
PoC tool to demonstrate vulnerabilities in wireless input devices


SySS Radio Hack Box

The SySS Radio Hack Box is a proof-of-concept software tool to demonstrate the replay and keystroke injection vulnerabilities of the wireless keyboard Cherry B.Unlimited AES.

[Image: SySS Radio Hack Box]

Requirements

  • Raspberry Pi
  • Raspberry Pi Radio Hack Box shield (an LCD, some LEDs, and some buttons)
  • nRF24LU1+ USB radio dongle flashed with the nrf-research-firmware by the Bastille Threat Research Team, e.g.
  • Python2
  • PyUSB

Automatic startup

For automatically starting the Radio Hack Box process on the Raspberry Pi after a reboot, either use the provided init.d script or the following crontab entry:

@reboot python2 /home/pi/radiohackbox/radiohackbox.py &

Usage

The Radio Hack Box currently has four simple push buttons for

  • start/stop recording
  • start playback (replay attack)
  • start attack (keystroke injection attack)
  • start scanning

A graceful shutdown of the Radio Hack Box without corrupting the file system can be performed by pressing the SCAN button directly followed by the RECORD button.

[Image: SySS Radio Hack Box usage]

Demo Video

A demo video illustrating replay and keystroke injection attacks against an AES-encrypted wireless keyboard using the SySS Radio Hack Box, a.k.a. Cherry Picker, is available on YouTube: SySS Cherry Picker

[Video: Cherry Picker Demo Video]

Pi Radio Hack Box Shield

The hand-crafted Pi shield simply consists of an LCD, some LEDs, some buttons, resistors, and wires soldered to a perfboard.

[Images: Pi Radio Hack Box Shield front, Pi Radio Hack Box Shield back, Pi Radio Hack Box Shield breadboard design]

Disclaimer

Use at your own risk. Do not use without full consent of everyone involved. For educational purposes only.