THE JOURNAL OF KOREAN INSTITUTE OF ELECTROMAGNETIC ENGINEERING AND SCIENCE. 2016 Dec.; 27(12), 1075-1083. http://dx.doi.org/10.5515/kjkiees.2016.27.12.1075 ISSN 1226-3133 (Print) ISSN 2288-226X (Online)

Implementation of 2.4 GHz Wireless Keyboard and Mouse Electromagnetic Signal Analysis and Manipulation Systems

Sang-Su Kim (김상수), Seung-Sub Oh (오승섭), In-Seok Na (나인석), Electronic Warfare R&D Lab., LIG Nex1

Manuscript received August 30, 2016; revised October 21, 2016; accepted December 9, 2016. (ID No. 20160830-094) Corresponding author: Sang-Su Kim (e-mail: sangsu.kim82@lignex1.com). Copyright The Korean Institute of Electromagnetic Engineering and Science. All rights reserved.

Abstract

Wireless input devices are used more and more because of their convenience and portability. The most widely used wireless keyboards and mice operate in the 2.4 GHz band, and because a third party can receive the electromagnetic wave that leaks from such radio equipment, personal information is easy to obtain from them and vulnerabilities continue to be reported. In this paper we implement a system that analyzes and manipulates the packets of a 2.4 GHz wireless keyboard and mouse, using a USRP device and the GNU Radio package, in order to verify the vulnerability of such devices. With the constructed system we obtained the device-specific address and the key information by analyzing the communication protocol and packet structure of the device, and we showed that arbitrary keystrokes can be sent from a long distance to operate the user's PC.

Key words: Wireless Keyboard, Wireless Mouse, nRF24L01, USRP, GNU Radio.

I. Introduction

Keyboards and mice, once attached to the PC over PS/2 or USB cables, are now commonly wireless and are used not only with PCs but also with devices such as IPTVs. Because their radio signal can be received by a third party, the input they carry is exposed. Early wireless keyboards used the 27 MHz band.
Their transmissions were analyzed in [1]. Current devices use the 2.4 GHz band, and vulnerabilities in them have been reported repeatedly [2]-[5]. KeyKeriki v2.0, presented at CanSecWest in 2010, targeted Microsoft 2.4 GHz keyboards built on the Amiccom A7125 transceiver and showed that their keystrokes could be recovered and manipulated [2]. KeySweeper (2015) is a sniffer built around the Nordic nRF24L01+ chip that logs the keystrokes of such keyboards and reports them to the attacker by SMS through an Adafruit FONA GSM chip [4]. MouseJack (2016) showed that although the keyboard traffic of many devices is AES-encrypted, the USB receiver dongle accepts unencrypted mouse packets, so keystrokes can be injected [5]. Together these results show that 2.4 GHz wireless keyboards and mice let a third party read the user's input and take control of the PC.

The analysis and manipulation system of this paper is built on the USRP N200 and GNU Radio. The USRP contains the ADC, DAC, DUC and DDC together with an RF front end; it converts the received RF signal to IF for the host and converts the host's IF signal back to RF for transmission [7],[9]. The USRP N200 is shown in Fig. 1. GNU Radio is the software that processes the RF signal on the host; its signal-processing blocks are written in Python and C++ [8].

Fig. 1. USRP N200 equipment.

II. Analysis of the wireless keyboard/mouse electromagnetic signal

The device analyzed is the Microsoft Wireless Comfort Desktop 5000. As shown in Fig. 2, the analysis proceeds in four steps: checking the frequency domain, GFSK demodulation, packet analysis, and checking the input information.

Fig. 2. Signal analysis steps for the wireless keyboard/mouse.
2-1 [Step 1] Checking the frequency domain

The first step identifies the frequencies the device uses. The FCC ID filing for the device [10] shows that it transmits between 2,403 and 2,480 MHz in 2 MHz channels with GFSK modulation, on 24 channels grouped into six subsets of four channels each, as listed in Table 1. The RF signal of the keyboard and mouse was captured with a USRP N200 (UBX-40 daughterboard) and an ANT2400Y12-WR antenna and displayed with the WX GUI FFT Sink of GNU Radio (Fig. 3); the device under test was transmitting at 2,480 MHz, channel 7 of Subset B.

Table 1. Channel frequencies of the wireless keyboard and mouse.

Subset   Channel   Frequency (MHz)
A        0         2,403
A        1         2,419
A        2         2,478
A        3         2,468
B        4         2,429
B        5         2,450
B        6         2,470
B        7         2,480
C        8         2,421
C        9         2,431
C        10        2,472
C        11        2,454
D        12        2,405
D        13        2,425
D        14        2,444
D        15        2,452
E        16        2,423
E        17        2,446
E        18        2,456
E        19        2,474
F        20        2,417
F        21        2,427
F        22        2,448
F        23        2,476

Fig. 3. RF signal of the wireless keyboard/mouse.

2-2 [Step 2] GFSK demodulation

The second step demodulates the GFSK signal found in step 1. The GFSK signal is demodulated with the GMSK Demod block of GNU Radio.

2-3 [Step 3] Packet analysis

The third step analyzes the packets in the demodulated bit stream. The FCC ID filing identifies the transceiver as the Nordic nRF24L01 [10]. The nRF24L01 uses the Enhanced ShockBurst protocol with a payload of 1 to 32 bytes; the packet format is shown in Fig. 4 [6]. A packet consists of a Preamble, an Address, a Packet Control Field, the Payload and a CRC. The preamble is 10101010 when the first bit of the address is 1 and 01010101 when it is 0. The Packet Control Field holds a 6-bit Payload length, a 2-bit PID (Packet Identify) and a 1-bit NO_ACK flag (Fig. 5).

Fig. 4. Enhanced ShockBurst packet format.
Fig. 5. Packet control field format.

The Payload length field counts the payload bytes from 0 to 32: 000000 means 0 (an ACK packet without payload) and 100000 means 32. The PID distinguishes a new packet from a retransmission of the previous one, so the receiving MCU can discard duplicates. The NO_ACK flag controls Auto Acknowledgement: when it is set the receiver does not answer with an ACK [6]. The CRC (Cyclic Redundancy Check) lets the receiver detect corrupted packets.

In the captured traffic the address is 5 bytes long and begins with 0xCD. Key Down and Key Up packets carry 16 bytes of payload and Key Idle packets 8 bytes [11]; each is answered by an ACK from the receiver. The change of PID from packet to packet can be seen in Fig. 6.

Fig. 6. Packets generated when a wireless keyboard key is pressed.

2-4 [Step 4] Checking the input information

The fourth step extracts the key information from the payload. As shown in Fig. 7, the Key Down payload consists of a 4-byte Header, a 2-byte Sequence ID, 2 bytes of Metakey flags, 7 bytes of key codes and a 1-byte Checksum [11]. The payload is not sent in the clear: as KeyKeriki v2.0 showed for Microsoft keyboards, 11 bytes of it are XORed with the device address (Fig. 8) [2]. The packet for the key 'a' was analyzed in this way.

Fig. 7. Analysis of the Key Down packet payload format.

Fig. 8. Format of the wireless keyboard payload encryption.
Fig. 9. Result of the wireless keyboard key 'a' analysis.

Fig. 10. Result of the wireless mouse payload analysis.

Fig. 9 shows the decoded packet. In the header, the first byte is 0x0A for the keyboard and 0x08 for the mouse; the second is 0x78 for a Key Down/Key Up packet, 0x38 for a Key Idle packet and 0x90 for a mouse click; the third is 0x09 and 0x03 respectively. The Metakey flags carry Shift, Alt and Ctrl, with the values listed in Table 2. The key codes follow the USB HID usage table (0x04 = 'a'). The checksum is the XOR of the payload bytes with the fourth address byte (0x29), which enters inverted as 0xD6: 0x0A ^ 0x78 ^ 0x09 ^ 0x01 ^ 0x4D ^ 0x43 ^ 0x04 ^ 0xD6 = 0xA6. Recomputing this XOR over a received packet and comparing it with the checksum byte confirms that the packet was decoded with the correct address. The mouse payload (Fig. 10) is decoded in the same way: the button byte is 0x01 or 0x02 (left and right button, as in HID), and 0x65 is the constant in its XOR.

2-5 Verifying the analysis result

The analysis software was implemented with GNU Radio Companion (Fig. 11).

Table 2. Key information of the Metakey flags.

Metakey flags   Key
0x4300          (none)
0x4301          Ctrl (left)
0x4302          Shift (left)
0x4304          Alt (left)
0x4305          Window

Fig. 11. Implementation of the GNU Radio analysis software.
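Decoding a key-down payload the way Section 2-4 and Fig. 9 describe it, as an added example in Python (not the paper's software): it undoes the XOR with the device address, checks the checksum with the paper's XOR (0x0A ^ 0x78 ^ 0x09 ^ 0x01 ^ 0x4D ^ 0x43 ^ 0x04 ^ 0xD6 = 0xA6) and maps the HID usage and the Table 2 Metakey flags to a key. Assumptions not stated in the paper: the 11 XOR-obscured bytes are bytes 4 to 14, with the 5-byte address repeated from byte 4 on; the checksum covers bytes 0 to 14 and is XORed with the inverted fourth address byte; multi-byte fields are big-endian (matching the 0x43xx values of Table 2); the sample address (apart from 0xCD and 0x29) and the placement of 0x4D in the sequence field are invented.

```python
# Added example, not the paper's code: decode a Microsoft 2.4 GHz keyboard
# key-down payload (4-byte header, 2-byte sequence ID, 2-byte Metakey flags,
# 7 key codes, 1-byte checksum = 16 bytes), undoing the XOR with the address.
# Assumptions (not from the paper): XOR-obscured bytes are 4..14 with the
# address repeated from byte 4; the checksum is XOR of bytes 0..14, then XOR
# with the inverted 4th address byte (0x29 -> 0xD6); fields are big-endian.
from typing import Dict, List, Optional

# Table 2 of the paper.
METAKEY_FLAGS: Dict[int, str] = {
    0x4300: "none", 0x4301: "Ctrl(left)", 0x4302: "Shift(left)",
    0x4304: "Alt(left)", 0x4305: "Window",
}

PACKET_LEN = 16              # key-down / key-up packets (idle packets are 8 bytes)
ENC_START, ENC_END = 4, 15   # the 11 bytes XORed with the address
CSUM_ADDR_INDEX = 3          # the 4th address byte enters the checksum


def hid_usage_to_char(usage: int) -> Optional[str]:
    """USB HID keyboard usage IDs: 0x04..0x1D = a..z, 0x1E..0x27 = 1..9,0."""
    if 0x04 <= usage <= 0x1D:
        return chr(ord("a") + usage - 0x04)
    if 0x1E <= usage <= 0x27:
        return "1234567890"[usage - 0x1E]
    return None


def xor_with_address(packet: bytes, address: bytes) -> bytes:
    """XOR bytes 4..14 with the address; self-inverse, so it both obscures and recovers."""
    out = bytearray(packet)
    for i in range(ENC_START, ENC_END):
        out[i] ^= address[(i - ENC_START) % len(address)]
    return bytes(out)


def checksum(plain: bytes, address: bytes) -> int:
    """The paper's worked XOR: all bytes before the checksum, then ~addr[3]."""
    acc = 0
    for b in plain[:PACKET_LEN - 1]:
        acc ^= b
    return acc ^ address[CSUM_ADDR_INDEX] ^ 0xFF


def decode_key_packet(rx: bytes, address: bytes) -> Dict:
    """Recover header, sequence, modifier and keys from a sniffed 16-byte packet."""
    if len(rx) != PACKET_LEN:
        raise ValueError("expected a 16-byte key-down/key-up packet")
    plain = xor_with_address(rx, address)
    if checksum(plain, address) != plain[-1]:
        raise ValueError("checksum mismatch: wrong address or corrupted payload")
    meta = int.from_bytes(plain[6:8], "big")
    usages: List[int] = [u for u in plain[8:15] if u]   # 0x00 = no key in that slot
    return {
        "header": plain[:4].hex(),
        "sequence": plain[4:6].hex(),
        "modifier": METAKEY_FLAGS.get(meta, "unknown 0x%04x" % meta),
        "keys": [hid_usage_to_char(u) or "usage 0x%02x" % u for u in usages],
    }


# Constructed sample. Address: first byte 0xCD and fourth byte 0x29 as in the
# paper's capture, the other three bytes made up. Plaintext: the bytes of the
# paper's checksum example for key 'a' (header 0A 78 09 01, sequence 4D 00
# (placement assumed), Metakey 0x4300, HID usage 0x04, checksum 0xA6).
ADDRESS = bytes.fromhex("cd11222933")
PLAIN_KEY_A = bytes.fromhex("0a780901" "4d00" "4300" "04000000000000" "a6")
RX_KEY_A = xor_with_address(PLAIN_KEY_A, ADDRESS)   # what the sniffer sees on air


if __name__ == "__main__":
    print("on air :", RX_KEY_A.hex())
    print("decoded:", decode_key_packet(RX_KEY_A, ADDRESS))
```

Because the XOR is its own inverse, the same function produces the on-air bytes from a plaintext and recovers the plaintext from a capture; the checksum check is what tells a wrong address guess from a right one, since decoding with a wrong address still yields 16 bytes.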
Keys typed 7 m from the USRP antenna were recovered with 95 % accuracy.

III. Manipulation of the wireless keyboard/mouse electromagnetic signal

As shown in Fig. 12, manipulation runs the analysis in reverse, again in four steps: confirming the address, composing the packet to transmit, GFSK modulation, and transmitting the RF signal.

Fig. 12. Steps of the wireless keyboard/mouse signal manipulation.

3-1 [Step 1] Confirming the address

The first step takes the device address obtained in the analysis of Section II (Fig. 13); the receiver accepts only packets that carry this address.

Fig. 13. Confirmation of the communication address.

3-2 [Step 2] Composing the transmit packet

The second step builds the packet for the key to be injected, in the format found in Section II, with the program of Fig. 14: the HID usage code of the key is placed in the payload, the payload is XORed with the address, the checksum is appended, and the Enhanced ShockBurst address, control field and CRC are added.

Fig. 14. Manipulation signal transmission program.

3-3 [Step 3] GFSK modulation

The third step modulates the packet of step 2 in GFSK, using the GMSK Mod block of GNU Radio Companion.

3-4 [Step 4] Transmitting the RF signal

The fourth step transmits the modulated signal of step 3 on the channel the device is using (2,403 to 2,480 MHz).

3-5 Verifying the manipulation result

The manipulation software is shown in Fig. 15. To demonstrate control of the victim PC, the system first sends Windows+R, then types cmd to open a command prompt, and then sends rd c:\test_demo to delete the folder Test_demo on drive C.
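The Enhanced ShockBurst framing that Section 2-3 takes apart and step 3-2 puts back together, as an added example in Python (not the paper's code and not Nordic's): it assembles a frame from an address, payload, PID and NO_ACK flag, and parses one back, recomputing the CRC. Assumptions not taken from the paper: bytes are sent MSB first; the 2-byte CRC is CRC-16 with polynomial 0x1021 and initial value 0xFFFF, computed bit-serially over address, PCF and payload, as I recall it from the nRF24L01+ datasheet [6]; the sample address is made up apart from its 0xCD first byte, and the 2-byte sample payload is only the 0x0A 0x78 header start from Fig. 9.

```python
# Added example, not the paper's code: Enhanced ShockBurst (ESB) framing of the
# nRF24L01+ as described in Section 2-3 and rebuilt in step 3-2.
# Assumptions (not from the paper): MSB-first bit order; 2-byte CRC = CRC-16,
# poly 0x1021, init 0xFFFF, over address + 9-bit PCF + payload (as I recall
# the nRF24L01+ datasheet [6]).
from typing import Dict, List

Bits = List[int]


def bytes_to_bits(data: bytes) -> Bits:
    """MSB-first bit expansion of a byte string."""
    return [(b >> (7 - i)) & 1 for b in data for i in range(8)]


def int_to_bits(value: int, width: int) -> Bits:
    return [(value >> (width - 1 - i)) & 1 for i in range(width)]


def bits_to_int(bits: Bits) -> int:
    value = 0
    for bit in bits:
        value = (value << 1) | bit
    return value


def crc16_bits(bits: Bits, poly: int = 0x1021, init: int = 0xFFFF) -> int:
    """Bit-serial CRC-16 over any number of bits (the PCF is 9 bits long, so a
    byte-oriented CRC routine cannot be used here)."""
    crc = init
    for bit in bits:
        feedback = ((crc >> 15) & 1) ^ bit
        crc = (crc << 1) & 0xFFFF
        if feedback:
            crc ^= poly
    return crc


def preamble_for(address: bytes) -> int:
    """Preamble is 10101010 when the first address bit is 1, 01010101 when it is 0."""
    return 0xAA if address[0] & 0x80 else 0x55


def build_frame(address: bytes, payload: bytes, pid: int, no_ack: bool = False) -> Bits:
    """Preamble | address (3-5 B) | PCF (6-bit length, 2-bit PID, NO_ACK) | payload | CRC-16."""
    if not 3 <= len(address) <= 5:
        raise ValueError("address must be 3 to 5 bytes")
    if len(payload) > 32:
        raise ValueError("payload must be 0 to 32 bytes")
    if not 0 <= pid <= 3:
        raise ValueError("PID is a 2-bit counter")
    pcf = int_to_bits(len(payload), 6) + int_to_bits(pid, 2) + [int(no_ack)]
    body = bytes_to_bits(address) + pcf + bytes_to_bits(payload)
    return bytes_to_bits(bytes([preamble_for(address)])) + body + int_to_bits(crc16_bits(body), 16)


def parse_frame(bits: Bits, addr_len: int = 5) -> Dict:
    """Inverse of build_frame: split the fields and recompute the CRC."""
    pos = 8                                   # skip the 1-byte preamble
    address = bytes(bits_to_int(bits[pos + 8 * i:pos + 8 * i + 8]) for i in range(addr_len))
    pos += 8 * addr_len
    length = bits_to_int(bits[pos:pos + 6])   # 000000 = ACK without payload
    pid = bits_to_int(bits[pos + 6:pos + 8])
    no_ack = bool(bits[pos + 8])
    pos += 9
    if len(bits) < pos + 8 * length + 16:
        raise ValueError("truncated frame")
    payload = bytes(bits_to_int(bits[pos + 8 * i:pos + 8 * i + 8]) for i in range(length))
    pos += 8 * length
    crc_rx = bits_to_int(bits[pos:pos + 16])
    return {
        "preamble": bits_to_int(bits[:8]),
        "address": address,
        "length": length,
        "pid": pid,
        "no_ack": no_ack,
        "payload": payload,
        "crc_ok": crc_rx == crc16_bits(bits[8:pos]),   # CRC covers address, PCF, payload
    }


# Constructed sample: hypothetical 5-byte address with the 0xCD first byte seen
# in the paper's capture (other bytes made up) and the 0x0A 0x78 header start.
SAMPLE_ADDRESS = bytes.fromhex("cd11222933")
SAMPLE_PAYLOAD = bytes.fromhex("0a78")


def demo() -> Dict[str, Dict]:
    frame = build_frame(SAMPLE_ADDRESS, SAMPLE_PAYLOAD, pid=2)
    corrupted = list(frame)
    corrupted[60] ^= 1                        # flip one payload bit: CRC must fail
    return {"good": parse_frame(frame), "bad": parse_frame(corrupted)}


if __name__ == "__main__":
    for name, fields in demo().items():
        print(name, fields)
```

Parsing works on a bit list rather than bytes because the 9-bit PCF shifts everything after it by one bit; a capture taken off the GMSK Demod block is exactly such a bit stream, and the recomputed CRC is what separates real frames from noise that happens to match the preamble and address.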
In a second demonstration the injected keystrokes open the Run dialog with Windows+R and download and execute a file on the victim PC (Fig. 17).

Fig. 15. Implementation of the manipulation software.

Fig. 16. Manipulation result: the folder is deleted.

Fig. 17. Result of downloading and executing a file.

IV. Construction of the analysis and manipulation system

Fig. 18 shows the block diagram of the complete analysis and manipulation system.

Fig. 18. Block diagram of the analysis and manipulation system.

4-1 Analysis and manipulation performance

The assembled system (Fig. 19) was tested by transmitting manipulation packets toward the victim PC at two distances: at 8 m, 100 out of 100 attempts succeeded (100 %), and at 30 m likewise 100 out of 100 (100 %).

4-2 Analysis of the maximum manipulation distance
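The link budget behind this section, as an added example in Python (not the paper's calculation): the standard free-space path loss expression reproduces the paper's 69.87 dB at 30 m and 2.48 GHz, and the received power and maximum range follow from the Table 3 figures. The paper's -74.09 dBm at 30 m is about 8.4 dB below the pure free-space value 0 + 2.03 + 2.19 - 69.87 = -65.65 dBm, so the paper's equation (1) includes loss terms beyond free space; the example carries those as a single extra_loss_db input (my assumption, not the paper's model), and implied_extra_loss_db recovers that 8.4 dB from the paper's numbers.

```python
# Added example, not the paper's calculation: the link budget behind Section 4-2.
# The free-space path loss below reproduces the paper's 69.87 dB at 30 m and
# 2.48 GHz (with c = 3.0e8 m/s). Transmit power, antenna gains and sensitivity
# are the Table 3 values; extra_loss_db is an assumed single term standing in
# for whatever additional losses the paper's equation (1) carries.
import math
from typing import Dict

C_LIGHT = 3.0e8    # m/s
FREQ_HZ = 2.48e9   # Table 3


def fspl_db(distance_m: float, freq_hz: float = FREQ_HZ) -> float:
    """Free-space path loss in dB: 20 log10(d) + 20 log10(f) + 20 log10(4 pi / c)."""
    if distance_m <= 0 or freq_hz <= 0:
        raise ValueError("distance and frequency must be positive")
    return (20 * math.log10(distance_m) + 20 * math.log10(freq_hz)
            + 20 * math.log10(4 * math.pi / C_LIGHT))


def received_power_dbm(tx_dbm: float, tx_gain_dbi: float, rx_gain_dbi: float,
                       distance_m: float, extra_loss_db: float = 0.0) -> float:
    """Pr = Pt + Gt + Gr - FSPL - extra losses (dBm / dB)."""
    return tx_dbm + tx_gain_dbi + rx_gain_dbi - fspl_db(distance_m) - extra_loss_db


def implied_extra_loss_db(measured_dbm: float, tx_dbm: float, tx_gain_dbi: float,
                          rx_gain_dbi: float, distance_m: float) -> float:
    """How far a reported received power sits below the free-space prediction."""
    return received_power_dbm(tx_dbm, tx_gain_dbi, rx_gain_dbi, distance_m) - measured_dbm


def max_range_m(tx_dbm: float, tx_gain_dbi: float, rx_gain_dbi: float,
                sensitivity_dbm: float, extra_loss_db: float = 0.0) -> float:
    """Largest distance at which Pr still reaches the receiver sensitivity
    (fspl_db solved for the distance)."""
    allowed_loss = tx_dbm + tx_gain_dbi + rx_gain_dbi - sensitivity_dbm - extra_loss_db
    freq_term = 20 * math.log10(FREQ_HZ) + 20 * math.log10(4 * math.pi / C_LIGHT)
    return 10 ** ((allowed_loss - freq_term) / 20)


# Table 3 values
KEYBOARD = {"tx_dbm": 0.0, "tx_gain_dbi": 2.03}
TX_SYSTEM = {"tx_dbm": 20.0, "tx_gain_dbi": 12.0}
RX_GAIN_DBI = 2.19
SENSITIVITY_DBM = -82.0
PAPER_RX_30M_DBM = -74.09   # received power the paper reports for the keyboard at 30 m


def demo() -> Dict[str, float]:
    extra = implied_extra_loss_db(PAPER_RX_30M_DBM, distance_m=30,
                                  rx_gain_dbi=RX_GAIN_DBI, **KEYBOARD)
    return {
        "fspl_30m_db": round(fspl_db(30), 2),
        "keyboard_rx_30m_free_space_dbm": round(
            received_power_dbm(distance_m=30, rx_gain_dbi=RX_GAIN_DBI, **KEYBOARD), 2),
        "implied_extra_loss_db": round(extra, 2),
        "tx_system_rx_1500m_dbm": round(
            received_power_dbm(distance_m=1500, rx_gain_dbi=RX_GAIN_DBI,
                               extra_loss_db=extra, **TX_SYSTEM), 2),
        "tx_system_max_range_m": round(
            max_range_m(rx_gain_dbi=RX_GAIN_DBI, sensitivity_dbm=SENSITIVITY_DBM,
                        extra_loss_db=extra, **TX_SYSTEM)),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

demo() applies the 30 m implied loss to the 20 dBm / 12 dBi transmission system; the free-space model then predicts a longer range than the 1.5 km the paper reports, so the paper's equation (1) evidently carries further loss or margin terms for the long path that this example does not model.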
The maximum distance was estimated from the link budget. Equation (1) gives the path loss in dB as a logarithmic function of distance and frequency; at 30 m it evaluates to 69.87 dB. With the keyboard's 0 dBm transmit power, its 2.03 dBi antenna and the 2.19 dBi receive antenna, the received power at 30 m is -74.09 dBm; the receiver has a 7 dB noise figure and a sensitivity of -82 dBm. The RF specifications of the keyboard's USB receiver and of the transmission system are listed in Table 3. Applying the same budget to the transmission system (20 dBm into a 12 dBi antenna), the received power at 1.5 km is -81.04 dBm, still above the -82 dBm sensitivity, so the maximum manipulation distance is estimated to be 1.5 km.

Table 3. RF specifications of the wireless keyboard and the transmission system.

Item                    Wireless keyboard   Transmission system
Frequency               2.48 GHz            2.48 GHz
Transmit power          0 dBm               20 dBm
Transmit antenna gain   2.03 dBi            12 dBi
Receive antenna gain    2.19 dBi (USB receiver)
Receiver noise figure   7 dB
Receiver sensitivity    -82 dBm

Fig. 19. Analysis and manipulation system.

V. Conclusion

In this paper we implemented a system that analyzes and manipulates the electromagnetic signal of a 2.4 GHz wireless keyboard and mouse with a USRP and GNU Radio. The analysis recovered the device address and the keys typed by the user, and the manipulation sent arbitrary keystrokes that controlled the PC, with an estimated maximum range of 1.5 km. A third party who sniffs the signal can therefore read what the user types and take control of the PC, so 2.4 GHz wireless input devices should be used with this risk in mind.

References

[1] M. Fähnle, M. Hauff, "Analysis of unencrypted and encrypted wireless keyboard transmission implemented in GNU Radio based software-defined radio", Hochschule Ulm, University of Applied Sciences, Institute of Communication Technology, 2011.
[2] T. Schroeder, M. Moser, "Practical exploitation of modern wireless devices", CanSecWest, Mar. 2010, http://www.remoteexploit.org/content/keykeriki_v2_cansec_v1.1.pdf
[3] T. Goodspeed, "Promiscuity is the nRF24L01+'s Duty", Feb. 2011, http://travisgoodspeed.blogspot.com/2011/02/promiscuity-is-nrf24l01s-duty.html
[4] S. Kamkar, "KeySweeper", 2015, http://samy.pl/keysweeper
[5] M. Newlin, Bastille, "MouseJack", Feb. 2016, https://www.bastille.net/technical-details
[6] Nordic Semiconductor, "nRF24L01+ single chip 2.4 GHz transceiver product specification", Jul. 2007, http://www.nordicsemi.com/eng/products/2.4 GHz-RF/nRF24L01P
[7] Ettus Research, USRP N200 web page, https://www.ettus.com/product/details/un200-kit
[8] GNU Radio web page, http://gnuradio.org/redmine/projects/gnuradio/wiki
[9] "... USRP ... GNU Radio ... IEEE 802.15.4 ..." (in Korean), The Journal of Korean Institute of Electromagnetic Engineering and Science, vol. 21, no. 11, pp. 1214-1219, Nov. 2010.
[10] FCC ID application database, https://fccid.io
[11] "... GNU Radio ... 2.4 GHz ..." (in Korean), 2016, p. 208, Jun. 2016.
[12] "... USRP RIO ... SDR ... 5G LTE-TDD ... HD ..." (in Korean), The Journal of Korean Institute of Electromagnetic Engineering and Science, vol. 27, no. 5, pp. 445-453, May 2016.

Sang-Su Kim received his degree in Feb. 2008 and has been with LIG Nex1 since Dec. 2007.

Seung-Sub Oh received his degrees in Feb. 1993 and Aug. 2012 and has been with LIG Nex1 since Jan. 1993.

In-Seok Na received his degree in Feb. 1989 and has been with LIG Nex1 since Jan. 1989; his research interests include RF.