UBERHid: Wifi keylogger and HID injector

December 26, 2019

UBERHid is a USB MitM Wifi keylogger with keyboard and mouse injection capabilities designed and implemented by @kripthor. The project is still in the early phases of development; however, it already allows one to perform keylogging and inject keyboard/mouse payloads. I had the opportunity to meet @kripthor during BSides Lisbon 2019 and to get one UBERHid DIY kit.

Malicious programmable HIDs (Human Interface Devices) are typically microcontrollers programmed to act as a USB HID keyboard and mouse and set to send certain keystrokes and mouse movements. These can work on a plug-and-deploy basis (e.g. the classic USB Rubber Ducky), can act when some variable changes (e.g. deploy a script when the ambient light goes below a given threshold [1]) or be remotely accessible (e.g. over WiFi). Cheap versions of these devices include the ones based on the Digispark ATtiny85, and I did something to make it easy to deploy new Ducky Scripts [2].

The advantage of a USB HID is that it does not matter if autorun is disabled or not. By default, most operating systems seem to automatically install and configure USB HIDs as soon as they are inserted, regardless of the privilege level of the current user. [3]

Adrian Crenshaw has an article section on how to detect and mitigate this kind of malicious device [3], and @pmsosa created a daemon that can defeat these devices [4]. Even so, these only protect against the injection of payloads, not the keylogging part.
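One common way to detect HID payload injection on the host is keystroke timing: a microcontroller emits keys far faster, and for far longer, than a person can type. The sketch below is an added example, not code from this post or from the daemon mentioned above; the thresholds, function names and sample timestamps are assumptions constructed for illustration.

```python
from dataclasses import dataclass

FAST_GAP_MS = 30   # assumed: gaps at or below this are faster than sustained human typing
MIN_BURST = 8      # assumed: consecutive fast keys required before raising an alert


@dataclass(frozen=True)
class Burst:
    start_ms: int
    end_ms: int
    keys: int

    @property
    def keys_per_second(self) -> float:
        span = max(self.end_ms - self.start_ms, 1)
        return (self.keys - 1) * 1000 / span


def find_injected_bursts(timestamps_ms, fast_gap_ms=FAST_GAP_MS, min_burst=MIN_BURST):
    """Return runs of key-down events in which every inter-key gap is <= fast_gap_ms."""
    bursts, run = [], []
    for t in sorted(timestamps_ms) + [None]:  # None is a sentinel that closes the last run
        if run and (t is None or t - run[-1] > fast_gap_ms):
            if len(run) >= min_burst:
                bursts.append(Burst(run[0], run[-1], len(run)))
            run = []
        if t is not None:
            run.append(t)
    return bursts


def sample_events():
    """Constructed key-down timestamps (ms): human typing, a machine-paced burst, human typing."""
    human_gaps = [180, 95, 240, 130, 110, 310, 150]
    events, t = [], 0
    for gap in human_gaps:
        t += gap
        events.append(t)
    t += 2000                                  # pause, then 20 keys exactly 5 ms apart
    events += [t + 5 * i for i in range(20)]
    t = events[-1]
    for gap in human_gaps:
        t += gap
        events.append(t)
    return events


if __name__ == "__main__":
    for b in find_injected_bursts(sample_events()):
        print(f"ALERT: {b.keys} keys in {b.end_ms - b.start_ms} ms "
              f"({b.keys_per_second:.0f} keys/s) starting at t={b.start_ms} ms")
```

A passive keylogger sitting in the cable path generates no such burst, which is why a timing check of this kind covers the injection side only.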

As far as I could find, there is only one solution on the market that does something similar, and it’s too expensive (price ranges from 70 to 105 EUR): KEYVILBOARD. However, the most expensive version has some extra features, such as support for 2G communication.

Bill of Materials

| Qty. | Description | Obs. |
|------|-------------|------|
| 1 | UBERHid PCB | Designed by @kripthor |
| 1 | Arduino ATmega32u4 | Board is designed for DM Micro AU version (Beetle with 18 pins) |
| 1 | ESP8266 ESP-12E module | Module to solder |
| 1 | MAX3421EEHJ+ USB | USB Peripheral Host Controller 32-Pin |
| 5 | 10kΩ Resistor | SMD. |
| 2 | 33Ω Resistor | SMD. |
| 2 | 18pF Capacitor | SMD. |
| 1 | XTAL TXC 12MHz | SMD. |
| 1 | 2k2 Resistor | 2.2kΩ SMD. |
| 1 | FTDI FT232RL | USB to TTL Serial 3.3V/5V USB Adapter or equivalent. Used to program the ESP8266. |

  • All the components can be found in the usual online stores such as Aliexpress and eBay.

Schematics

UBERHid PCB

UBERHid Schematic

Schematic

UBERHid Wiring

Details of the wiring between the ATmega32u4 and FTDI programmer. Note that the ATmega used in this case was an SS Micro version which does not have the same pinout as the recommended DM Micro AU Beetle Leonardo, which fits directly in the PCB pinout layout.

Wiring

Soldering

The components must be soldered according to the above schematic. Some extra details and protips:

  • Start by soldering the smaller components, especially the MAX3421 chip, the SMD resistors and capacitors and the XTAL crystal.
  • Two pins sit right below the ESP8266 chip. You have to be sure that these pins do not make any contact with the ESP8266 after the soldering is completed. I used a little heat-resistant insulating tape to avoid any contact and soldered the pins on the other side of the board.
  • Solder the ESP8266 before the remaining pins to have more space.
  • Finish the soldering by adding the remaining pins and the USB port.
  • The ATmega32u4 can be soldered directly on top of the UBERHid PCB, although some jumper cables can also be used to make it possible to reuse it in other projects.
  • Clean the board using isopropyl alcohol.

How to program the devices

Firmware is available here. This project is still in early development, so be aware of bugs and missing features.

Using PlatformIO

ESP8266

  1. Connect the FTDI to the PCB pins as depicted in the wiring scheme above.
  2. GPIO0 needs to be grounded to get into programming mode.
  3. Uncomment the following lines in platformio.ini:
    src_dir = ${workspacedir}/firmware/UberHID-ESPUSB/.
    data_dir = ${workspacedir}/firmware/UberHID-ESPUSB/data/.
    
  4. Sanity check:
    $ platformio run -e esp12e
  5. Upload the firmware:
    $ platformio run -e esp12e --target upload --upload-port </dev/ttyUSB*>
    • Replace </dev/ttyUSB*> with your device, e.g.: /dev/ttyUSB0
  6. Upload the filesystem (data folder):
    $ pio run -e esp12e --target uploadfs --upload-port </dev/ttyUSB*>
    • Replace </dev/ttyUSB*> with your device, e.g.: /dev/ttyUSB0

Arduino Leonardo (ATmega32u4)

  1. Plug the Arduino Leonardo into one of the computer's USB ports.
  2. Uncomment the following line in platformio.ini:
    src_dir = ${workspacedir}/firmware/UberHID-Leonardo/.
    
  3. Sanity check:
    $ platformio run -e leonardo
  4. Upload the firmware:
    $ platformio run -e leonardo --target upload --upload-port </dev/ttyACM*>
    • Replace </dev/ttyACM*> with your device, e.g.: /dev/ttyACM0

How to use it?

  1. Connect the device between a keyboard and a computer.
     ----------     ---------     ----------
     |Keyboard| <-> |UBERHid| <-> |Computer|
     ----------     ---------     ----------
    
  2. Connect to the device access point.
    • It can be visible or hidden depending on the configuration in the file Config.h in firmware/UberHID-ESPUSB. Other configuration options available are the access point name and password.
     #define WIFISSID "UBERHID"
     #define WIFIPASS "uberidiota"
     #define WIFICHANNEL 7
     #define WIFISSIDHIDDEN 0 //1 for hidden
    
  3. Navigate to 192.168.4.1

    UBERHid Homepage

  4. You can see the keystrokes in real time and inject keyboard and mouse commands. Also, you can RickRoll your friends.

Final Result

I still need to reduce the jumper chaos with smaller jumpers or with the other version of the ATmega32u4 that plugs directly into the designed PCB. And a 3D-printed case!

There are still a lot of features under development, such as adding support for Wifi attacks that can be performed using an ESP8266 [5,6]. Meanwhile, if you have some spare time, watch the talk by @kripthor at BSides Lisbon on the creation of UBERHid here.

References