
KeySweeper Lab

BSides Peru · 35:28 · 511 views · Published 2015-04
About this talk
Hands-on workshop on building and deploying KeySweeper, a device for intercepting and decrypting wireless Microsoft keyboard communications. Participants learn the technical fundamentals of keyboard RF protocols, assemble a functional sniffer using NRF24L01+ modules and Arduino, and explore extensions like key injection and cellular exfiltration.
Original YouTube description: KeySweeper Lab for SteelCity InfoSec @HackPGH.

Table of Contents:
00:00 - Introductions
01:52 - KeySweeper 101
02:15 - Technical Summary
04:21 - The Packet
07:12 - Time is Money
09:24 - Key Down
10:44 - Software
12:50 - Lab Time - Kit Explained
16:31 - Downloads
17:18 - Build Reference - Serial Connection
18:31 - Build Reference - NRF24L01+
20:00 - Build Reference - Arduino
20:24 - Watch The World Burn
21:19 - Demo
26:09 - Kit Enhancements
Transcript (en)

So let's get started with the presentation. So, KeySweeper. Quick disclaimer: please don't do stupid things with this. You can intercept Microsoft keyboards with this; you could get in a lot of trouble. Yeah. Who am I? I'm John, I like computers. Quick shout out: so Samy, I don't know how to pronounce that last name, but this guy is awesome. So you might know him from MySpace, he did the Samy worm, so if you ever saw that on MySpace, that was him. Actually shut down MySpace servers for a period of time because of that. I think he went to jail, but then he came back out, now he's a good guy.

Right, so good guy. He's the one who actually put all this code together. He used a bunch of other people's research but he did a lot of novel stuff himself, so I want to make sure I thank him. Links to all of his stuff. Also Brian Gray, Kevin Cody: Brian right here, Kevin back in the corner. These guys were awesome, they helped me out with this. We were here over a month ago trying to put this thing together, making sure it works. Kevin's been doing a bunch of work with this, and we'll get to it at the end, but some hoarding stuff and being able to do key injection, things like that. Brian did a lot of

the initial technical work, the components. He probably made this kit 20 times over at least, so big thanks to both of those guys. You'll notice that some of the videos are coming from these guys too, and the code is mostly hosted, posted by Brian on his GitHub or control u dot net or whatever, yeah, that's the website. So thank you, you guys. So start downloading it. Seriously, it's not a virus, I swear. But if you are planning to do this lab and you have a laptop with you, please start downloading that stuff. As has been mentioned a couple of times, if you're using Linux, the FTDI drivers, we have found, or well,

I'll say Brian has found, are mostly already in there, so that shouldn't be a problem. Yeah, so KeySweeper 101. So this is mostly out there as a reference for you guys. These are links to different parts of Samy's presentation, reviewing different parts, analyzing different parts of how KeySweeper works. This is his stuff. I'm essentially just going to summarize this for you so you don't have to go watch his 28-minute-long presentation; you can watch my 20-minute presentation instead. So a real quick technical summary of what's going on here. So the first thing that these guys did is they did a little bit of intel,

figuring out (can I get one of those?) just trying to figure out what these keyboards use. And it's not just this keyboard, although we have three of them over here; this is just a great example one. There are multiple Microsoft keyboards that are filed under this FCC ID, right, and this FCC ID, if you look it up, and it's printed on all the keyboards, you can find out essentially what it's going to be using on the airwaves, so you can find the exact frequencies, 403 to 480, right, 78 megahertz. And then they went a little bit further and actually ripped the thing apart, and they were able to find this energy1h

chip inside of it. So that kind of gave them the starting point for this whole project. Then we've got sniffing on a budget. So how they kind of wanted to address the question of how can we get promiscuous mode in a small form factor for cheap. And this one guy, Travis Goodspeed, did an awesome write-up on this, and Samy used his research to do a lot of stuff and improved on it a little bit. But so the problem is, with these nRF24L01 buses, you're going to get the MAC address ripped off while you're receiving it, so during RX it's going to get ripped off,

and there's a great explanation at this link why. That's actually specific to Ubertooth and Bluetooth, but it's very similar. So essentially the MAC is used as a way to synchronize a little bit, as a field, and so it kind of gets chopped off by the chip itself. But Travis Goodspeed used these five tricks and was able to get these really cheap, less than a dollar a piece, nRFs to sniff in promiscuous mode and find what the MAC address is. So the tricks they did was: limit the MAC, disable checksums. You know, you can kind of look into this stuff for your app, and I'm going to explain it a little bit

on the next slide. So here is an example of what's called a packet. Right, here's an example of a packet going from the Microsoft keyboard to the little USB stick that you put in your laptop or whatever. Right, so under normal operation this is kind of what you got, right? So there is this noise, right, so kind of unimportant, but I've heard references that it actually is important, that it has to be 0. Well, I've actually reached out to Travis; I don't really have clarification on why 0 isn't important. But so this preamble, and I'm not going to go into all the details; if you want all the details

you can just ask me later. But so you have a preamble of either 55 or AA in hex, and that's because it's either 1-0-1 or 1-1-1-1 or 1-0-1, I don't know, because they just kind of need to find the right gauge, you know, off, on. And then you've got this MAC sync field, so it's five by five sections here, and you'll notice that it starts with CD; that'll be important later. And then the payload. So whatever, that's the payload, that's the actual key that's going across, and some other stuff, some headers or whatever. Do you need a seat, Brian,

over there? Oh, we're good, okay, sorry. Yeah, we have a couple more seats out there if we need to grab them. So anyway, so this is normal operation here, right? So all you're going to get is the payload; all this stuff over here is going to get truncated. Now here's essentially what they were able to do with manipulating this device a little bit. So they were able to abuse (you see that, that's pointing off the chart here) they were able to abuse background noise, which is really cool. So they noticed that if you just sniff you get a lot of zeros and a lot of F's, so, you know, a lot of nothings and

a lot of somethings. And then you also got a lot of A's and a lot of fives, and all four of those are important here. And the reason they theorized why they got a lot of A's and fives is probably like a clock, on, off, you know, just keeping time or whatever. They got this feedback and that actually was very helpful here. So you got this preamble, which is going to be that on, off, on, off. And then they set the MAC address, actually illegally, to two sections. Typically it's supposed to be three or five; so in the spec it actually says three to five, but they

were able to get it down to two, which helps them do the rest of this. So they set the MAC to the preamble, which is that 0 and then the AA, which is normally preamble but that's what they get from noise. And then everything after the MAC sync field the device thinks is the payload, so you're now capturing the actual payload and the MAC address. So you essentially have promiscuous sniffing on this device now, so you're able to grab the MAC addresses, because typically, in order to listen to a specific conversation, you need to hard-code in the MAC address. In here we got

promiscuous mode and you could find out what the MAC address is, stuff that's going over the airwaves. So really, really cool stuff. And then we've got thomas mike; I'm not going to hit all these points, like I said, we can talk about it later if you want. The key one here is, again, you'll see 0xCD. The MAC of Microsoft keyboards is always, in double quotes, starts with 0xCD, and that's really, really important. And all of this other stuff is ways that Samy was able to tune this thing down to make it more efficient, you know, using smaller bands for searching, only using the AA preamble instead of the AA/55 preamble, stuff like that.

So these are all improvements on what Travis did. And now we're going to get into the video. So we've got these packets going across the wire; you're using your keyboard and, you know, the communication is encrypted using CBC with a 256-bit key. So like most of you would say, like, blue crap, it's pretty strong, it's pretty legit; like, how are we going to break this? Well, it's actually XORed with the MAC address; it's not really as encrypted. So for most of you guys that know, if you're just going to do a straight XOR, that's marginal security unless you're doing something like a one-time pad where we

have a huge key; like, it's marginal security. So what they do is they XOR with the key, and the key is the MAC address. So they're XORing the plaintext with the key and they're getting their ciphertext. Now this is susceptible to something that's known as a known-plaintext attack. So if you have the plaintext and you have the ciphertext, you can get the key. All you need to do is XOR the key with the ciphertext and you get the plaintext, or, I'm sorry, I take that wrong, but you could also XOR the ciphertext and plaintext and get the key. That's the inherent problem with just doing XOR: if you have any two of the

three parts you can get the other one, just with XOR. And then you've got the HID code, and the HID code, I think it stands for human interaction device or something like that. Human interface? Human interface device, yeah. So that's the code; that is the table, or the values, that the keys map to in hex. And you'll see, because it's 0xCD, which I mentioned before, we don't actually need the MAC address to be case, and I'm going to show you that right here. So this is a packet, this is an actual example of a packet. So you've

got this four section right here, this is essentially the header. And then you see in the middle, so ciphertext, key, text. The key is just the MAC address going over, CD CD CD, just repeating over and over and over, and XORing this plaintext, which, this is the juicy stuff right here, and then you're getting the ciphertext. And this is what we actually see over the wire, right; you're actually seeing the ciphertext over the wire. But because of how this works, so the CD, it always starts with CD, right, and because of where the HID code sits, as far as an indent goes, it's always

going to match up with the first repeat of the MAC address, which is CD. You know, it's always going to be CD. So you know the key for the hex that you actually care about, the HID code, is going to be CD, and then you can obviously see the ciphertext because you're sniffing on the air, so you can get the plaintext right off the bat. So it's kind of funny and it's kind of sad at the same time how bad this is. So yeah, I just want to focus on that. And then you also notice that the checksum is blank, because the checksums are optional and they just turn them off.

So the software. So the software is originally available there; that's Samy's GitHub. And I want to make this clear to everyone who's putting together a kit: by default these kits allow pickup by other kits. So if you are intercepting and storing things on flash and someone makes one of these backtracer devices and comes near your device, your device is going to give everything to this other device. So that just means if you're going to use this stuff, be careful, because other people could technically pick it up. It's made by default; you can disable that, but that's how yours are flashed right now. If you want to re-flash them you can do that,

but that's how all yours are flashed right now, because it's mostly default. And essentially all it's doing is using this other pipe and it's looking for this sniffer address; it's just something that's hard-coded. And then if you set up a backtracer, which is a pickup device, it's going to essentially use that. It'll just go around and pick up all your keys. So it'll both: if you have stuff in flash, it'll just iterate through the flash and dump it over to this backtracer, but it'll also shoot them, so as it's getting them live it'll shoot them over to this pickup box too. So you

could kind of do a mesh network where you can just, like, repeat things over, for example. And then so one of the problems that we discovered when we were trying to do this and just go straight from his code is that there's a lot of assumptions of libraries, and we weren't sure which versions or which libraries he was using. It just has an include statement: here's the name of the library, you know, good luck, go find it. So Brian, my man over here, went out and found them all, put them in his GitHub, and so now you can just git clone his GitHub and you've got all the libraries right there. It's great. I mean, I did it

straight, like git clone this GitHub, and then I flashed on there; it worked beautifully. So it does work perfect. So thank you a lot, Brian. So that's just a quick summary of how this thing works. I didn't want to take too much time; I just wanted to explain how this stuff works. If you want to talk in any more detail about any of those specifics, first of all you can get to these slides with the QR code, right, and then just ask me questions off that, or ask Kevin or Brian, because I think the three of us are pretty solid on this stuff. So let's go on to the lab. So

here's our kit. So I'm going to just, well, no, I don't remember. So you got the nRF, which is the chip, yeah, this chip, the one in the ESD bag. So this is the one that actually does the RX and the TX, the transfer and receiver. And one thing that you should note about this is that we found it to be somewhat fragile. I haven't found it to be; mine works beautifully. He had burnt like three of them in a row. So all this to say is, before, make sure you have solid contacts before you plug it into the USB. Don't have

something hot and try to muddle around with getting this, because that variability in the power, I think these things don't handle it very well. The W25 flash chip, right, so that is just this one-meg little flash thing. We're not going to be using this today, but this is a super cheap, like 50 cents or something, expansion part for more local storage. It just gives you a meg so you can store more stuff locally. The reason why we're not using this today is because it requires like two-to-one connections and that makes it a lot more complicated, so we left this out. We have done it; I have

pictures of it, and so we can talk about that if you're interested. Five-volt charger, which you took out. Yeah, so that is this charger. This charger was chosen specifically because it just has a nice little Phillips screw in it, and you can just unscrew that, and then on the opposite side there's a little hinge. So lift this side up, and then the side where the charger, the USB, is has that little hinge you can pull right out, and then inside there you'll see that there's just a little bit of epoxy in the back. You just break that off, it'll come straight out, like on the shelf, it's

really easy to pick up. Then we've got the Arduino Pro Mini. This is the brains. I don't see it in here, that's right, yeah, so that's the brains. It's an Arduino, it does Arduino things. The USB-to-TTL FTDI, it's this cable. This is how you're going to interface. So this is both how you will provide power to your Arduino and how you will read the serial coming from it. So this is how you will know if you got a lock. You have to have that serial connection and provide that power for our demo today. If you want to try and stick it in one

of these things, you would provide the power from here and you would just be banking on the back of it locally or send them out via SMS; those are the things that it captures, and then a bunch of other stuff. So you should have 24 inches, two feet, of solder. So you'll see all these soldering irons around here. That should be more than that; I did it with like eight inches on the first time, so not very efficient, I did it with eight inches. So 24 inches should be way more than enough, and if you need more, I've got like more than a pound, or more than half a

pound, over up here. Some pin headers; we can explain that, there's diagrams later explaining how to use those. Solid-core wire, which makes it a little bit easier for that pin-through-hole soldering. And then a clothespin. So the way that we, and this is actually Brian's idea again, we're recommending to use this is for some of the soldering. It'd be great if you can afford helping hands; it's not here, but you know, we don't have 20 of them. So instead you can kind of use it to hold up, like, however you can get it to fit. I'm sure you can get it sideways, but

I don't like it in my hair. So get these to fit up and get the nRF to fit up, and so you can kind of get a better angle when you're soldering, and that's essentially the purpose of the clothespins. That was like a last-minute addition. So downloads. Here's the place to git clone, FTDI drivers, and the Arduino SDK. The Arduino SDK is what you're going to be using to interface with this, to flash it if you're going to flash it, but also to pop up in your serial monitor. Every Arduino is verified functional, all the ones that I can tell, at 115200 baud, and that's going to

be, it should just do it by default. However, some of the other people that helped us out, Kevin O'Brien, saw that on the 57600. So if you're having problems or you're seeing garbage coming from it, try to pop up the 57600, see if that fixes it. I personally tested these like last week, every single one of them, making sure they were flashed properly and that they would go through the channels properly, and they all worked at 115200. So all right, so the basic build, and this is going to be, this is more of like a reference for you guys to use on your laptops, but so it's already flashed,

but this is essentially the way to connect this FTDI, this thing, to the Arduino. So these colors are the colors of the FTDI; you can see at the end there are four different colors, and then you'll connect it to these pins on the Arduino. And you'll say what pins, because there are enough, and I provided them to you, so you'll see a four section, don't break that, it's just a little bit easier to have it as a four section, and then there's a single. If you lose any of those, I have like 400 of them up here, so I can give you a replacement, but I try not to lose them,

but they keep breaking off for me. So yeah, so I tried to give short descriptions on the ones that aren't as clear: TX, RX. Yeah, if you have any questions at all about this, please ask, because if you start doing things backwards you could fry the board. But it's going to be hard for you to see, but there's a reset switch on these, right, it's just a little button. The opposite side of that is where you're going to be doing this stuff, so the opposite side of the switch, and I mentioned that down here, opposite side of the board from the reset switch. So the second step: if you were

going to flash it, that would be the first step; this is the second step. This is going to start soldering. So you're going to want to wire up the nRF. Again, the nRF is the one in the ESD bag, has eight pins, yeah. So I provided wire and we gave a mapping of what wires should go to what pin, just to make things a little bit simpler, because if you're using all the same color it's hard to tell; you have to visually trace it every time. So these labels should be on your Arduino, or, I'm sorry, on the nRF, I'm sorry, yeah. These are what the

functions are on the nRF, these are the pins on the nRF, and if you flip the nRF around it actually says like one, two, three, four. The one pin has like a square around it, I think, or a circle or something, yeah. So that's how you can know what that is. If you have any questions about which one is which, don't just start soldering; just ask a question to me, Kevin, Brian, should be good. Excuse me, go ahead, turn on your soldering iron so they're heating up; it takes them a while. Thank you. And if anyone does not have a soldering iron and has a kit, be

friendly, find a friend. Sorry, we don't have 20, unfortunately. I have one if we really need one, I brought mine, but mine's like way crappier than these ones, and there is one more up at the station over here if somebody wants to stand over there and do it. Where is it? Thank you. I can't cook it. So here's the third step. So you're going to connect the wires that you just soldered to your nRF to the Arduino Pro Mini. Pretty straightforward; this is through-hole soldering, pretty easy stuff. This was like pseudo my first time soldering and I did it on the first try, so like it's not

very hard stuff. It is hot though; don't burn yourself. I hurt myself. And then you're going to watch the world burn, so you're actually going to lock onto a keyboard and you're going to be able to decrypt keys. We have three examples over here; I'll plug one in and start typing or whatever, and you can see if you have a lock. So you're just going to power the Arduino, connect via serial, you're going to pop open your Arduino IDE, which is the thing you downloaded before, and then you're going to open the serial monitor from the top right. It might just have this symbol, but if we mouse over it will say Serial Monitor. All right, click

that. And then we have a how-to video as well, which this guy is seriously the man for. He used that GoPro there and put it right over; he went the whole way through, A to Z, made one of these, and there is a video. It's like eight and a half minutes; fast forward through the boring stuff, and it has a demo at the end. It's awesome stuff. Like if you're not clear and you can't go to one of us, or you want to do this at home, this video is your tool. So that's it for now. We're going to do a demo, we're going to do live a

little bit later. Demo: I want to show you guys what this will look like at the end. So here's mine. We've called it the heptapus because it kind of looks like an octopus but it only has seven sides. So I have a Microsoft keyboard turned on and plugged into my laptop here. So it's just typing keys, and it wouldn't matter if it was plugged in here or plugged into someone else's; I just didn't have anyone else to plug this into. And then I went in here, and so once I open this up, you can't see this, I went to Tools and Serial Monitor. That opens this up,

and essentially we could reset this if we want. I'm not going to risk it since I know I have a lock. And what I did was I just held a key down, but you don't have to hold the key down; you just have to be essentially using it. And it's sending these signals across and this thing is going through the different channels and it's trying to get a lock on what channel, or what couple channels, this thing is working on. So you can see

there we go, so T. It was just working four seconds ago. So it gets a little bit sketchy because it is over there. T.

That's actually not what I typed. All right, so it gets a little bit sketchy sometimes if you have RF congestion on the 2.4, because this thing's just listening to a certain sliver of 2.4. But there we go, see, it's working a little bit better now; I just got cast off of it. So this thing was talking over the wireless and my KeySweeper picked it up, got a lock on it, and it was decrypting it in the stream. So like if you see someone putting, like, "password" and s-w-o-r-d, you get the password. So that's working, yeah, so it actually worked. And then you can see, so I just reset it, and you'll see this

is, it's going through and looking at potential keyboards and trying to pick out what this keyboard is. If I just press this key, it should lock onto it. It really only needs one packet to lock on, and it should take less than a minute to do. One of the other interesting things is that it's actually in the code; it said once it gets a lock on the keyboard it actually uses that channel first the next time it works. It'll stay there, and it'll actually wait longer on that channel just so it doesn't have to search again if it doesn't have to. Here we go. Should we go live again? Space, space, T, E, S, T,

I, M. Got every single letter first try, locked it on from a first reset. This stuff works, so that's pretty awesome. So, Melissa, the story is, if someone comes up to you and says, can you hold down one key on your keyboard for like 10 seconds? No, so suspicious. No, no, so this is actually, so it scans each channel for I think like 200 or 500 milliseconds each. Yeah, 500 milliseconds each, and it can bust through all the channels. So as long as you hit a key, this thing would only scan, and it would probably take, let me type an email; if you're using it for five minutes you're going to get picked up. Okay, so you don't have to

hit download, but you actually are actively using the keyboard. Yeah, as long as someone's actively using the keyboard, it'll find that and lock onto it. Yeah, so you don't have to press the key down; that's just to make sure it doesn't do like three rounds through before it finds it. Which, realistically, if you're going to use this as a drop box, who cares if it takes three rounds to go through? You might miss a couple, a password or something like that, but sure, you're going to get it in the long term. So when he says go through, you'll see it; it'll say channel two-three-oh-four, or two-four-oh-four, five, six, seven,

that's literally gigahertz. So it starts at 2.404 I think, 3, 3, and then goes to 4, 5, 6 to 80. Let's see, so I just went to a new channel, to channel, my channel, the shorter ones. All right, going to the next channel. And what Samy did, he went to the FCC and said what's this thing communicate on, and Microsoft's label for the nRF says it goes from 2.403, or 03, to 2.480. So he took just that swath and it's going through each one of those. Yeah, and that's an improvement he made over Travis's research, because Travis was doing something like a hundred and eighty

channels or something like that, or 128 maybe, and he spread it down to 78. So I'm going to unplug this so I don't short it on accident. So by default the code, if you grab it directly from Samy, the code actually does more filtering than we do on this version. You wouldn't normally get all that noise that's going through; that's something that makes it a little bit easier to make sure that it's more

some enhancements to the kit yeah thank you a couple other things i want to run through so some enhancements to the kit um and some other demonstrations so at the end of this and you guys probably saw this before it um it showed uh an overlay of brian's hands typing in what he was actually going to which was the meetup page for still city and then the screen for the serial and you actually saw him typing in the password for chancer which is one of our best and most loyal uh um attendees so um and so that's these typical keyboards which are unencrypted there is a very small subset of microsoft keyboard that are aes

encrypted that still use the same spectrum so uh and actually so this was kevin that picked this up so he picked up a keyboard was like this is gonna be great and he finally got a lock and he's encrypted so this is what an encrypted keyboard would look like with the key speaker so you're still gonna get a lock on so you see if you don't do this stuff you just gonna lock and now he's typing so every time he press the key you'll see it scroll but there we go aes encrypted keyboard found locking on every time you press the key you can see it's going through but you're just catching the encrypted garbage so there actually is some aes

encrypted microsoft keyboards uh but they're a small subset and they're relatively uh rare and actually he said they were more expensive than like the cheapest uh actually yeah sorry there's 11 total wireless keyboards on sale for microsoft right now 10 are not encrypted the cheapest one you can buy is encrypted i don't know why why yeah so so i mean good on microsoft if they're making it easier for us to get into keyboards i think that's a good thing right um so anyway so i'm not gonna go through this other one um so next steps some real quick next step so uh you have the flash um chip in there that adds an egg you can do that

this is actually what it looks like this is brian putting it together uh you can see it's kind of a freaking mess like it's it's not easy there's i'm not i'm not criticizing his implementation of it it's just hard because you have these two to one connections where you where you just have to like inject essentially this the uh chip so it's kind of tough uh and then you can read up the prod i know what we can disperse around um uh so you can replace the charger guts uh which i'll hit this later but um kevin was able to find these at all these i think like three bucks a pop and they're a lot smaller and i'll show

you the next slide what the guts look like but they really um make better use of that large container for the charger uh but it does the same functions it'll still work as a charger but you can fit those other parts in there a little easier so you just like replace the guts and it's pretty good um there's other things you can do here too um you obviously power it from the charger itself instead of from the usb port uh link it to the leds so on the back of these chargers there's a little led and um so it's usually on and what sammy did was whenever you whenever you're capturing the key it blinks it turns off

so you can actually tell that it's working whenever that thing is pointing pretty cool and it's pretty like you know it's really surprising you really wouldn't notice that if it was just plugged into the wall like oh what's the blanket for like i don't know who cares um and then uh you can add sms uh but this kind of requires that you have a sim card um and then you can send it out you use the phone there's some other stuff that you can do for that uh but here's a schematic for how to do that and it's all available online it's just as you can tell a lot more complex than what we're working on tonight i want to kind

of keep it simple so here's some expansion parts so there is this breakout um so there's a this little breakout board is awesome it makes it a lot simpler so you don't have to use those four um uh four different connectors that are separate uh this kind of puts them all together it does like auto resetting and things like that so it'll push essentially push and post resets to the board whenever you're like uploading things and things like that and then it just goes over usb so all i did was um i think this is like mini b or whatever you just get a regular usb to mini b and you can plug into this

and you don't need any FTDI drivers. It's a lot simpler and it works really, really well. This thing's pretty cheap too, maybe 10 bucks or 15 bucks, whatever, plus shipping. And then there's this Spark Electron, which is this little stick. It was just on a Kickstarter that Kevin showed me, and what was cool about this one is the Kickstarter was funded, and it was so overfunded they're actually giving you two months of free data, a one meg data plan. The whole premise of this device is that it comes with a SIM card that has a plan, which is conducive to using it the way that you would want to use it, right? And it has

2G and 3G support, and that's pretty clutch. So 2G is, you know, sunsetting; it's going out probably in the next year, year and a half, that stuff's going to be gone. So the phone only supports 2G, and that's why I didn't buy one. I would have bought one and tested it, but if it's going to be worthless in a year, who cares. But then, say you can't get the phone, they suggest that if you do that you get a T-Mobile SIM card and you do their pay-as-you-go plans. But like I said, I didn't do that, because 2G is about to be gone. Then you can do

the 3.7 volt with the LiPo battery. One thing that we didn't mention earlier is that these Arduino boards are 3.3 volt boards, but they can accept, I think you said, like 10 or 11 volts? Nine volts? Nine volts, okay. Yeah, so it can accept up to nine volts, and it kind of brings it down to what's acceptable for the board, like 3.3. So this 3.7 volt battery works perfectly fine, because it just brings it down to 3.3. And then some other quick things. So, a replacement USB charger. Like I said, here's a comparison, the side by side, so

this is the internals of the thing that you all have, and this on the right is the internals of something like this. So much smaller, and it gives you a lot more room to place the other components. If you totally want to nerd out, click this link about how the power might be less than optimal with these rip-offs, because this is a Chinese rip-off of a micro charger. A guy did a pretty comprehensive analysis on why those aren't good for your Apple devices, or really any devices, because the power is just so dirty, it's not very clean. So it's a really good write-up; it's long, so if you want to nerd out, do that.

And then there's another thing: a 10 microfarad capacitor helps with some non-clean problems with Arduinos. Like we said, it kind of cleans it down to 3.3, but not all of them are perfect. If there are issues, use a 10 microfarad; it works. So you can just add it on the nRF side, between the ground and the VCC, and Brian did that on his model as well. It's pretty simple; you just solder it on once you're done, and that can clean things up there. And then I think this is my last slide. Yeah, so KeySweeper++, so like improvements on KeySweeper, and there's actually more than this that

we've kind of thought of and talked about. And a lot of these ideas are actually from Kevin and Brian, so I don't want to sound like I made these up myself. So, key injection. Samy's actually working on key injection, so, you know, taking over essentially the communication channel for these and saying that you're typing something that you're not. Remote code execution, essentially, using your keyboard, so it's pretty cool stuff. So Kevin was working on a Rubber Ducky code port. Rubber Ducky is like a device; if you look at Hak5, they do a lot of really cool stuff with all these

other devices. It does all kinds of crazy things; you just plug it in, it's like a USB drive. Then Keykeriki. So Keykeriki is a project that almost does the exact same thing as this, except it requires a bigger board, more power, two antennas, things like that. This is like a scaled-down version of the Keykeriki project, and I believe that they already have code for key injection, but that just needs to be ported. So those are the three things for the injection. KeySweeper sweeper: so actually, like I said before, you can pick up, you can take the keys that are

being sent out from the KeySweeper, or you can pull all the information off the flash chips that's saved on it, because it's just compiling with a different #define uncommented. I mean, it's pretty simple, so you uncomment that and you have a device that goes and picks it up. And this works off 2.4 gigahertz, so this works really well with parabolic antennas, which are kind of designed more for the whole ISM band, like wireless, and things like that. So you could use that, and we could do long range KeySweeper pickups, so a sweeper of the KeySweepers at long ranges, and you can

kind of just sweep across and get pretty, pretty long distances. It's mostly good for line of sight, because the parabolics will work really well on line of sight. So like, we live in Pittsburgh; Mount Washington has a great view of downtown, yeah. So that's one idea. And then another idea that Brian came up with, which is really good, I like it: so this pickup goes over 2.4 gigahertz and it's kind of dominant, like it's just kind of TX, it's going to transmit over this one 2.4 gigahertz section, and if you have, whoops, wait, I think they're going to listen to that if

you have modern IDSs, things like that. But what if you use Bluetooth for pickup, right? Bluetooth would probably be one of the hardest things to monitor, because of how Bluetooth works: it hops over all kinds of different channels that it has. It was mostly made so that it didn't have collisions and stuff back in the day, but now it's great because it's really hard to watch. You have to be locked onto a specific device and kind of understand its hopping pattern to pick it up. So if you wanted to pick up all these devices, you could set up these devices to offload with Bluetooth, go pick it up

with Bluetooth, and good luck in an enterprise picking that up. So, great idea. And that's all I got. So thanks everyone for coming out. We can hang around for a little bit longer; that guy calls the shots as far as how long we stay here. And if you guys have any questions, you can contact any of the three of us, or specifically you can just contact me and I can forward it along and try to address it myself on the Meetup page. Cool.