blinking hell - data extraction through keyboard lockstates
DESCRIPTION
Using a small, cheap and freely available programmable USB device, it is possible to export data from a computer system without being detected as a typical USB storage device. We have developed a PoC that is demonstrable, and our current research is now focused on defeating endpoint security solutions that track vendor and device IDs of USB devices.
TRANSCRIPT
Blinking Hell
Big things in small packages
Matthew Phillips @phillips321
Richard Hicks @scriptmonkey_
Background
BSides Las Vegas 2011
• David Kennedy (Rel1k) – “Using the Teensy for so much more...”
Exporting Data
Research
• Software can toggle the key lock states
• Teensy can emulate a keyboard (CAPS, SCROLL, NUM)
• Can we see the status of the lock keys from the Teensy?
Solution
• Hidden in Mouse
• Once again Iron Geek deserves credit
Summary so far...
• Keyboard lock states are broadcast signals
• Teensy is capable of reading them
• Easily hidden in benign objects

• Can we signal?
• How do we control it?
• How do we retrieve the data in a usable form?
How do we get the host to talk?…
How do we get the two to play nice?
1. Waiting for special “Knock”
2. Turn Scroll on 3 times within 5 secs
3. Teensy now in “record” mode and waiting for first bit
4. Set Num Lock to identify first bit
5. Clear Caps Lock
6. Set Scroll
7. Teensy now has control.
8. Read state of Num Lock
9. Unset Scroll Lock
10. Set Caps Lock
11. VBA has control, repeat steps 4 to 11 until EOF.
12. Send “FF” to signal EOF to Teensy
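
As an added example (not code from the talk), the handshake above can be turned into host-side detection logic: find the knock, then count the Scroll/Caps handshake cycles that follow it. The event format, function names, the `min_cycles` threshold and the sample logs are assumptions constructed for illustration.

```python
from collections import deque

# Assumed event format (not from the slides): (timestamp_seconds, key, turned_on)

def find_knock(events, count=3, window=5.0):
    """Time at which Scroll Lock was turned on `count` times within `window` s."""
    recent = deque()
    for ts, key, on in events:
        if key == "SCROLL" and on:
            recent.append(ts)
            while ts - recent[0] > window:
                recent.popleft()
            if len(recent) >= count:
                return ts
    return None

def count_bit_cycles(events, start):
    """Count handshakes after `start`: Scroll on, Scroll off, then Caps on."""
    cycles, stage = 0, 0
    for ts, key, on in events:
        if ts <= start:
            continue
        if stage == 0 and key == "SCROLL" and on:
            stage = 1            # host side signals a bit is ready (step 6)
        elif stage == 1 and key == "SCROLL" and not on:
            stage = 2            # device acknowledges (step 9)
        elif stage == 2 and key == "CAPS" and on:
            cycles, stage = cycles + 1, 0   # device hands control back (step 10)
    return cycles

def assess(events, min_cycles=8):
    """Alert when a knock is followed by at least `min_cycles` handshakes."""
    knock = find_knock(events)
    cycles = count_bit_cycles(events, knock) if knock is not None else 0
    return {"knock_at": knock, "cycles": cycles,
            "alert": knock is not None and cycles >= min_cycles}

def constructed_session(bits):
    """Constructed sample log: the knock, then one handshake per bit."""
    ev, t = [], 0.0
    for _ in range(3):
        ev += [(t, "SCROLL", True), (t + 0.2, "SCROLL", False)]
        t += 0.4
    for b in bits:
        ev += [(t, "NUM", bool(b)), (t + 0.05, "CAPS", False), (t + 0.1, "SCROLL", True),
               (t + 0.2, "SCROLL", False), (t + 0.25, "CAPS", True)]
        t += 0.5
    return ev

BENIGN = [(10.0, "CAPS", True), (12.0, "CAPS", False), (300.0, "NUM", True)]
```

Ordinary typing rarely touches Scroll Lock at all, so the knock plus a sustained run of cycles is a strong signal; the threshold of 8 corresponds to one byte under the one-bit-per-cycle scheme on the slide.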
Scenario
Demo Time
Will the demo gods help us? Not going to try!
Wrap up
• Works with other file types
• Demo speed can be improved upon
• Vendor ID can be changed
• Others have now done this
Questions?
• Matthew Phillips
• @phillips321
• www.phillips321.co.uk

• Richard Hicks
• @scriptmonkey_
• blog.scriptmonkey.eu

• Assembla code will be up soon (see Twitter)