Countless wireless mice and keyboards can be hacked from 100 yards away leaving their host machines and the networks they are attached to open to malware, Bastille has discovered.
The problem, which is being called MouseJack, affects Amazon, Dell, Gigabyte, HP, Lenovo, Logitech and Microsoft products, the company says, and likely more vendors’ gear that they haven’t tested. Logitech alone shipped its billionth mouse in 2008, so the problem is widespread.
Some of the companies are issuing patches and workarounds or promising to. Others didn’t respond to requests sent last week for comment.
CERT-CC at Carnegie Mellon University issued an advisory about the vulnerability today.
The weakness lies in the protocols used between the devices and the USB wireless receivers attached to host computers, says Mark Newlin, the Bastille researcher who discovered the problem. They are unencrypted, leaving the devices susceptible to keystroke injection attacks.
That can be done from a remote computer equipped with an off-the-shelf USB wireless dongle sending keystrokes, he says. He says it took between days and weeks to reverse-engineer the protocols himself so he could send the keystrokes.
The remote machine can be 100 yards away as long as it has direct line-of-sight with the target. That distance could be increased considerably by adding an auxiliary antenna, he says. Users of the machines would have to be away from them and logged in for the attack to work. If they were there they’d see the attack strokes being entered.
He says he carried out successful MouseJack attacks with the victim machine separated from the attacking machine by walls and windows.
Attackers could write scripts that fire off malware to be uploaded to the target that allows any number of further attacks, Newlin says, or to access resources the user’s login authorizes.
These devices use chips made by Nordic Semiconductor, some that support encryption and some that don’t. Newlin says those that do can be patched to implement the encryption. The others would have to be removed from the host machine when the keyboard and mouse are not in use and the machine is turned on and unattended.
In response to an email about the vulnerability Microsoft sent this statement via its PR firm: “Microsoft has a customer commitment to investigate reported security issues, and will proactively update impacted devices as soon as possible.”
Logitech called the vulnerability “a difficult and unlikely path of attack,” but also issued a patch for it. “To our knowledge, we have never been contacted by any consumer with such an issue,” says Asif Ahsan, senior director of engineering for the company.
A spokesperson for Dell says in an email that Dell Technical Support will work with customers to see whether they own affected products, which are KM632 and KM714 mouse/keyboard packages. There’s a patch for KM714. The other package supports Dell Universal Pairing that can associate the USB wireless receiver with a specific mouse and keyboard.
Dell notes that if customers use a password on their login screens and don’t walk away from their computers while logged in, the attack won’t work unless the attacker can break the password.
The other vendors had not responded by this morning to requests last week for comment.
Bastille makes radio-frequency sensors that scan traffic from 50MHz to 6GHz to identify devices that are within a corporation’s “airspace” so security pros can be on alert for any attacks they might initiate. The company’s founder and CEO Chris Rouland says an employee’s phone, for example, could be infected with malware that could potentially damage the corporate network. For example, it could seek out Bluetooth connections to networked devices and attempt to connect to the network that way to carry out theft or to damage the network itself.