Billions of PC users are at risk of a newly discovered attack on non-Bluetooth wireless mice and keyboards that spans seven different wireless dongle vendors.
Researchers at Bastille discovered a total of nine vulnerabilities across these devices that allow an attacker to wrest control of the input devices, and ultimately infiltrate the machines and their networks, using a $15 USB dongle within 100 meters of the victim. Dubbed “MouseJack” by Bastille, the attack exploits proprietary wireless protocols that operate in the 2.4GHz ISM band and don’t encrypt communications between a wireless mouse and its dongle.
Logitech, Dell, HP, Lenovo, Microsoft, Gigabyte, and AmazonBasics are the wireless keyboard and mouse manufacturers whose non-Bluetooth wireless devices are affected by the MouseJack flaws. According to Bastille, Apple Macintosh and Linux desktop users with wireless dongles also could be vulnerable to the attack.
“You can buy a $15 dongle off Amazon and with 15 lines of Python code, take over the [non-Bluetooth] dongle. And you can take full control of the system and the user is logged in,” says Chris Rouland, founder, chairman & CTO of Bastille, an Internet of Things security vendor.
Bastille has been coordinating with the US-CERT and vendors for the past three months. But not all vendors will have patches or updates to their wireless dongles, Rouland says. “Some can’t be fixed, so the devices will need to be replaced,” he says.
Logitech, whose so-called Unifying technology was found vulnerable to MouseJack, maintains that the attack would be difficult to pull off, however. “Bastille Security identified the vulnerability in a controlled, experimental environment. The vulnerability would be complex to replicate and would require physical proximity to the target,” said Asif Ahsan, senior director of engineering for Logitech, in a statement. “It is therefore a difficult and unlikely path of attack.”
Even so, Logitech has issued a firmware update to fix the flaw. “We have nonetheless taken Bastille Security’s work seriously and developed a firmware fix. If any of our customers have concerns, and would like to ensure that this potential vulnerability is eliminated, they can download the firmware here. They should also ensure their Logitech Options software is up to date.”
Wireless keyboards and mice communicate via radio frequency with a USB dongle inserted into the computer, and the dongle passes those packets to the computer, which then registers the mouse clicks or keystrokes. While most wireless keyboard makers encrypt traffic between the keyboard and the dongle to prevent spoofing or hijacking of the device, the mice Bastille tested did not encrypt their communications to the wireless dongle that connects them to the machine. An attacker could therefore spoof a mouse, send his own input to the dongle, generate keystrokes instead of mouse clicks on the victim’s computer, and install malware, for example, according to Bastille’s findings.
“If an attacker sitting in the lobby of a bank could get the wireless dongles [via MouseJack], all of a sudden you’ve got an APT [advanced persistent threat] inside a bank,” says Marc Newlin, the Bastille engineer who found the flaws that led to MouseJack. An attacker could install a rootkit, for instance, he says.
The underlying issue is that some wireless dongles today accept unencrypted traffic. “The vendors aren’t utilizing the security features in the hardware,” Newlin says.
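The acceptance policy described above, sketched as an added example that is not Bastille's or any vendor's code: a dongle that forwards any frame naming a paired device, beside one that checks device type, authentication and replay. The frame layout, device id and key are constructed for illustration, and an HMAC tag stands in for the link encryption the article refers to.

```python
import hashlib
import hmac
from dataclasses import dataclass, replace

# Constructed frame model for illustration; real vendor protocols differ.
@dataclass(frozen=True)
class Frame:
    device_id: int     # paired device the frame claims to come from
    kind: str          # "mouse" or "keyboard"
    counter: int       # must increase with every frame (replay protection)
    payload: bytes
    tag: bytes = b""   # authentication tag; empty means unprotected

def make_tag(key: bytes, f: Frame) -> bytes:
    msg = f"{f.device_id}|{f.kind}|{f.counter}|".encode() + f.payload
    return hmac.new(key, msg, hashlib.sha256).digest()[:8]

class Dongle:
    def __init__(self, paired: dict, hardened: bool):
        self.paired = paired          # device_id -> (kind, pairing key)
        self.hardened = hardened
        self.last_counter = {}

    def accept(self, f: Frame) -> bool:
        if f.device_id not in self.paired:
            return False
        if not self.hardened:
            return True               # weak policy: forwards any frame naming a paired device
        kind, key = self.paired[f.device_id]
        if f.kind != kind:
            return False              # a device paired as a mouse may not send keystrokes
        if not hmac.compare_digest(f.tag, make_tag(key, f)):
            return False              # missing or wrong tag
        if f.counter <= self.last_counter.get(f.device_id, -1):
            return False              # replayed frame
        self.last_counter[f.device_id] = f.counter
        return True

def demo() -> dict:
    key = b"constructed-pairing-key"
    paired = {0x1A2B: ("mouse", key)}
    spoofed = Frame(0x1A2B, "keyboard", 1, b"\x04")   # unprotected keystroke frame
    click = Frame(0x1A2B, "mouse", 1, b"\x01")
    click = replace(click, tag=make_tag(key, click))
    weak, hard = Dongle(paired, False), Dongle(paired, True)
    return {"weak_spoofed": weak.accept(spoofed), "hard_spoofed": hard.accept(spoofed),
            "hard_click": hard.accept(click), "hard_replay": hard.accept(click)}

if __name__ == "__main__":
    print(demo())
```

The weak dongle forwards the unprotected keystroke frame, while the hardened one rejects it and still accepts an authenticated mouse click exactly once.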