Mousejack Attacks Abuse Vulnerable Wireless Keyboard, Mouse Dongles

Bastille Networks today disclosed the Mousejack attacks, vulnerabilities in wireless keyboards and mice that can be abused to inject keystrokes or mouseclicks onto computers.

Wireless keyboards and mice are the latest peripherals to put enterprise networks and user data at risk.

Researchers at Bastille Networks today said that non-Bluetooth devices from seven manufacturers including Logitech, Dell and Lenovo are vulnerable to so-called Mousejack attacks that would allow a hacker within 100 meters to abuse this attack vector and install malware or use that machine as pivot point onto the network.

Logitech said that it has developed a firmware update, which is available for download. It is the only one among the affected vendors to respond so for with a patch.

“Logitech’s Unifying technology was launched in 2007 and has been used by millions of our consumers since. To our knowledge, we have never been contacted by any consumer with such an issue,” Asif Ahsan, Senior Director, Engineering, Logitech. “We have nonetheless taken Bastille Security’s work seriously and developed a firmware fix. If any of our customers have concerns, and would like to ensure that this potential vulnerability is eliminated. … They should also ensure their Logitech Options software is up to date.”

The issue lies in the wireless USB dongles that the keyboards and mice use to communicate over radio frequencies with the host computer. Bastille says that while communication from most keyboards to the dongle is encrypted, none of the mice it tested encrypt their wireless communication. The dongle, therefore, will accept commands from an attacker in close physical proximity the same way it would from the user.

The attacker can, therefore, transmit malicious packets that generate keystrokes rather than mouse clicks, so long as the victim’s computer is turned on, Bastille said.

“Depending on the speed of the attack and how closely the victim is paying attention, it can happen pretty quickly,” said researcher Marc Newlin, who said that an attack could simulate 1,000 words-per-minute typing and install a rootkit in 10 seconds, or eight milliseconds-per-keystroke.

Bastille founder Chris Rouland said that an attacker could exploit the vulnerability with a $15 USB dongle and 15 lines of Python code against any Windows, Mac or Linux machine and gain full control.

“At this point, they can inject malware, or compromise an air-gapped network by turning on Wi-Fi on the target,” Rouland said. “We have been working with the vendors for more than 90 days. More than half of the mice are not able to be updated and will not be patched. And likely won’t be replaced. There will be vulnerable devices everywhere.”

Attackers can inject keystrokes by spoofing either a mouse or keyboard; vulnerable dongles, for example, will not verify that the packet received matches the device that transmitted it. An attacker can impersonate the mouse but transmit keypress-packets, Bastille said, that will be accepted by the dongle. Most of the keyboards, meanwhile, encrypt data before sending it to the dongle over RF, but Bastille said that not all of the dongles it tested require encryption. The attacker can spoof the keyboard and send unencrypted packets to the dongle that allow the attacker to type commands on the host computer.

Bastille said that an attacker could also force a new device to pair with an old dongle for the same type of access.

“An attacker doesn’t need to know any information about the target victim outside of the OS running,” Newlin said. “It’s straightforward to use the dongle and python code to discover devices and learn whether they’re vulnerable.”

Rouland said that nation-state attackers, for example, could use this attack vector to get on a network and pivot.

“This could have a huge impact at scale,” Rouland said. “You could get into any corporation this way, no matter which machine. And there’s no way to detect these attacks.”

Two weeks ago at the Kaspersky Lab Security Analyst Summit, Rouland gave a presentation about vulnerabilities in the wireless spectrum and how the Internet of Things provides attackers with a spectrum of attack vectors three times as large as traditional attacks.

Suggested articles

IoT’s Day of Reckoning on the Horizon

Chris Rouland, an expert when it comes to the security of the internet of things, stressed the modern-day equivalent of the Melissa worm could be imminent.

Discussion

  • Stefan Holmes on

    Firmware updating my Logitech wireless trackball M570 doesn't actually work. Downloaded latest Unifying software, yet it completely fails to show the firmware version. I would have thought such a relatively 'modern' device would have been included in the mentioned firmware update.
  • Brad on

    Unfortunately, while logitech says they've developed an update, it doesn't seem to be actually downloadable. Both my Mac and PC's Unify software says I have the vulnerable version and that they are up to date.
  • TheX on

    To admins: it is not possible to post from Safari, Firefox, Chrome or Opera on Mac (latest versions). The captcha hides the reply and other information. When selecting text in this reply form, Command C to copy unselects it. Frustrating! In relation to the article... Nothing like physical wired connections, whenever possible.
  • Martin on

    The updated firmware, and instructions for installing it, are at https://forums.logitech.com/t5/Mice-and-Pointing-Devices/Logitech-Response-to-Unifying-Receiver-Research-Findings/m-p/1493878 Also, admins, I couldn't post from IE or Chrome on Windows for same reason TheX mentioned. I had to make the captcha box invisible using a web debugger in order to expose the POST COMMENT button.
  • Jeff on

    wow, thanks logitech for writing your unifying software for both mac and pc but only write your firmware updates for pc/windows...
    • Anonymous on

      and how do I update my firmware as a linux user ...
      • John on

        Have Youtried Virtualbox ?
  • CP on

    How does one contact Logitech? Looking at their website, there is no way to send them an email. It's hypocritical to then say that they didn't get reports from consumers.
  • Anonymous on

    A likely very large percentage of consumers would have no idea this is how they were attacked so why would they contact Logitech?
  • Scott on

    The Logitech email support page. https://support.logitech.com/en_us/contact-support
  • Scott on

    All traces of the supposed update on the Logitech website have vanished. The link above now takes you to the Logitech Forum splash page.
    • Spargel on

      You can still access the post through wayback machine: https://web.archive.org/web/20160305225833/https://forums.logitech.com/t5/Mice-and-Pointing-Devices/Logitech-Response-to-Unifying-Receiver-Research-Findings/m-p/1493878?nobounce
07/18/18 5:55
LabCorp investigates a potential #databreach that could affect millions: https://t.co/SiurmhxV71

Subscribe to our newsletter, Threatpost Today!

Get the latest breaking news delivered daily to your inbox.