Blinking hell - Data Extraction through Keyboard Lockstates

Blinking HellBig things in small packages

Matthew Phillips @phillips321Richard Hicks @scriptmonkey_

BackgroundBsides Las Vegas 2011• David Kennedy (Rel1k) – “Using the Teensy for so

much more...”

2

Exporting Data

3

Research

• Software can toggle the key lock states• Teensy can emulate a keyboard

(CAPS,SCROLL,NUM)• Can we see the status of the lock keys

from the teensy?

4

Solution• Hidden in Mouse

• Once again Iron Geek deserves credit

5

Summary so far...• Keyboard lock states are broadcast signals• Teensy is capable of reading them• Easily hidden in benign objects

6

• Can we signal?• How do we control it?• How do we retrieve the data in a

usable form?

How do we get the host to talk?…

7

How do we get the two to play nice?

8

1. Waiting for special “Knock”

3. Teensy now in “record” mode and waiting for first bit

7. Teensy now has control.8. Read state of Num Lock

9. Unset Scroll Lock10. Set Caps Lock

2. Turn Scroll on 3times within 5secs

4. Set Num Lock to identify first bit5. Clear Caps Lock6. Set Scroll

11. VBA Has Control, Repeat Steps 4 to 11 until EOF.

12. Send “FF” to signal EOF to teensy

Scenario

9

Demo TimeWill the demo gods help us? Not going to try!

Wrap up

• Works with other file types• Demo speed can be improved upon• Vendor ID can be changed• Others have now done this

11

Questions?

• Matthew Phillips• @phillips321• www.phillips321.co.uk

• Richard Hicks• @scriptmonkey_• blog.scriptmonkey.eu

• Assembla code will be up soon (see twitter)

12