LOGITacker
Enumerate and test Logitech wireless input devices for vulnerabilities with a nRF52840 radio dongle.
README is still under construction
LOGITacker is a hardware tool to enumerate and test vulnerabilities of Logitech wireless input devices via RF. In contrast to available tooling, it is designed as a stand-alone tool: not only the low-level RF part but also the application part runs on dedicated hardware, which provides a Command Line Interface (CLI) over a USB serial connection.
Keeping hardware from other vendors (not Logitech) out of scope allowed further optimization of low-level functionality such as RF device discovery.
Additionally, support for the following boards was added:
- Nordic nRF52840 Dongle (pca10059)
- MakerDiary MDK Dongle
- MakerDiary MDK
- April Brother Dongle
LOGITacker covers the following Logitech vulnerabilities:
- MouseJack (plain injection)
- forced pairing
- CVE-2019-13052 (AES key sniffing from pairing)
- CVE-2019-13054 (injection with keys dumped via USB from presentation clickers)
- CVE-2019-13055 (injection with keys dumped via USB from Unifying devices)
LOGITacker does not currently cover the following Logitech vulnerabilities:
- KeyJack
- CVE-2019-13053 (Injection without key knowledge, for receivers patched against KeyJack)
Note: KeyJack and CVE-2019-13053 are covered by mjackit
LOGITacker can also be used as a hardware implant (see USBsamurai's tutorial: https://medium.com/@LucaBongiorni/usbsamurai-for-dummies-4bd47abf8f87 )
1 Feature summary
- Discovery of Logitech devices on air (optimized pseudo promiscuous mode)
- Device management (store/delete devices to/from flash, automatic reload of parameters - such as the link encryption key - from flash when a stored device is discovered again)
- Passive Enumeration of discovered devices (sniffing, automatic update of device capabilities based on received RF frames)
- Active Enumeration of discovered devices (test receiver for additional valid device addresses, test for plain keystroke injection vulnerability)
- Injection (Inject keystrokes into vulnerable devices, inject encrypted for devices with known key, bypass alpha character filter of receivers for newer devices - like R500 presentation clicker)
- Scripting (create/store/delete injection scripts on internal flash, auto load a script on boot, auto inject a script on device discovery, support for DE and US keyboard layouts)
- CLI (integrated help, tab completion, inline help)
- Sniff pairing (AES link encryption keys get stored to flash; encrypted injection and live decryption of keyboard traffic become possible)
- Device pairing / forced pairing: a virtual device can be paired to a Unifying dongle in pairing mode or to an arbitrary RF address (in order to test for the forced pairing vulnerability presented by Marc Newlin in 2016)
- Device management on flash: discovered devices can be stored to / deleted from flash persistently. This comes in handy if a device has an AES link encryption key associated. If the dongle is power-cycled and the respective device is discovered again, the associated data (including the AES key) is restored from flash.
- Live decryption: in passive enumeration mode, encrypted keyboard RF frames are automatically decrypted if the link encryption key is known (it can be added manually or obtained from a sniffed pairing). This combines nicely with the USB pass-through modes.
- experimental covert channel for air-gap bridging with "keystroke injectable" client agent to deploy the channel for a Windows host with Logitech receiver (demo with receiver implanted into USB cable: https://youtu.be/79SogcYbpNA)
- usable for pure USB keystroke injection (RubberDucky fashion); the scripting features remain usable in this mode
- USB pass-through: a USB serial based CLI is not the best choice when it comes to processing raw or decrypted RF data. To circumvent this, LOGITacker supports the following pass-through modes:
- USB keyboard pass-through: if enabled, received RF keyboard frames are forwarded to LOGITacker's USB keyboard interface. Key presses of the currently sniffed wireless keyboard are ultimately mirrored to the host which has LOGITacker connected. For encrypted keyboards, the decrypted data is forwarded (in case the AES key is known).
- USB mouse pass-through: same as keyboard pass-through, but for mouse reports.
- RAW pass-through: besides the USB serial, USB mouse and USB keyboard interfaces, LOGITacker provides a raw HID interface. Passing keyboard reports directly via USB isn't always a good idea (e.g. if you sniff a keyboard and the user presses ALT+F4). To allow further processing, raw incoming data can be forwarded to the USB host using the raw interface (the data format includes: LOGITacker working mode, channel, RSSI, device address, raw payload).
- Automation / stand-alone use: besides device data and scripts, several options can be stored persistently to flash. These options control LOGITacker's behavior at boot time. An example set of persistent options for headless auto-injection (LOGITacker can be powered from a battery) would look like this:
- boot in discovery mode (detect devices on air)
- if a device is discovered, automatically enter injection mode
- in injection mode, load a stored default script and execute the script with default language layout
- if the injection succeeded, return to discovery mode
- enter injection mode not more than 5-times per discovered device
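The RAW pass-through caveat above (a sniffed ALT+F4 mirrored to the analysis host closes whatever window has focus) is easiest to handle on the host side. The following Python script is an added example, not part of LOGITacker's own code: it consumes raw pass-through reports, decodes the contained keyboard report and refuses to forward chords that would disturb the host. The README only lists the raw report's fields (working mode, channel, RSSI, device address, raw payload), not their byte widths, so the header layout below is an assumption of this example; it also assumes the payload has already been translated into a standard 8-byte USB boot keyboard report, which is what the keyboard pass-through ultimately emits.

```python
"""Host-side triage of LOGITacker raw HID pass-through reports.

Added example, not LOGITacker code. The header layout is assumed (the README
names the fields but not their widths); the payload is assumed to be an
8-byte USB boot keyboard report (modifier byte, reserved byte, 6 key codes).
"""
import struct
from dataclasses import dataclass

# Assumed header layout (hypothetical): mode, channel, RSSI (signed dBm),
# 5-byte device address, payload length; the payload follows immediately.
HDR = struct.Struct("<BBb5sB")

# Modifier bits of byte 0 of a USB boot keyboard report (USB HID spec).
MOD_BITS = {0x01: "LCTRL", 0x02: "LSHIFT", 0x04: "LALT", 0x08: "LGUI",
            0x10: "RCTRL", 0x20: "RSHIFT", 0x40: "RALT", 0x80: "RGUI"}

# Subset of the HID Keyboard/Keypad usage page, enough for this demo.
KEYCODES = {u: chr(ord("a") + u - 0x04) for u in range(0x04, 0x1E)}   # a..z
KEYCODES.update({u: str((u - 0x1D) % 10) for u in range(0x1E, 0x28)})  # 1..9,0
KEYCODES.update({0x28: "Enter", 0x29: "Esc", 0x2A: "Backspace", 0x2B: "Tab",
                 0x2C: "Space", 0x4C: "Delete"})
KEYCODES.update({0x3A + i: f"F{i + 1}" for i in range(12)})            # F1..F12

# Chords that must not reach the analysis host: ALT+F4 is the README's own
# example, GUI+L (lock session) is added here as a second one.
BLOCKED_CHORDS = (
    ({"LALT", "RALT"}, "F4"),
    ({"LGUI", "RGUI"}, "l"),
)


@dataclass
class RawFrame:
    mode: int
    channel: int
    rssi: int
    address: bytes
    payload: bytes


def parse_raw_frame(report: bytes) -> RawFrame:
    """Split one raw pass-through report into its fields (assumed layout)."""
    if len(report) < HDR.size:
        raise ValueError("report shorter than header")
    mode, channel, rssi, address, plen = HDR.unpack_from(report)
    payload = report[HDR.size:HDR.size + plen]
    if len(payload) != plen:
        raise ValueError("payload truncated")
    return RawFrame(mode, channel, rssi, address, payload)


def decode_keyboard_report(report: bytes):
    """Return (modifiers, keys) of an 8-byte USB boot keyboard report."""
    if len(report) != 8:
        raise ValueError("boot keyboard report must be 8 bytes")
    mods = [name for bit, name in MOD_BITS.items() if report[0] & bit]
    keys = [KEYCODES.get(code, f"0x{code:02x}") for code in report[2:8] if code]
    return mods, keys


def should_forward(mods, keys) -> bool:
    """Policy: drop chords listed in BLOCKED_CHORDS, pass everything else."""
    return not any(key in keys and chord_mods & set(mods)
                   for chord_mods, key in BLOCKED_CHORDS)


def triage(reports):
    """Parse, decode and classify a sequence of raw reports."""
    out = []
    for raw in reports:
        frame = parse_raw_frame(raw)
        mods, keys = decode_keyboard_report(frame.payload)
        out.append({"address": frame.address.hex(":"), "channel": frame.channel,
                    "rssi": frame.rssi, "mods": mods, "keys": keys,
                    "forward": should_forward(mods, keys)})
    return out


def build_report(mode, channel, rssi, address, payload):
    """Constructed sample frame in the assumed layout (test data only)."""
    return HDR.pack(mode, channel, rssi, address, len(payload)) + payload


# Constructed sample traffic: a plain 'a' press followed by an ALT+F4 chord.
SAMPLE_REPORTS = [
    build_report(2, 5, -61, b"\xAA\xBB\xCC\xDD\xEE", bytes([0, 0, 0x04, 0, 0, 0, 0, 0])),
    build_report(2, 5, -63, b"\xAA\xBB\xCC\xDD\xEE", bytes([0x04, 0, 0x3D, 0, 0, 0, 0, 0])),
]

if __name__ == "__main__":
    for entry in triage(SAMPLE_REPORTS):
        print(entry)
```

In a real setup the reports would be read from the raw HID interface (for instance with a hidapi binding) instead of `SAMPLE_REPORTS`, and the `forward` flag decides whether the decoded report is re-emitted to the host or only logged. Extending `BLOCKED_CHORDS` is the only change needed to cover further host-disrupting combinations.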
There are still many ToDo's. The whole project is in an experimental state.
2 Installation
2.1 Nordic nRF52840 Dongle (pca10059)
The nRF Connect software by Nordic provides a Programmer app, which can be used to flash the firmware from this repository to a Nordic nRF52840 dongle. After flashing the firmware, the dongle provides 4 new interfaces (USB serial, USB mouse, USB keyboard and USB HID raw). The serial interface can be accessed using PuTTY, or screen on Linux.
Reference: "Terminal Settings" section of nRF5 SDK documentation - https://infocenter.nordicsemi.com/topic/com.nordic.infocenter.sdk5.v15.0.0/lib_cli.html#lib_cli_terminal_settings
To put the dongle into programming mode (bootloader) push the button labeled RESET. The red LED starts to "softblink" in red.
The proper file to flash with the Programmer app is build/logitacker_pca10059.hex.
2.2 MakerDiary MDK Dongle (pca10059)
The nRF Connect software by Nordic provides a Programmer app, which can be used to flash the firmware from this repository to a Nordic nRF52840 dongle. After flashing the firmware, the dongle provides 4 new interfaces (USB serial, USB mouse, USB keyboard and USB HID raw). The serial interface can be accessed using PuTTY, or screen on Linux.
Reference: "Terminal Settings" section of nRF5 SDK documentation - https://infocenter.nordicsemi.com/topic/com.nordic.infocenter.sdk5.v15.0.0/lib_cli.html#lib_cli_terminal_settings
To put the dongle into programming mode (bootloader) follow these steps:
- disconnect the dongle from the host
- press and hold the button of the dongle
- re-connect the dongle to the host without releasing the button
- the red LED of the dongle should "softblink" to indicate bootloader mode
The proper file to flash with the Programmer app is build/logitacker_mdk_dongle.hex.
2.3 MakerDiary MDK
Thanks to DAPLink support flashing this board is really easy:
- Connect the board to the host
- Push the button labeled "IF BOOT / RST"
- A mass storage with label "DAPLINK" should be detected and mounted to the host.
- Copy the build/logitacker_mdk.hex file to the DAPLINK volume.
- Wait until the green LED stops flashing and the "DAPLINK" volume is re-mounted.
- Push the "IF BOOT / RST" button again, in order to boot the LOGITacker firmware.
2.4 April Brother nRF52840 Dongle
The April Brother dongle provides a removable drive, which accepts a UF2 file to program the dongle.
To program the dongle follow these steps:
- disconnect the dongle from the host
- double-click the button on the dongle (through the tiny hole)
- copy logitacker_apr-dongle.uf2 to the removable drive 'NRF52BOOT'
- the dongle will restart
- remove the dongle from host
- reinsert dongle to host
The proper file to flash with the Programmer app is build/logitacker_aprdongle.uf2.
After flashing the firmware, the dongle provides 4 new interfaces (USB serial, USB mouse, USB keyboard and USB HID raw). The serial interface can be accessed using PuTTY, or screen on Linux.
Reference: "Terminal Settings" section of nRF5 SDK documentation - https://infocenter.nordicsemi.com/topic/com.nordic.infocenter.sdk
2.4.1 Remark on LED issues of aprbrother dongle
The aprbrother dongle has LED issues, which are not caused by LOGITacker. See here for reference: https://github.com/AprilBrother/ab-hardware/issues/1
2.4.2 Remark on bootloader
Once LOGITacker has been flashed, double-tapping the hardware button no longer starts the bootloader (UF2 flash mode).
- In order to get back to the bootloader, unplug the dongle
- Press and hold the hardware button (use something which fits the small hole)
- Re-plug the dongle with the button still pressed
- The blue LED should "soft blink", this indicates that the dongle is in bootloader mode again
- Copy the intended UF2 firmware image to the volume named 'NRF52BOOT' to flash a new firmware
3 Basic usage concepts
LOGITacker exposes four virtual USB devices:
- USB CDC ACM (serial port) - this port has a console connected and is used for CLI interaction
- USB mouse - used to optionally forward mouse reports (captured from RF) to the host
- USB keyboard - used to optionally forward keyboard reports (captured from RF, decrypted if applicable) to the host
- USB HID raw - used to optionally forward raw RF frames for further processing (usage as additional control interface planned)
LOGITacker provides an interactive CLI interface which could be accessed usin
