The flaw, dubbed “Mousejack,” was discovered by researchers at Bastille Networks, ThreatPost reports today. The firm looked at wireless mice and keyboards from seven manufacturers, including popular Logitech, Microsoft, Dell, HP and Lenovo models.
The peripherals were all based on radio systems instead of Bluetooth. Bastille found that the radio frequencies can be hijacked and intercepted by an attacker to fake commands from the mouse. Although the connection between the dongle and device was encrypted in most cases, none of the devices encrypted the data they returned to the dongle.
This weakness lets other transmitters send their own packets of data to a user’s computer, faking keystrokes and mouse clicks. This could be used as a prank on an unsuspecting friend or for more sinister purposes.
An attacker could send keystrokes to open a terminal window, download malware or a rootkit onto a computer and then force its installation, all without the user being aware of it happening. The high speed that commands can be executed at could let hackers run commands in the background, using keyboard shortcuts to open terminals and access data.
Chris Rouland, founder of Bastille, created a proof-of-concept attack using a USB dongle bought for $15 and a mere 15 lines of code written in the popular Python programming language. With just these resources, Rouland could compromise a target computer.
The dongles shipped with affected devices fail to verify that the sender of a command is the mouse or keyboard it should be paired with. There are likely to be millions of products in use, many of which are not designed to receive firmware updates and will never be patched.
Bastille reached out to the vendors involved over 90 days ago. Over half of all the mice cannot be updated, leaving computer users across the world open to attack. Rouland said: “More than half of the mice are not able to be updated and will not be patched. And likely won’t be replaced. There will be vulnerable devices everywhere.”
Mousejack is likely to be exploited in the future because the attack can run without the user knowing and requires minimal effort on the part of the hacker. The widespread use of wireless keyboards in businesses could put sensitive data at risk as most dongles have a 100m range, letting attackers connect from outside.
“Wireless mice and keyboards are the most common accessories for PC’s today, and we have found a way to take over billions of them,” said Marc Newlin, the Bastille researcher who discovered Mousejack. “Mousejack is essentially a door to the host computer. Once infiltrated, which can be done with $15 worth of hardware and a few lines of code, a hacker has the ability to insert malware that could lead to potentially devastating breaches. What’s particularly troublesome about this finding is that just about anyone can be a potential victim here, whether you’re an individual or a global enterprise.”
The risk has been taken seriously by the security industry. The Computer Emergency Response Coordination Center (CERT-CC) of Carnegie Mellon University has issued a formal advisory on the issue. Rouland said: “Mousejack poses a huge threat, to individuals and enterprises, as virtually any employee using one of these devices can be compromised by a hacker and used as a portal to gain access into an organization’s network.”
Some manufacturers have released patches for the flaw where possible. Lenovo has released an update for its affected products but said it considers Mousejack a “difficult and unlikely path of attack.” Dell intends to contact customers who own its KM632 and KM714 desktop peripheral sets and has already released an update for the latter. A complete list of known affected devices is available on Bastille’s website but the company warns it has yet to investigate many other manufacturers.
