Forgot your password?
typodupeerror
Hardware Hacking Security Wireless Networking

Wireless Presenters Attacked Using an Arduino 69

Posted by Soulskill
from the watch-out-steve dept.
An anonymous reader writes "This week Dutch security researcher Niels Teusink described a method of attacking wireless presenter devices at an Amsterdam security conference. He had a demo showing how it is possible to use an Arduino and Metasploit to get remote code execution by sending arbitrary keystrokes to the presenter dongle. He has now released the code and made a blog post explaining how it all works. Better watch out the next time you're giving a presentation using one of these devices!"
This discussion has been archived. No new comments can be posted.

Wireless Presenters Attacked Using an Arduino

Comments Filter:
  • Huh huh huh (Score:2, Funny)

    by Anonymous Coward

    You said "dongle".

  • hmmm.... (Score:5, Funny)

    by girlintraining (1395911) on Sunday July 04, 2010 @11:21AM (#32791930)

    Useful for:

    * Corporate espionage
    * Screwing with professors at school
    * Pissing off Steve Jobs.

    We all know which one's most likely.

    • by N!k0N (883435)
      Definitely screwing w/ professors...
    • by yincrash (854885)
      well, because the devices send any keyboard command, you can take over the machine and do anything. however, if you just want to wreck havoc with powerpoint, then you could probably just bring your own keyboard presenter and it will probably work the same way. like someone using a remote control on your tv
      • by Kemanorel (127835)

        Most presenting devices have at least rudimentary pairing between remote and dongle. At least I know that the Keyspan remote I've been using for the last 5 or more years works that way. Just bringing another remote of the same kind would likely do nothing.

        • by dkf (304284)

          Most presenting devices have at least rudimentary pairing between remote and dongle.

          Yes, but a lot of projectors also have remote controls, and they're usually not paired. Switching things off mid-presentation is deeply annoying to the presenter.

          (I say this because of a presentation I once saw a friend do where his remote would (IIRC) bring up the configuration menu every time he switched page. Funny, but it forced him to switch to manual control.)

    • Re:hmmm.... (Score:5, Funny)

      by Dragoniz3r (992309) on Sunday July 04, 2010 @12:51PM (#32792338)
      I guess we all know what Gizmodo will be doing at the next major conference.
    • Re: (Score:3, Funny)

      by antifoidulus (807088)
      Wait, you mean Apple's newest product ISNT "iGoatse"? Damn, and here I had my credit card out ready to go.
    • Nice try, but Steve Jobs doesn't need any remote controls for his presentations. He has a special receiver that he communicates with via his RDF.
  • by Anonymous Coward on Sunday July 04, 2010 @11:39AM (#32792006)
    While Bluetooth certainly has its issues and took a while to address all the early security concerns, I really wish wireless device creators would stop rolling their own protocols. With limited engineering, they are almost certainly guaranteed to do it badly. As of Bluetooth 2.1, all communication aside from service discovery is encrypted. There are still pairing exploits and implementation defects, but at least they have the core idea right. In order to monkey with a Bluetooth presentation remote, you would have to (a) discover the shared key during the speakers presentation, (b) convince the presenter to redo pairing prior to speaking and somehow get them to pair with your evil device instead (has a Bluetooth man-in-the-middle attack been tried yet?), or (c) give up and settle for just jamming the communication, causing a whopping 30 seconds of confusion. If you design a wireless protocol now without over-the-air encryption, you are doing it wrong.
    • by mc6809e (214243) on Sunday July 04, 2010 @12:02PM (#32792112)

      While Bluetooth certainly has its issues and took a while to address all the early security concerns, I really wish wireless device creators would stop rolling their own protocols.

      Yeah, but then the maker would have to licence the technology and that adds cost. The chip used in the device doesn't come with Bluetooth. It's a very simple chip.

      I suspect that the problem here is that the engineer just didn't think about security.

      • Re: (Score:3, Informative)

        by rawler (1005089)

        AFAIK, Bluetooth is License-free. That is, the protocol, and all related specifications are free for implementation.

        Of course you may still need to pay a little for a chip that implements it, but the same thing goes for any wireless chip, and I doubt Bluetooth is THAT much more expensive?

        • by DeadCatX2 (950953) on Sunday July 04, 2010 @12:50PM (#32792330) Journal

          Whereas your average Arduino board is about $20-30 or so, an Arduino board with Bluetooth costs about $150.

          http://www.sparkfun.com/commerce/tutorial_info.php?tutorials_id=148 [sparkfun.com]

          Yes, Bluetooth is that expensive. The ArduinoBT board uses an off-the-shelf BlueGiga WT11. Newark sells those for about $60.

          http://www.newark.com/bluegiga/wt11-a-ai/class-1-bluetooth-2-0-edr-module/dp/15P4005 [newark.com]

          Mind you, this is a Class 1 (i.e. long range) transmitter, using BT 2.0 and not BT 2.1. Compare this to a standard RF transmitter and receiver, which is a couple bucks per chip...

          • Re: (Score:3, Informative)

            by flux (5274)

            Hello? You can buy Bluetooth-USB-modules for as little as $3 from Amazon. And that is the price for a single item sold to a consumer. The prices of development-kit-level items is hardly comparable to the actual price to implement Bluetooth in a mass-produced gizmo.

            I wonder how come you didn't find that the 433MHz wireless modems cost $40 at Sparkfun as well..

            I believe a large reason, if not the largest, for not using Bluetooth in simple wireless gadgets is the amount of electricity it takes compared to a si

            • by DeadCatX2 (950953) on Sunday July 04, 2010 @02:01PM (#32792686) Journal

              Do you mean the Bluetooth USB modules used to add Bluetooth support to a PC that doesn't have it? Unfortunately, an embedded system doesn't have a desktop-class processor to run the Bluetooth stack.

              Oh, and those el-cheap-o Bluetooth modules you're suggesting are probably very out-dated, which is why they're so cheap. That $3 module probably cost more when it was less than a year old and they weren't trying to dump the inventory that they can't sell at a higher price...

              • by dkf (304284)

                Oh, and those el-cheap-o Bluetooth modules you're suggesting are probably very out-dated, which is why they're so cheap. That $3 module probably cost more when it was less than a year old and they weren't trying to dump the inventory that they can't sell at a higher price...

                But for keyboard simulation, you don't need a fancy high-speed module. You're talking a few bytes per second. A cheap module should be enough. Hardware that can do anything is more expensive than hardware which is more specialized to its task; flexibility costs.

                • by mrmeval (662166)

                  The Arduino has 16k of flash memory and 2k of ram. It has exactly one hardware uart though other pins can act as software serial devices. It cannot act as a USB master like a PC without some help though it can act as a USB peripheral i.e. a usb to serial device. I may be able to hack apart that bluetooth dongle and get access to the bluetooth chip but I suspect the USB and bluetooth are integrated in one ASIC which won't allow that.

              • by adolf (21054)

                Ah, yes. The old "it cost more, therefore it must be better/newer/faster" generalization.

                So, go have a look [google.com] at what's actually available. You'll see that while the prices do vary wildly, there is very little variation in terms of the actual products (aside from packaging) other than a handful of products that appear to actually be independently engineered (which is not necessarily a good thing).

                Just to pick one particular product: B&H sells it [bhphotovideo.com] for $11.95. Computer Geeks has the same one [geeks.com] for $7.99.

      • Re: (Score:3, Informative)

        by drinkypoo (153816)

        Yeah, but then the maker would have to licence the technology and that adds cost. The chip used in the device doesn't come with Bluetooth. It's a very simple chip.

        If there is demand, Wal-Mart will be happy to sell an unlicensed Bluetooth transmitter like the ones you can buy from DealExtreme, except in some packaging more elaborate than that usually used for crack rocks (i.e. a tiny ziploc.) That will help keep the costs down. :)

        Of course, if all us nerds just tell all our non-nerd friends to stop buying the non-Bluetooth versions because they're broadcasting their passwords to the world, then a percentage of them will listen, and we can help stick a nail in the coff

      • by aztektum (170569)

        I suspect that the problem here is that the bean counters didn't care about security.

        That's usually been my experience.

      • by g253 (855070)
        Or the engineer did think about security, but the managers & accountants said no ;-)
    • Most of these devices don't use frequency hopping (FHSS) or even DSSS or any kind of interference resistance algorithm. Also, they run on 2.4ghz band because it's license free.
      All you need is a dumb laptop running Linux, or even any other OS, with a wifi card.
      All you have to do is set the card into raw mode (on Linux, usually setting monitor mode) to be able to inject packet.
      Once done, inject packets as fast as you can on the same frequency. The packet contents doesn't matter at all. And done, jammed.

      Works

    • Bluetooth is very complicated compared to other options, which content themselves basically with providing a serial port. This complexity and licensing costs add significantly to devices.

  • ...the presenters can't advance their PowerPoint slides...

  • The blog entry commented especially that the hack is possible in part because the wireless devices use a one-size-fits-all protocol; hence the presentation remotes are capable of communicating keyboard and mouse commands even though they are really neither a keyboard nor a mouse.

    In other words, our desire for things cheap and shiny has made us vulnerable yet again. Its the lead-paint-on-toys problem, but this time the victims are not children.
    • Re: (Score:3, Insightful)

      I would agree that the desire for "cheap" is arguably behind this problem; but I would disagree about "shiny". The problem isn't that the protocol is general purpose(particularly in those cases where the receiver was sold in a set that contained a mouse and/or keyboard in addition to the little PPT remote...) but that absolutely no useful effort was made to apply what we already know about authentication and encryption. For just slightly more, you could just have a bluetooth device that(while certainly not
    • by Vellmont (569020)


      In other words, our desire for things cheap and shiny has made us vulnerable yet again. Its the lead-paint-on-toys problem, but this time the victims are not children.

      Who are the victims? People giving presentations? And they're victims to people being jackasses?

      Sorry, I just don't see that as comparable to children (or anyone) being poisoned by lead. Security is always about risk. There's a million ways to be a dumb ass during a presentation, be it the tv b gone [wikipedia.org] or something about equally as childish b

      • by moortak (1273582)
        If it just allowed minor presentation interrupting issues it wouldn't even be all that notable of an event. The catch is that it allows remote code execution. That is a little bigger than a whoopee cushion.
  • Then only outlaws.. or something like that..

  • Yeah, no big deal that some one used an AVR or PIC microcontroller to do something.

    You need to put away your toys and be a man by stepping up to an ARM microcontroller.

It's later than you think, the joint Russian-American space mission has already begun.

Working...