Flaw Could Let Hackers Hijack Wireless Keyboards and Mice
A major new vulnerability discovered today could put millions of systems using wireless keyboards and mice at risk. The flaw, dubbed "MouseJack," lets a hacker type arbitrary commands into a victim’s computer from up to 100 meters (328 feet) away using only a $15 USB dongle.
First, the good news: the vulnerability does not affect Bluetooth devices, which represent some of the most popular wireless devices. Now the bad: almost every other wireless keyboard and mouse is vulnerable, according to Bastille, the digital security company that discovered MouseJack. That includes wireless devices made by Microsoft, Logitech, Lenovo, HP, and Dell.
Millions of Systems at Risk
MouseJack (pictured, upper left) leaves potentially millions of systems at risk, according to Bastille. An attacker could exploit the vulnerability to take control of the target computer without being in front of it physically and type arbitrary text or send scripted commands.
“Wireless mice and keyboards commonly communicate using proprietary protocols operating in the 2.4 GHz ISM band,” the company said in white paper on the vulnerability. “In contrast to Bluetooth, there is no industry standard to follow, leaving each vendor to implement their own security scheme.”
To prevent eavesdropping, most vendors encrypt the data being transmitted by wireless keyboards. The dongle knows the encryption key being used by the keyboard, so it's able to decrypt the data and see what key was pressed. Without knowing the encryption key, an attacker is unable to decrypt the data and can't see what's being typed.
However, none of makers of the devices Bastille tested encrypted their wireless communications with the dongles connected to the computers. That lack of an authentication mechanism means the dongle is unable to distinguish between commands issued by the user and those issued by a malicious hacker.
Easy To Do
And it's pretty easy for a hacker to gain control of a user's computer this way. For example, one cheap tool a hacker could use to hijack a system is an Arduino unit equipped with an nRF24L transceiver. The Crazyradio PA (pictured, lower right) used to control the open source drone Crazyfile can also be used.
Once an attacker identifies a target by using his own USB dongle to sniff for RF packets, he can force the victim's machine to pair itself with the attacker’s keyboard or mouse by generating a forced pairing request.
At that point, the hacker is free to transmit any keypress packets he chooses, including viruses or rootkits. MouseJack also lets the hacker transfer files off the victim’s computer or execute any other actions permitted by a mouse or keyboard.
The vulnerable devices use one of two different nRF24L chips: one-time programmable, and flash memory, according to Bastille. In the case of the flash memory users can protect themselves by updating their devices with patched firmware issued by the device makers. "For non-undateable devices, which represent the majority of those tested, there is no mechanism to secure a vulnerable device short of unplugging the USB dongle from the computer," the company said.
Image Credit: Images of MouseJack NES Controller and Crazyradio PA USB Dongle via Bastille.