PCs, Macs, and Linux machines at risk of attack that exploits unencrypted communications between wireless mice and dongles.

The USB dongle used to wage a MouseJack attack. (Photo credit: Bastille)

Billions of PC users are at risk of a newly discovered attack on non-Bluetooth wireless mice and keyboards that spans seven different wireless dongle vendors.

Researchers at Bastille discovered a total of nine vulnerabilities across these devices that allow an attacker to wrest control of the input devices, and ultimately infiltrate the machines and their networks, using a $15 USB dongle within 100 meters of the victim. Dubbed “MouseJack” by Bastille, the attack exploits proprietary wireless protocols that operate in the 2.4GHz ISM band and don’t encrypt communications between a wireless mouse and its dongle.

Logitech, Dell, HP, Lenovo, Microsoft, Gigabyte, and AmazonBasics are the wireless keyboard and mouse manufacturers whose non-Bluetooth wireless devices are affected by the MouseJack flaws. According to Bastille, Apple Macintosh and Linux desktop users with wireless dongles also could be vulnerable to the attack.

“You can buy a $15 dongle off Amazon and with 15 lines of Python code, take over the [non-Bluetooth] dongle. And you can take full control of the system and the user is logged in,” says Chris Rouland, founder, chairman & CTO of Bastille, an Internet of Things security vendor.

Bastille has been coordinating with the US-CERT and vendors for the past three months. But not all vendors will have patches or updates to their wireless dongles, Rouland says. “Some can’t be fixed, so the devices will need to be replaced,” he says.

Logitech, whose so-called Unifying technology was found vulnerable to MouseJack, maintains that the attack would be difficult to pull off, however. “Bastille Security identified the vulnerability in a controlled, experimental environment. The vulnerability would be complex to replicate and would require physical proximity to the target,” said Asif Ahsan, senior director of engineering for Logitech, in a statement. “It is therefore a difficult and unlikely path of attack.”

Even so, Logitech has issued a firmware update to fix the flaw. “We have nonetheless taken Bastille Security’s work seriously and developed a firmware fix. If any of our customers have concerns, and would like to ensure that this potential vulnerability is eliminated, they can download the firmware here. They should also ensure their Logitech Options software is up to date.”

Wireless keyboards and mice communicate via radio frequency with a USB dongle inserted into the computer. The dongle then passes those packets to the computer, which acts on the mouse clicks or keystrokes they carry. While most wireless keyboard makers encrypt traffic between the keyboard and the dongle to prevent spoofing or hijacking of the device, the mice Bastille tested did not encrypt their communications to the wireless dongle that connects them to the machine. As a result, an attacker could spoof a mouse and send his own clicks and inputs to the dongle, generating keystrokes instead of mouse clicks on the victim’s computer and, for example, installing malware, according to Bastille’s findings.

“If an attacker sitting in the lobby of a bank could get the wireless dongles [via MouseJack], all of a sudden you’ve got an APT [advanced persistent threat] inside a bank,” says Marc Newlin, the Bastille engineer who found the flaws that led to MouseJack. An attacker could install a rootkit, for instance, he says.

The underlying issue is that some wireless dongles today accept unencrypted traffic. “The vendors aren’t utilizing the security features in the hardware,” Newlin says.

Bastille has compiled a full list of vendors affected by MouseJack, and a white paper.


About the Author(s)

Kelly Jackson Higgins, Editor-in-Chief, Dark Reading

Kelly Jackson Higgins is the Editor-in-Chief of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise Magazine, Virginia Business magazine, and other major media properties. Jackson Higgins was recently selected as one of the Top 10 Cybersecurity Journalists in the US, and named as one of Folio's 2019 Top Women in Media. She began her career as a sports writer in the Washington, DC metropolitan area, and earned her BA at William & Mary. Follow her on Twitter @kjhiggins.
