The research/Keykeriki section in the navigation now has two entries: one for the 27 MHz keyboard sniffer project Keykeriki v1.0, and a second for Keykeriki v2.0, which works against modern solutions based on NRF240xx chips.
Thorsten presented our Keykeriki v2 work to a broader audience for the first time at the CanSecWest 2010 conference in Vancouver.
The presentation, titled Practical Exploitation of Modern Wireless Devices, introduces Keykeriki v2 as a hardware and software toolkit for sniffing and injecting traffic against a broad range of wireless devices that use the NRF24 series transceivers from Nordic Semiconductor.
The slide set is available for download here.
As promised during the talk, we are releasing a first debug and development version of the hardware layout here. The corresponding firmware source code and binary are available here; this version allows attacking current Microsoft keyboard models that use these chips. The code is a first release and is deliberately limited to this scenario (keyboard sniffing and remote command execution). Hopefully we can extend the layout so that it evolves into an inexpensive, software-based software-defined radio for the 2.4 GHz band.
And no, this is NOT limited to keyboards; only the released code is. We will update the rest of the Keykeriki section when Thorsten is back home. A detailed HOWTO will follow once Thorsten is back in Europe.
During some small research we again found a nice little weakness in the beloved BlackBerries. A lot has already been published about the possibility of unsigned or signed trojaned applications; here is a way to distribute them (for your research education only!). You can actually force a BlackBerry to use a rogue access point for Internet browsing without any special user interaction. The BlackBerry will be unable to reach its Enterprise Server and therefore decides to fail open. :-)
Video: Blackberry Jacking, by Max Moser, on Vimeo.
We have no idea yet what would be possible with over-the-air installation or website-embedded BlackBerry apps. Please drop us a line if you work on this topic. We might continue our journey as well, maybe joining forces?
P.S. If the "allow hotspot browsing" policy is set to disallow, the BB is cut off when the GPRS/EDGE/HSDPA connection goes down. Maybe it would be better if the default policy were set to disallow, but it is configurable. Let's face it, you won't be able to use hotspots at all (even when your Enterprise Server is available) if you switch that one on. RIM was very helpful and pointed out the "disallow hotspot browsing" policy setting.

It was great fun again to see how Keykeriki devices are built by many people with different soldering skill levels. SMD soldering is not very difficult if you have the right tools and some patience to learn. Most of the devices already run. To protect the individuals, I added some filters to the faces, but the iPhone camera is so bad that I doubt it would make much of a difference.