Okay, welcome to a talk on key press hack by Farid Perez, Mauro Eldridge and Luis Ramirez from DC54111. Before we start, I would like to make a brief introduction to both our talk and the speakers. My name is Mauro Eldridge, I'm an Argentine hacker and I work as a cybersecurity architect. I'm the founder of DC54111 Argentina and I was a speaker for DEFCON, DEFESIVERIA, ROADSEC, Brazil, DRAGONJAR, Colombia, POSCO, Iran, Texas Cyber Summit, among other conferences. Now my co-speakers are going to introduce themselves.

Thank you Mauro. Hello everyone. My name is Farid Perez, I am a Colombian hacker, assistant engineer and master in telecommunication. I work as a professor at the University of La Guajira and I am a member of DC54111 ROADSEC. Also, I'm being a speaker at DRAGONJAR, Colombia. I'm now a DEFCON in this village.

Thank you Farid. Hello everyone. My name is Luis and Ramirez Vendoza from Colombia. I am an electronic engineer and hacker on the computer security and artificial intelligence. I am a speaker at the University of La Guajira. I am a speaker at DRAGONJAR, Colombia. I am a speaker at DC54111.

Well, the objective of this talk is to show the assembly of a bad USB device discreetly mounted inside a keyboard with the ability to send the victim's keystrokes over the internet, like a remote keylogger. This talk focuses exclusively on the construction of this type of artifact and includes a video demo at the end. This is the tampered keyboard we are using. As you may see, it seems at first glance like a pretty normal classical keyboard. But, well, it isn't. Now, my co-speakers and friends Farid and Luis are going to explain the magic behind this electronic tampering.

Thank you. In the first place, we have the keyboard. You can choose any type of keyboard that has a USB connector. In order to not see much of the alteration that we are going to make, the ESP8266 Wi-Fi module will allow us to connect the Arduino to an internet connection.
In order to send the keyboard data to a database in MySQL, in order to have stored everything captured on the keyboard, to optimize the size it was decided to use the Arduino Nano so that it can be easily hidden on the keyboard in the translation of the keystroke to be stored in the MySQL database. A standard USB cable, which USB mini-B replaces the keyboard cable since it must be connected to the Arduino through which all the information must pass in order to apply the keylogger. To receive this information, we will host a C2 server with PHP, MySQL and phpMyAdmin in order to receive all the values entered by the keyboard. We will also have the Arduino programming interface where we will enter the code that is necessary to interpret if of the keystroke emitted by a keyboard and it must be sent to a store in the database.

In this image, interface Arduino IDE in the PC and something very important and very fundamental: to have a lot of patience. To a keep good, restored bacon, this neighbor comes out the first thing and on many occasions it does the opposite of what you expect and even more so when you organize the circuit and the solder becomes damaged or something very unexpected happens.

Taking into account the hardware hacking 101, we have the plans that are completely the component usage in the project where if we want to do it ourselves we must have a normal keyboard or the model must use it in your country. The wireless network component for Arduino ESP8266 and Arduino Nano and standard USB cable, a C2 server, the Arduino programming interface on the PC and above all, most important, have a lot of patience.

In this diagram, it is possible to observe the scheme tab our keyboard has because it represents the represent attached is shaped on each of the components detailed previously in order to the respective operation to obtain the information of each key entered by the BT.
We have the connection diagram of each of the pins be which the Arduino Nano, the wireless interface for the Arduino, ESP8266 and the keyboard where they indicate exactly where the connection must be made for its proper operation. On the connection card for the B board there are many drawbacks at the time of welding and first contact in each of the terminal of side connection in the same way when it is not having the membrane and not making contact it will work regularly because it will not make enough contact for team to verify each of the pulsations made.

You have in the image the representation of each of the components mentioned above for this respective assembly and operation. An image of the aforementioned cards fully operational. Here we are verifying if the keyboard or recognizing the computer. If the graphic we can observe the or modification did not alter the computer recognizing of the keyboard, here we are already assembling the keyboard for the benchmark testing.

When a key is pressed it joins the connected card rows and the column with the data to the column this in addition to going to the computer. It also reaches the Arduino it take read of the continuing which way for the signal to send to the Wi-Fi the model.

This is how our the keyboard would look like on the inside. We can appreciate all of the piece are shipped and easy to gain into device. In that same way much and we are not saying that the bits can suspect anything.

Here is the schematic the Arduino MTA speed connected serial which means that one that transmit and the other receive peri-pulsation is received by the keyboard board. The 13 don't waste the terminating which are the rows and the column of the keyboard PCB. Where a key is pressed the word and the clause that is the wrong and the column are in contact. The Arduino also wait for click. The coding is with me the translation to know which key press 15.
The ESP also have received peri-pulsation to the Arduino not having a node on the connected and the PCB of keyboard. To simplify the coding with you the Keypad library see it may be the same principle. In G-Net to be to which pin are rows and which are columns. Here we can see a part of the ESP configuration ready and waiting for pulsation to send them to be the database. Here it demonstrated how the Arduino interprets every pulsation and turning it respective chart to be a story in the variable which will end either database or request to see to server. In the graphic we observe the code and send the information to the database.

Now that you know how to build this bad USB keyboard let's take a look into how to use it to exfiltrate data. How does it work behind the scenes? So far we know that the keyboard is tampered with an Arduino hack which acts as a buffer for the user's input data. This Arduino hack is connected to an ESP8266 which provides it with network functions. Basically it connects to any open Wi-Fi connection to relay the data. So whenever the buffer is full or certain time has passed the buffer closes itself and uploads the data by issuing an HTTP POST request to our server, to the command and control server. Then on the server a PHP script is listening and parsing the data and sending it to our MySQL database.

So you might ask yourself what are all these 28 rows? These are sessions and how does this keyboard manage the sessions? Well, whenever the buffer reaches a certain amount of data or a certain time of inactivity passes the buffer will close itself and we create what we call a session and upload it with a number. Whenever it is uploaded the buffer will be cleared and then a new session is created. So for example here let's take a deep look. Here we have session 11 where the user attempts to open gmail.com. Then certain time passes and the user jumps into another task that you may see on session 12.
He starts writing anything else, a document or whatever, an email. Then on session 13 the user came back to gmail, he jumped back to gmail site and entered his or her credentials, his or her email and password.

So how much will it cost to build this kind of device? Not so much actually. We have taken into account the most expensive prices available and even thought that it is not expensive at all. You can have a classic keyboard for $9 or $12, an Arduino Nano for $7 to $13 and the ESP8266, which is a very popular product, for $10 or $12. And let's suppose you want to have a cloud instance for your command and control server. It will cost something around $5 a month. So for $30 or $35 you can have your hardware hacking cluster.

Now it's time for a demo to see how the keyboard might work on our controlled environment and to jump into conclusions and questions and answers.

You have to always be wary of any new device, whether USB or not. Anyone, and I say anyone, could be a victim. Let's be honest here, would you have been able to detect this tampered keyboard in your environment, for example if it was lying around the desks of your office? What makes this situation worse overall is that with a few dollars anyone could build or even buy a product of this type. Watch out for counterfeit hardware. Or just some days ago fake Cisco switches were found deployed in production environments, and nothing less than core switches. And think about it, if we were able to produce these apparatus with so few resources it is safe to assume that an entity with greater resources could produce them on a large scale.

So if you want to get in touch with us at GitHub feel free to add us at Mauro Eldridge and DC5411, or on Twitter you have our handles here. We are always happy to talk about hardware hacking and hacking in general so don't be shy to join. And we are here to answer any of your questions, so we hope you like this talk and we are looking forward to seeing you again next year. Thank you.