Crazy Radio 2 and MouseJack are a key combination for testing keyboard and mouse vulnerabilities in products from the most common manufacturers. Bastille found several kinds of vulnerabilities in these wireless devices.

Type of Attacks

  • Keystroke Injection
  • Force Pairing
  • Fake Mouse
  • Denial-of-Service

Manufacturers Affected

  • Amazon Basics Keyboards
  • Microsoft Keyboards
  • Dell
  • Lenovo
  • Contact Me for More

Hardware

  • Crazy Radio
  • nRF24LU1+ Chips

Attacking Keyboards and Mice

Flashing USB Dongle to support promiscuous mode

First we will replace the firmware on the Crazy Radio 2 device, which allows us to sniff and inject keystrokes into keyboard devices. The firmware is courtesy of Bastille Research and puts the USB dongle into promiscuous mode.
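In promiscuous mode the dongle receives raw bit streams and keeps only the candidate frames whose CRC verifies, which is how real keyboard and mouse traffic is told apart from noise. As an added example (not code from this page or from Bastille's firmware), here is a pure-Python Enhanced ShockBurst frame codec with that bit-level CRC-16/CCITT check; the address and payload values are constructed, not captured.

```python
# Added example: Enhanced ShockBurst (ESB) frame codec with the bit-level
# CRC-16/CCITT used by nRF24 radios. Sample values below are constructed.

def to_bits(data: bytes) -> list:
    """Unpack bytes into a list of bits, MSB first (the on-air bit order)."""
    return [(byte >> (7 - i)) & 1 for byte in data for i in range(8)]

def from_bits(bits: list) -> bytes:
    """Pack a bit list MSB first, zero-padding the final byte."""
    bits = list(bits) + [0] * (-len(bits) % 8)
    return bytes(int("".join(map(str, bits[i:i + 8])), 2) for i in range(0, len(bits), 8))

def crc16_bits(bits: list) -> int:
    """CRC-16/CCITT (poly 0x1021, init 0xFFFF) fed one bit at a time, because the
    9-bit packet control field leaves the payload unaligned to byte boundaries."""
    crc = 0xFFFF
    for bit in bits:
        crc ^= bit << 15
        crc = ((crc << 1) ^ 0x1021) & 0xFFFF if crc & 0x8000 else (crc << 1) & 0xFFFF
    return crc

def build_esb_frame(address: bytes, payload: bytes, pid: int = 0, no_ack: bool = False) -> bytes:
    """On-air ESB frame after the preamble: address | PCF (9 bits) | payload | CRC16."""
    assert 3 <= len(address) <= 5 and len(payload) <= 32 and 0 <= pid <= 3
    # PCF: 6-bit payload length, 2-bit packet id, 1-bit NO_ACK
    pcf = [(len(payload) >> (5 - i)) & 1 for i in range(6)] + [pid >> 1, pid & 1, int(no_ack)]
    body = to_bits(address) + pcf + to_bits(payload)
    crc = crc16_bits(body)
    return from_bits(body + [(crc >> (15 - i)) & 1 for i in range(16)])

def parse_esb_frame(raw: bytes, addr_len: int = 5):
    """Return (address, pid, no_ack, payload) if the CRC verifies, else None."""
    bits = to_bits(raw)                          # raw = captured bits after the preamble
    head = addr_len * 8 + 9                      # address + PCF
    if len(bits) < head + 16:
        return None
    pcf = bits[addr_len * 8:head]
    length = int("".join(map(str, pcf[:6])), 2)
    end = head + length * 8
    if length > 32 or len(bits) < end + 16:
        return None                              # impossible length or truncated capture
    if crc16_bits(bits[:end]) != int("".join(map(str, bits[end:end + 16])), 2):
        return None                              # CRC mismatch: noise or a wrong address guess
    return from_bits(bits[:addr_len * 8]), pcf[6] * 2 + pcf[7], bool(pcf[8]), from_bits(bits[head:end])

# Constructed sample (not a real capture): a 5-byte pipe address carrying 3 payload bytes.
SAMPLE_ADDRESS = bytes.fromhex("a1b2c3d4e5")
SAMPLE_PAYLOAD = bytes.fromhex("000203")
SAMPLE_FRAME = build_esb_frame(SAMPLE_ADDRESS, SAMPLE_PAYLOAD, pid=1)
```

A single flipped bit anywhere in the address, control field or payload makes `parse_esb_frame` return `None`, which is the filter the scanner relies on when it guesses addresses.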

Install Dependencies

sudo apt-get install sdcc binutils python python-pip git

Install Pip

sudo pip install -U pip

Install PyUSB

Here we need to pay attention to the pyusb version used, since some versions are incompatible with most of the attacking tools.

sudo pip install -U -I pyusb

Install Platformio

sudo pip install -U platformio

How to Install MouseJack

MouseJack ships a set of research tools written in Python by Bastille to exercise the USB dongle: with them it is possible to flash the firmware, sniff raw data, or even send raw tones. First we will flash our USB dongle and test whether it is ready to sniff data.


MouseJack is available at GitHub

Clone The Repo

kali@rpi3:~$ git clone https://github.com/Offensive-Wireless/mousejack.git
kali@rpi3:~$ cd mousejack
kali@rpi3:~$ git submodule init
kali@rpi3:~$ git submodule update

Flash Crazy Radio

Now let's compile the firmware and update the Crazy Radio with the new one.

Dongles and breakout boards can be programmed over USB if they are running one of the following firmwares:

  • Nordic Semiconductor Bootloader
  • CrazyRadio Firmware
  • RFStorm Research Firmware

kali@rpi3:~$ cd nrf-research-firmware
kali@rpi3:~$ make

Flash the firmware over USB

kali@rpi3:~$ sudo make install

NRF24 Scanner

usage: ./nrf24-scanner.py [-h] [-c N [N ...]] [-v] [-l] [-p PREFIX] [-d DWELL]

optional arguments:
  -h, --help                          show this help message and exit
  -c N [N ...], --channels N [N ...]  RF channels
  -v, --verbose                       Enable verbose output
  -l, --lna                           Enable the LNA (for CrazyRadio PA dongles)
  -p PREFIX, --prefix PREFIX          Promiscuous mode address prefix
  -d DWELL, --dwell DWELL             Dwell time per channel, in milliseconds

NRF24 Sniffer

usage: ./nrf24-sniffer.py [-h] [-c N [N ...]] [-v] [-l] -a ADDRESS [-t TIMEOUT] [-k ACK_TIMEOUT] [-r RETRIES]

optional arguments:
  -h, --help                                 show this help message and exit
  -c N [N ...], --channels N [N ...]         RF channels
  -v, --verbose                              Enable verbose output
  -l, --lna                                  Enable the LNA (for CrazyRadio PA dongles)
  -a ADDRESS, --address ADDRESS              Address to sniff, following as it changes channels
  -t TIMEOUT, --timeout TIMEOUT              Channel timeout, in milliseconds
  -k ACK_TIMEOUT, --ack_timeout ACK_TIMEOUT  ACK timeout in microseconds, accepts [250,4000], step 250
  -r RETRIES, --retries RETRIES              Auto retry limit, accepts [0,15]

NRF24 Network Mapper

usage: ./nrf24-network-mapper.py [-h] [-c N [N ...]] [-v] [-l] -a ADDRESS [-p PASSES] [-k ACK_TIMEOUT] [-r RETRIES]

optional arguments:
  -h, --help                                 show this help message and exit
  -c N [N ...], --channels N [N ...]         RF channels
  -v, --verbose                              Enable verbose output
  -l, --lna                                  Enable the LNA (for CrazyRadio PA dongles)
  -a ADDRESS, --address ADDRESS              Known address
  -p PASSES, --passes PASSES                 Number of passes (default 2)
  -k ACK_TIMEOUT, --ack_timeout ACK_TIMEOUT  ACK timeout in microseconds, accepts [250,4000], step 250
  -r RETRIES, --retries RETRIES              Auto retry limit, accepts [0,15]

NRF24 Continuous Tone Test

usage: ./nrf24-continuous-tone-test.py [-h] [-c N [N ...]] [-v] [-l]

optional arguments:
  -h, --help                          show this help message and exit
  -c N [N ...], --channels N [N ...]  RF channels
  -v, --verbose                       Enable verbose output
  -l, --lna                           Enable the LNA (for CrazyRadio PA dongles)

How to Install JackIt

kali@rpi3:~$ git clone https://github.com/Offensive-Wireless/jackit.git
kali@rpi3:~$ cd jackit
kali@rpi3:~$ sudo pip install -e .

Sniff Wireless Keyboards using JackIt

kali@rpi3:~$ sudo jackit

CVEs List

MouseJack Announced by Bastille in 2016
