Dark Reading is part of the Informa Tech Division of Informa PLC



2/23/2016
09:30 AM

'MouseJack' Attack Bites Non-Bluetooth Wireless Mice

PCs, Macs, and Linux machines at risk of attack that exploits unencrypted communications between wireless mice and dongles.

Billions of PC users are at risk of a newly discovered attack on non-Bluetooth wireless mice and keyboards that spans seven different wireless dongle vendors.

Researchers at Bastille discovered a total of nine vulnerabilities across these devices that allow an attacker to wrest control of the input devices, and ultimately infiltrate the machines and their networks, using a $15 USB dongle within 100 meters of the victim. Dubbed “MouseJack” by Bastille, the attack basically exploits wireless proprietary protocols that operate in the 2.4GHz ISM band and don’t encrypt communications between a wireless mouse and its dongle.

Logitech, Dell, HP, Lenovo, Microsoft, Gigabyte, and AmazonBasics are the wireless keyboard and mouse manufacturers whose non-Bluetooth wireless devices are affected by the MouseJack flaws. According to Bastille, Apple Macintosh and Linux desktop users with wireless dongles also could be vulnerable to the attack.

“You can buy a $15 dongle off Amazon and with 15 lines of Python code, take over the [non-Bluetooth] dongle. And you can take full control of the system and the user is logged in,” says Chris Rouland, founder, chairman & CTO of Bastille, an Internet of Things security vendor.

Bastille has been coordinating with the US-CERT and vendors for the past three months. But not all vendors will have patches or updates to their wireless dongles, Rouland says. “Some can’t be fixed, so the devices will need to be replaced,” he says.

Logitech, whose so-called Unifying technology was found vulnerable to MouseJack, maintains that the attack would be difficult to pull off, however. “Bastille Security identified the vulnerability in a controlled, experimental environment. The vulnerability would be complex to replicate and would require physical proximity to the target,” said Asif Ahsan, senior director of engineering for Logitech, in a statement. “It is therefore a difficult and unlikely path of attack.”

Even so, Logitech has issued a firmware update to fix the flaw. “We have nonetheless taken Bastille Security’s work seriously and developed a firmware fix. If any of our customers have concerns, and would like to ensure that this potential vulnerability is eliminated, they can download the firmware here. They should also ensure their Logitech Options software is up to date.”

Wireless keyboards and mice communicate via radio frequency with a USB dongle inserted into the computer, and the dongle then passes those packets to the computer so that it follows the mouse clicks or keystrokes. While most wireless keyboard makers encrypt traffic between the keyboard and the dongle to prevent spoofing or hijacking of the device, the mice Bastille tested did not encrypt their communications to the wireless dongle that connects them to the machine. An attacker could therefore spoof a mouse, send his own clicks and inputs to the dongle, generate keystrokes instead of mouse clicks on the victim’s computer, and install malware, for example, according to Bastille’s findings.

“If an attacker sitting in the lobby of a bank could get the wireless dongles [via MouseJack], all of a sudden you’ve got an APT [advanced persistent threat] inside a bank,” says Marc Newlin, the Bastille engineer who found the flaws that led to MouseJack. An attacker could install a rootkit, for instance, he says.

The underlying issue is that some wireless dongles today accept unencrypted traffic. “The vendors aren’t utilizing the security features in the hardware,” Newlin says.
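The receiver-side difference described above, as an added sketch that is not from Bastille, the vendors, or the original article: a dongle that forwards any frame it hears, next to one that only accepts authenticated frames of the paired device's type. The frame layout, type codes, key, and the HMAC tag (standing in here for the link encryption the article refers to) are all constructed assumptions.

```python
import hashlib
import hmac
import struct

MOUSE, KEYBOARD = 0x01, 0x02      # constructed frame types, not vendor values
HDR = struct.Struct(">BIB")       # type, counter, payload length
TAG_LEN = 8                       # truncated HMAC-SHA256 tag (assumption)


def make_frame(ftype, counter, payload, key=None):
    """Build a constructed frame; with key=None it is sent unauthenticated."""
    body = HDR.pack(ftype, counter, len(payload)) + payload
    if key is None:
        return body
    return body + hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]


def permissive_receive(frame):
    """Behaviour the article describes: forward whatever arrives to the host."""
    ftype, _, length = HDR.unpack_from(frame)
    return ftype, frame[HDR.size:HDR.size + length]


class StrictDongle:
    """Hypothetical hardened receiver bound to one paired device."""

    def __init__(self, key, paired_type):
        self.key, self.paired_type, self.last_counter = key, paired_type, -1

    def receive(self, frame):
        if len(frame) < HDR.size + TAG_LEN:
            return None                          # too short to carry a tag
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        ftype, counter, length = HDR.unpack_from(body)
        if length != len(body) - HDR.size:
            return None                          # malformed length field
        want = hmac.new(self.key, body, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, want):
            return None                          # not from the paired device
        if ftype != self.paired_type:
            return None                          # a mouse pairing never types
        if counter <= self.last_counter:
            return None                          # replayed frame
        self.last_counter = counter
        return ftype, body[HDR.size:]
```

The type check matters independently of the tag: even a correctly keyed frame is dropped when a device paired as a mouse sends keyboard input.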

Bastille has compiled a full list of vendors affected by MouseJack, and a white paper.


Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...

Comments
Joe Stanganelli,
User Rank: Ninja
2/25/2016 | 12:55:32 AM
Thought experiment
I'm curious to see when/if there will be a response by states with strong privacy system/data protection laws like Massachusetts amending their regulations to govern behavior not just of companies that actively store resident PII but also vendors that substantially participate in their respective jurisdictions.

Such regulation could have huge ramifications.  The problem, however, is that it would be difficult to enforce without the guidance in crafting the regulations by top InfoSec and data-protection experts.

And, unfortunately, few InfoSec people are also lawyers -- and lawyers are usually the ones drafting these things.
Dr.T,
User Rank: Ninja
2/24/2016 | 2:24:19 PM
Encryption is not optional
As the article mentioned, the main issue is unencrypted communication; the solution is easy: encrypt it. There should not be any unencrypted communication between two devices in this world.
Dr.T,
User Rank: Ninja
2/24/2016 | 2:23:47 PM
Re: Unencrypted
Additional cost and performance is my guess. There is always cost of decryption when you do encryption.
Dr.T,
User Rank: Ninja
2/24/2016 | 2:22:04 PM
Re: Unencrypted
One thing I could guess: old legacy devices would not be able to talk to the new devices if they utilize a new encryption.
Dr.T,
User Rank: Ninja
2/24/2016 | 2:19:26 PM
Vulnerability vs. attacks
We may be taking things too far from time to time. Not all vulnerabilities will be exploited easily. It would be perfect if we did not have a vulnerability, but not all vulnerabilities will result in attacks.
Kelly Jackson Higgins,
User Rank: Strategist
2/23/2016 | 3:10:18 PM
Re: Unencrypted
No one knows for sure why they didn't encrypt here--maybe a shortcut, maybe cost, etc.--but it just goes to show that even the benign things like a wireless mouse can be exploited. 
RyanSepe,
User Rank: Ninja
2/23/2016 | 3:05:53 PM
Unencrypted
Is there any justifiable reason as to why any communication/data transmission should be unencrypted nowadays?
Marilyn Cohodas,
User Rank: Strategist
2/23/2016 | 10:10:06 AM
Re: Broken Link
Thanks for letting us know. Link is working now!
dritchie,
User Rank: Strategist
2/23/2016 | 9:46:15 AM
Broken Link
Link to "list of Vendors" is broken (https://www.darkreading.com/admin http://www.mousejack.com).

Trying to use just the www.mousejack.com sends to a Login Page with no ability to register or anything.

 