Full Report
In this post, I will recap some of the security research conducted on wireless keyboards and mice, and eventually show how current wireless keyboards and mice can be used to obtain a covert shell on a target computer. Around 2009, Max Moser realised that most wireless keyboards were simply transmitting the keystrokes in clear text. His initial research targeted systems using 27MHz radios. In 2010, he presented follow-up research targeting systems using 2.4GHz radios, which suffered from similar vulnerabilities. Manufacturers responded (eventually!) by encrypting the keystrokes, but most elected not to encrypt the mouse movements, because that would introduce latency and increase power consumption for no real benefit.
Analysis Summary
# Tool/Technique: Wireless Keyboard/Mouse Exploitation (Logitech Unifying Dongle Focus)
## Overview
This entry summarizes research and techniques leveraged to exploit vulnerabilities in contemporary wireless keyboards and mice, specifically focusing on Logitech Unifying dongles, to establish a covert shell connection on a target computer. The core weakness exploited is the potential for injection of payloads via the dongle's **Raw HID interface (HID++)**, which is used for device configuration like macros.
## Technical Details
- Type: Technique / Tooling (Exploitation Framework utilizing vulnerabilities)
- Platform: Primarily Windows (OS X is theoretically possible; Linux requires elevated privileges due to Raw HID permissions).
- Capabilities: Injection of arbitrary commands/payloads (including reflective DLL injection) via the receiver dongle, resulting in a covert, non-interactive command shell.
- First Seen: Initial research on clear-text transmission dates back to 2009 (27MHz) and 2010 (2.4GHz). The specific exploitation of Unifying devices via HID++ followed research in late 2019 by Rogan Dawes and Marcus (of P4wnP1 fame).
## MITRE ATT&CK Mapping
This technique spans several phases, primarily focusing on execution and persistence via a physical/trusted interface.
- **TA0002 - Execution**
  - T1059 - Command and Scripting Interpreter
    - *Note: This is achieved indirectly via HID injection.*
- **TA0005 - Defense Evasion**
  - T1055 - Process Injection
  - T1055.009 - DLL Side-Loading (reflective DLL injection, mentioned as part of shell deployment, is a related mechanism)
- **TA0004 - Privilege Escalation** (if the shell requires root/admin access, as on Linux)
- **TA0011 - Command and Control**
  - T1090 - Proxy (the established channel acts as a command-and-control mechanism)
## Functionality
### Core Capabilities
- **Keystroke Eavesdropping/Injection (Historical Context):** Initial research demonstrated clear-text or insufficiently encrypted transmission of keystrokes on 27MHz and 2.4GHz systems (pre-encryption fixes). Mouse movements often remained unencrypted even after keyboard encryption was implemented.
- **HID++ Abuse (Logitech Focus):** Exploiting the Raw HID interface (HID++) on Logitech Unifying receivers, which legitimate firmware uses for device configuration (e.g., macros), to transmit arbitrary data.
- **Cooperative Payload Delivery:** Utilizing the existing, trusted USB device (the dongle) to maintain a persistent, covert channel without requiring the attacker to leave their own malicious hardware connected.
### Advanced Features
- **Covert Shell Establishment:** The technique deploys scripts (e.g., PowerShell) on the target machine that open a communication channel back through the Unifying dongle.
- **Payload Delivery:** LogiTacker tooling manages reliable delivery, including retransmission, of payloads to the PowerShell instance running on the victim machine.
- **Persistence:** The established PowerShell process can survive the temporary unplugging and replugging of the LogiTacker dongle, though suspension/hibernation may cause loss of connection.
- **Evasion Tactics:** Deployment scripts can employ techniques like moving and hiding the PowerShell window to conceal operation from the user.
## Indicators of Compromise
Since this framework relies on manipulating legitimate hardware protocols, traditional static IOCs are rare unless specific deployment tools are used.
- File Hashes: N/A (Specific to the deployed payload, e.g., PowerShell scripts).
- File Names: N/A (Specific to the deployed payload).
- Registry Keys: N/A
- Network Indicators: No external C2 communication is inherently required; the connection flows back to the attacker's specialized dongle (LogiTacker).
- Behavioral Indicators:
  - Uncharacteristic low-level 2.4GHz radio traffic involving a Logitech Unifying receiver outside the expected keyboard/mouse timing.
  - PowerShell execution initiated via unexpected input vectors (detectable if inspection of the HID layer reveals non-standard reports).
## Associated Threat Actors
The techniques described originated from public security research (Max Moser, Marc Newlin/MouseJack) and specialized researcher work (Marcus/P4wnP1, Rogan Dawes/SensePost). No specific established APT group is cited as extensively using this *exact* Logitech HID++ technique yet, although similar physical access/USB abuse concepts are common.
## Detection Methods
- Signature-based detection: Limited, as the final payload often uses native system commands (PowerShell). Anti-virus (Kaspersky is noted) has been observed catching deployment steps, specifically reflective DLL injection.
- Behavioral detection: Monitoring USB device behavior for activity inconsistent with standard peripheral interaction, particularly interaction with Raw HID interfaces.
- YARA rules: Not applicable without a specific, known payload hash or binary deployment file.
## Mitigation Strategies
- **Hardware Security:** Use wireless devices from vendors that implement robust, modern, end-to-end encryption for both keystrokes and mouse movements.
- **Firmware Updates:** Ensure all wireless peripheral firmware (dongles and devices) is updated to patch known vulnerabilities (e.g., post-MouseJack updates).
- **Physical Security:** Restrict physical access to systems, especially USB ports, as initial deployment requires either plugging in the attacker's modified dongle or compromising the target's existing dongle.
- **Linux Host Hardening:** Ensure standard users do not have read/write access to Raw HID interfaces (`/dev/hidraw*`), so that a compromised standard-user process cannot use this vector.
- **Endpoint Monitoring:** Implement EDR/AV capable of detecting reflective DLL injection techniques used during shell deployment.
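The two Linux-side controls above, monitoring which processes interact with Raw HID interfaces and verifying that standard users cannot read or write `/dev/hidraw*`, can be scripted as one audit. The following Python auditor is an added example written for this summary, not code from the research, from SensePost or from LogiTacker. It assumes the standard Linux sysfs layout (`/sys/class/hidraw/hidrawN/device/uevent` carrying `HID_ID=bus:vendor:product`), Logitech's USB vendor ID 0x046D, and a `/proc`-style tree for open-handle discovery; the product ID, process and file modes in `demo()` are constructed sample data so the audit can be exercised offline.

```python
"""Audit hidraw nodes exposed by Logitech receivers: who may open them, who has them open.
Added example; assumes the standard sysfs layout and a /proc-style tree. Paths are
parameters so the audit can run against a constructed tree (see demo())."""
import os
import stat
import tempfile
from pathlib import Path

LOGITECH_VID = 0x046D  # Logitech's USB vendor ID


def parse_uevent(text):
    """Parse KEY=VALUE lines from a sysfs uevent file into a dict."""
    out = {}
    for line in text.splitlines():
        if "=" in line:
            key, value = line.split("=", 1)
            out[key.strip()] = value.strip()
    return out


def parse_hid_id(hid_id):
    """HID_ID is 'bus:vendor:product' as 8-digit hex fields, e.g. 0003:0000046D:0000C52B."""
    bus, vid, pid = hid_id.split(":")
    return int(bus, 16), int(vid, 16), int(pid, 16)


def is_logitech(hid_id):
    """True when HID_ID names a Logitech device; malformed input is simply not Logitech."""
    try:
        return parse_hid_id(hid_id)[1] == LOGITECH_VID
    except ValueError:
        return False


def permissive_bits(mode):
    """Group/other permission bits set on a node; a hardened hidraw node (0600 root) has none."""
    checks = [("group-read", stat.S_IRGRP), ("group-write", stat.S_IWGRP),
              ("other-read", stat.S_IROTH), ("other-write", stat.S_IWOTH)]
    return [name for name, bit in checks if mode & bit]


def open_handles(dev_path, proc_root="/proc"):
    """(pid, comm) of every process holding dev_path open, found via /proc/<pid>/fd links."""
    target = os.path.realpath(dev_path)
    found = []
    for pid_dir in Path(proc_root).iterdir():
        if not pid_dir.name.isdigit():
            continue
        try:
            fds = list((pid_dir / "fd").iterdir())
        except OSError:  # permission denied, or the process is already gone
            continue
        for fd in fds:
            try:
                if os.path.realpath(fd) == target:
                    found.append((int(pid_dir.name), (pid_dir / "comm").read_text().strip()))
                    break
            except OSError:
                continue
    return sorted(found)


def audit(sys_root="/sys/class/hidraw", dev_root="/dev", proc_root="/proc"):
    """One finding per Logitech hidraw node: HID name, over-broad mode bits, open handles."""
    findings = []
    for entry in sorted(Path(sys_root).glob("hidraw*")):
        try:
            info = parse_uevent((entry / "device" / "uevent").read_text())
            if not is_logitech(info.get("HID_ID", "")):
                continue
            dev = Path(dev_root) / entry.name
            mode = dev.stat().st_mode
        except OSError:
            continue
        findings.append({"node": str(dev), "name": info.get("HID_NAME", ""),
                         "permissive": permissive_bits(mode),
                         "handles": open_handles(str(dev), proc_root)})
    return findings


def demo():
    """Run the audit over a constructed sysfs/dev/proc tree (sample data, not a real host)."""
    root = Path(tempfile.mkdtemp())
    sys_root, dev_root, proc_root = root / "sys", root / "dev", root / "proc"
    dev_root.mkdir()
    for name, uevent, mode in [  # a receiver left world-writable, plus an unrelated device
        ("hidraw0", "DRIVER=hid-generic\nHID_ID=0003:0000046D:0000C52B\n"
                    "HID_NAME=Logitech USB Receiver\n", 0o666),
        ("hidraw1", "HID_ID=0003:00001234:00005678\nHID_NAME=Some other HID device\n", 0o600),
    ]:
        (sys_root / name / "device").mkdir(parents=True)
        (sys_root / name / "device" / "uevent").write_text(uevent)
        (dev_root / name).write_text("")  # a regular file stands in for the device node
        os.chmod(dev_root / name, mode)
    (proc_root / "4242" / "fd").mkdir(parents=True)  # constructed pid 4242 holds hidraw0 open
    os.symlink(dev_root / "hidraw0", proc_root / "4242" / "fd" / "5")
    (proc_root / "4242" / "comm").write_text("python3\n")
    (proc_root / "self").mkdir()  # non-numeric /proc entries must be skipped
    return audit(sys_root, dev_root, proc_root)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

On a live host, run `audit()` with its defaults as root. A non-empty `permissive` list means a non-root process could open the receiver's HID++ interface, which is the condition the Linux hardening item above rules out; a udev rule that widens hidraw access for vendor configuration tools is the usual cause. The `handles` list shows which processes currently hold the node, which should normally be limited to the input stack or known vendor tooling, and is a cheap periodic check for the Raw HID interaction the behavioral detection item describes.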
## Related Tools/Techniques
- **MouseJack (2016):** Vulnerabilities allowing injection of keystrokes via unencrypted mouse reports using the keyboard report identifier (2.4GHz devices using nRF24L01).
- **USaBUSe:** A prior technique demonstrating abuse of the Raw HID interface, which the Logitech Unifying attack vector is described as being "almost perfectly aligned" with, applied over a legitimate adapter.
- **KeyKeriki (2009/2010):** Early research into clear-text vulnerabilities in 27MHz and 2.4GHz wireless keyboards.