2 weeks later.. I got a call from @iamtheOsagie and that was the beginning of an adventure…

O: Hey Godwin. Are you still bored?
Me: lol… You have something for me?
O: Would you like to manage an artist?
me: Who?
O: His name is MI
me: ok… send music

#10YearsALearner
Read 66 tweets
Profile picture
Leena📎🧝🏼‍♀️ Alv
@LeenaJohansson
Är du oroad över att demokrati och de mänskliga rättigheterna är i fara? Utveckling i världen och här hemma tyder på det. Du som vill göra något för att lyfta fram det viktiga med samtal om demokrati kan nu att agera. Läs tråden
röstamermänskligt.se
#röstamermänskligt
Alla goda röster behövs för att komma bort från den enkelspåriga retoriken där gruppers gälla mot varann.
#röstemermänskligt är en partipolitiskt och religiöst obunden grupp från skilda bakgrunder med en gemensam nämnare: ett mänskligt samhälle
Valkampanjen är öppen för alla. Du behöver inte vara expert. Det du kan göra är att sprida kunskap, informera och samtala om mänskliga rättigheter under #röstamermänskligt eller irl, på gator och torg, med dina bekanta och familjer.
Read 8 tweets
Profile picture
JoanneDavis
@JoanneDavis
May 23rd – 2018
Part I – The FISA Court Grants The Authority, Not The Ability…
theconservativetreehouse.com/2018/05/23/par…

1) There is a meeting scheduled tomorrow between key congressional oversight committee heads (Nunes, Gowdy etc.) and leadership of the FBI (Director Wray),
2) DOJ (Edward O’Callaghan) and ODNI (Dan Coats). The meeting was set up by White House Chief of Staff John Kelly, and the purpose of the meeting is to come to some agreement on access to documents being withheld by the DOJ, DOJ-NSD and FBI.
3) However, amid the ongoing debate over spies & informants used by the CIA & FBI to conduct political surveillance, there’s an aspect of the ongoing investigation that seems to be entirely overlooked.

On January 7th, 2016 the Inspector General of the National Security Agency,
Read 25 tweets
Profile picture
#DestroyTheAadhaar #BanDigitalElections #DefeatCIA
@Stupidosaur
One important thing about Aadhaar or any centralized system,particularly connected to money, which I have not said so far, is how it completely destroys any security by obscurity which we have enjoyed so far. Take the example of mobile OTP.
Aadhaar uses SMS One Time Password (OTP) to secure Aadhaar transactions. But we have seen how process to update mobile for Aadhaar itself is hopeless destroy-the-aadhaar.blogspot.in/2017/12/regist…
It is hopeless in terms of security as well as frustrations experienced by the user. Some of the security risks can be fixed if UIDAI is more transparent about the process, as we have seen in that article. Some frustrations also may reduced if Aadhaar centres more nearby. But...
Read 84 tweets

Trending hashtags

#R #PlanHidrológicoNacional #Toledo #MondayMotivation #Agronegocios #ReferendumADP #ObrasDeEmergencia #röstemermänskligt #ReadMore #MichaelCohen #ríoGuadalentín #AadhaarFail #Talavera #Castril #Trumpcare #Catalunya #IndependenciaCatalunya #DataIsTheNewOil #personhood #PozosDeSequía #Résultats #MemorándumTajo #BeepBeep #Guadalentín #3615referendum
Follow Us on Twitter!

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just three indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3.00/month or $30.00/year) and get exclusive features!

Become Premium

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal Become our Patreon

Thank you for your support!