Radio Hack Box – Tool to Demonstrate Vulnerabilities in Wireless Input Devices

March 31, 2017November 18, 2017 haxf4rall2017 0 Comments Hack wireless devices, intercept wireless keyboard, keystroke injection vulnerability, radio hack box

The SySS Radio Hack Box is a proof-of-concept software tool to demonstrate the replay and keystroke injection vulnerabilities of the wireless keyboard Cherry B.Unlimited AES.

Requirements

Raspberry Pi
Raspberry Pi Radio Hack Box shield (a LCD, some LEDs, and some buttons)
nRF24LU1+ USB radio dongle with flashed nrf-research-firmware by the Bastille Threat Research Team, e. g.
- Bitcraze CrazyRadio PA USB dongle
- Logitech Unifying dongle (model C-U0007, Nordic Semiconductor based)
Python2
PyUSB

Automatic startup
For automatically starting the Radio Hack Box process on the Raspberry Pi after a reboot, either use the provided init.d script or the following crontab entry:

@reboot python2 /home/pi/radiohackbox/radiohackbox.py &

Usage
The Radio Hack Box currently has four simple push buttons for

start/stop recording
start playback (replay attack)
start attack (keystroke injection attack)
start scanning

A graceful shutdown of the Radio Hack Box without corrupting the file system can be performed by pressing the SCAN button directly followed by the RECORD button.

Demo Video
A demo video illustrating replay and keystroke injection attacks against an AES encrypted wireless keyboard using the SySS Radio Hack Box a.k.a. Cherry Picker is available on YouTube:

Pi Radio Hack Box Shield
The hand-crafted Pi shield simply consists of an LCD, some LEDs, some buttons, resistors, and wires soldered to a perfboard.