Wireless keyboard and mouse monitoring and hijacking

Introduction: The keyboard is one of the most common pieces of hardware in daily life. Wireless keyboards and mice are favored by many people for their convenience and good looks, but how secure are they, and how can we defend against attacks on them?
This article is excerpted from "Hardware Security Attack and Defense Secrets".

1. The rise of wireless keyboards and mice

  There are many ways to connect a keyboard to a computer. Wired keyboards and mice are the most common in daily life and are widely used. However, a wired connection not only limits the operating distance but is also inconvenient to carry around, and the cumbersome cables easily clutter the desk. Wireless keyboards and mice solve these problems well. They are divided into Bluetooth types and 2.4GHz types; the wireless keyboards and mice referred to in this article generally mean the 2.4GHz type. It is worth noting that although Bluetooth keyboards and mice also operate in the 2.4GHz band, they use the Bluetooth communication protocol and conform to the Bluetooth standard. The 2.4GHz type mainly refers to wireless products developed with proprietary wireless protocols. For a 2.4GHz wireless keyboard and mouse, an adapter is usually plugged into the computer's USB port, and the mouse and keyboard are powered by batteries.

2. The basic principle of wireless keyboard and mouse

  The main difference between wireless and wired keyboards and mice is how the signal is transmitted. Wired keyboards and mice use cables to carry information, while wireless ones use radio. Early wireless keyboards used the 27MHz band, and the wireless receivers of that time were much larger than today's integrated chips. Most current products operate in the 2.4GHz ISM (Industrial, Scientific, Medical) band. The working principle of a wireless keyboard is briefly as follows. When a key is pressed, the microcontroller inside the keyboard detects which key it is by matrix scanning; each key has a corresponding code. The microcontroller then transmits the key information by radio through the wireless transceiver module. After receiving the data, the adapter on the computer passes the key input to the operating system over USB, completing the transfer of the keystroke. The hardware and the communication data of the wireless link are described in detail below.

3. Hardware parts

  If you want to really understand the structure and basic principles of a keyboard, disassembly is a very direct and effective method.
[Figure: disassembled wireless keyboard]
  The picture above shows a disassembled wireless keyboard. The lower right part is the battery slot, and the red wire is the power wire that supplies the microcontroller and the wireless module. The most common type on the market today is this kind of membrane keyboard. Membrane keyboards did not replace mechanical keyboards because mechanical keyboards were of poor quality or felt bad: the feel and service life of mechanical keyboards are better than those of membrane keyboards, but they were gradually withdrawn from the market because of their high cost. Recently, with the pursuit of product quality, mechanical keyboards have gradually become popular again.
  A membrane keyboard is made of three layers and has no mechanical wear. It is characterized by low price, low noise and low cost, and holds most of the market share; what we commonly use now is the membrane keyboard. Its structure is very simple. Besides the upper and lower covers and the key caps, after disassembling the keyboard you will also see the rubber caps (which in fact are all made of silicone now), three membranes, the circuit board and the IC on it. Looking at the membranes more closely, you can also see the conductive printed paint. The principle of the membrane keyboard is quite simple: of the three membranes, the top one is the positive circuit, the bottom one is the negative circuit, and the middle one is a non-conductive plastic sheet.
【Figure 4】
  Next, the pressing module (usually consisting of the key cap, the movable module under the key cap, and the rubber cap) sits on top. When a finger presses the key cap down, the upper and lower membranes come into contact and conduct, completing the circuit.
  However, we are more concerned with the RF part: that is, which chip is used to transmit the data. Knowing this makes it easier to find the right direction for research.
【Figure 5】
  The picture above shows the radio frequency part of the wireless keyboard, which uses the nRF24L01 chip designed by Nordic. The black square is the chip, surrounded by the peripheral components it needs to operate, such as capacitors and resistors. The yellow serpentine pattern on the left is the PCB antenna, a trace on the printed circuit board used as an antenna. The advantage of this kind of antenna is that it is smaller and cheaper than an external antenna; the disadvantage is its short range, so it suits applications without strict range requirements. This wireless transceiver chip is key to understanding the basic principles of wireless keyboard and mouse communication, which helps our research on wireless keyboards. Some basic facts about the chip follow.
  nRF24L01 is a single-chip wireless transceiver with protocol handling designed by Nordic, suitable for low-power wireless applications. It works in the globally open ISM band (industrial, scientific and medical band), in the frequency range 2.400GHz to 2.4835GHz. Because nRF24L01 is only a wireless transceiver with no integrated microcontroller, it must be used together with a microcontroller and a small number of peripheral components. nRF24L01 is operated and configured through its SPI interface: through SPI, its internal registers can be read and written to complete its configuration and all other operations.
  The radio uses GFSK modulation. The user can set the channel, output power and data rate. nRF24L01 supports three rates: 250kbit/s, 1Mbit/s and 2Mbit/s. At present, the 2Mbit/s data rate is widely used.
  The following figure shows the reference circuit schematic officially provided by Nordic. Most companies develop according to it, unless they have special requirements in some aspect and adjust the schematic. Many manufacturers do secondary development on this basis to produce modules built around the chip.
【Figure 6】
  The figure below shows the finished module of the chip. 
【Figure 7】
  The module brings out only the necessary power and control pins; the other peripheral circuitry is integrated on the module. The advantage is that it is more convenient to use, and there is no need to worry about the chip's peripheral circuitry or antenna. Antenna design is a difficult point in circuit design, and small mistakes can have a large impact on communication range. Therefore many manufacturers use well-designed modules rather than redesigning this part themselves.
【Figure 8】
  The picture above shows the pinout of the module, which can be connected to a microcontroller. The corresponding pin functions are as follows.
【Figure 9】
  The module exposes 8 pins for the user. Pins 1 and 2 are the power pins that supply the module. Pin 3 is the chip enable pin, which sets whether the chip operates in receive or transmit mode. Pins 4 to 7 are the four SPI lines. CSN is the chip select, i.e. the enable for the chip's SPI communication. SCK is the SPI clock supplied by the microcontroller. MOSI carries data from the microcontroller to the module, and MISO carries data from the module to the microcontroller. Pin 8, IRQ, notifies the microcontroller by a level transition when data has been received. The advantage of this approach is that the microcontroller can do other work while no data is arriving, without constantly polling the module. Of course, the IRQ pin can also be left unused and the module polled instead, but as mentioned above, constantly querying whether data has arrived is very inefficient. A further drawback of polling is that the microcontroller is always busy, which prevents it from sleeping and substantially increases power consumption.
  Through the physical interface above, nRF24L01 can be configured and operated. Knowing the hardware is not enough, however; studying the communication data is still required.

4. Communication data part

  nRF24L01 supports automatic packet assembly, automatic transmission of acknowledgement packets and automatic retransmission of packets. It supports payload lengths of 1 to 32 bytes. It can automatically disassemble received packets and extract the required payload. nRF24L01 has 6 communication channels and supports at most a 1-to-6 star network.
【Figure 10】
  The figure above shows the nRF24L01 packet format, which consists of a 1-byte preamble, a 3- to 5-byte address, a 9-bit packet control field, a 0- to 32-byte payload and a CRC checksum. Each part of the packet plays a different role in the communication; they are described in detail below.
  The preamble is used to synchronize the demodulator at the receiving end with the incoming bit stream. The preamble here is one byte long, and its sequence is 01010101 or 10101010. Which one is used depends on the first bit of the address that immediately follows the preamble: if the first bit of the address is 1, the preamble is automatically set to 10101010; if it is 0, the preamble is automatically set to 01010101. This ensures there is enough transition time for the receiver to settle. Simply put, the preamble exists mainly to make reception of the following data stream more stable.
  The address is what the transmitter sends to identify the receiver. It lets the packet be detected and received by the correct receiver rather than wrongly received by other devices. Once we write the address into the receiver, packets not addressed to us can be conveniently filtered out, ensuring that at least the address of every received packet is correct. The address width can be adjusted to 3, 4 or 5 bytes by setting the register named AW.
【Figure 11】
  The figure above shows the Packet Control Field of the packet, which carries control information about the packet and mainly consists of the payload length field (Payload Length), the packet identification field (PID) and the no-acknowledge flag (NO_ACK) for auto acknowledgement. The packet control field contains a 6-bit payload length field. When the device acts as a receiver and is configured for dynamic payload length, this field indicates how long the payload is so that the payload can be read quickly. When a static payload length is configured, this field is not used, since the payload length is the same every time.
  The 2-bit packet identification field is used to detect whether a received packet is new or a retransmission. Its purpose is to prevent the same payload from being delivered to the microcontroller and processed more than once. Each time the transmitter sends a new packet, the PID value is incremented. The receiving device uses the PID together with the cyclic redundancy check (CRC) to decide whether the packet is a retransmission or a new one. When several packets are lost, the PID of this packet may be the same as that of the previous one; in that case nRF24L01 compares the two CRCs. If the two CRCs are identical, the most recently received packet is considered a copy of the previous one and is discarded.
  The optional auto-acknowledgement feature controls the no-acknowledge flag (NO_ACK). This flag is only meaningful when auto acknowledgement is in use. Setting the flag to 1 tells the receiver that this packet does not need to be automatically acknowledged.
  The payload (Payload) is the user-defined data content; its length can be 0 to 32 bytes. Users place the data to be transmitted in the payload field. The cyclic redundancy check code is used for error detection of the packet. Before sending, the transmitter generates a CRC from the data being sent. When the receiver receives the data, it also generates a CRC from the received data. Finally, the receiver compares the CRC it computed over the received data with the CRC it received directly; if they are the same, the data is considered to have arrived without error, and if they differ, an error is assumed and retransmission or other measures are needed. This field can be configured as 1 or 2 bytes, and is calculated starting from the address, so it also covers the packet control field and the payload.
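As an added example (not code from the book or from Nordic), here is a bit-level encoder and decoder for the packet format described above, together with the receiver-side retransmission check: the preamble is chosen from the first address bit, the 9-bit packet control field carries length, PID and NO_ACK, and the CRC covers the address through the payload. The CRC-16 parameters (polynomial 0x1021, initial value 0xFFFF) are the 2-byte CRC values from the nRF24L01+ datasheet and are assumed here, since the page does not state them; the addresses and payloads are constructed sample values.

```python
# Added example: bit-level encoder/decoder for the nRF24L01 packet format in the text.
# CRC-16 parameters (poly 0x1021, init 0xFFFF) are assumed from the nRF24L01+ datasheet.
def crc16(bits: str) -> int:
    """Bit-serial CRC-16, poly X^16+X^12+X^5+1, init 0xFFFF, MSB first."""
    crc = 0xFFFF
    for b in bits:
        crc ^= int(b) << 15
        crc = ((crc << 1) ^ 0x1021 if crc & 0x8000 else crc << 1) & 0xFFFF
    return crc

def to_bits(data: bytes) -> str:
    return "".join(f"{b:08b}" for b in data)
def to_bytes(bits: str) -> bytes:
    return bytes(int(bits[i:i + 8], 2) for i in range(0, len(bits), 8))

def build_frame(address: bytes, payload: bytes, pid: int, no_ack: bool = False) -> str:
    """Return the over-the-air bit string: preamble | address | PCF | payload | CRC."""
    if not (3 <= len(address) <= 5 and len(payload) <= 32 and 0 <= pid <= 3):
        raise ValueError("address 3-5 bytes, payload 0-32 bytes, PID 0-3")
    addr = to_bits(address)
    preamble = "10101010" if addr[0] == "1" else "01010101"  # set by first address bit
    pcf = f"{len(payload):06b}{pid:02b}{int(no_ack)}"         # 6-bit length, 2-bit PID, NO_ACK
    covered = addr + pcf + to_bits(payload)                    # CRC covers address..payload
    return preamble + covered + f"{crc16(covered):016b}"

def parse_frame(bits: str, addr_len: int) -> dict:
    """Split a frame into fields; addr_len is the receiver's AW setting (3, 4 or 5)."""
    pos = 8                                                    # skip the 1-byte preamble
    addr, pos = bits[pos:pos + 8 * addr_len], pos + 8 * addr_len
    pcf, pos = bits[pos:pos + 9], pos + 9
    length, pid, no_ack = int(pcf[:6], 2), int(pcf[6:8], 2), pcf[8] == "1"
    payload, pos = bits[pos:pos + 8 * length], pos + 8 * length
    crc = int(bits[pos:pos + 16], 2)
    return {"preamble": bits[:8], "address": to_bytes(addr), "length": length, "pid": pid,
            "no_ack": no_ack, "payload": to_bytes(payload), "crc": crc,
            "crc_ok": crc16(addr + pcf + payload) == crc}

class Receiver:
    """Retransmission check from the text: same PID and same CRC as the last good frame."""
    def __init__(self) -> None:
        self.last = None
    def accept(self, bits: str, addr_len: int):
        """Return (fields, status) where status is 'bad_crc', 'duplicate' or 'new'."""
        f = parse_frame(bits, addr_len)
        if not f["crc_ok"]:
            return f, "bad_crc"
        key = (f["pid"], f["crc"])
        status = "duplicate" if key == self.last else "new"
        self.last = key
        return f, status
```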

5. How to defend

  In some organizations or scenarios, wired keyboard loggers are required as keystroke logging devices. Please do not remove them casually, to avoid unnecessary misunderstandings.
  For individuals, defending against wired keyloggers is neither easy nor hard. It is easy because such an external device is visible to the naked eye; it is hard because detecting it with software is very difficult. A few simple defensive measures follow.
  First, raise your awareness. Before using a desktop computer, check whether a "little tail" has been attached to the back. Of course, checking every time is tedious, so you can place the case on the desk where it is in plain sight and glance at it now and then. With a laptop, just take a look whenever you can.
  Second, do not casually accept a keyboard given to you by someone you do not know well! Also be alert if you find signs that your keyboard has been taken apart! Perhaps a circuit board is hidden inside the keyboard that steals your account and password when you are not paying attention, and then uses that as a foothold to steal more secrets. Of course, a keyboard you bought on the market yourself is relatively safer.
  Also, when entering critical information, it is better to use an on-screen keyboard, provided that the software security of the computer itself is in order; if it is infected with a trojan that records the screen, there is nothing to be done.
  Defending against wireless keyboard sniffing is simple: do not use wireless keyboards and mice! Especially when using a desktop or laptop in the office, there is no need at all for a wireless keyboard, and on phones and iPads the on-screen keyboard is enough. If you must use a wireless keyboard, consider building your own converter hardware that turns a USB wired keyboard into a Bluetooth or wireless keyboard; the method works on the same principle as a wireless keylogger.
  Finally, there is no absolute security, but do not be frightened by rumors either. Keep a good attitude, be careful and cautious, and change to strong passwords regularly; this is important.
  Especially for staff who hold important account passwords of a company or government organization, please raise your own security awareness.

Warning: illegally stealing other people's information is against the law. The content of this section is for study and reference only. Do not break the law!

  In tomorrow's post we will introduce a classic case of wireless keyboard and mouse monitoring and hijacking, "MouseJack": MouseJack takes advantage of problems in some wireless mice and keyboards to masquerade as a keyboard and inject arbitrary keystrokes.