
Keyboard hijacking and monitoring caused by hard-coded channel table and gzll base address.

Open sealpp opened this issue 3 years ago • 1 comments

Hey there.

I made 2 sets of keyboards. When using them, I found that the two keyboards interfere with each other when they work at the same time. After further testing, I found that the cause of this problem is hard coding at:

  • gzll base address:
    • https://github.com/mattdibi/redox-w-firmware/blob/a193645e1b7f70f1637878c5ae9830aebc2de828/redox-w-keyboard-basic/main.c#L214
    • https://github.com/mattdibi/redox-w-firmware/blob/a193645e1b7f70f1637878c5ae9830aebc2de828/redox-w-keyboard-basic/main.c#L215
    • https://github.com/mattdibi/redox-w-firmware/blob/a193645e1b7f70f1637878c5ae9830aebc2de828/redox-w-receiver-basic/main.c#L92
    • https://github.com/mattdibi/redox-w-firmware/blob/a193645e1b7f70f1637878c5ae9830aebc2de828/redox-w-receiver-basic/main.c#L93
  • channel_table
    • https://github.com/mattdibi/redox-w-firmware/blob/a193645e1b7f70f1637878c5ae9830aebc2de828/redox-w-receiver-basic/main.c#L47
    • https://github.com/mattdibi/redox-w-firmware/blob/a193645e1b7f70f1637878c5ae9830aebc2de828/redox-w-keyboard-basic/main.c#L32
    • https://github.com/mattdibi/redox-w-firmware/blob/a193645e1b7f70f1637878c5ae9830aebc2de828/redox-w-keyboard-basic/main.c#L35

Not only interference between keyboards, but also serious security problems:

  • An attacker can use a receiver of the same specification or a receiver with higher power to monitor user keyboard input from a long distance.
  • An attacker can use a signal transmitter of the same specification or higher power to control the target host from a long distance.

I think the address and channel should be determined according to user input, and users should be informed of certain security risks.

sealpp avatar Jul 09 '22 08:07 sealpp
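The post above asks for the address and channel table to come from user input instead of the literal constants linked. The following is an added example, not code from redox-w-firmware or its author: a host-side generator that derives one keyboard/receiver pair's two Gazell base addresses and a channel table from a user-supplied pairing secret, checks them against basic radio constraints, and emits a header the firmware could include where it currently passes constants to the Gazell set-base-address / set-channel-table calls. Everything here is an assumption for illustration: the `GZLL_*` macro names, the FNV-1a mixer, the band limits (nRF51 channel n = 2400 + n MHz, kept to 2402..2480 MHz), the 3 MHz minimum hop spacing, and the bit-transition rule for addresses. Note the caveat the issue implies but does not spell out: per-pair addresses fix interference and stop a stock receiver from decoding the wrong keyboard, but they are not secrets. A radio that scans or sniffs addresses still recovers them, so monitoring and injection are only prevented by authenticated encryption of the key reports on top of the link, which this example does not provide.

```c
#include <inttypes.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed radio limits (not from the redox-w-firmware sources). */
#define CHAN_COUNT        5
#define CHAN_MIN          2      /* 2402 MHz */
#define CHAN_MAX          80     /* 2480 MHz */
#define CHAN_MIN_SPACING  3      /* MHz between any two hop channels */
#define MAX_ATTEMPTS      4096

struct gzll_pair_config {
    uint32_t base_address_0;            /* hypothetical: value for base address 0 */
    uint32_t base_address_1;            /* hypothetical: value for base address 1 */
    uint8_t  channel_table[CHAN_COUNT]; /* hypothetical: Gazell channel table   */
};

/* 32-bit FNV-1a over secret || label || counter. A deterministic mixer, not a
 * cryptographic PRF: the outputs are radio parameters, not keys, and an
 * attacker sniffing the air learns them anyway. */
uint32_t derive_word(const uint8_t *secret, size_t len, const char *label, uint32_t ctr)
{
    uint32_t h = 0x811c9dc5u;
    for (size_t i = 0; i < len; i++) { h ^= secret[i]; h *= 0x01000193u; }
    for (const char *p = label; *p; p++) { h ^= (uint8_t)*p; h *= 0x01000193u; }
    for (int i = 0; i < 4; i++) { h ^= (uint8_t)(ctr >> (8 * i)); h *= 0x01000193u; }
    return h;
}

/* Reject addresses a receiver syncs on poorly: constant or alternating bit
 * patterns and anything with fewer than four bit transitions (assumed rule). */
bool address_ok(uint32_t a)
{
    if (a == 0x00000000u || a == 0xFFFFFFFFu || a == 0x55555555u || a == 0xAAAAAAAAu)
        return false;
    int transitions = 0;
    for (int i = 0; i < 31; i++)
        if (((a >> i) & 1u) != ((a >> (i + 1)) & 1u))
            transitions++;
    return transitions >= 4;
}

/* A candidate channel must be inside the band and not adjacent to one already chosen. */
bool channel_ok(uint8_t ch, const uint8_t *table, int filled)
{
    if (ch < CHAN_MIN || ch > CHAN_MAX)
        return false;
    for (int i = 0; i < filled; i++) {
        int d = (int)ch - (int)table[i];
        if (d < 0) d = -d;
        if (d < CHAN_MIN_SPACING)
            return false;
    }
    return true;
}

/* Derive one keyboard/receiver pair's parameters from a user-supplied secret.
 * Returns false if the secret is too short or no valid set was found. */
bool derive_pair_config(const uint8_t *secret, size_t len, struct gzll_pair_config *out)
{
    if (len < 8)                       /* too little input to keep pairs distinct */
        return false;
    uint32_t ctr = 0;
    memset(out, 0, sizeof *out);       /* 0 is rejected by address_ok, so loops run */

    while (ctr < MAX_ATTEMPTS && !address_ok(out->base_address_0))
        out->base_address_0 = derive_word(secret, len, "base0", ctr++);
    while (ctr < MAX_ATTEMPTS &&
           (!address_ok(out->base_address_1) || out->base_address_1 == out->base_address_0))
        out->base_address_1 = derive_word(secret, len, "base1", ctr++);

    int filled = 0;
    while (ctr < MAX_ATTEMPTS && filled < CHAN_COUNT) {
        uint32_t w = derive_word(secret, len, "chan", ctr++);
        uint8_t ch = (uint8_t)(w % (CHAN_MAX - CHAN_MIN + 1)) + CHAN_MIN;
        if (channel_ok(ch, out->channel_table, filled))
            out->channel_table[filled++] = ch;
    }
    return filled == CHAN_COUNT && address_ok(out->base_address_0) &&
           address_ok(out->base_address_1) && out->base_address_0 != out->base_address_1;
}

/* Emit a header the firmware can #include in place of the literal constants. */
void print_header(FILE *f, const struct gzll_pair_config *c)
{
    fprintf(f, "/* generated per-pair Gazell parameters: keep private to one keyboard set */\n");
    fprintf(f, "#define GZLL_BASE_ADDRESS_0 0x%08" PRIX32 "u\n", c->base_address_0);
    fprintf(f, "#define GZLL_BASE_ADDRESS_1 0x%08" PRIX32 "u\n", c->base_address_1);
    fprintf(f, "#define GZLL_CHANNEL_TABLE_SIZE %d\n#define GZLL_CHANNEL_TABLE { ", CHAN_COUNT);
    for (int i = 0; i < CHAN_COUNT; i++)
        fprintf(f, "%u%s", c->channel_table[i], i + 1 < CHAN_COUNT ? ", " : " }\n");
}

int main(int argc, char **argv)
{
    /* Constructed demo secret; in practice take it from the user (argv[1]). */
    const char *input = argc > 1 ? argv[1] : "example-pair-secret-do-not-reuse";
    struct gzll_pair_config cfg;
    if (!derive_pair_config((const uint8_t *)input, strlen(input), &cfg)) {
        fprintf(stderr, "pairing secret too short or derivation failed\n");
        return 1;
    }
    print_header(stdout, &cfg);
    return 0;
}
```

Run it once per keyboard set (`./gen "my pairing secret" > pair_config.h`) and build both halves and the receiver against the same generated header; two sets built from different secrets then land on different addresses and hop tables. Keep the secret and the header out of any shared repository, and treat this as a fix for interference and accidental cross-talk only, not for the monitoring and injection attacks listed in the post.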

Hi there, everything you reported is indeed correct and was already brought to my attention here and on multiple other occasions.

> I think the address and channel should be determined according to user input

It is in the form of the hardcoded addresses you linked.

> users should be informed of certain security risks.

This is an area that needs improvement for sure. I'll try to update the main docs ASAP.

mattdibi avatar Jul 11 '22 19:07 mattdibi