>>Hey guys, thank you for coming to our presentations. It is called key logger video mouse or how did we turn our KVM into a raging key logging monster. So before we begin meet the team. My name is Yaniv Balmas and joining me is Lior Oppenheim aka, the mad scientist and we are researchers for check points or technologies. So let's drive right into our problem. So our problem as with my other computer science problems starts with computer so we have computers and we have many computers and we have a lot. And the problem is each of these computers actually need ASCII board video and mouse set in order operate and when we have a lot of these computers then we have a lot of keyboards and video boards and mice and this creates a lot of mess on your desk so we can't figure which monitor go to which computer and the thing is that this is an age old problem and was solved with this device called KVM. For those that are for some reason not familiar within device. It is short for keyboard video and mouse. And what it does is it is used to connect the same set of keyboard video and mouse to one or more computers. Right so it all works something like this. If you have two computers under your desk and they are both connected to a KVM device which is connected to a keyboard video mouse on your desk and now everything is routed to computer number one and everything is cool and you can play your favorite video game and suddenly your boss steps in your office and you just managed to push the button and boom catastrophe is avoided, everything is now routed to computer number two. So that is easy and that is how it works so where can we find the KVM devices. So we can find them on your desks such as the example I just showed you before or we can find them inside your server X and that is because they holds something like eight servers and it only makes sense to put a KVM in there in order avoid having eight sets of keyboard video and mouse. And last but not least, we can find KVMs in very secured environments and is because in those environments we have several networks and some of them are pretty sensitive and some of them are just a corporate network connected to a internet and for a user than needs to work on some of these networks at the same time, it only makes sense to have a KVM on his desk. So to sum it up KV Ms every where. In every technological environment that you go do you find a lot of these just laying around here and there. So let's take a look at evolution of KVMs along the years. So it all started off in 1980s or 90s with something that looks like this and known as AV switch and just a electronic box that you connect from the board to keyboard video and mouse set and when you switch to B board everything is routed to the B board. And that worked really fine. That is until technology advanced just a bit and came to be USB keyboards. When we have USB keyboards KVMs need to be evolved also and they is how we met these modern KVMs. They contain some USB stack in order provide like smooth transition between the boards and a lot more other features like you know DVI outputs HD MI outputs and they support millions of keyboards and all that stuff. And the next evolution is when we met this stuff called matrix KVMs. They controls thousands of computers and use big environments. So obviously, we consider KV Ms evolve a lot over the years but the problem is a lot of guys still considered those as those same old stupid boxes. But obviously you know, they are not those stupid boxes. Take a look at some of these KVM features. They have hot keys and on screen display menus and web menus inside them so those devices run code. They are minicomputers sitting on your desk and thinking okay so if the run code then what can we do with them. So what the one common thing between all the features that I just showed? So the one common thing is all the features require the KVM to be and to process key strokes. They don't just take the key strokes from the keyboard and pass it on the computer. Now they have a Parsitan see where it is and maybe that is like a combo that you just pressed and the thing is if they process key strokes all we food to do is find a way to alter the execution flow just a bit and find some kind of free memory space in there and then we can store those key strokes over there and we just dump them out and so we achieve the key log. That is not a software key loggers because no software is running on your computer. It is like running at minus four. I lost track of the readings during the past few years. But that is not the hardware key logger also because there is not a hardware key logger involved in this. You connect a -- KVM to your computer. Right? So that is really cool and that was our subject. Sorry for that. I think there is (indiscernible) in here. And what we did I didn't want to work on my KVM because I kind of need it so I went to our help desk department and told them, my KVM kind of broke and I need a new one and they said okay just grab this one and take it. So I took it and I went to my office and opened the box and started unboxing it. So first thing I take out is KVM. And then there is some KVM cables and one cable that looks like this and manuals and warranties and a CD which one was called firmware upgraded utility and the other file named (indiscernible) so we were thinking okay so this file had like really high levels so it was compressed but we could not really decompress it with any method we tried so both me and LIOR are advanced guys so we this runs on windows then we said we can try and reverse engineer this and extract it. So that should be a easy task. All know when we tried to analyze this update utility it turned out not such a easy task and that is because we kind of figured out this utility is used upgrade the entire line of KVMs. Contains of thousands of functions and on top of that it is like a C plus plus code and really messy thing we didn't want to mess around with it so but when we (indiscernible) bugger then we saw what we expected to see. I mean, this thing reads this ping file and presses it on to decompression function and stores output at some kind of space so we went to this memory space and looked what was stored in there and hoped that we can find our firmware. So this is what we found. A blob and looks like this and this is kind of imagine representation. So we started looking at some of these features. 11 so one of them is that this is 64K long blob and the other thing has a low level so that means no longer compressed and those are not encrypted and has no strings not a single one. That kind of looked a bit strange to us but we kept ongoing so we made some frequency analysis and tried to compare with other firmwares and nothing came close. Nothing. So what we did is use (indiscernible) for those that are not familiar that is tool to find signatures of known firmwares and really cool to and we use this on this blob and got zero results. Nothing at all. Then we were just sitting at this blob and saying we don't know what to do with it. So we must find another way so that was a complete failure. So at this point we had two options and one could be to go back to firmware utility and reverse engineering this and but that would be a really tedious job. Might take us days or weeks or months and we don't really feel like doing it and the other option would be to be creative about it and by being creative you must understand how the process works. So remember that I showed you, that is the serial cable connects to ports on your computer and then connects to KVM and you run utility and some how it test this blob and test it to the device on the cable. So all we need to do is just to download some kind of software and then hopefully we can just have to analyze the serial protocol and extract the data from it and then don't really need to reverse engineer this thing and that is pretty cool and that is what we did. So challenge accepted. So we start sniffing the serial particle and we're stiffing it, stiffing sniffing and that is what we get. What you see is serial protocol and messages marked with red are from the KVM particle and yellow is to 2KVM. So let's start analyzing this thing. So first thing we noticed is that each of these messages has some kind of fixed header to it and that has the X volume of 4655. Fifty-five which is representation of FU. (laughter) all right. So we were thinking, is anybody trying to tell us something and yes, they are trying to tell us something. They are telling us this is firmware upgrade. (laughter) so we kept on analyzing this and next thing we notice is this is some kind of code. Goes like A0A1A2A3 and most of these is composed of A3 messages so this tells us that this part must be some kind of handshake and this part must be the date transfer and that the part we are interested in. So we can find some kind of sequence number in each of these data messages and goes like it is goes the 0123 up to end of file and that is cool. And now there is only one thing missing because each serial protocol need to have some kind of checks to it in order nor both sides to validate the data got from side to side and this is it. (indiscernible) that is our checks and balance. So we would not find anymore problems so we figured out that everything is analyzed. So all we have to do now in order to get data from it get rid of handshake part and take a look at the data part and then again get rid of all the serial protocol related bytes and put it together. Guess what it is the same old serial blob. All these devices all these firmware utility update take this blob and pass it to the device on the serial cable. So again, this got us -- everything is happening inside the device so next step is only step is we failed, to open up the device so that what we did and looks like this under the hood. Now our first impression of this we are software guys what are we doing looking at something like this. This is lot of electronics in there. What can we find out from this and we felt depressed and it and went to the bar opposite of our office and had a few shots and then you know we said we might not be hardware guys but we try and find out what the chiefs and maybe they will give us a view about what is going on now, is this firmware actually being processed. So we did just that. So first thing we noticed is there are two big chiefs over there and we know nothing about it. It is the vendor name on them and just judging by the amount of pins we think they are (indiscernible) but we don't know anything more nana so. So they are just big light boxes to us and the other thing is (indiscernible) called PLD which is programmable logical device and what it is just if you programmer you open up the UI and design your own logic severe and burn it into the chip and the chip runs the circuit. So we know it is PLD but we have no what is logic is running inside it. So you can say that is another light box for us. And then we kept ongoing and we found something we know. That is memory. 2K we know what it does you write stuff to it and read stuff from it and also connected to something called (indiscernible) which again, know I remember from any University days something about flip-flops and but at this point I have no idea what it does. We just left with one chip over there which turned out the be the most interesting chip of them all. That is (indiscernible) processor for those that are not familiar with this, that is advance version of 8051 and intelligence based chip and actually runs intelligence 8051 assembly which is easy to learn and thing is this the really common in the embedded world. You can find these chips from anywhere to toasters to space shuttles. It's really that versatile. So okay. We now have everything mapped and now we need to understand how the firmware flows inside the PCP. So we know that it goes into through this port and goes somewhere into the device but where. If it goes up the 8052 chip but it can go up the basic chips or you know maybe some kind of combination or maybe chunks of it goes to each chip or maybe it goes to one chip and then to other. We don't know. That is a big mystery to us and what we did in order solve that mystery is google it up and when we did that we can find this PCP which is same KVM as we use only this one has eight ports while ours only has four ports. Same vendor, same everything. And look at it there is something really interesting about this because you see those big black boxes I talked and there are two of each. To double the ports and two of these chips and the PLD is the same. However, there is only one external ram and only 18,052 chip so this is like a big moment and we any okay so maybe this 8052 chip is brains behind this KVM and maybe this entire blog is just going in there. So now all we need to do is understand the 8052 chips being upgraded so each of these 8051 or 8052 chips has integrated UR port in them and UR again nor those that are not familiar is just acronym for universal transmit I think. And what is it is generic serial protocol and so now we just need to understand which chief pins are responsible for this upgrade process and in order do that we can just be able to do the test and we saw the UR port the connected to this chip and those are (indiscernible) pins that are used for the firmware process. 13 so now just a matter of using logic and find it out. Challenge accepted. So 30, 45 China mills shipping days later, we can finally use logic. We ordered this device a logic analyzer and called logic and what it is just does a couple of wire was clips and you clip them on the to the IC pins and then you see the electronic signals going on it and that is cool so what we need to do now is use this logic analyze it and tap those pins and just look at the signals going on during the firmware update process. So it looks like this. We connected to export and other ones just ground so we can differentiate ones and zeros and doing that we opened the logic (indiscernible) and took a look at that results and that is what we see. We have packets going from the UR port and to the UR port and if we Zoom out of this picture we can see a pattern. These lines are going to UR port and these are going from the UR port. It is serial protocol right. So now what we need to do is take all these signals and put them in the right order and then we can see a serial protocol going into the UR port containing the actual firmware right. Does that look familiar? Yes. That is the same serial protocol that we just saw before. So what's great failure. What can we do now. We did everything now. Now we need to open up the chip and we don't like messing with chemicals and stuff like that so we at this point thought that is complete failure, but then we give it second thought we said, there are something now that we know that we didn't know before. I mean, before that, this big blob we doing know what it was being translated into it was complete mystery and now we kind of pretty sure this is being translated into 8051 assembly because it goes into the 8052 chip so if that is the case then maybe we can some time (indiscernible) ourselves and get the firmware. So I'm not a big code breaker but I do know one good code breaker his name is Lior and he's a bit mad. But that is okay so I went to his office and gave him a promise of the vegas ticket and got him to joint the project. So please welcome LIOR. (CLAPPING) >> Thank you. So let's do recap of what we already know. So again as he said this blob is translated into 8051 something. That is our assumption and also this translation is happening somewhere inside the 8052 chip. So all we need to do is break this and this is not encrypted or compressed so sort of (indiscernible) scheme so we need the break the (indiscernible). Challenge accepted. So this is same blob as before so now let take a look at the end of the blob, you see in yellow the blob we have (indiscernible) 53 almost to the end of blob and you think well this might be like zero (indiscernible) at the end of the firmware which we know is coming but for us 8051 was the same operation. So all we need to do is take the blob and start with 53 and then we get this and maybe this is it or I don't know. Let's take this blob and open it. This is what we get. So at first it looks like really good. I managed to disassemble all the (indiscernible) but if you take a closer look you see that something is wrong. You see the last two lines are move A coma R6. It is twice in a row. Maybe in 8051 you need to do everything twice in order to make sure it is happened. I don't know. But you notice something here is wrong. So we took another binary and (indiscernible) 8051 and we got the same picture. (indiscernible) so we have this strong assumption of what is going on here but just to make sure we took these picture of the cat and we opened up and guess what the same thing all over again. So then we realize that if you believe hard enough, everything can be 8051 assembly. But doesn't help too much so we are back to your blob. And we decided to keep this operation because we thought that it is moving in the right direction. (CLAPPING) What is happening here? So moving in the right direction but now we can take a look at the last eight bytes. They are not the (indiscernible) and let's take a closer look on them. So we say what does this eight bytes mean? There are some clue left to us (indiscernible) we are safe thank you. >> I kid you not. I have somebody else's bag. I'm like, the fucking bottle is not in here and in fact none of my stuff is in here. So I have a bag for sale. (laughter) we will be right back. >> Okay. Try to keep going. So is there a clue that someone left us? I don't know. But at first we thought this might be some checks and error correction so we took these bytes to calculate the checks of the blob and also the CRC and some other logarithm and none of them were a close match to our byte. So as far as we know it is not some sort of error correction. And then we thought well, right until now we only analyzed is single version like the one that came with -- the single firm versus but a we know the website there are many more so we downloaded some of them and let me show you this table of the bytes of many different versions. And you see that this numbers are not random. Like, you see that A1 byte repeating 70 times so not random. So we are thinking that this byte some how represents some data but again it is opposite so we can see what it is. And then our moment came and we decided to take these -L bytes and release them next firmware versions as stated by the vendor. And then we saw some pattern forming up here. Like you see this byte like 99 -- 99 up here is three times in the first row and also three appears three times in the corresponding firmware versions and number A1 appeared twice in the second row so could be the four or one appearing twice but it is the four but why because it is consistent throughout different versions. So we did some work and found the mapping between every value from the eight byte and the corresponding digits and then we like we didn't know what to do with it and then we thought like let's take this value and also see their presentation. So (indiscernible) value and you see here there is this constant portion of byte which is like constant and also there bits in the middle that keeps changing and not only changing but they are incremented. They are following those over the counter. The counter in the middle of the bytes is weird so we thought maybe we should be like rotate the entire byte three positions to the right and the counter will move to the right end of the byte so we did that and then we got these values. And I guess that most of you will recognize these values but for those that don't, those are as key values, they are the same -- they have ASCII values that we want. They are mapped to the digits that we found earlier. So now we know that these are portions and sounds good and do the operation on the blob and when you do this you get the blob change and now we actually have like string and I don't know if you can see through here but there are strings and looks like a basic 64. But you she looks really good but the sequence of the byte is not correct so let's take a closer look on this one. So this is 24 byte from the string. Here they are. I will try and continue. So it is 24 bytes like string and it is divided into eight byte chance and what do I mean by that, some of the characters are misplaced but they are only misplaced within their own chunks so let me try to explain this better. The A, the I and the Q in the first position are in the correct position. So just move this down and the GOW should be moved to the second position. And the CKS third position always in the correct position and from there on, that is it. We found (indiscernible) which fixed the sequence of the bytes in the strings so let's take these table that we found outand operate it of the entire blob and guess what, we managed to break the (indiscernible) and got meaningful 8051 assembly. (CLAPPING) thank you. >> Guess what, we have a tradition here at DEF CON for first time speaker these guys got in it. Seems like they are doing well. You guys like this talk? >> (CLAPPING) >> All right. To DEF CON, to the new speakers and all you knew attendees. (CLAPPING) good job. Wait. Hold on. Yep. That is what it is. >> So it is assembly with loops and control so we know that now that we break -- we succeeded in breaking the (indiscernible) so now let's have some fun. So we know how two break the scheme and we can now design our own custom firmware and implement our key logger inside it and up load to KVM but first we need to (indiscernible) so we need to learn some 8051 assembly. So for your convenience we did the review. So on the plus side it is very easy to learn language and even many students are learning it and has only 40 instructions on the downside I don't know if it is a compiler problem but some functions are not really functioning. You see the code jumped to middle of the function and doesn't do all the logic it is supposed do and really hard to reverse and those there is just a single memory (indiscernible) and the firmware keeps a back up and restores the register and causes code mayhem and it is hard to reverse, and in the end the register keeps on changing and it is happening because of the register banks and so it is like regressing between different banks and you need to keep the value of the register so in the end we decided to give it one and a half stars of the five and we appreciate their effort but (indiscernible) much better so we will stick with this one. But now let's take a look on the actual code so these are taken from the this the visual representation of the main function so let's take a look in it so this part is responsible for heat sparing. Heat is the (indiscernible) and responsible for passing the inputs from the keyboard and this is part is responsible for the (indiscernible) he is handling. You see -- you can like press some keys and it will change the ports and this part on bottom is responsible for left control (indiscernible) of the operation it is change the light in the keyboard so this part is responsible for that. And this is interesting part, this part is responsible for the keyboard emulation and why this is so interesting at first we thought (indiscernible) the key logger, it's pretty like sounds (indiscernible) but now we know that KVM is responsible for keyboard and not only read the keyboard inputs but type the computer its own key strokes and implement some sort of rubber duckie (indiscernible) on each and ever port so let me show you scenario where we can use this ability, with this malicious KVM. So let's say we have internet connected network and also a area connected network and say this security experts spends hours in creating secure connect ability in the network to prevent any misuse but in the end the users that computer. And each of these computers need to have a set of keyboards mouse and screen. And the user is upset so creates this mess on his desktop and the purchasing department and ask for a KVM and they give him one and connect KVM to the network and now you only need one set of keyboard and mouse. And what would happen if this KVN is infected with our malicious firmware. Say this malicious agent can wake up in the middle of the night and start typing things to some computer and you will say of course this computer is password protected but I will ask you, who do you insert your password to the computer. Using keyboard which is connected to KVM so we know the password. So we can log into the computer and type some command which who download into the computer and now we have (indiscernible) over this computer and you can reboot your computer and you can format it and change it completely and we can still effect you every time we want from the KVM. But that is not it. Our malware can type itself to the memory space of the KVM and from there the KVM can change port to the computer and type the malware back and now we have two malware on each of networks and using the KVM we can connect these two malwares and back to CNC server on the internet. So the CNC server can control using the KVM and the malware inside got the computer and you see this breaks segregation of course so I want to show a quick demonstration of this scenario. >> So what you should see on your screen in a second this guy can code break but can't connect. Just a second. Can you see it? No. Okay. So what you see on the screen that is supersecured network computer. The most difficult part of our writing this malware KVM is to transfer the file from the internet computer to super secured computer so LOIR had the computer over there and he will just start our malicious KVM in just a second. No hands. So what we're doing now is starting a neat trick of creating a certificate of base 64 sting and then using the certified to decode it again and make it binary. So we're typing the binary file that we want to transfer from the computer to the supersecure network and this would take a few more seconds. Twenty minutes, we have time for that? No. So interesting thing how do we do the up link and the thing is we use the keyboard for that. The keyboard (indiscernible) is some space in it that we can pass bytes back and forth and you know there is more than three like five because two of them are Japanese so we have spaces and we can transfer data back and forth from the computers with the KVM. So that is what you see here. And it feels like it's going to end. Just about now. Do you have any jokes? No, ran out of jokes. (indiscernible) that's the end of it. And that is it. We encrypted the file and our certificate and (indiscernible) decode it now we have a binary file and we run it. That's it. (CLAPPING) so the KVM can do one more thing if it works. Hey that is our presentation. So a lot of you guys are asking you needed to have physical access in order do that and the answer is yes. Our research our POC used physical access and there are two things attack factors that are possible during this scenario one of them is give me 30 seconds alone with your KVM and it will be hacked and you can attack the supply change and we have known some incident where this happens and other thing is we use the KVM that didn't have update over internet but the same vendor and lots of others have those so this can be upgraded using IP and then can be attacked remotely and some of these KVM have web menus that let you do the firmware upgrade process and they are password protected but you know KVMs are not expert proof. Just googling it up we found all of these CVEs that are related to KVMs and broke the web menu and let you up load your own firmware so these can be done remotely. And what can you do? I mean, well first of all know your environment. Sometimes you don't really have to connect the KVM to the internet computer that is supersecured network so just know the vulnerables. The can be done. We just showed you this. So if you can avoid it, then please please do. And sometimes of course you can't avoid this and when you can't avoid this you have this creature called secured KVMs and they are military grade KVMs but I know no one that uses them because they cost like 10 times more than this here but you know sometimes it is money well spent I think you are not convinced of that and the last thing is just be innovative. We just sat in our office and said what can we do in order do that and we saw one presentation here that kind of maybe solved this problem and what we did is like install agent on each desktop and it can small key logger and just checks stats of key logging so you know the thing is we heed the type a lot of key strokes fast and same as a lot of over stuff and the stats change and we see the user is not using backspaces or the difference between the key strokes are small then we know something is going on and all we need to do is pop up this message box which will mess up the entire process and will make our job a thousand more times difficult so not a perfect solution but it is a cool thing and you know I guess we can be innovative. And that is it guys. Thank you. Any questions? >> (indiscernible) >> That was a regular USB keyboard but could work on every keyboard. >> (indiscernible) >> So the question was if we use like a keyboard smart card would it still work? The answer is yes. If you need to log on to computer with a smart card it will prevent the attack but if it is password protected we know that so we can log in as the user. Anyone else? thank you! (CLAPPING)