DEF CON 25 - Mark Williams, Rob Stanley - If You Give a Mouse a Microchip

Reddit Comments

Reminds me of the time apex got caught holding tab+delete at the end of a match: https://youtu.be/_c-N1oLADQg?
Why did I never find this talk? :S

👍 17 | u/otherchedcaisimpostr | Sep 30 2020

"...as long as your cheat isn't a known cheat and you wrote it brand new for that one, you're probably gonna be able to get away with it."

👍 14 | u/thejullus | Sep 30 2020

Just don't let players bring their own hardware, problem solved. LoL has done it like this for years.

👍 12 | u/KantonL | Sep 30 2020

Video Description on Youtube: The International, a recent esports tournament, had a 20 million dollar prize pool with over five million people tuned in to the final match. The high stakes environment at tournaments creates an incentive for players to cheat for a competitive advantage. Cheaters are always finding new ways to modify software, from attempting to sneak executables in on flash drives, to using cheats stored in Steam's online workshop which bypasses IP restrictions.

This presentation describes how one can circumvent existing security controls to sneak a payload (game cheat) onto a target computer. Esports tournaments typically allow players to provide their own mouse and keyboard, as these players prefer to use specific devices or may be obligated to use a sponsor branded device. These "simple" USB input devices can still be used to execute complex commands on a computer via the USB Human Interface Device (HID) protocol.

Our attack vector is a mouse with an ARM Cortex M series processor. The microcontroller stores custom user profiles in flash memory, allowing the mouse to retain user settings between multiple computers. We modify the device's firmware to execute a payload delivery program, stored in free space in flash memory, before returning the mouse to its original functionality. Retaining original functionality allows the mouse to be used discreetly, as it is an "expected" device at these tournaments. This concept applies to any USB device that uses this processor, and does not require obvious physical modifications.

This delivery method has tradeoffs. Our exploit is observable, as windows are created and in focus during payload delivery. The advantage to this approach is that it bypasses other security measures that are commonly in place, such as filtered internet traffic and disabled USB mass storage.

👍 7 | u/OhMyGodImSoBad | Sep 30 2020

Discussion Thread - General focus of discussion here is on the concepts, not the exact specifics (i.e. not making accusations, just discussing reality).

Fact: With prize pools entering the tens of millions in extreme cases, there now exists a tremendous financial incentive to develop extremely sophisticated cheat software for video games.

Fact: This video demonstrates that there exists technology which could enable someone to hide any such sophisticated cheat software very covertly in a place that security has quite simply overlooked.

Fact: There exists a large portion of the CS:GO fanbase that becomes irrational when the topic of cheating or cheating allegations arises.

Fact: There exists a large portion of players of FPS games who honestly believe players like Shroud have reached "godlike" skill, far surpassing the pinnacle of what we saw in previous eras, i.e. Fatal1ty. Many of these people are also largely or completely ignorant of said previous era.

Fact: Shroud and people like him stand to benefit to the order of (I believe, I've never looked into their wealth) tens of millions of dollars in income by utilizing sophisticated covert cheat software to defraud Twitch viewers or cheat at esports tournaments.

Fact: The people who would be responsible for detecting this type of cheating would stand to take massive financial losses if this type of cheating were to be discovered to be taking place at any scale. Sales of gaming accessories and hardware would decline as well as sponsors pulling out of tournaments. It would be a tremendous financial hit - it would basically be the 1983 video game crash all over again but scaled up about a hundred-fold in terms of the amount of money involved.

TL;DR: The incentive to cheat at tournaments is so extremely greater than the risk of being caught that there is no rational argument against immediately implementing far stricter security protocols at ALL ESPORTS EVENTS.

👍 7 | u/OhMyGodImSoBad | Sep 30 2020

I've been saying this for years: don't let players bring their own hardware. Even if no one has used it, it's proof that it can be used maliciously.

👍 5 | u/throwaway27727394927 | Sep 30 2020
Captions
Hi everybody, I'm Mark, and I'm Rob, and this is If You Give a Mouse a Microchip: it will execute a payload and cheat at your high-stakes video game tournament. This is going to be a talk about video games, a little bit of hardware hacking, a little bit of vulnerability research, and a lot of trying it out at home.

All right, so a brief history of competitive gaming. 1958, kind of the first video game, you know, your kind of precursor to Pong or Breakout. 1972 is the first recorded sponsored video game tournament. It was a game called Spacewar, built in the 1960s, and that was a, like, five or six player competitive game that had to run on gigantic lab computers, and Rolling Stone sponsored a Spacewar Olympics in '72, the prize for which was a subscription to Rolling Stone, which I assume was worth more back then than it is now. This is a picture from last year at The International, which is a Dota 2 tournament, and The International 2016 had teams from all over the entire world. It had a twenty million dollar prize pool, 19 million of it was crowdfunded by fans of the game buying in-game cosmetics and game items, 17,000 people were watching that game at the venue live, and over five million people were concurrently watching the finals online for the grand finals. So over 40 years esports has gotten a little bit bigger, and you can kind of see that, you know, there's some money riding on it now.

So esports events have some kind of unique security challenges. You've got these massive temporary networks that have been set up in a matter of days, maybe weeks if you're lucky, and they might only be used for three or four days, and you know you're setting them up in convention centers or in sports arenas. You've got up to a hundred or two hundred computers, or you know other gaming systems, being plugged into them potentially, and you've got hot-seat computers, so you know you'll have stage computers that are set up and some teams will play on them and then they'll get offstage, the next set of teams will play on them, and you're gonna have all these different people using these machines over the course of the day or the weekend. These computers generally require internet connectivity because pretty much every popular game nowadays has to phone home, you know, they're making sure you're not playing on your own private servers or, you know, doing anything illegal. And most of these tournaments require you to support player-owned peripherals, you know, everyone brings their own mouse, everyone brings a keyboard, they're familiar with their devices, you know, they like how they work, or oftentimes they have an obligation to use their sponsor-branded devices as well.

Computers at these events typically close a lot of kind of obvious attack vectors. You have internet access restricted, so you can't go to csgocheats dot com and download some cheats, right. Player accounts don't have admin, that's kind of a gimme. Drivers and configs are often pre-installed; a lot of times you'll have hot-swappable SSDs and every player has, you know, a storage device associated with them, so when they plug it into a computer all of their drivers and setup and, you know, everything is all good to go. USB mass storage is disabled so you can't run your executables off of a thumb drive you sneak in there, and extra USB ports are disabled, often in the BIOS and sometimes even by dumping some epoxy in there. But again, these players are able to plug their own mouse and keyboard into the computer.

So I decided to hack with the mouse. Why? I found a mouse with what I considered to be an overpowered microcontroller, and then I found out more recently that a whole bunch of different mice from a wide variety of manufacturers are using the same family of microcontrollers that has a whole bunch of extra capability that they're not really needing. And, you know, anecdotally, I think there's not really enough scrutiny over devices at these esports tournaments, just from what I've observed. Oh, we're missing an image.

All right, so I have a gaming mouse with an STMicro STM32F103CB microcontroller. It's an ARM Cortex-M3 processor, it supports their ST-LINK programming interface just to be able to reprogram it easily, it has 128K of flash memory, that's a lot of space, and I'm hoping that there's some space in there for me to add some additional code. It's got lots of buttons, it's got RGB LEDs, you know, make the kids buy it.

So the goal here is to connect to the microcontroller that's built into this mouse, insert some code that acts as a USB keyboard and, when you plug the mouse in, sends a whole bunch of keystrokes to, you know, create and then execute a payload on the target computer, unplug itself, and run the original mouse code. And like, the point here is, you know, I show up to this esports tournament, I've got my mouse and my keyboard. If I plug the mouse in and it does, you know, whatever, and then doesn't work after that, well, now I don't have a mouse. And if I show up there and I plug the mouse in and I look around real sneakily and then I unplug that mouse and I throw it away and I plug another mouse in, also kind of obvious. So we want to be able to, like, hide our, you know, code injection in the mouse and still be able to use the mouse afterwards so it's, you know, less obvious.

So, record scratch: isn't that just a Rubber Ducky in a mouse? Yes, it is. One of the takeaways of this presentation is that all USB devices have microcontrollers in them, and whether it's like an 8-kilobyte PIC microcontroller or a 1-megabyte, you know, ARM super-overpowered microcontroller, any USB device, you know, someone can open it up, attach to that microcontroller, and really replace the code that's on it with anything they want.

So these are the hardware tools we used if you want to try this at home. There's the STMicro Discovery development board, which has both an onboard ARM processor that you can use to, like, initially test and develop your code, whatever you want to do with it, and it also has some jumpers that you can disconnect that let you program any external ARM devices, so it can be used both for development and for attaching to your target device. And one of the most convenient things about these boards is that they cost like 10 or 15 bucks, so there is a very low barrier to entry to doing this kind of thing. And then you need a mouse, you know, with an ARM Cortex processor or whatever else you're targeting, you need a soldering iron, you need some wires. Software tools: these are all free. STMicro made the processor we were looking at, so we just basically used their whole suite of free utilities, and then, you know, we got into objdump at the end because we needed to be able to look inside the binaries and we didn't have the money for IDA.

All right, so we open this mouse up and we see a microcontroller. It's pretty small; you've got a mouse wheel there for size. We need to talk to this microcontroller somehow, so we're gonna go to the documentation, we're gonna find this chart that you see on the right, and it's got, you know, a whole bunch of teeny tiny text on it, and you look through it with a magnifying glass and you find out that for the ST-LINK programming interface you need PA14 for clock and PA13 for data in and out, and the ground pin. And then you get really excited, and you've had a couple beers, and you're like, I'm a really good solderer, and, you know, I used to do this in college and I had a microscope back then and really good equipment, and now I have this little, like, thing that doesn't even melt the solder, but you're like, I'll do it anyways, and you get this: those pins are real screwed up, and this was the first mouse we lost. So then I flipped the board over and I found solder pads for ground, clock, and data [Laughter] [Applause] [Music], which are the exact pins I needed, right. So the takeaway here is, if you spend 30 seconds to look at both sides, right, you can avoid nuking a 60-80 dollar mouse.

So on to the second piece of hardware, and we've got our, you know, wires connected and we're doing a lot better. This slide is more to help you along if you're following at home; this just describes the pins on the development board that you need to connect to the pins we just soldered from the mouse, so you can look at that if you want to recreate it. This is that Discovery board, we've got this ST-LINK connection jumper, you pop those two jumpers off, plug your wires into the mouse. This is our required hacking picture where we have wires, you know, exploding all over the place and some, you know, some exposed circuit boards; every presentation has to have one of these. Oh, and my highly technical insulating Scotch tape, because I didn't have electrical tape on hand.

So we're attached to the mouse, it's plugged into our, you know, programming interface, we plug it in, and it's still doing mouse things, because the manufacturer very smartly disabled things like debug and reprogramming when it's plugged in and, you know, out in production. So, good job, that was awesome. But we have physical access to this thing, we've opened it up, we've read the manual, so we know how to get it into a, you know, programmable mode. So this was a little bit trickier because there weren't any convenient pads for this, so using one strand of stranded-core wire I applied three volts to the BOOT0 pin, which there's an arrow pointing towards, and ended up actually smoking another mouse doing this because we shorted it out to another voltage line on the processor. It's a little tricky, but on the third mouse we finally connected to the microcontroller, and this is the ST-LINK utility. You can see we're getting, you know, a bunch of hex information in the memory there, and, you know, we're in.

If we want to keep the mouse working and we want to add code to it, we probably want to save this original set of firmware that's running on it. If we just pull this off and modify it and screw it up, we're gonna have to go buy another mouse, and my mouse budget is dry enough. So we're gonna extract this original mouse binary, we're gonna build an application that registers as a keyboard, dumps a whole bunch of text on the computer, saves it and then, you know, executes that program, and we're gonna find empty space in the mouse's binary and insert our application. And we're kind of just hand-waving through that whole code-dumping software, because it would be really boring to explain to you how to just write ARM code, so we're just gonna go through the interesting parts of the hack instead.

All right, so once we're connected, we're gonna open up Notepad, we're gonna type out an encoded PowerShell script which is going to decompress itself, fork, and execute in the background, and then it's just gonna delete itself after forking because, you know, we don't want to leave any traces, right. So what the mouse itself is gonna do is save that to temp\hack.bat, and that's because generally speaking, as a user, we can usually write to temp or somewhere along those lines. We're gonna close Notepad and then we're gonna run that temp\hack.bat. I think it really speaks to Mark and I's friendship that, when I was writing this hack, overall, so first off there's this base64-encoded, like, PowerShell script, and then even beyond that I actually wrote a little hexer Python script that would convert it to hex that he just dumped into a char buffer in the code itself and then just, you know, trusted to run that. So kudos for trust.

And so this is basically a slide, if you're following along at home, on basically the syntax to use for objdump to essentially adjust things and get it to basically output in the right form. And so what we're really looking for here is a nice big spot of, like, just tons of zeros to put our code in, and so it looks like we found that.

All right, so this is gonna get a little dry for a couple seconds here, but this is kind of the important information you need to know if you want to build an ARM application at an offset in that ARM processor, because they expect to start at the beginning and that's not gonna work for us. So, since we found a whole bunch of zeros at address, you know, 0x10A00 in that binary, we think, hey, that's probably a good place to put our code. So we need to edit some files to link it, so that, you know, the software knows and compiles for that location. In this flash.ld file there's actually two important things that we found. It defines the size of the stack here, and an ARM stack is subtractive, so that's both, like, the starting point and the size. When we were looking at the binary from the mouse we noticed that it had a very small stack, like 0xA70, and all the software we were building had a stack size of like 5,000, much larger, and when we tried to run our code with that default small stack size from the mouse it just completely didn't work; we needed way more space. So that's one of the values that we had to modify. The other thing is that, you know, just specifying the flash memory area: instead of starting at address 0x08000000 it starts at address 0x08010800. And then over in this system.c file we're defining the vector table offset for that same starting point, because there's a vector table at the beginning of your ARM program and that's important.

So, the ARM boot process. By default address 0x08000000 contains this vector table that I just mentioned. The very first piece of data stored there is the location of the stack pointer in RAM; again, it's subtractive, so basically, like, the size and the location all in one. And then at address 4 is the location of the entry point of your program. So that processor gets power, it sets the stack pointer, and then it immediately branches to the address at that offset 0x04. And then on the right there's this little gotcha for ARM programming: if you're doing any branch operation, you have to have bit zero be a one, or else a HardFault will be upon you, and it's just telling the processor some internal execution mode.

So how do we execute our code? We'll patch the vector table to get the mouse to run our application. We need to find the entry point of the code that we built, and fortunately, so we have to do this objdump again, do it at the memory offset of, you know, what we're running our code out of, and then we just look at the beginning of that file and we can see that, you know, our code's entry point is 801365. So we're gonna patch the values at 0x00 and 0x04 in that binary we extracted from the mouse with these new values. So on the left in this ST-LINK utility we've got that, you know, 0x20000A70 and 0x08000141, and then we just updated those two memory locations for our new code, and now we need to add it to the binary. So, using your hex editor of choice, navigate to that offset in the code where hopefully all those zeros are and use the elite hacker tool copy-paste to add all of your code into that binary. So the mouse should now run our application, and it did, but it didn't do anything else. So I plugged it in, I got this whole keyboard dumping thing, it, you know, typed out my program, saved and executed, I gave myself a whole bunch of high-fives, but then it just sits there and it's a dumb brick afterwards. So we need to make it return to the original functionality, and this is where I called my buddy Rob and he gave me a whole bunch of help here.

So overall, the really cool thing is you can actually turn basically any device into a Rubber Ducky using the process that we just described, using nothing but C code. So now the cool thing is to be able to do this kind of stuff and retain the original functionality of whatever device you're using. And so in comes some sneaky assembly usage, where we essentially need to save the state of the mouse kinda as it was before. So this is a picture of how the entire memory of the mouse essentially looks, and so, like, from the vector table down to the mouse entry and the mouse main, and the hack main and hack end and the hack entry, and then below that's a little bit of our own little data that we inserted there. So all of this is basically just, everything in red is essentially in main at that point, and so the control flow is: the vector table is gonna kick us off and it's going to hit the hack entry, which is then gonna call into hack main, and then once we're done executing our payload we're actually just gonna fall through to the end of the, you know, just into the, like, last assembly that's there, which then calls into the mouse entry point, which then runs the mouse, or in your case, if you are doing any other, like, device that you want to use, it would be that instead.

So this is just some of the assembly for what's going on in kind of each of these pieces. So this first part is now our new entry point, so when we patch the vector table this is the first thing we do. So one of the things we need to save is the address of the stack pointer that the bootloader gave to us to start with, and we also need to push any of the registers that the bootloader might have set up for us that the mouse is going to need. So for any of you that have ever, like, written a packer, done any hot patching, this is kind of how you make sure you don't mess up the state of the thing itself. Finally, we're going to load our hack entry into r0 and go ahead and branch. So now, after our application's run and we've done everything bad that we want to do, we're gonna fall through here to this jump to mouse code, and essentially this is just going to restore everything back the way it was: so essentially putting the stack pointer back, restoring the registers, loading the desired stack size that the mouse originally wanted, because we had different stack sizes, and then setting the stack pointer, going ahead and loading back into r0 the entry point of the mouse itself, and then branching to the original mouse code. And then this is a slide that just basically describes the data that kind of follows after that: these are all of our offsets and other things that we put in there. The really cool thing about when you do inline assembly in C is you can actually use labels; they're really helpful and they save you a lot of time. And then, oh sorry, at the very end we put FEEDBEEF, which is just some breadcrumbs, because it gets really annoying to find your code over and over again, so this was just to find it very quickly and it will save you some time.

So now we thought that we had, you know, everything good and ready to go. We had, you know, this whole control flow where we power on, we execute our code, we restore the processor state to its original, you know, initialized state, we branch back to the mouse code, and we have a mouse. Unfortunately, what actually happened is we plug it in, it runs our code, it, you know, our USB human interface device stops, it goes to the mouse's code, we, like, see the mouse initialization happen, and then it faults somewhere and my code tries to initialize again, and we were just getting in this, like, infinite reset loop on this mouse where it was initializing and initializing and initializing and initializing. And one of the more difficult things about this, like I mentioned, was that when the mouse code initialized, all of the debugging was disabled, so I didn't have any insight as to what was happening, and I, you know, it was basically a black box that just kept turning on and turning off and turning on and turning off. So I'm thinking, like, how can I fix this, you know, with no information, and I'm looking up, you know, how debugging works on ARM, and I'm like, well, debugging requires interrupts, and I can debug my code, maybe I can make some changes to this binary, or, you know, maybe I've screwed something up in these interrupt tables by having my code run before the mouse's code that's running. So I, you know, did a little bit of research and found out that ARM interrupts use this change processor state command, and there's a CPSIE to enable interrupts, CPSID to disable interrupts, and there's some flags for configurable handlers and all fault handlers. And at this point I'm thinking, you know, I'm using interrupts, but I'm probably using, you know, different interrupts than the mouse is using, because it needs to be able to register all these button clicks and scroll wheels and, you know, the optical sensor and, you know, some crazy high rates, so they're probably using a lot more interrupts than I am. And I'm thinking, you know, maybe it's using some of these enable or disable commands, and since I've overridden these handler flags it's actually turning off stuff that it needs. So I'm looking through and I'm looking for these instructions in the objdump output, and I find two instances where this interrupts-disabled instruction was being called, and I replaced both of those instructions with a NOP, just skip right over it, and I crossed my fingers and it worked. So that was really cool. So now we're, you know, fully up, we got a working mouse, we're good to go. So I am thinking that I was just disabling some interrupts that it needed, and, you know, now we're good and happy.

And now we're gonna try to do a demonstration. So I have this mouse right here, it's got some wires coming off of it because, you know, it makes it look cooler and I didn't bother stuffing them all back in, but we're gonna go ahead and try this. So plug it in, or you want to talk about this? Sure. So overall, you know, this is obviously very obvious; if we were doing it for real we would do some of the Rubber Ducky tricks to hide this, but this is for you so that you can see the fact that it's working, and it's basically writing it out. Some other things, you know, this is a PowerShell script, and you might be thinking, well, you just block PowerShell and boom, you're done. Well, I think that lacks imagination, so, you know, there are other vectors that you might be able to leverage by writing out, like, for instance, maybe the game's console itself allows you to type into it and the command itself, you know, has some kind of vulnerability that gets you code execution, or you write out, like, some kind of HTML and then just, you know, exploit the browser instead. There's a bunch of different vectors that this kind of technique opens up. And as you can see, he's using the mouse. It worked. [Applause]

So our little cheat demo here: if you're like Rob and you're not really that good at Doom, you can go ahead and give yourself a whole bunch of armor, and, you know, maybe you want a slightly better weapon, maybe you want unlimited ammo, and maybe you just want the kill-all button. So for a real hack, generally speaking, in an esports tournament you wouldn't go with stuff quite as obvious as this; professional gamers really only need a little bit more of an edge than Mark and I need, so generally speaking it's some kind of aim helper that takes, like, a three-pixel-off headshot and gives it to them as a headshot instead, very subtle things that are hard to find. And just a little kind of FYI in terms of, like, detecting the fact that you're cheating like this, using an external cheat: the anti-cheat technology is very much still in the same spot that antivirus is in, and it's mostly just, you know, partial file hashing and maybe a little bit more magic, but as long as your cheat isn't a known cheat and you wrote it brand new for that one, you're probably gonna be able to get away with it.

So to kind of close this out, we have more, like, thought challenges than really a conclusion. You know, can we defend against extra code in this device? You could have, you know, can we defend against exactly what we did? So you could have your application, like, look at the reset vector when it boots, but you could also have your added code rewrite the reset vector after booting. You could hash your entire flash space, but that would make it so that you can't store user modifications, like, you know, mouse DPI settings or, you know, configs that you want people to be able to save, and you could also have that, you know, added code change the hash value or even clear the flash that it executes out of, because you have the capability to clear flash memory inside ARM. You could get into some more hardware-based tamper detection; these ARM chips have some, like, basic tamper stuff, and then you can buy more expensive, like, secure-core ARM chips that have more advanced hardening features, but then you get into this cost trade-off; you know, no one wants to buy a $400 super-secure mouse, that's just too much money.

So if we're not really gonna change the mice around, or the keyboards or whatever, can we defend against this kind of payload style? You could, you know, we could get some software to only allow normal behavior from peripherals, right: if I plug in a mouse and it dumps out 2,000 characters per minute, that's, you know, probably not what it's supposed to be doing. You could try to get everyone to sign and verify their drivers and flash of all their devices; that's never gonna happen. Whitelisting executables could get you pretty far, right, you know, if you only allow the game executable to run on these tournament computers, or if you whitelist executables in your, you know, office environment, then people can't come in and, you know, hide whatever software they want inside the PowerShell. You could force everyone to use USB-to-PS/2 adapters; that's probably not gonna work too well, people like their sub-one-millisecond response rates for their mice and keyboards. And you can provide trusted hardware, right; I mean, if you let people walk in with whatever USB device they have, you really have no guarantee what's running on that, so you might just have to keep a whole stockpile of, you know, mice and keyboards for every sponsor and brand and manufacturer and whatever, and just run from there.

So we have source code up on Bitbucket, and then these are all the references we used to get through this whole, you know, process from start to finish: ARM application notes, all the ST-LINK utilities. And if there's any questions, I guess we'll be up here, people taking pictures of it. [Applause]
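Two of the defensive ideas the speakers float at the end (inspect the reset vector the core reads at power-on, and hash the flash while leaving the user-settings region out so saving a DPI profile does not break the check) worked through as an added Python example; this is not the speakers' code. The flash base and 128 KB size are from the talk; the SRAM size, the settings-page offset and the sample firmware images are constructed assumptions.

```python
"""Vector-table and flash-hash checks for a Cortex-M (STM32F103-style) image.

Added example, not the talk's code. Memory-map constants other than the flash
base/size, the settings region, and the sample images are assumptions.
"""
import hashlib
import struct

FLASH_BASE = 0x08000000
FLASH_SIZE = 128 * 1024        # 128 KB of flash, as stated for the STM32F103CB
SRAM_BASE = 0x20000000
SRAM_SIZE = 20 * 1024          # assumption: 20 KB SRAM on this part
SETTINGS = (0x1F800, 0x1F820)  # assumption: last flash page holds the user profile


def parse_vector_table(image):
    """First two words of a Cortex-M image: initial stack pointer, reset handler."""
    if len(image) < 8:
        raise ValueError("image too short to hold a vector table")
    return struct.unpack_from("<II", image, 0)


def check_vector_table(image):
    """Static sanity checks on the two words the core consumes at boot.

    Returns a list of findings; an empty list means the table looks plausible.
    """
    findings = []
    sp, reset = parse_vector_table(image)
    # The initial SP must sit inside SRAM; the stack grows downward from it.
    if not SRAM_BASE <= sp <= SRAM_BASE + SRAM_SIZE:
        findings.append(f"initial SP 0x{sp:08x} lies outside SRAM")
    if sp & 0x3:
        findings.append(f"initial SP 0x{sp:08x} is not word aligned")
    # Cortex-M runs Thumb only: bit 0 of a branch target must be set or it HardFaults.
    if not reset & 1:
        findings.append(f"reset vector 0x{reset:08x} lacks Thumb bit (would HardFault)")
    target = reset & ~1
    if not FLASH_BASE <= target < FLASH_BASE + len(image):
        findings.append(f"reset handler 0x{target:08x} lies outside the flash image")
    return findings


def code_hash(image, settings=SETTINGS):
    """SHA-256 over flash with the user-settings region skipped."""
    start, end = settings
    h = hashlib.sha256()
    h.update(image[:start])
    h.update(image[end:])
    return h.hexdigest()


def audit(golden, image, settings=SETTINGS):
    """Compare a dumped image against a known-good dump of the same device."""
    findings = check_vector_table(image)
    g_sp, g_reset = parse_vector_table(golden)
    sp, reset = parse_vector_table(image)
    if sp != g_sp:
        findings.append(f"initial SP changed 0x{g_sp:08x} -> 0x{sp:08x}")
    if reset != g_reset:
        findings.append(f"reset vector changed 0x{g_reset:08x} -> 0x{reset:08x}")
        off = (reset & ~1) - FLASH_BASE
        # Code dropped into a run of zeros is the pattern the talk describes.
        if 0 <= off < len(golden) and golden[off:off + 16] == bytes(16):
            findings.append("new reset handler sits in flash that was unused in the golden image")
    if code_hash(golden, settings) != code_hash(image, settings):
        findings.append("code region differs from golden image (settings region excluded)")
    return findings


def build_image(reset_handler, profile=b"profile-1 dpi800", extra=None):
    """Constructed sample image: vector table, a block of Thumb NOPs, a settings page."""
    img = bytearray(FLASH_SIZE)
    struct.pack_into("<II", img, 0, 0x20005000, reset_handler)
    img[0x140:0x4000] = b"\x00\xbf" * ((0x4000 - 0x140) // 2)  # 0xBF00 = Thumb NOP
    start, end = SETTINGS
    img[start:end] = profile.ljust(end - start, b"\x00")
    if extra is not None:
        offset, data = extra
        img[offset:offset + len(data)] = data
    return bytes(img)


GOLDEN = build_image(0x08000141)
# Same device after the user saved a new profile: only the settings page changed.
RESAVED = build_image(0x08000141, profile=b"profile-2 dpi1600")
# Tampered: reset vector redirected into formerly empty flash where code was pasted.
PATCHED = build_image(0x08010A01, extra=(0x10A00, b"\x00\xbf" * 64))

if __name__ == "__main__":
    for name, img in (("golden", GOLDEN), ("resaved", RESAVED), ("patched", PATCHED)):
        print(name, audit(GOLDEN, img) or ["OK"])
```

As the talk notes, code that runs before the vendor firmware can rewrite the vector table or the hash it is checked against, so this check belongs on the host that dumps the flash, not inside the device.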
Info
Channel: DEFCONConference
Views: 24,551
Keywords: DEF CON 2017, DEF CON 25, DEF CON, DC25, hackers, security conference, Mark Williams, Rob Stanley, ARM, ARM Cortex M, Hardware hacking, USB
Id: gRWjd6o4LO4
Length: 29min 19sec (1759 seconds)
Published: Thu Nov 02 2017