Each year, Rapid7 penetration testers complete hundreds of internally and externally based penetration testing service engagements. This post is part of an ongoing series featuring testimonials of what goes on beneath the hoodie. For more insights, check out our 2019 Under the Hoodie report.
In one engagement, we were tasked with compromising the internal network of a facility that was used for medical trials and had a laboratory where they worked on the pharmaceuticals used for their testing. The first leg of the engagement was a physical and social engineering test, and while the lab site was intended to be a highly secure physical location, we were able to sneak in by tailgating, quickly diving into open doors, etc. We made short work of the internal network once we had physical access to the datacenter, so, after consulting with our point of contact, we decided to try our hand at getting in remotely without physical access.
There is this tool we like to use called the Crazyradio PA, which is a small software-defined radio (SDR). Combining that with an open source implementation of the MouseJack vulnerability described by Bastille Security, we could perform some pretty cool attacks against wireless keyboards and mice. First disclosed in 2016, the MouseJack vulnerability is still a fairly common issue affecting a wide range of non-Bluetooth wireless keyboards and mice.
Armed with this technique, software, and hardware, we figured if we could get within range of a vulnerable device, we could inject keystrokes, or sometimes even record what a user is typing. After circling the building a few times in a rental car, we indeed found a few vulnerable devices in use on the client's site.
We were able to successfully launch attacks and execute malicious payloads on several systems, which gave us remote access to that organization's computers over the internet—from our rental car in the parking lot. There was no physical entry required; all we needed was to be reasonably close in an unsecured parking lot.
We presented this finding to the client, who used our report to replace their wireless keyboards and mice with cheaper and more secure wired alternatives. It was a great object lesson that even if you have implemented strong physical security and trained your staff to keep an eye out for secure door tailgaters, if your peripherals aren't secure, you might still be vulnerable to targeted, over-the-air radio attacks.
Interested in learning more about how Rapid7 pen testers conduct their assessments? Check back every week for a new story in the series.
- This One Time on a Pen Test: Paging Doctor Hackerman
- This One Time on a Pen Test: How I Compromised a Healthcare Portal Before My Hot Cocoa Went Cold
- This One Time on a Pen Test: Missed a Spot
- This One Time on a Pen Test: Nerds in the NERC
- This One Time on a Pen Test: The Pizza of Doom