Wireless keyboards and mice are the latest peripherals to put enterprise networks and user data at risk.
Researchers at Bastille Networks today said that non-Bluetooth devices from seven manufacturers including Logitech, Dell and Lenovo are vulnerable to so-called Mousejack attacks that would allow a hacker within 100 meters to abuse this attack vector and install malware or use that machine as a pivot point onto the network.
Logitech said that it has developed a firmware update, which is available for download. It is the only one among the affected vendors to respond so far with a patch.
“Logitech’s Unifying technology was launched in 2007 and has been used by millions of our consumers since. To our knowledge, we have never been contacted by any consumer with such an issue,” said Asif Ahsan, Senior Director, Engineering, Logitech. “We have nonetheless taken Bastille Security’s work seriously and developed a firmware fix. If any of our customers have concerns, and would like to ensure that this potential vulnerability is eliminated. … They should also ensure their Logitech Options software is up to date.”
The issue lies in the wireless USB dongles that the keyboards and mice use to communicate over radio frequencies with the host computer. Bastille says that while communication from most keyboards to the dongle is encrypted, none of the mice it tested encrypt their wireless communication. The dongle, therefore, will accept commands from an attacker in close physical proximity the same way it would from the user.
The attacker can, therefore, transmit malicious packets that generate keystrokes rather than mouse clicks, so long as the victim’s computer is turned on, Bastille said.
“Depending on the speed of the attack and how closely the victim is paying attention, it can happen pretty quickly,” said researcher Marc Newlin, who said that an attack could simulate 1,000 words-per-minute typing and install a rootkit in 10 seconds, or eight milliseconds-per-keystroke.
Bastille founder Chris Rouland said that an attacker could exploit the vulnerability with a $15 USB dongle and 15 lines of Python code against any Windows, Mac or Linux machine and gain full control.
“At this point, they can inject malware, or compromise an air-gapped network by turning on Wi-Fi on the target,” Rouland said. “We have been working with the vendors for more than 90 days. More than half of the mice are not able to be updated and will not be patched. And likely won’t be replaced. There will be vulnerable devices everywhere.”
Attackers can inject keystrokes by spoofing either a mouse or keyboard; vulnerable dongles, for example, will not verify that the packet received matches the device that transmitted it. An attacker can impersonate the mouse but transmit keypress-packets, Bastille said, that will be accepted by the dongle. Most of the keyboards, meanwhile, encrypt data before sending it to the dongle over RF, but Bastille said that not all of the dongles it tested require encryption. The attacker can spoof the keyboard and send unencrypted packets to the dongle that allow the attacker to type commands on the host computer.
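A small model of the two dongle-side checks described above, as an added example that is not Bastille's or any vendor's code: the frame fields, addresses and policy names are constructed for illustration and do not reflect any real RF protocol or firmware.

```python
from dataclasses import dataclass

MOUSE, KEYBOARD = "mouse", "keyboard"
MOVE, KEYPRESS = "move", "keypress"

# Frame kinds each device class may legitimately send (constructed model).
ALLOWED_KINDS = {MOUSE: {MOVE}, KEYBOARD: {KEYPRESS}}

@dataclass(frozen=True)
class Frame:
    src: str         # RF address the frame claims to come from
    kind: str        # MOVE or KEYPRESS
    encrypted: bool  # True if the payload decrypted under the pairing key

def reject_reason(paired, frame, strict):
    """Return None if the dongle forwards the frame to the host, else why not."""
    device = paired.get(frame.src)
    if device is None:
        return "address not paired"
    if not strict:
        return None  # weak policy: a paired address is all that is checked
    if frame.kind not in ALLOWED_KINDS[device]:
        return f"{frame.kind} frame from a {device} address"
    if frame.kind == KEYPRESS and not frame.encrypted:
        return "unencrypted keypress"
    return None

def compare(paired, frames):
    """Evaluate each frame under both policies: (frame, weak, strict)."""
    return [(f, reject_reason(paired, f, False), reject_reason(paired, f, True))
            for f in frames]

# Constructed sample data: addresses and frames are illustrative only.
PAIRED = {"AA:01": MOUSE, "AA:02": KEYBOARD}
FRAMES = [
    Frame("AA:01", MOVE, False),      # normal mouse traffic (unencrypted)
    Frame("AA:01", KEYPRESS, False),  # keypress claiming the mouse address
    Frame("AA:02", KEYPRESS, False),  # plaintext keypress, keyboard address
    Frame("AA:02", KEYPRESS, True),   # normal encrypted keyboard traffic
    Frame("BB:09", MOVE, False),      # unpaired address
]

if __name__ == "__main__":
    for frame, weak, strict in compare(PAIRED, FRAMES):
        print(frame, "| weak:", weak or "ACCEPT", "| strict:", strict or "ACCEPT")
```

Under the weak policy the second and third frames reach the host as keystrokes; the strict policy rejects both while leaving normal mouse and keyboard traffic untouched.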
Bastille said that an attacker could also force a new device to pair with an old dongle for the same type of access.
“An attacker doesn’t need to know any information about the target victim outside of the OS running,” Newlin said. “It’s straightforward to use the dongle and Python code to discover devices and learn whether they’re vulnerable.”
Rouland said that nation-state attackers, for example, could use this attack vector to get on a network and pivot.
“This could have a huge impact at scale,” Rouland said. “You could get into any corporation this way, no matter which machine. And there’s no way to detect these attacks.”
Two weeks ago at the Kaspersky Lab Security Analyst Summit, Rouland gave a presentation about vulnerabilities in the wireless spectrum and how the Internet of Things provides attackers with a spectrum of attack vectors three times as large as traditional attacks.