What started off as a quick prank-hack to re-map a colleague’s keyboard turned into a deep dive in understanding how keyboards work. [ch00f] and his other work place colleagues are in a habit of pulling pranks on each other. When [ch00f]’s buddy, who is an avid gamer and montage parody 1337-sp34k (leet speak) fan, went off on a holiday, [ch00f] set about re-mapping his friend’s keyboard to make it spit out words his friend uses a lot – “SWAG” “YOLO” and “420”. But remapping in software is too simple, his hack is a hardware remapping!
The keyboard in question used mechanical keys mounted on a keyboard sized PCB. Further, it was single sided, with jumper links used in place of front side tracks. This made hacking easier. The plan was to use keys not commonly used – Scroll Lock, Print Screen, and Pause/Break – and get them to print out the words instead. The signal tracks from these three keys were cut away and replaced with outputs from a microcontroller. The original connections were also routed to the microcontroller, and a toggle switch used to select between the remapped and original versions. This was eventually not implemented due to a lack of space to install the toggle switch. [ch00f] decided to just replace the keyboard if his friend complained about the hack. A bit of work on the ATMega PCB and firmware, and he was able to get the selected keys to type out SWAG, YOLO and 420.
And this is where a whole can of worms opened up. [ch00f] delves in to an explanation on the various issues at hand – keyboard scanning/multiplexing, how body-diodes in switching FET’s affected the scanning, ghosting and the use of blocking diodes. Towards the end, he just had the word SWAG activated by pressing the Pause/Break key. But he does get to the bottom of why the keyboard was behaving odd after he had wired in his hack, which makes for some interesting reading. Don’t miss the video of the hack in action after the break.
Continue reading “1337-sp34k Keyboard”
[Nikhil] has been experimenting with human interface devices (HID) in relation to security. We’ve seen in the past how HID can be exploited using inexpensive equipment. [Nikhil] has built his own simple device to drop malicious files onto target computers using HID technology.
The system runs on a Teensy 3.0. The Teensy is like a very small version of Arduino that has built-in functionality for emulating human interface devices, such as keyboards. This means that you can trick a computer into believing the Teensy is a keyboard. The computer will treat it as such, and the Teensy can enter keystrokes into the computer as though it were a human typing them. You can see how this might be a security problem.
[Nikhil’s] device uses a very simple trick to install files on a target machine. It simply opens up Powershell and runs a one-liner command. Generally, this commend will create a file based on input received from a web site controlled by the attacker. The script might download a trojan virus, or it might create a shortcut on the user’s desktop which will run a malicious script. The device can also create hot keys that will run a specific script every time the user presses that key.
Protecting from this type off attack can be difficult. Your primary option would be to strictly control USB devices, but this can be difficult to manage, especially in large organizations. Web filtering would also help in this specific case, since the attack relies on downloading files from the web. Your best bet might be to train users to not plug in any old USB device they find lying around. Regardless of the methodology, it’s important to know that this stuff is out there in the wild.
For those of us who worry about the security of our wireless devices, every now and then something comes along that scares even the already-paranoid. The latest is a device from [Samy] that is able to log the keystrokes from Microsoft keyboards by sniffing and decrypting the RF signals used in the keyboard’s wireless protocol. Oh, and the entire device is camouflaged as a USB wall wart-style power adapter.
The device is made possible by an Arduino or Teensy hooked up to an NRF24L01+ 2.4GHz RF chip that does the sniffing. Once the firmware for the Arduino is loaded, the two chips plus a USB charging circuit (for charging USB devices and maintaining the camouflage) are stuffed with a lithium battery into a plastic shell from a larger USB charger. The options for retrieving the sniffed data are either an SPI Serial Flash chip or a GSM module for sending the data automatically via SMS.
The scary thing here isn’t so much that this device exists, but that encryption for Microsoft keyboards was less than stellar and provides little more than a false sense of security. This also serves as a wake-up call that the things we don’t even give a passing glance at might be exactly where a less-honorable person might look to exploit whatever information they can get their hands on. Continue past the break for a video of this device in action, and be sure to check out the project in more detail, including source code and schematics, on [Samy]’s webpage.
Thanks to [Juddy] for the tip!
Continue reading “Keystroke Sniffer Hides as a Wall Wart, is Scary”
Computers blindly trust USB devices connected to them. There’s no pop-up to confirm a device was plugged in, and no validation of whether the device should be trusted. This lets you do some nefarious things with a simple USB microcontroller.
We’ve recently seen two examples of this: the USBdriveby and the Teensyterpreter. Both devices are based on the Teensy development board. When connected to a computer, they act as a Human Interface Device to emulate a keyboard and mouse.
The USBdriveby targets OS X. When connected, it changes the DNS server settings to a custom IP, to allow for DNS spoofing of the victim’s machine. This is possible without a password through the OS X System Preferences, but it requires emulating both keystrokes and clicks. AppleScript is used to position the window in a known location, then the buttons can be reliably clicked by code running on the Teensy. After modifying DNS, a reverse shell is opened using netcat. This allows for remote code execution on the machine.
The Teensyterpreter gives a reverse shell on Windows machines. It runs command prompt as administrator, then enters a one-liner to fire up the reverse shell using Powershell. The process happens in under a minute, and works on all Windows versions newer than XP.
With a $20 microcontroller board you can quickly fire up remote shells for… “support purposes”. We’d like to see the two projects merge into a single codebase that supports both operating systems. Bonus points if you can do it on our Trinket Pro. Video demos of both projects after the break.
Continue reading “Plug Into USB, Get a Reverse Shell”
MIDI instruments are cool, but they’re not laser cool. That is, unless you’ve added lasers to your MIDI instrument like [Lasse].
[Lasse] started out with an old MIDI keyboard. The plan was to recycle an older keyboard rather than have to purchase something new. In this case, the team used an ESi Keycontrol 49. They keyboard was torn apart to get to the
creamy center circuit boards. [Lasse] says that most MIDI keyboards come withe a MIDI controller board and the actual key control board.
Once the key controller board was identified, [Lasse] needed to figure out how to actually trigger the keys without the physical keyboard in place. He did this by shorting out different pads while the keyboard was hooked up to the computer. If he hit the correct pads, a note would play. Simple, but effective.
The housing for the project is made out of wood. Holes were drilled in one piece to mount 12 laser diodes. That number is not arbitrary. Those familiar with music theory will know that there are 12 notes in an octave. The lasers were powered via the 5V source from USB. The lasers were then aimed at another piece of wood.
Holes were drilled in this second piece wherever the lasers hit. Simple photo resistors were mounted here. The only other components needed for each laser sensor were a resistor and a transistor. This simple discreet circuit is enough to simulate a key press when the laser beam is broken. No programming or microcontrollers required. Check out the demonstration video below to see how it works. Continue reading “MIDI Keyboard with Frickin’ Laser Keys”
Many of our readers are familiar with the gold standard of classic PC keyboards – the bunker with switches known as the IBM Model M. The Model M’s Apple contemporary is the Apple Extended Keyboard and they are just as highly sought-after by their respective enthusiasts. Though discontinued almost 25 years ago and incompatible with anything made in the last 15, the codenamed “Saratoga” is widely considered the best keyboard Apple ever made.
[Ezra] has made a hobby of modernizing these vintage heartthrobs and rescuing them from their premature obsolescence. In a superbly documented tutorial he not only shows how to convert them to USB (a popular and trivial hack), but teaches you how and where to smuggle a Raspberry Pi in as well.
After disassembly, the project requires only a little bit of chisel and Dremel work before the soldering iron comes out. [Ezra] was fairly meticulous in removing or redirecting the Pi’s connectors and hardwiring the internals. Only 3 pins need to be traced from the original keyboard and [Ezra]’s ADB–>USB Rosetta Stone of choice is the Hasu Converter running on a Atmega 32u4 clone. Balancing cost, range, and power draw from the Pi, he settled on the TP-LINK WN722N for his WiFi solution which is also tucked away inside the case. A single pullup resistor to finish it off and [Ezra] was delighted to discover it worked the first time he plugged it in.
Keyboards from this era use actual momentary switches that audibly click twice per keypress. In our world of screens-as-keys celebrating the lack of tactile constraints, using beasts like the Model M or the AEK to force transistors to do your bidding is like racking a shotgun during a game of lasertag – comically obtuse but delightfully mechanical.
If you are looking to expand on [Ezra]’s tinkering, he has already made a wishlist of additions: a toggle switch to lobotomize the Pi back into a plain USB keyboard, an internal USB hub, and a power switch.
Hear the video of an AEK in action after the break (or loop it to sound productive while you nap).
Continue reading “Vintage Apple Keyboard Revived As Standalone Computer”
We’ve all seen the cheesy hacker scenes in movies and on TV. Three dimensional file system browsers, computer chip cityscapes, and other ridiculous visualizations to make the dull act of sitting at a keyboard look pretty on the silver screen. While real hackers know those things are often silly and impractical, sometimes we do go out of our way to pretty things up a bit.
Hollywood might be able to learn a thing or two from this latest hack. [Yuri] modified his Linux terminal to change the color of the back lights on his laptop’s keyboard. It’s the kind of thing that actually would look good in a modern hacker movie, and [Yuri] is living proof that it’s something that a real-life hacker would actually use!
[Yuri] has been running Simple Terminal. The Simple Terminal project aims to build a replacement for the default xterm program that removes all of the unnecessary features and simplifies the source code. It also aims to make your terminal experience prettier. Part of making things prettier means that you can choose the font color for your terminals, and of course each terminal window can have its own color if you so choose.
[Yuri] happens to own an Alienware laptop. This laptop comes with RGB LEDs behind the keyboard, allowing you to light them up just about any color you could ever want. [Yuri] thought it would be cool if his keyboard color matched the font color of his terminal windows. Thanks to AlienFX, he was able to write a simple patch for Simple Terminal that does exactly this. Now whenever he selects a terminal window, the keyboard automatically switches colors to match the text in that window. Be sure to check out the video below. Continue reading “Simple Terminal Hack is Fit For Hollywood”