DEF CON 25 - Mark Williams, Rob Stanley - If You Give a Mouse a Microchip

  • Published: 1 Nov 2017
  • The International, a recent esports tournament, had a 20 million dollar prize pool, with over five million people tuned in to the final match. The high-stakes environment at tournaments creates an incentive for players to cheat for a competitive advantage. Cheaters are always finding new ways to modify software, from attempting to sneak executables in on flash drives to using cheats stored in Steam's online workshop, which bypass IP restrictions.
    This presentation describes how one can circumvent existing security controls to sneak a payload (game cheat) onto a target computer. Esports tournaments typically allow players to provide their own mouse and keyboard, as these players prefer to use specific devices or may be obligated to use a sponsor branded device. These "simple" USB input devices can still be used to execute complex commands on a computer via the USB Human Interface Device (HID) protocol.
    Our attack vector is a mouse with an ARM Cortex M series processor. The microcontroller stores custom user profiles in flash memory, allowing the mouse to retain user settings between multiple computers. We modify the device's firmware to execute a payload delivery program, stored in free space in flash memory, before returning the mouse to its original functionality. Retaining original functionality allows the mouse to be used discreetly, as it is an "expected" device at these tournaments. This concept applies to any USB device that uses this processor, and does not require obvious physical modifications.
    This delivery method has tradeoffs. Our exploit is observable, as windows are created and brought into focus during payload delivery. The advantage of this approach is that it bypasses other security measures that are commonly in place, such as filtered internet traffic and disabled USB mass storage.
  • Science

Comments • 77

  • @harrytruesdale3210 6 years ago +26

    "Isn't that just a rubber ducky in a mouse ?..............yes yes it is"😂

    • @forrift7845 6 years ago +1

      It's a keyboard tho

    • @morgulbrut 5 years ago

      yo dawg i heard i like keyboards so i put a keyboard in your keyboard so you can type while you type.

    • @chedca 3 years ago

      @@forrift7845 CTRL+TAB+INS TO RUN SCRIPTS GG

  • @xlupta00 6 years ago +32

    Lifted. Flusha 2015 - present

    • @TheSearchForTruth88 4 years ago +2

      You are braindead, Flusha is not cheating and he never has.

  • @benhon2008 5 years ago +14

    Coder-Strike: Global Offensive

    • @chedca 3 years ago +4

      Counter Scripts

    • @mahdimahdavi 3 years ago +4

      Cheaters-Strike: Global Offensive

  • @FusionDeveloper 6 years ago +8

    Wouldn't a keyboard give you more room for adding your own microchips? I suppose the purpose of THIS hack, is that by physically inspecting the mouse, it would look normal, since the code is hidden on the factory chip and all hardware is factory hardware? Also, I didn't know you could get a mouse to type. Great work guys.

    • @toncek333able 6 years ago +2

      Exactly, I think they actually physically inspect the mouse at some tournaments, so this is a great way to hide the cheat.

  • @ajlaw7524 6 years ago

    Good stuff

  • @Skeptyle 6 years ago

    this was really interesting

  • @JohnDlugosz 5 years ago

    I wonder why they use mice at all, rather than a trackball or specialized game controller.

  • @samiraperi467 6 years ago +9

    Yeah, ARM CPUs in mice are kinda common. And you actually get better response with PS/2 peripherals.

    • @moth.monster 5 years ago +1

      that's a rumor made up by nostalgia, newer mice have higher refresh and dpi

    • @antonhelsgaun 5 years ago

      @@moth.monster higher DPI yes, but not higher refresh rate

    • @horowitzhill6480 3 years ago

      @@antonhelsgaun no goddamn way a ps2 mouse can get > 1 kHz refresh rate

  • @Trid3nt861 3 years ago +2

    COD Warzone streamers in tournaments are sweating.

    • @makatron 3 years ago

      *=insert Key & Peele sweat gif=*

  • @ThaLiquidEdit 6 years ago

    Can somebody find a link to the exact discovery board they use? There seem to be a lot of STM32F4 discovery board on ST's site.

    • @Ryan-9000 6 years ago

      The SteelSeries Rival mouse seems very popular. I have seen a modified Rival 300 used at lan.

    • @toncek333able 6 years ago

      Ryan 9000 I'm pretty sure he's not asking about the mouse but the dev board they used. Also, the mouse in the vid is the Steelseries Sensei

    • @ThaLiquidEdit 6 years ago +2

      You are right, I'm asking about the dev board. From where do you know that, because of the sensei.bin? xD

    • @morsiskoPC 5 years ago +1

      Visually looks like STM32F407G-DISC1, but it doesn't really matter, just pick any with the ST-Link

  • @jamesgrachos4538 6 years ago

    Does anybody know who these guys are?

    • @007mrthomas 6 years ago +3

      It says in the title.. Mark Williams & Rob Stanley

    • @jamesgrachos4538 6 years ago +1

      WOW THANKS! Details are interesting too.

    • @007mrthomas 6 years ago

      James Grachos yep, great talk.

    • @QoStoOds 6 years ago +1

      What, do you want their home address?

  • @shinraholdings7281 6 years ago +1

    So you guys are some Beautiful Mind genius types then?

  • @KlaPzCA 6 years ago +1

    Why does the fit guy speak like he's incredibly nervous o.o

    • @007mrthomas 6 years ago +15

      because he is incredibly nervous..

    • @KlaPzCA 6 years ago +1

      Makes sense.

  • @satibel 3 years ago

    I don't think securing the mouse is a good idea regardless, you could always get a different unhardened mouse.
    the exploit isn't with the mouse, a switched rubber ducky would work just as well.
    for bigger tournaments you could have sponsors provide sealed mice instead of the competitors.
    checking the mice right before and using boxes that have a seal on the computer's ports to prevent insertion and removal once the device has been checked (using lsusb or similar to check for a keyboard)
    though that doesn't prevent activating the hack with a set of keypresses, but it would make it harder.
    having a log of inserted devices on the computer that is sent in real time to another machine might be the best way to detect this kind of hack.
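A detection-side example for the point made in this comment and in the talk description above: a mouse that delivers keystrokes has to enumerate a keyboard HID interface next to its mouse interface, and the host's USB log records exactly that. The script below is an added example, not code from the talk or from the commenter. It parses constructed, dmesg-style Linux kernel lines (the vendor/product ids, product names and port paths are made up) and flags any single physical port that registers both a Mouse and a Keyboard interface, or a keyboard whose vendor/product pair is not on an allowlist of inspected devices. The `hid-generic` line shape follows what the Linux HID core prints; the allowlist and its contents are assumptions.

```python
import re

# Constructed sample of Linux kernel (dmesg-style) lines emitted when USB HID
# devices enumerate. Vendor/product ids, names and port paths are made up.
SAMPLE_LOG = """\
usb 1-1: New USB device found, idVendor=1234, idProduct=abcd, bcdDevice= 1.00
usb 1-1: Product: Example Gaming Mouse
hid-generic 0003:1234:ABCD.0004: input,hidraw3: USB HID v1.11 Mouse [Example Gaming Mouse] on usb-0000:00:14.0-1/input0
hid-generic 0003:1234:ABCD.0005: input,hidraw4: USB HID v1.11 Keyboard [Example Gaming Mouse] on usb-0000:00:14.0-1/input1
usb 1-2: New USB device found, idVendor=5678, idProduct=0001, bcdDevice= 2.00
usb 1-2: Product: Example Keyboard
hid-generic 0003:5678:0001.0006: input,hidraw5: USB HID v1.10 Keyboard [Example Keyboard] on usb-0000:00:14.0-2/input0
usb 1-3: New USB device found, idVendor=9abc, idProduct=0002, bcdDevice= 1.00
usb 1-3: Product: Example Plain Mouse
hid-generic 0003:9ABC:0002.0007: input,hidraw6: USB HID v1.11 Mouse [Example Plain Mouse] on usb-0000:00:14.0-3/input0
"""

# Matches the hid-generic registration line: bus:vendor:product.instance, the
# HID device type the kernel recognised, the product name, and the physical
# port path plus interface number.
HID_RE = re.compile(
    r"hid-generic \d{4}:([0-9A-Fa-f]{4}):([0-9A-Fa-f]{4})\.\d+: .*?USB HID v[\d.]+ "
    r"(\w+) \[([^\]]*)\] on (usb-[^/\s]+)/input(\d+)"
)


def parse_hid_interfaces(log_text):
    """Group HID interface registrations by physical USB port path.

    Returns {port: {"vid", "pid", "name", "interfaces": [(index, kind), ...]}}.
    """
    devices = {}
    for line in log_text.splitlines():
        m = HID_RE.search(line)
        if not m:
            continue
        vid, pid, kind, name, port, iface = m.groups()
        dev = devices.setdefault(
            port, {"vid": vid.lower(), "pid": pid.lower(), "name": name, "interfaces": []}
        )
        dev["interfaces"].append((int(iface), kind))
    return devices


def find_suspicious(devices, allowed_keyboards):
    """Return (port, reason) pairs that deserve a human look.

    allowed_keyboards is an assumed set of (vid, pid) tuples in lower-case hex
    for the keyboards the tournament has inspected and approved.
    """
    findings = []
    for port, dev in sorted(devices.items()):
        kinds = {kind for _, kind in dev["interfaces"]}
        if "Mouse" in kinds and "Keyboard" in kinds:
            # A device the kernel sees as a mouse that also offers a keyboard
            # endpoint is the shape the talk describes. Some legitimate gaming
            # mice do this for macro keys, so this is a review flag, not a verdict.
            findings.append((port, f"{dev['name']}: mouse also registers a keyboard interface"))
        if "Keyboard" in kinds and (dev["vid"], dev["pid"]) not in allowed_keyboards:
            findings.append((port, f"{dev['name']}: keyboard interface from a device not on the allowlist"))
    return findings


if __name__ == "__main__":
    approved = {("5678", "0001")}  # constructed allowlist entry for the Example Keyboard
    for port, reason in find_suspicious(parse_hid_interfaces(SAMPLE_LOG), approved):
        print(f"{port}: {reason}")
```

On a real host the lines would come from `dmesg` or the journal, shipped to a second machine as the comment suggests, so a device that is unplugged again leaves a record. Two caveats follow from the comments: a plug-in check only sees what enumerates at plug-in time, so a payload armed later by a button sequence is caught by the interface shape, not by timing; and the mouse-plus-keyboard pattern is common on macro-capable gaming mice, which is why the example emits review flags rather than blocking anything.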

  • @conkerkh 5 years ago +1

    This would never work if RDP L2 was enabled. I don't know how come a big manufacturer hires such noobs that don't enable RDP L2 or not even RDP L1 so at least it is not possible to dump the flash, really surprised. Contrary to what the guys said, even without an ELF you can do quite a lot if you are allowed to attach a debugger to a running binary.

    • @JohnDlugosz 5 years ago +1

      "not possible to dump the flash..." You forget what conference this is. See "Glitching the Switch" for a high-profile example of getting the ROM from a secure boot processor of an ARM chip.

    • @conkerkh 5 years ago +1

      @@JohnDlugosz this has nothing to do with secure boot, which is a different story, not yet implemented on Cortex-M apart from M33 and M23 cores. RDP L2 disables the JTAG interface completely so you can't attach a debugger to the CPU and you can't do anything. You would have to exploit a potential vulnerability in exposed interfaces but it's highly unlikely you could do anything there. The only publicly known hack on Cortex-M is www.aisec.fraunhofer.de/en/FirmwareProtection.html which doesn't exist away from the STM32F0 series. Power glitching on RDP L2 won't work because the interface physically doesn't exist anymore and OTP fuses are blown. The only way to extract firmware would be to do it under a microscope.

    • @moth.monster 5 years ago +1

      because why the fuck do they think someone's going to hack their god damn mouse

  • @chaseodgers8721 6 years ago +5

    I think his chin must be itchy

  • @dailydoseofn0thing 6 years ago +2

    thanks to you for explaining to stupid people how to cheat at a high level :D

    • @Katt1n 6 years ago

      4.2.1 Equipment hand-in
      All teams participating in the main event have to hand in their equipment on Wednesday, 11th of March until
      22 CET at the location to tournament officials. If any player or team doesn’t hand in their equipment they
      either have to use hardware provided by ESL or cannot participate in the tournament at all.
      4.3 Configs and drivers
      All participants have to send in their configs and drivers until a specific deadline set by the
      tournament direction before the event. If any player or team doesn’t send in their configs and
      drivers they have to manually set up their config on site and play without drivers.
      All equipment is checked before the event, there is no way a cheat could slip by this way.

    • @SAMCOM57 4 years ago +1

      @@Katt1n lmao yeah they do that but theres ways around it. Lmao, the coordinators honestly don't care enough.

  • @skiinkan 6 years ago

    damn, I buy a private mouse LAN cheat for $1000 lol

  • @morgulbrut 5 years ago +1

    sorry mate, you're bad at soldering ;)

  • @electronash 6 years ago +10

    "I'm a really good solderer."
    (proceeds to show some really nasty soldering of huge wires with no pre-tinning. lol)
    Only kidding. :p You did say that the iron was barely working, and it is fun sometimes when you're eager to get a project started with what you have available at the time.

  • @Indikissa 6 years ago

    You can't download skills...

    • @koffe- 6 years ago +13

      what's your point? pro players are obviously good without cheats, but that doesn't mean for example an aimbot wouldn't give them an edge.

  • @18iser 6 years ago +8

    Cheats don't exist!

  • @berd1950 6 years ago +1

    The problem being the tournament organizer will provide the mouse you want lmfao

  • @Katt1n 6 years ago +1

    No, CSGO professionals cannot cheat this way. These are the ESL rules:
    4.2.1 Equipment hand-in
    All teams participating in the main event have to hand in their equipment on Wednesday, 11th of March until
    22 CET at the location to tournament officials. If any player or team doesn’t hand in their equipment they
    either have to use hardware provided by ESL or cannot participate in the tournament at all.
    4.3 Configs and drivers
    All participants have to send in their configs and drivers until a specific deadline set by the
    tournament direction before the event. If any player or team doesn’t send in their configs and
    drivers they have to manually set up their config on site and play without drivers.
    ESL (in this case) checks files, drivers, configs, everything, before the event. There is no way something like this could slip by.

    • @thecakeredux 6 years ago +12

      So? You could simply activate your code by a sequence of button presses, maybe with timers, maybe you draw a shape on the table. Time really isn't an issue for the hacker, you can prepare something and use it ten years later, technically speaking. ESL CERTAINLY does not hack into the hardware of the equipment to manually download the firmware and check it for malicious code. You're simply delusional if you think any of the current measures could reliably prevent an attack like this.
      Now you, as the hacker, can get way more elaborate than these guys. Imagine you find an actual vulnerability in the OS, the game, the network, etc. through which you can, with a tiny backdoor created by your manipulated peripherals, download and execute way bigger malicious programs.
      The fact that you have to provide your own drivers is not actually a measure against fraud, but a whole attack vector in itself. What if there is a security issue in a 2015 driver that got patched in the current driver? Simply use the 2015 one then. Depending on how exactly those drivers are provided (as a copy instead of as a version number) you can even have them be a literal cheat.
      For all it's worth you could execute code that's already on the computer in an unintended way and get away with even smaller sized hacks. Use your imagination a little.

    • @koffe- 6 years ago +2

      what Felix Merz said. also, they have internet connection on the practise computers there, so it's irrelevant that they check.

    • @JohnDlugosz 5 years ago +1

      No way?? You just need a covert way to trigger it, rather than having it automatic on plug-in every time. Mouse comes up and works normally. But, do some combination of control movement within the first ten seconds, and it does the cheat.

    • @Eroktic 5 years ago

      kid that checks the gear gets $500 and he is happy for a month

  • @huyaomanh9814 6 years ago +3

    The pros use their sponsor device. So you guys are saying they 100% cheat on LAN, meaning their sponsor helps them in this too? That is crazy, they train hard as fuck and their skills can't be downloaded. If they cheat on LAN like wall hack or aimbot we will know it first because behind them is a referee. About the aimbot they are saying, why do pros need to spray??? and you clearly see
    some of their bullets miss??? that doesn't make sense. And that 2000s game can be cracked ez af

    • @huyaomanh9814 6 years ago

      They can cheat online but on LAN they can't, and this 128kb memory can't contain a cheat for such a big and complicated game like CS:GO, and that game in the video is a 2000s game. They are right that you can cheat, but in modern day it can't be done now.

    • @toncek333able 6 years ago +1

      Mạnh Huy Đào They are not using the entire 128kb because the mouse code is also stored there, even then, there is plenty of space for a basic aim assist cheat.

    • @huyaomanh9814 6 years ago

      It depends on what game more than how much that chip can contain. That game that they cheat on doesn't even have a real anti-cheat. Of course I know that anti-cheat is not something too big but still a thing tho, you can go and see how big that CS:GO cheat is. I don't think this can't happen right now but it's still a warning to esport organizations and they have time to do something about it.

    • @ThatGreatGuyJesus 6 years ago +7

      Mạnh Huy Đào
      I don't think you really understand the amount of work that goes into these type of cheats, watch the entire video...
      Also, there have been pros caught doing this exact thing, flusha for one...
      Edit: also, anticheats like vac or battleye look for known cheats. They cannot identify a cheat which has not previously been identified. Those anti cheats look for known code, or irregular scripts running.
      Private cheats can go their entire lives without being caught.

    • @extr3meable 6 years ago

      I think memory can be bigger than 128 kb :) and for this script you dont need much memory bro ;)

  • @furlockfurli2719 6 years ago +3

    Group 1 (absolute elite): The pro players select their gear. Costs are around 290k.
    Group 2 (elite): Close to pro leagues players have their own gear, too. Costs around 20k.
    Group 3 A huge crowd of wannabees usually wastes money on common gear. Costs around 2k.
    Group 4 Kids and not so kids any longer invest around 0.1 to 0.5k.
    You know the cheats or gears used by the last three groups. From intelligent mouse pads to mice, from clothing with microchips to pimped glasses (LAN), from skins to software (online/client).
    You still have no clue about group 1.
    Start to research two clinics in Austria, one in Poland, three in Russia, one in Canada, one in Brazil, two in Germany, four in the UK, and a stunning 19 in California. China and Cuba are in the business as well, but much more cautious or better protected from research. East European countries are building up another ring.
    I give you all one more hint: if we would pass players of group 1 through a scanner, they would shine like their incredible (s)kills do, blinding you completely.
    And here a shortcut for the more advanced: SH9MIM_3 on behalf of neurological implants in one of the famous clients.
    Have fun.

    • @danielgriffin8311 6 years ago +13

      Do you have literally any evidence for this mess of words you've cobbled together?

    • @JohnDlugosz 5 years ago +3

      I Googled for SH9MIM_3 and found thirty copies of this same text, across many sites.

    • @antonhelsgaun 5 years ago +1

      Intelligent mousepads?

    • @frag0638 2 years ago +1

      @@antonhelsgaun The waifu ones