Last summer a friend and I worked on some electronics projects so I thought I’d write a post about it.
Marc Newlin and the team over at Bastille released a vulnerability called MouseJack in early 2016. This vulnerability allows an attacker to send keystrokes directly to a wireless mouse or keyboard, similar to a Hak5 Rubber Ducky, but from up to hundreds of meters away.
I found out about the vulnerability around June last year and immediately set about replicating the research. Shortly after, we published a tool called JackIt.
JackIt is a relatively simple Python script that leverages a CrazyRadio PA USB adapter to inject keystrokes into many Microsoft and Logitech keyboards and mice using the NRF24L01+ protocol. It uses the same HID attack description syntax as the Hak5 Rubber Ducky, called Duckyscript, and you can find example payloads in the project wiki.
After my friend and I wrote the JackIt tool, we realized that carrying around a laptop with a specialized USB radio was a bit sketchy. It would be much more effective to carry around a simple physical key fob that would opportunistically exploit the vulnerability.
In August, after a bit of Arduino tinkering and learning to solder, we found a platform that worked nicely and created a portable version called uC_Mousejack. Depending on the battery size and radio, it can run for up to a day per charge and still manages 25 meters of range.
The microcontroller version uses PlatformIO as the toolchain (which is brilliant), and includes a Python script to compile Duckyscripts into C arrays for easy firmware recompilation.
During the uC_Mousejack project, I discovered that working with simple electronics is a breeze. I’m really surprised that there aren’t more custom hardware-based attacks in common use by penetration testers, especially considering that binary exploitation is a lot more challenging today.
My friend and I once again teamed up for the uDuck project and decided to make a simple PCB. The obvious choice was the USB HID attack popularized by the Hak5 Rubber Ducky. It’s a great attack, but unfortunately I can’t afford to drop a handful of $45 USB devices in a parking lot and hope for the best.
It’s worth mentioning that around the same time, Sensepost released the USaBUSe project. I really like the concept of a more feature-rich version, but it doesn’t fit our use case well. We wanted ultra-cheap devices that we can label as “Confidential” and leave in parking lots or around employee smoke-break areas. uDuck is the philosophically opposite approach and embraces minimalism instead.
You can find the Github repo for uDuck here.
The uDuck can be reprogrammed over the same USB port that delivers the attack. To accomplish this, it leverages the Micronucleus bootloader. Essentially, it waits in the bootloader for 2 seconds after being connected, then changes into a keyboard device. The included Python script compiles a Duckyscript payload into a byte array, patches the firmware with the byte array (containing HID codes and delays) and waits for the USB device to be connected. Once connected, the new firmware is uploaded.
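To make the compile step concrete, here is a small added example (my own illustration, not the script shipped in the uDuck repo) that turns a Duckyscript into (modifier, HID usage ID, delay) records of the kind a firmware would store, then packs them into a byte array. The 4-byte record layout and the supported key subset are assumptions for this example, not uDuck’s actual format.

```python
# Added example: minimal Duckyscript-to-HID compiler (not the uDuck project's script).
# Usage IDs follow the USB HID Keyboard/Keypad usage page; the record layout is assumed.
_LETTERS = {c: 0x04 + i for i, c in enumerate("abcdefghijklmnopqrstuvwxyz")}
_DIGITS = {c: 0x1E + i for i, c in enumerate("1234567890")}   # '0' lands on 0x27
_SYMBOLS = {" ": 0x2C, "-": 0x2D, "=": 0x2E, ".": 0x37, "/": 0x38}
_NAMED = {"ENTER": 0x28, "ESC": 0x29, "TAB": 0x2B, "SPACE": 0x2C}
MOD_CTRL, MOD_SHIFT, MOD_ALT, MOD_GUI = 0x01, 0x02, 0x04, 0x08
_MODS = {"CTRL": MOD_CTRL, "SHIFT": MOD_SHIFT, "ALT": MOD_ALT, "GUI": MOD_GUI}


def char_to_key(ch):
    """Map one printable character to (modifier, usage_id); uppercase needs SHIFT."""
    if ch.lower() in _LETTERS:
        return (MOD_SHIFT if ch.isupper() else 0, _LETTERS[ch.lower()])
    if ch in _DIGITS:
        return (0, _DIGITS[ch])
    if ch in _SYMBOLS:
        return (0, _SYMBOLS[ch])
    raise ValueError("unsupported character %r" % ch)


def compile_duckyscript(text):
    """Return a list of (modifier, usage_id, delay_ms) entries for a Duckyscript."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("REM"):      # comments and blank lines
            continue
        cmd, _, arg = line.partition(" ")
        if cmd == "DELAY":
            entries.append((0, 0, int(arg)))        # no key, just a pause
        elif cmd == "STRING":
            entries.extend((m, k, 0) for m, k in map(char_to_key, arg))
        elif cmd in _MODS or cmd in _NAMED:
            mods, key = 0, 0                        # e.g. "SHIFT TAB" or "ENTER"
            for tok in line.split():
                if tok in _MODS:
                    mods |= _MODS[tok]
                elif tok in _NAMED:
                    key = _NAMED[tok]
                else:
                    key = char_to_key(tok.lower())[1]
            entries.append((mods, key, 0))
        else:
            raise ValueError("unknown command %r" % cmd)
    return entries


def to_bytes(entries):
    """Pack entries as 4 bytes each: modifier, usage_id, delay_hi, delay_lo (delay <= 65535)."""
    return b"".join(bytes((m, k, d >> 8, d & 0xFF)) for m, k, d in entries)
```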
No more fishing a microSD card out of a tiny slot and finding a card reader :).
So why is uDuck interesting? The devices can be made for less than $2 in relatively small quantities. It changes the economics of carrying out this attack.
I figured that MouseJack would be obsolete by now — it’s been over a year. Unfortunately it seems many of the vulnerable devices can still be bought in stores. It’s interesting that we find vulnerabilities in information security every day, but the old ones never seem to go away.
Anyway, if you’re in the infosec community don’t be afraid to jump into electronics. In the past, the toolchains for microcontrollers were arcane, the specialized equipment required was expensive and the learning curve was steep. The Arduino community and the momentum behind IoT made all of that a thing of the past.