Today we're talking about the universal RF USB keyboard emulation device. You know, some things, they lend themselves to good acronyms. But I kind of have trouble with this one. So the best I could come up with was URFUKED. So today we're going to talk about URFUKED. Some work better than others. But we have to do the obligatory about the author. So we'll fly through this and then get on with it. My name is this. And I'm all of these. And I'm also one of these, except I'm not this kind. So I'm more like this kind. Except sometimes I have to put on one of these so that I can think like one of these. So that I can keep a server room which is supposed to look like this from looking like this. And I'm kind of into this, except it looks like this. And I have to wear one of these. And you won't find it here, but you will find it here. And it looks a little like this, and I've won some of these. Alright, so that's it. Let's go back for a quick review. We see that I'm kind of into this. And I'm sort of into this. And I've been told I look a little like this. Or maybe more like this. But in any case, I've never been involved with this particular one of these. Alright, so that's me. Let's start.

The universal RF USB keyboard emulation device, or URFUKED, consists of two parts. At the top we have a transmitter. And at the bottom, essentially a USB receiver, a microcontroller. Here's a quick overview, and then we'll get to the demo and talk about it a little more. Basically a microcontroller is plugged into a computer secretly. This is a physical attack, but it has certain advantages. You look kind of suspicious, you know, when you own a box: you get the box out, you open it up, you take the hard drive out, you start doing that. And that's kind of hard to do in somebody's office while they're watching you or while you're walking by. This physical attack means plugging in this receiver and leaving. Then attacks are triggered remotely by RF from the transmitter.
And we'll see how that's done. Let's do a live demo. Time to pray to the demo gods. Alright, who brought a machine? No malicious attacks here. Who will volunteer and bring it on up? Come on up. Come on up. Anybody else in the USB power devices? I'll tell you what. Wait right here. We got ladies first. But hey, you get this cool-looking t-shirt. Alright? Everybody gets a t-shirt. Alright, come on up. Come on, let them up here. What size t-shirt do you have? Large. It's medium, medium, medium, medium, medium. Does it work on Linux? It says universal, doesn't it? Large? Alright, who's next? What size? Large. Large. Whatever you prefer. Let's see if we got some more larges. Oh, another large. I know you. Well, I know your talks. Large. Oh man. Let me see. One more large. I don't know if you saw what they say. They say "I make the internet work" in big letters, and the little letters are "you're welcome." They're cute. I get lots of comments on them.

Alright, we got a little Windows box up here. Alright, you guys will see bigger pictures later on, because you can't see this here, but I've got pictures in the presentation. And it actually works pretty well for laptops, because most people use a docking station, right? They stand up, they walk away, they don't check the back of their docking station. They just plug their machine into it in the mornings. At least that's the way it's worked for me. And again, we'll go into more detail in a second, but I'm going to select an attack. This looks like Windows. That's zero one. Attack zero one. So we set the attack and then we hit transmit. Whoa, and away it goes. So much for live demos. We'll try one more time. Oh, we can't see. Oh, let's try moving. Alright. Which way? Let's see the whole thing. Let me look at this. We're not seeing any of this. This should be a mirror. Alright, hang on. Let me reacquire. Alright, let's try that. Can we reacquire this one? Oh, much better. Thank you. What are you supposed to sacrifice to the demo gods?
I'm not sure what it is. Where do you find those? Okay, in any case, set the attack and hit the transmit button. And away it goes. Wow. An amazing demo. Thank you very much. Alright, well guys, if you guys want to come talk to me over in the speaker room, this is actually a setup. She's my co-worker. And we have this bet about whether or not I can get anybody else to volunteer to come up and volunteer their machines. Oh yeah, you got your shirt. And I got a few more of these t-shirts for anybody else who wants them. I'm good.

Alright, so let's get back to the rest of it. That was the demo, which I think went remarkably well. You always have to have a backup plan in case that fails. That also gives us a chance to take a look at what happens. So what really happened was that this device pretends to be a keyboard. And so it uses keyboard shortcuts and executes commands with the permission of the user. In this case, it uses the Windows key and an R to pop up this run dialog box. It executes notepad.exe. This is a non-malicious example, but you know it could just as easily be any arbitrary command. When that window comes up, it gets focus and it's able to type in that window as well. So you see that you can run an arbitrary command and then send it information. Now you're doing this blind. This is pre-scripted. It's run by this microcontroller that's plugged into the machine, which also gives us some other abilities to do some cool stuff. It's universal, so it has to run on Apple, too. And here's what it looks like. Pretty much the same thing. The key sequences are the same. They're pretty much the same on Apple. Now Apple, I thought with Apple everything was supposed to just work, but in this case, probably because of the dinner fire I have up, it says, hey, I don't recognize this keyboard, and could you press the key to the right of the shift or something to help me identify it, and then it's okay. So of course you can script all that in as well.
But the easiest thing to do is let the user do it. I did this, you know, on a couple of guinea pigs around my office. They should know better, but I'm like, hey, I've got this real cool thing I want to show you, you know, and they say yes. I usually get permission. And so, you know, in the morning before he gets there, I plug it into his machine. Later on during the day, I come in and I do the demo for him. I get the little transmitter, I hit it, it opens up this box on his machine, he's like, amazed, how did you do that? You know, you control my machine with RF. So we went through the little talk and how it works, you know, it's done with keyboard emulation and I plugged in this microcontroller. He's like, oh yeah, he's a smart guy. He's like, yeah, when I got here this morning, there was this pop-up thing and I just clicked through and, you know, I forgot about it. That's always the best thing, just let the users do it.

Oh yeah, and it can't really be universal without Linux, of course. Now, in Linux, it just works. You don't get any pop-ups, you don't get any messages, you plug it in and it goes, you're done, you're good. And in this case, pull up a shell and type into the shell, which again, you recognize, you could execute any kind of arbitrary command that you want to execute.

All right, so let's talk a little about, you know, what might you want to do, what can you do with this kind of resource? Some of the things may be political-style attacks. I know kiddie porn tends to be a big issue. You can imagine bringing this up on somebody's machine, and you can also combine it with a denial-of-service attack. You can denial-of-service the mouse on the machine. You pull it all the way down to the bottom right and it's moving so fast that you effectively have no control, right? You're trying to bring it back, but you can't. This thing types a lot faster than you do. I think you can overwhelm the keyboard buffer with keyboard strokes too. I haven't done that yet.
I'm missing kind of the top of the... I'm missing the title of those slides. Anyway, if they're logged into Facebook, you can post Facebook comments. Apparently this was a real one, maybe. They forgot their boss was on there and said some pretty ugly stuff and got fired. So usually when you're doing a Trojan horse kind of attack, you have to get the user to do the work, right? They have to download the stuff and they have to install it, and it's a lot of hard labor, but here you can script it, right? You're running with their permissions on their machine after they log in. Some other things you could do is write an email or FTP. Of course you can remove any file that they have access to if you want to. The same thing about being logged into other accounts like eBay or PayPal. Maybe it's just enough to insert... I was wondering, how do you get somebody to install a root certificate authority if you're not DEF CON? Maybe that's enough, right? You automatically install it, and from then on you can man-in-the-middle them.

Since it's also a microcontroller, this screen is... Can we try reacquiring it? We're missing the top and the bottom. Nope, maybe. Oh, much better. Since it's a microcontroller, you can also time-delay it, right? The scenario goes, you're plugging in the receiver when somebody's not there. They stepped out for lunch, or before they get in in the morning, or after they leave. This is the kind of physical attack that you might do while you're talking to somebody, even. You're standing up behind their desk, you're sitting behind their desk, the computer's on the floor, you drop something, you slide in a USB key. Still a physical attack, but it's much less intrusive than trying to open the case. But anyway, since all the attack is run from the receiver, that's the microcontroller, you can also put a delay on the trigger. You might trigger the attack as you walk by.
You see that they're sitting at their machine and they're logged in, and it might not run for 30 seconds or five minutes or some other time delay. That way, you're not around, you're not in the area when it actually executes. Right, let the user do the work for you. Let the user do the work for you. We might see some of that.

Alright, so what does it look like? Here's what the receiver looks like. It's a Teensy microcontroller, 18 bucks, small, fun, easy to play with. You can't quite see the land behind it, the RF receiver land back there that's soldered on. The quarter's just to show the size, so that you can see that it's pretty small. You could probably fake a USB key, maybe slightly larger than a USB key, maybe not. It depends on how big the USB key is. This is what the transmitter looked like that I built. And by the way, we're going through the notes here; by the time we get done, this should be easy for you guys to do. We've got code and everything that you need here. But this is the one that I built. Power switch, some input buttons and some lights to show me which attack I'm going to do. In particular, I'm using the first two bits to represent basically the type of attack, well, the operating system. I select zero one on those first two lights for Windows. One zero, which is two, for Mac. Three for Linux. Four for keyboard and mouse type attacks. And then I use the other two bits to select the actual attack. You might plug it up and decide what attack you're doing later on, or maybe you see what OS they're either running or they're in at the moment. And then the transmit key. After you enter it, you have transmit. So you can set it up for this transmitter, which is kind of big. You can set it up off of the transmit, stick it in your pocket, keep your finger on it, and when you walk by, hit transmit.

Inspiration. I've seen some other people doing some work with this. I saw Adrian Crenshaw, the Irongeek, do this one. He was programming it with a DIP switch.
And when I saw it, I thought timing. I want to be able to time this. I got to wait. There's no magic about user credentials. I'm waiting for the user to log in and then I'm going to use his credentials. So blind timing's a little hard. And so I thought a radio frequency trigger would be the way to go. I think Adrian's going on and doing some more experimentation with it, and he's doing a talk in a little while, so you guys look for that. And whenever I find you I'll meet you. I owe you.

All right. Three components primarily. This transmitter's expensive, right? $3.95. Sources in the back. It's pretty small. You can see from the quarter there. Easy to use. Receiver. A little bit bigger. A little more expensive. $4.95. And finally, they're both run by this Teensy microcontroller. 18 bucks. USB connector. Reset switch. All the power, ground and data lines around the outside. I really like this Teensy microcontroller. And the guy who built it said, make sure you let the guys know that you can do it for other things than breaking stuff. And I said they're not interested. So in any case, it's really cool and we'll talk a little more about it in a minute too.

The receiver looks like this. Seven wires. You can solder seven wires. Your receiver's done. That's all. Well, okay. Eight if you add the antenna. The antenna's optional, but it adds to the range. They claim about 150 meters. That depends on the transmitter voltages. I really haven't played a lot with it yet. Not very hard. That's what the actual schematic looks like. It's going to show you which pins to hook where. The receiver has several of its pins duplicated. It has multiple power and ground pins. And I'm not really an RF engineer, but I've heard that it doesn't work as well if you don't power them all and ground them all. So I connected them all up and it seems to be working pretty well. The transmitter data sheet is pretty easy. Power, ground, data, antenna. That's all you need and you're done for the transmitter.
Other than if you want to build a custom user interface. Right. In this case, I built four buttons, or three buttons, four lights and a switch. I should put some other pictures, but a lot of that really is junk I found around the house. I pulled those little buttons out of an old DVD player that was bad. That's what's hiding behind the buttons that are on there. The little switch: we have dollar stores where I come from. You buy everything in there for a dollar, and there was a little nightlight. I had those switches and batteries that I used in another project, so that was great. And there's the pin assignment for the Teensy. I have a bunch of these cards. If you guys want one of the cards about the Teensy, see me in the question room afterwards. And I'll hand them out, thanks to Paul, the guy who built it. Again, I love their Arduino, and they're great devices to work on. And if you haven't done stuff like this, and I know some of you have and some of you haven't, I think this is a great little device to start with. I've played with lots of microcontrollers, a little off and on over the years, and I like this one a lot.

There's a schematic for the interface. Four lights, three switches. You guys have done this before, any pull-up resistors? Well, those are built in. You can turn them on on those data lines, so you don't need those. Pretty easy to do. I built it in this eyeglass case just because it was handy and cheap and had plenty of room and seemed pretty solid. Cut it out, screwed it in. Had room for relatively big batteries. Those are AAAs in the same case. This is where the magic happens. This is the receiver. And it's tiny. It's teensy, I guess. The Teensy's on top. The receiver's on the bottom. A little bit of epoxy to hold it together. You can case it up if you want to. Build something around it. The actual adapter there is available from DealExtreme. You can buy lots of junk from them. That's a great place to buy cheap electronics from China.
It turns out the receiver is always receiving bits. It's picking up noise and it's deciding 1-0, 1-0. You get a continuous stream out of it. That's kind of difficult because we're looking for particular information. I built a simple transmission frame to deal with that. It begins with a three-or-more-byte carrier of AA in hex. Then it's followed by a command sequence number. We'll talk about that in a second. And then the command byte. That's the attack that the receiver is going to run. We identify it with a byte. Right now I'm just using four bits, but you could easily run up to a byte with the code that I've got. And finally, a checksum. Again, this radio frequency can be pretty noisy. We want to make sure that it was received correctly. We don't want to run the wrong attack. Maybe it was supposed to be a demo and it ends up erasing all their files.

All right, the transmitter also, for each attack, transmits that frame 10 times. Again, it's for redundancy and noise. And at this point people always ask, well, isn't that running the same attack over and over again? And the answer is no. That's what the command sequence number is for. So the receiver, if it receives a valid command frame and the command sequence number is the same as the previous number it received, it doesn't execute it. It has to be a different number. That way you can send the same command transmission frame over and over again, multiple times, and the receiver will only execute it once. The transmitter will... and somebody else asked me, what if you want to hack it more than 127 times? I don't know. The transmitter will actually roll over and start back at zero. And the receiver really doesn't care. It just wants to know that the number isn't the same as the last one. It can be any new number as long as it's not the same as the last one. That way you don't have to worry about, maybe you tried to transmit an attack and it didn't receive it.

Quick look at the software. Again, the Teensy is great to work with.
Over the years I've worked with different microcontrollers, and I mean, maybe I should take one step back. I know some of you have done this, some of you haven't. The microcontroller is a device with a processor, some memory and maybe some more permanent storage to store programs in. Typically they're a pain in the butt to work with, maybe historically. You get this little computer and then you're trying to wire up a bunch of memory, and then you've got to learn a new assembly language to program the thing in. And that's just nuts. More recently, the Arduino, and this is the same environment that the Arduino is programmed in. But it looks like this. It's written a lot like C, and you see the development environment there on the right. Very simple, but it works. And then the loader on the left. You press a little button up here. I can't see anything with this little pointy mouse. But anyway, you press one of the buttons up there. It compiles the code. It uploads it to the Teensy in one step and you're done. Whatever you want to run on there is just done. Again, we're not going to get in depth into the code. It's available online. You can pull it all down and write yourself. That development environment runs in Windows and it runs on Linux. So you can run it wherever you prefer.

Let's see. Again, just to give you some idea what the code looks like. You've got integers, it does floating-point math. I can't believe it. I don't have to write a multiply instruction. That's just awesome. For the RF carrier here, this is on the receiver side. So it's looking for three or more bytes of AA hex. That's identifying the upcoming frame. When it finds it, it recognizes that the frame is coming. Here's the actual code that executes the attacks. And a couple for the example. The first one here is this mouse DoS kind of attack. Basically it just moves the mouse to the bottom right of the screen.
It keeps moving the mouse down and right, down and right, down and right continuously. And it does it faster than you can move it. I like the next one. The next one's kind of cute. Let's assume that you have a screen lock that comes up at nine minutes, and somebody who likes to walk away from their box. So you set the timer in this case for nine minutes, and every nine minutes you move the mouse one pixel and then move it back one pixel. Cool, right? So I think it's sweet. You can't even see it, even if you're looking at it. And once every nine minutes? You've got to be kidding me. So if they get up and walk away from their box, that's fine. You can keep it unlocked as long as you want. On the other hand, if somebody's looking at their box, by the time they see it, it's too late. It's like, hey, there's a window. What's that? Oh, what was that? It must be a Windows thing. You know, it's calm. And as long as it doesn't come back, you know, they don't care. Sometimes their screen's slow because now it's all getting streamed across the network.

And again, just for an example, the Linux attack, here's the code for it. It presses the alt key, the F2 key. It opens a gnome terminal and it types gedit in it. And then it types, you know, this machine was pwned by Monte. So the code is simple. It's straightforward. Easy to do. And it's online. If you want it, there it is. This presentation, by the way, the one on the disk is a little out of date. I mean, it's still valid, but I've got a lot more stuff in this one. So the full talk is there too in the code.

All right. A quick look at some other implementations. You know, I'm a little paranoid and I haven't tried to travel on an airplane with anything like this. I've heard stories. I saw a Teensy device that was built into an Altoids tin online. Well, I'm trying to figure out if I can carry this on the airplane.
And apparently somebody went through the screening with this little Teensy in this Altoids box, and holy crap, you know, what's going on? And they called the bomb squad. I don't need that. And the bomb squad decided that they couldn't definitively say that it wasn't a bomb. So what do they do? They take it out to the parking lot and they blow it up. And you see this picture of little bits of Altoids tin all over the place. And I've got a feeling that I don't think a cavity search will be near as much fun as the TSA makes it out to be. So anyway, I built another one, and I shipped one through the mail and brought the other one with me. I really didn't have trouble with the one I brought, but this one might be a little more or less conspicuous. I'm not sure which, but it's just a hollowed-out cell phone with the interface in the front. Cut out the circuit board with a Dremel tool and laid the Teensy and the transmitter in the back. I actually used the buttons that were already there on the cell phone, so I soldered up to the buttons: select the attack with the top two buttons and transmit it with the bottom one. The real James Bond thing is that for some reason they've got a switch, see the button labeled power, and that's triggered by the antenna. So I push the antenna in, it turns on; you pull it out, it goes off. I just thought it was cool. And it looks like this on the front, but you know, you could be walking around with a cell phone in your hand, and who's not, and nobody's going to pay any attention to what's going on. This little red wire, I've got a little clip on there, it's the safety. It keeps it from being turned on.

And there's another receiver, just encased in InstaMorph plastic, and if you haven't played with that, it's great stuff, it's kind of expensive. You heat it up, I think to about 140, basically you put it in hot water, and you can pull it out and mold it, and when you get done it's very rigid, very, very useful.
But you know, I'm looking around the house and I found this, and you got to love Happy Meal toys because they have screws, right? You unscrew it and they just fit. The transmitter went in sideways and the Arduino went this way, and it was a little spring-loaded toy, right, it would roll across the floor, and so the USB plug fit right out the back. And like I said up here, you write something like 8G on that and somebody will pick it up and plug it in for you, right? That's all you need.

All right, well that's pretty much it. Sources are here where you can find the stuff, and you can find it cheap, and the schematics are in there. If you want to find me, here I am. The latest stuff is on that site. If you want to ask me questions, about training or whatever, give me a yell. Some shout-outs to Adrian Crenshaw, who did an earlier version; Paul, who built the Teensy; the Arduino folks, who are doing lots of cool stuff with the Arduino. And that's it for me. I've got a couple of t-shirts. When we go over to the room, what room are we going to? Anyway, I think they're marked. So thank you guys very much. I hope you all enjoyed your time at DEF CON.
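The trigger framing the speaker describes (a carrier of three or more 0xAA bytes, a command sequence number, a command byte and a checksum; each frame sent ten times; the receiver running a frame only when its checksum is valid and its sequence number differs from the last one accepted; the sequence counter rolling over after 127), worked through as an added example. This is not the speaker's code from the talk or from his site; it simulates only the radio framing and dedup logic in plain C and dispatches nothing. The additive checksum, the exact frame layout, the function names and the over-the-air byte sequence are assumptions constructed for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define PREAMBLE_BYTE 0xAA   /* carrier byte from the talk */
#define PREAMBLE_MIN  3      /* three or more of them open a frame */
#define REPEAT_COUNT  10     /* transmitter repeats each frame ten times */
#define SEQ_MODULUS   128    /* rolls over after 127, so a seq byte never looks like 0xAA carrier */
#define FRAME_LEN     (PREAMBLE_MIN + 3)

/* Checksum over the two payload bytes. The talk only says "a checksum";
 * this additive form is an assumption of this example. */
static uint8_t frame_checksum(uint8_t seq, uint8_t cmd) { return (uint8_t)(seq + cmd); }

/* ---------- transmitter side ---------- */
typedef struct { uint8_t next_seq; } tx_state_t;

/* Lay down one frame: preamble, sequence number, command, checksum. Returns bytes written. */
static size_t tx_build_frame(uint8_t seq, uint8_t cmd, uint8_t *out) {
    size_t n = 0;
    for (int i = 0; i < PREAMBLE_MIN; i++) out[n++] = PREAMBLE_BYTE;
    out[n++] = seq;
    out[n++] = cmd;
    out[n++] = frame_checksum(seq, cmd);
    return n;
}

/* Send one command: the identical frame REPEAT_COUNT times for redundancy,
 * then advance the sequence number so the next command is distinguishable. */
static size_t tx_send_command(tx_state_t *tx, uint8_t cmd, uint8_t *out, size_t cap) {
    size_t n = 0;
    for (int r = 0; r < REPEAT_COUNT && n + FRAME_LEN <= cap; r++)
        n += tx_build_frame(tx->next_seq, cmd, out + n);
    tx->next_seq = (uint8_t)((tx->next_seq + 1) % SEQ_MODULUS);
    return n;
}

/* ---------- receiver side ---------- */
typedef enum { RX_HUNT, RX_CMD, RX_SUM } rx_phase_t;

typedef struct {
    rx_phase_t phase;
    int preamble_run;   /* consecutive 0xAA bytes seen while hunting */
    uint8_t seq, cmd;
    int last_seq;       /* -1 until the first accepted frame */
    int executed;       /* frames actually dispatched (once per sequence number) */
    int rejected;       /* frames dropped for a bad checksum */
    uint8_t last_cmd;   /* command most recently dispatched */
} rx_state_t;

static void rx_init(rx_state_t *rx) { memset(rx, 0, sizeof *rx); rx->phase = RX_HUNT; rx->last_seq = -1; }

/* Feed one byte from the always-on, noisy radio. Returns 1 when a command is dispatched. */
static int rx_feed(rx_state_t *rx, uint8_t b) {
    switch (rx->phase) {
    case RX_HUNT:
        if (b == PREAMBLE_BYTE) { rx->preamble_run++; return 0; }
        /* First non-0xAA byte after a long enough run is the sequence number;
         * a shorter run was just noise that happened to look like carrier. */
        if (rx->preamble_run >= PREAMBLE_MIN) { rx->seq = b; rx->phase = RX_CMD; }
        rx->preamble_run = 0;
        return 0;
    case RX_CMD:
        rx->cmd = b; rx->phase = RX_SUM; return 0;
    case RX_SUM:
        rx->phase = RX_HUNT;
        if (b != frame_checksum(rx->seq, rx->cmd)) { rx->rejected++; return 0; }
        if ((int)rx->seq == rx->last_seq) return 0;   /* one of the repeats: already ran */
        rx->last_seq = rx->seq; rx->last_cmd = rx->cmd; rx->executed++;
        return 1;
    }
    return 0;
}

/* Constructed over-the-air scenario: background noise, command 0x01 repeated
 * ten times, a frame corrupted in flight, then command 0x02 repeated ten times. */
static void run_scenario(rx_state_t *rx) {
    static const uint8_t noise[] = { 0x13, 0xAA, 0x7F, 0xAA, 0xAA, 0x55, 0x00 };  /* constructed */
    uint8_t air[256]; size_t n = 0;
    tx_state_t tx = { 0 };
    memcpy(air, noise, sizeof noise); n += sizeof noise;
    n += tx_send_command(&tx, 0x01, air + n, sizeof air - n);  /* seq 0 */
    n += tx_build_frame(0x05, 0x03, air + n);                   /* stray frame ... */
    air[n - 1] ^= 0x10;                                         /* ... whose checksum got a bit flipped */
    n += tx_send_command(&tx, 0x02, air + n, sizeof air - n);  /* seq 1 */
    rx_init(rx);
    for (size_t i = 0; i < n; i++) rx_feed(rx, air[i]);
}

static int scenario_executed(void) { rx_state_t rx; run_scenario(&rx); return rx.executed; }  /* 2 */
static int scenario_rejected(void) { rx_state_t rx; run_scenario(&rx); return rx.rejected; }  /* 1 */
static int scenario_last_cmd(void) { rx_state_t rx; run_scenario(&rx); return rx.last_cmd; }  /* 2 */

/* Sequence counter wraps after 127, as the talk describes. */
static int seq_after_127(void) {
    uint8_t buf[FRAME_LEN * REPEAT_COUNT];
    tx_state_t tx = { .next_seq = 127 };
    tx_send_command(&tx, 0x01, buf, sizeof buf);
    return tx.next_seq;  /* 0 */
}

int main(void) {
    printf("executed=%d rejected=%d last_cmd=%d seq_after_127=%d\n",
           scenario_executed(), scenario_rejected(), scenario_last_cmd(), seq_after_127());
    return 0;
}
```

Twenty frames go over the air in the scenario but only two commands are dispatched: the nine repeats of each are dropped because their sequence number matches the last accepted one, and the corrupted frame is dropped by the checksum before it can dispatch the wrong command. Keeping the sequence number below 128 also means the hunting state can never mistake it for more carrier, which is the one ambiguity a fixed 0xAA preamble would otherwise have.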