Optional Windows Update Aims To Halt Wireless Mouse Hijacking 25
Reader itwbennett writes: An optional Windows patch released Tuesday protects against an attack, dubbed MouseJack that affects wireless mice and keyboards from many manufacturers, including Microsoft and allows attackers to spoof a wireless mouse from up to 100 meters away and send rogue keystrokes instead of clicks to a computer. According to a Microsoft security advisory, the devices affected by this attack are: Sculpt Ergonomic mouse, Sculpt Mobile Mouse, Wireless Mobile Mouse 3000 v2.0, Wireless Mobile Mouse 3500, Wireless Mobile Mouse 4000, Wireless Mouse 1000, Wireless Mouse 2000, Wireless Mouse 5000 and Arc Touch Mouse. But Marc Newlin, one of the researchers who developed the attack said on Twitter that the patch doesn't go far enough and 'injection still works against MS Sculpt Ergonomic Mouse and non-MS mice.'
What about stealing keys and mouse motions? (Score:2)
Re: (Score:2)
Yes, this has been possible for years.
Many agencies use it to capture password before an arrest. It is also one reason I never understood the need for keyloggers. If you know where the system is you can simple be in the same area and pick up the keystrokes. So a small receiver that logs them could be placed in the bushes, outside the window of your office, or in a close flower bed disguised as a rock. Quietly sitting there collecting all your key strokes.
It can be done with the simple wireless keyboard or w
Nope, not encrypted (Score:2)
Encryption breaks this attack. Evidently many of the wireless peripheral manufacturers use the same chipset (RTFA). The chipset will support encryption but the device manufacturers have to write their own drivers to implement the encryption. Most have chosen not to.
Bluetooth peripherals encrypt by default but unless you are using a tablet it is damn near impossible to buy a Bluetooth keyboard and mouse. Logitech made the excellent MX 5500 Revolution set (I have two) but discontinued them a few years ago.
Re: (Score:2)
Generally, you can buy a Bluetooth keyboard, but it generally meant for Macs.
I just don't get why vendors just standardize on Bluetooth. Even the cheap PCs now have it built in, it has time tested facilities for pairing and encryption, and is able to work better for saving battery.
As for finding them, they do exist, but are not cheap. I bought a "MS Sculpt Comfort" mouse which uses Bluetooth, and it works without issue, using encryption by default. It may not be a gaming set, but it is better than nothin
Re: (Score:2)
Thanks for the tip on the mouse. Now if I could find a full-size Bluetooth keyboard. all I can find seem to be chicklet style meant for a tablet or Mac.
TFA devoid of detail (Score:3)
From what I can gather without any real detail in the rather useless article Microsoft are looking for timing discrepancies to try to detect this attack. Normally packets come in at regular intervals, so if one comes outside the regularly expected window it is considered malicious. There must be some clever filtering because the clock on the keyboard/mouse will drift in relation to the computer etc.
This could be overcome by simply replicating the timing of the keyboard/mouse. They don't transmit constantly to save battery power, only when a key is pressed or the mouse is moved.
Anyone know if Bluetooth keyboards are vulnerable?
Re: (Score:1)
The security advisory says that the update filters out QWERTY packets received from the mouse. My take is that it just prevents keystrokes from being input through the mouse interface.
It still doesn't mean that the interface is secure; it just has one fewer holes than it had before. If you want security, don't use wireless devices.
Re:TFA devoid of detail (Score:4, Informative)
It's based on a hack to get additional keyboards and mice paired with your computer. It's because there are flaws in the way Logitech, Microsoft and many other wireless products add devices to their receivers and synchronize them. So Microsoft's patch, which is only for their products because they don't know how Logitech's or others work, is to basically examining the timing of the packets to make sure the vulnerability isn't being exploited.
It's a device-add attack - the attacker is trying to add their keyboard and mouse to your computer remotely so they can control it. That's what the driver is looking for.
Bluetooth keyboards may be vulnerable too, depending on how they do their pairing. But in general it's a lot less problematic because a Bluetooth keyboard requires OS support to pair and OS drivers to handle the input. The non-Bluetooth wireless devices use the dongle to emulate a standard HID device and do all their pairing internally.
This is why you can use those keyboards during boot or with multiple OSes, whereas Bluetooth ones can't be used during boot (except for say, Macs) and if you dual/triple/etc boot, you have to re-pair the keyboard all the itme.
No, the hack is to add keyboards and mice to your PC. Wireless communications for keyboard sand mice are generally encrypted (including Bluetooth) to prevent capturing of keystrokes and mouse movements
Once the attacker has added their keyboard and mouse to your PC, they can then do anything - install malware, etc to then get your passwords and information, or to get access to your PC remotely.
Re: (Score:2)
Thanks, that's informative.
However... (Score:1)
...In the other news, the update might be riddled with the umpteenth GWX :-)
Re: (Score:2)
...In the other news, the update might be riddled with the umpteenth GWX :-)
Run GWX Control Panel in monitor mode...
http://ultimateoutsider.com/downloads/ [ultimateoutsider.com]
Just what I needed... (Score:2)
Let me get this straight... (Score:2)
Do I have this right?
The update that downloads and installs Windows 10 over your existing Windows system is turned on by default.
The update that protects your system from a vulnerability is optional.
Microsoft never was a very "customer centric" company.
Re: (Score:2)
Optional because you only need it if you are running one of the affected wireless products. or do you routinely install updates for devices you don't have connected to your computer.
Yeah, the automatically install Windows 10 thing has been debunked numerous times. The update has to approved by the user. Granted the download will occur if you have automatic updates installed and that can be an issue for users on metered connections.
Re: (Score:2)
Yeah, the automatically install Windows 10 thing has been debunked numerous times.
Refuted is not the same as debunked.
The update has to approved by the user.
No, it doesn't. One of my customers got bitten by this just two weeks ago. Automatic updates were off, and Windows 10 installed itself over Windows 7 automatically. The update completely destroyed his Windows 7 installation, and Windows 10 wouldn't even boot, so he had me install Kubuntu on his machine.
Re: (Score:2)
Can't prove it but I would be willing to bet that your use inadvertently approved the Win10 install.
Agree that Microsoft makes this too easy and shouldn't download and install anything like an O/S upgrade/downgrade unless an administrative user specifically requests and authorizes it, your user wasn't running with admin rights and UAC off, RIGHT?
Re: (Score:2)
I'm running with UAC off admin rights.. the pop up keeps telling me how great the upgrade is, but I keep declining.
I have loaded it up in a VM since it was bugging me there too, but I had to specifically say "sure, let's rock."
use Windows' boot process (Score:2)
If you're going to leave Windows on the box, use ITS boot menu to dual boot.
I have a test laptop with 4 boot targets for the Windows boot process: Recovery, Windows 7, OpenBSD, and GRUB (which can, of course, also boot Windows). OpenBSD put its boot loader at the start of its partition, as did GRUB. With Cygwin installed on Windows (or booting from a "Live" of some sort, copy those boot blocks to files in Windows' C:\, and reference them in the Boot Configuration Data. OpenBSD's FAQ has a very nice tutor
Mine didn't update (Score:2)