Monday, September 2, 2013

Making a PC mouse HW Trojan

Preface

After making the USB flash drive HW Trojan, I decided to move forward, and replicate Netragard’s Hacker Interface Device [1]. It was easier than I first thought and since I didn't find a detailed article on how to make one (the best ones [2] [3] were in French, but I think the vast majority of people prefer English), I decided to create this blog post, so everyone can easily make it for a nice prank or for a cool social engineering attack during a penetration test.

Again, I am going to assume that you have at least some basic experience with soldering. If you don't have, take a look at Limor Fried's (a.k.a. ladyada) page about the basics of soldering or Sparkfun's Soldering Basics (takes about 40-30 minutes practicing to learn how to solder through hole components).

Parts needed

  • Teensy 2.0 or Teensy 3.0 (I  used the Teensy 2.0, because the time I made this Trojan mouse, Teensy 3.0 was not released.)
  • USB HUB (The smaller the better. Also, you don't want to have one of those long ones - the ones having the ports lined up next to each other - because they most probably won't fit into the PC mouse. I used the HUB-UFO 4 for example because of the PCB size.)
  • USB A - USB MINI-B cable (Actually, we will only need the USB MINI-B part to connect the Teensy, so you can also use a USB MINI-B type plug (male) Cable connector and solder the wires to that.)
  • A small piece of wire (You can even scavenge this from the USB cable, but it might be better to have a different color form red, white, green or black - since these are usually the colors of the USB cables and it is a good idea to distinguish this specific wire from them.)
  • USB PC mouse (The fancier the better. Or, the one that matches the mouse type used by your target.)

Here is a picture of the most important parts together, except the USB cable (the USB HUB was already "stripped-down"):

Tools needed

  • Hot air solder station (for desoldering the USB ports from the USB HUB)
  • Solder (for soldering, of course)
  • Soldering iron (yep, this one is also for soldering)
  • Desoldering tool or (de)solder braid (if you are clumsy and make a soldering error, like an unwanted short circuit)
  • Flush/diagonal cutters (for cutting the wires)
  • Third hand with Magnifying Glass (you're gonna need it, otherwise you would have to grow a third hand :) )
  • Good light (without this, you won't be able to solder those tiny little wires...)

STEP 1: Preparing the USB HUB

So the basic idea is to:
  1. detach the USB cable from the PC mouse, than
  2. disassemble the USB HUB by de-soldering its USB cable and replace it with the PC mouse USB cable and finally,
  3. desolder the USB host connector ports from the HUB and solder the PC mouse to one USB port and also solder a USB MINI-B connector to another USB port so you could connect the Teensy to the USB HUB.
Here is a picture for the wiring of the USB HUB:

I cannot give more details on how to disassemble and desolder the USB HUB, since it is specific to the model you will use. For the HUB UFO 4 I used, the PC mouse USB cable was soldered to the upper rigth corner of the picture, and on the left and rigth side, you can see the PC Mouse and the USB MINI-B connector soldered to the removed USB host connector ports (on the bottom, you can see the holes of the USB connector I removed from the HUB).

STEP 2: Connecting a Teensy pin to the left mouse button

This step is optional, but I strongly recommend doing it since by soldering a wire to the left mouse button's micro switch, you will be able to detect if someone is using the computer by checking if the mouse button was pushed or not.

A micro switch can have different number of leads, but in a PC mouse they usually have 2 or 3 legs. Again, this is something you need to figure out on your own, because it depends on the PC mouse you use, but I have made a few pictures to give you an example.

The first one is showing the PC mouse PCB, with the wire soldered to the left mouse button's micro switch:
Next, the Teensy form its bottom, with the wire soldered to the D3 pin:
Same as the above, just from the top:
And the two parts together:

STEP 3: Putting everything together

Once you have everything soldered together, all you have to do is connect the Teensy to the USB MINI-B cable and stuff everything into the PC mouse :) This last momentum can be tricky and you might want to use some (insulation) tape to keep things from moving away while you close the mouse.

Here you can see everything assembled together, before putting them into the PC mouse:
And the "stuffed" mouse should look something like this:

Final product

And again, that's all! :) As I promised in my previous post, I will make a detailed blog post on how can you program such a device and what evil payloads you can use. Check out the pictures I have made from the final product as well as the additional resources on malicious HIDs and Trojan PC mice!

The Teensy and the USB HUB fits perfectly into a PC mouse, even in a tiny one like this (the Teensy board is there to give you and idea of the size of the mouse):

Resources

[1] Netragard’s Hacker Interface Device (HID)
http://pentest.snosoft.com/2011/06/24/netragards-hacker-interface-device-hid

[2] Une souris USB malicieuse dopée au Teensy (in French)
http://www.nes.fr/securitylab/?p=374

[3] La souris malicieuse v2 (on remet ça !) (in French)
http://www.nes.fr/securitylab/?p=532

[4] Trojan mouse
http://sathya.de/blog/projects/trojan-mouse

[5] Create your own malicious keyboard or mouse!
http://0x80.org/blog/create-your-own-malicious-keyboard-or-mouse