Do you own a Lenovo or Logitech mouse? Is it wireless? If you answered “Yes” to both questions, then your wireless mouse or keyboard may be putting your personal data at risk of an attack.
A fake wireless mouse and keyboard can be used to compromise laptops from up to 100 metres away through the portable peripherals manufactured by at least seven big vendors, including Logitech, Microsoft, Lenovo, HP and Amazon. Researchers at the Internet of Things cybersecurity firm Bastille demonstrated that the attack, called MouseJack, exploits a major vulnerability in most non-Bluetooth devices (those connected to a PC via a USB dongle), whereby attackers could use the devices’ flaws to install malware or a rootkit onto your computer.
Security researcher Marc Newlin from Bastille, with the collection of wireless mice & keyboards found vulnerable to MouseJack attacks. (Source: Wired)
The MouseJack website operated by Bastille describes this new form of attack:
“MouseJack is a class of vulnerabilities that affects the vast majority of wireless, non-Bluetooth keyboards and mice. These peripherals are ‘connected’ to a host computer using a radio transceiver, commonly a small USB dongle. Since the connection is wireless, and mouse movements and keystrokes are sent over the air, it is possible to compromise a victim’s computer by transmitting specially-crafted radio signals using a device which costs as little as $15.”
To understand how MouseJack attacks work, we must first understand how these wireless mice and keyboards work. Wireless mice and keyboards communicate over radio frequencies with a USB dongle inserted into the PC. The dongle then sends packets to the PC, so that it follows the mouse clicks or keystrokes.
MouseJack attacks are made possible by flaws in the wireless USB dongles that keyboards and mice use to communicate over radio frequencies with the host computer, and in the way the radio receivers handle encryption. The underlying issue is that some wireless dongles today accept unencrypted traffic, and because the connection between the tiny dongle and the mouse is not encrypted, the dongle will accept any seemingly valid command. While many wireless keyboard manufacturers encrypt communication between the keyboard and the dongle to prevent hijacking of the device, Bastille confirmed that none of the mice they tested encrypted their wireless communication, leaving the dongle to accept commands from an attacker in close physical proximity the same way it would from the user.
“You can buy a $15 dongle off Amazon and with 15 lines of Python code, take over the dongle. And you can take full control of the system and the user is logged in,” says Chris Rouland, founder and chairman of Bastille.
The attacks target the typically cleartext and insecure communications between a non-Bluetooth port and mouse, and through the magic of radio waves, the attacker can insert keystrokes or malicious code and access sensitive information. Once paired with a bogus off-the-shelf USB wireless dongle, the dongle can be programmed to send out attack keystrokes that let the hacker pretend to be the owner of the victim’s computer. The hacker could even send packets that generate keypresses, which allow them to direct your computer to a malicious server or website in mere seconds.
According to Marc Newlin, the Bastille engineer responsible for the MouseJack discovery, unfortunately “there is no authentication mechanism, and the dongle is unable to distinguish between packets transmitted by a mouse, and those transmitted by an attacker”.
In the tests carried out by the Bastille team, Rouland and Newlin used only a $12 Geeetech Crazyradio USB radio dongle attached to a laptop running their exploit code to pair with the victim devices. They tested as far as that hundred-yard range, though they found that the attack was more reliable with a more powerful Yagi antenna and believe it could likely be extended even further.
The $12 Crazyradio USB radio dongle Bastille used to hack the wireless keyboards & mice. (Source: Wired)
Source: The Register
During the tests, the Bastille researchers were able to generate 1000 words/minute over the wireless connection and install a malicious Rootkit in a mere 10 seconds, or eight milliseconds-per-keystroke.
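The injection rate quoted above is far faster than a person types, which gives defenders a timing signal to look for. The following is an added example, not code from Bastille or from this article: it scans key-down timestamps for sustained machine-speed bursts. The 20 ms threshold, the minimum burst length of 10 and the sample timestamps are assumptions constructed for the illustration.

```python
from dataclasses import dataclass

# Assumed thresholds (not from the article). Human key rollover can produce
# an occasional pair of keys a few ms apart, so a burst must be sustained.
MAX_INJECT_INTERVAL_MS = 20
MIN_BURST_LEN = 10


@dataclass
class Burst:
    start_ms: int
    end_ms: int
    keys: int

    @property
    def mean_interval_ms(self) -> float:
        return (self.end_ms - self.start_ms) / (self.keys - 1)


def find_injection_bursts(timestamps_ms, max_interval_ms=MAX_INJECT_INTERVAL_MS,
                          min_burst_len=MIN_BURST_LEN):
    """Return runs of key-down events whose consecutive gaps stay at or below
    max_interval_ms for at least min_burst_len keys."""
    bursts, run_start, n = [], 0, len(timestamps_ms)
    for i in range(1, n + 1):
        if i < n:
            gap = timestamps_ms[i] - timestamps_ms[i - 1]
            # A negative gap means a clock jump; treat it as a run boundary.
            if 0 <= gap <= max_interval_ms:
                continue
        if i - run_start >= min_burst_len:
            bursts.append(Burst(timestamps_ms[run_start],
                                timestamps_ms[i - 1], i - run_start))
        run_start = i
    return bursts


def constructed_sample():
    """Constructed key-down times (ms), e.g. as an input hook might log them."""
    human_before = [0, 140, 310, 325, 480, 650]      # includes a 15 ms rollover pair
    injected = [2000 + 8 * k for k in range(40)]     # 8 ms per keystroke, as quoted
    human_after = [3000, 3170, 3300]
    return human_before + injected + human_after


if __name__ == "__main__":
    for b in find_injection_bursts(constructed_sample()):
        print(f"suspicious burst: {b.keys} keys, {b.mean_interval_ms:.1f} ms apart, "
              f"from t={b.start_ms} ms to t={b.end_ms} ms")
```
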
“MouseJack poses a huge threat, to individuals and enterprises, as virtually any employee using one of these devices can be compromised by a hacker and used as a portal to gain access into an organization’s network,” Rouland emphasized in a statement.
Bastille’s key researcher, Newlin, also voiced his concerns about this new method of attack, stressing that:
“Wireless mice and keyboards are the most common accessories for PCs today, and we have found a way to take over billions of them… What’s particularly troublesome about this finding is that just about anyone can be a potential victim here, whether you’re an individual or a global enterprise.”
As the official MouseJack website run by Bastille outlined, there are two plausible scenarios why an attacker may care about attacking your laptop:
The issue was considered a matter of concern by the Computer Emergency Response Coordination Center (CERT-CC) of Carnegie Mellon University (which receives funding from US Homeland Security), so much so that it issued an advisory on the vulnerability.
Bastille has worked with the various vendors, and while some vendors could patch the flaw with a firmware update, many dongles were designed not to be updated. The company told ThreatPost that “more than half of the mice are not able to be updated and will not be patched. And likely won’t be replaced. There will be vulnerable devices everywhere”.
Listed below are the vendors whose wireless keyboards and mice were found in testing to be affected by the flaws MouseJack exploits:
While billions of users of the wireless dongles above could be at risk of MouseJack attacks, they are not alone: Bastille said that the attacks are carried out at keyboard level, meaning that even Apple Macintosh and Linux machine users are vulnerable to the attack. The researchers say it is likely that even more brands are affected by the bug, but they have not yet gotten around to testing them.
Network World and Forbes have both reached out to Logitech, Microsoft, Lenovo and Dell about the issue. In response, Lenovo has issued a security advisory and developed a firmware update for its Lenovo 500 Wireless Combo Keyboard and Mouse. However, this will only fix the problem in new products; customers will have to replace their current sets with new ones, as the firmware can only be updated at the time of manufacture.
On the other hand, Logitech, whose Unifying Technology was found to be vulnerable to MouseJack, still maintains that attacks are difficult and unlikely because of the close physical proximity needed between the attacker and the target. Nevertheless, Logitech released a patch and firmware updates to fix the flaws. “We have nonetheless taken Bastille Security’s work seriously and developed a firmware fix. If any of our customers have concerns, and would like to ensure that this potential vulnerability is eliminated, they can download the firmware here. They should also ensure their Logitech Options software is up to date,” said Asif Ahsan, senior director of engineering for Logitech.
Meanwhile, Dell has identified its Wireless Keyboard Mouse bundle products (KM632 and KM714) as vulnerable, and urged customers to contact Dell Tech Support so that customer service representatives can help them install the patch issued by Logitech. (Here’s the list of international contact numbers for Dell Technical Support.) Microsoft says that it is currently looking into the problem and hopes to provide a resolution as soon as possible.
Bastille suggests that customers check with their manufacturers to find out if a fix is available. Here’s the list of affected devices tested so far, so if you are using one of them, it might be time to check for updates and, if they are still not available, to replace your existing peripheral.
 International Business Times
 PC Magazine
 The Register
 Computer World