Radio Hack Box - Tool to Demonstrate Vulnerabilities in Wireless Input Devices


The SySS Radio Hack Box is a proof-of-concept software tool to demonstrate the replay and keystroke injection vulnerabilities of the wireless keyboard Cherry B.Unlimited AES.

Requirements
  • Raspberry Pi
  • Raspberry Pi Radio Hack Box shield (a LCD, some LEDs, and some buttons)
  • nRF24LU1+ USB radio dongle with flashed nrf-research-firmware by the Bastille Threat Research Team, e. g.
  • Python2
  • PyUSB

Automatic startup
For automatically starting the Radio Hack Box process on the Raspberry Pi after a reboot, either use the provided init.d script or the following crontab entry:
@reboot python2 /home/pi/radiohackbox/radiohackbox.py &

Usage
The Radio Hack Box currently has four simple push buttons for
  • start/stop recording
  • start playback (replay attack)
  • start attack (keystroke injection attack)
  • start scanning
A graceful shutdown of the Radio Hack Box without corrupting the file system can be performed by pressing the SCAN button directly followed by the RECORD button.


Demo Video
A demo video illustrating replay and keystroke injection attacks against an AES encrypted wireless keyboard using the SySS Radio Hack Box a.k.a. Cherry Picker is available on YouTube:



Pi Radio Hack Box Shield
The hand-crafted Pi shield simply consists of an LCD, some LEDs, some buttons, resistors, and wires soldered to a perfboard.