2/23/2016
09:30 AM

'MouseJack' Attack Bites Non-Bluetooth Wireless Mice

PCs, Macs, and Linux machines at risk of attack that exploits unencrypted communications between wireless mice and dongles.

Billions of PC users are at risk of a newly discovered attack on non-Bluetooth wireless mice and keyboards that spans seven different wireless dongle vendors.

Researchers at Bastille discovered a total of nine vulnerabilities across these devices that allow an attacker to wrest control of the input devices, and ultimately infiltrate the machines and their networks, using a $15 USB dongle within 100 meters of the victim. Dubbed “MouseJack” by Bastille, the attack basically exploits wireless proprietary protocols that operate in the 2.4GHz ISM band and don’t encrypt communications between a wireless mouse and its dongle.

Logitech, Dell, HP, Lenovo, Microsoft, Gigabyte, and AmazonBasics are the wireless keyboard and mouse manufacturers whose non-Bluetooth wireless devices are affected by the MouseJack flaws. According to Bastille, Apple Macintosh and Linux desktop users with wireless dongles also could be vulnerable to the attack.

“You can buy a $15 dongle off Amazon and with 15 lines of Python code, take over the [non-Bluetooth] dongle. And you can take full control of the system and the user is logged in,” says Chris Rouland, founder, chairman & CTO of Bastille, an Internet of Things security vendor.

Photo Credit: Bastille  
The USB dongle used to wage a MouseJack attack.

Bastille has been coordinating with the US-CERT and vendors for the past three months. But not all vendors will have patches or updates to their wireless dongles, Rouland says. “Some can’t be fixed, so the devices will need to be replaced,” he says.

Logitech, whose so-called Unifying technology was found vulnerable to MouseJack, maintains that the attack would be difficult to pull off, however. “Bastille Security identified the vulnerability in a controlled, experimental environment. The vulnerability would be complex to replicate and would require physical proximity to the target,” said Asif Ahsan, senior director of engineering for Logitech, in a statement. “It is therefore a difficult and unlikely path of attack.”

Even so, Logitech has issued a firmware update to fix the flaw. “We have nonetheless taken Bastille Security’s work seriously and developed a firmware fix. If any of our customers have concerns, and would like to ensure that this potential vulnerability is eliminated, they can download the firmware here. They should also ensure their Logitech Options software is up to date.”

Wireless keyboards and mice communicate via radio frequency with a USB dongle inserted into the computer, and the dongle then passes those packets to the computer, which acts on the mouse clicks or keystrokes. While most wireless keyboard makers encrypt traffic between the keyboard and the dongle to prevent spoofing or hijacking of the device, the mice Bastille tested did not encrypt their communications to the wireless dongle that connects them to the machine. So an attacker could spoof a mouse and insert his own clicks and inputs to the dongle, generate keystrokes instead of mouse clicks on the victim’s computer, and install malware, for example, according to Bastille’s findings.

“If an attacker sitting in the lobby of a bank could get the wireless dongles [via MouseJack], all of a sudden you’ve got an APT [advanced persistent threat] inside a bank,” says Marc Newlin, the Bastille engineer who found the flaws that led to MouseJack. An attacker could install a rootkit, for instance, he says.

The underlying issue is that some wireless dongles today accept unencrypted traffic. “The vendors aren’t utilizing the security features in the hardware,” Newlin says.
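
The flaw class described above, reduced to a toy model (an added example, not Bastille's code or any vendor's firmware): one receiver forwards every well-formed frame to the host, the other drops frames that lack a valid tag from the paired device or that reuse a counter. The frame layout, class names and pairing key are constructed for illustration, and an HMAC tag with a counter stands in for the link encryption the article refers to.

```python
import hashlib
import hmac
import struct

# Constructed toy frame (not a real vendor protocol):
#   type(1) | payload(1) | counter(4, big-endian) | optional tag(8)
MOUSE_CLICK, KEYSTROKE = 0x01, 0x02
BODY_LEN, TAG_LEN = 6, 8

def _tag(key, body):
    return hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]

def build_frame(ftype, payload, counter, key=None):
    """Build a frame; without a key it is plaintext and unauthenticated."""
    body = struct.pack(">BBI", ftype, payload, counter)
    return body if key is None else body + _tag(key, body)

class PermissiveDongle:
    """Models the flaw: any well-formed frame reaches the host as input."""
    def __init__(self):
        self.host_events = []

    def receive(self, frame):
        if len(frame) < BODY_LEN:
            return False
        ftype, payload, _ = struct.unpack(">BBI", frame[:BODY_LEN])
        self.host_events.append((ftype, payload))
        return True

class AuthenticatingDongle:
    """Forwards only frames tagged by the paired device with a fresh counter."""
    def __init__(self, pairing_key):
        self.key = pairing_key
        self.last_counter = -1
        self.host_events = []

    def receive(self, frame):
        if len(frame) != BODY_LEN + TAG_LEN:
            return False                      # untagged frame: drop
        body, tag = frame[:BODY_LEN], frame[BODY_LEN:]
        if not hmac.compare_digest(tag, _tag(self.key, body)):
            return False                      # sender does not hold the key
        ftype, payload, counter = struct.unpack(">BBI", body)
        if counter <= self.last_counter:
            return False                      # replayed frame
        self.last_counter = counter
        self.host_events.append((ftype, payload))
        return True
```
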

Bastille has compiled a full list of vendors affected by MouseJack, and a white paper.


Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...

Comments
Joe Stanganelli,
User Rank: Ninja
2/25/2016 | 12:55:32 AM
Thought experiment
I'm curious to see when/if there will be a response by states with strong privacy system/data protection laws like Massachusetts amending their regulations to govern behavior not just of companies that actively store resident PII but also vendors that substantially participate in their respective jurisdictions.

Such regulation could have huge ramifications.  The problem, however, is that it would be difficult to enforce without the guidance in crafting the regulations by top InfoSec and data-protection experts.

And, unfortunately, few InfoSec people are also lawyers -- and lawyers are usually the ones drafting these things.
Dr.T,
User Rank: Ninja
2/24/2016 | 2:24:19 PM
Encryption is not optional
As the article mentioned, the main issue is unencrypted communication; the solution is easy: encrypt it. There should not be any unencrypted communication between two devices in this world.
Dr.T,
User Rank: Ninja
2/24/2016 | 2:23:47 PM
Re: Unencrypted
Additional cost and performance is my guess. There is always cost of decryption when you do encryption.
Dr.T,
User Rank: Ninja
2/24/2016 | 2:22:04 PM
Re: Unencrypted
One thing I could guess: old legacy devices would not be able to talk to the new devices if they utilize a new encryption.
Dr.T,
User Rank: Ninja
2/24/2016 | 2:19:26 PM
Vulnerability vs. attacks
 

We may be taking things too far from time to time. Not all vulnerabilities will be exploited easily. It would be perfect if we did not have a vulnerability, but not all vulnerabilities will result in attacks.
Kelly Jackson Higgins,
User Rank: Strategist
2/23/2016 | 3:10:18 PM
Re: Unencrypted
No one knows for sure why they didn't encrypt here--maybe a shortcut, maybe cost, etc.--but it just goes to show that even the benign things like a wireless mouse can be exploited. 
RyanSepe,
User Rank: Ninja
2/23/2016 | 3:05:53 PM
Unencrypted
Is there any justifiable reason as to why any communication/data transmission should be unencrypted nowadays?
Marilyn Cohodas,
User Rank: Strategist
2/23/2016 | 10:10:06 AM
Re: Broken Link
Thanks for letting us know. Link is working now!
dritchie,
User Rank: Strategist
2/23/2016 | 9:46:15 AM
Broken Link
Link to "list of Vendors" is broken (https://www.darkreading.com/admin http://www.mousejack.com).

Trying to use just the www.mousejack.com sends to a Login Page with no ability to register or anything.

 