Wireless keyboards and mice are the latest peripherals to put enterprise networks and user data at risk.

Researchers at Bastille Networks today said that non-Bluetooth devices from seven manufacturers including Logitech, Dell and Lenovo are vulnerable to so-called Mousejack attacks that would allow a hacker within 100 meters to abuse this attack vector and install malware or use that machine as a pivot point onto the network.

Logitech said that it has developed a firmware update, which is available for download. It is the only one among the affected vendors to respond so far with a patch.

“Logitech’s Unifying technology was launched in 2007 and has been used by millions of our consumers since. To our knowledge, we have never been contacted by any consumer with such an issue,” said Asif Ahsan, Senior Director, Engineering, Logitech. “We have nonetheless taken Bastille Security’s work seriously and developed a firmware fix. If any of our customers have concerns, and would like to ensure that this potential vulnerability is eliminated. … They should also ensure their Logitech Options software is up to date.”

The issue lies in the wireless USB dongles that the keyboards and mice use to communicate over radio frequencies with the host computer. Bastille says that while communication from most keyboards to the dongle is encrypted, none of the mice it tested encrypt their wireless communication. The dongle, therefore, will accept commands from an attacker in close physical proximity the same way it would from the user.

The attacker can, therefore, transmit malicious packets that generate keystrokes rather than mouse clicks, so long as the victim’s computer is turned on, Bastille said.

“Depending on the speed of the attack and how closely the victim is paying attention, it can happen pretty quickly,” said researcher Marc Newlin, who said that an attack could simulate 1,000 words-per-minute typing and install a rootkit in 10 seconds, or eight milliseconds-per-keystroke.

Bastille founder Chris Rouland said that an attacker could exploit the vulnerability with a $15 USB dongle and 15 lines of Python code against any Windows, Mac or Linux machine and gain full control.

“At this point, they can inject malware, or compromise an air-gapped network by turning on Wi-Fi on the target,” Rouland said. “We have been working with the vendors for more than 90 days. More than half of the mice are not able to be updated and will not be patched. And likely won’t be replaced. There will be vulnerable devices everywhere.”

Attackers can inject keystrokes by spoofing either a mouse or keyboard; vulnerable dongles, for example, will not verify that the packet received matches the device that transmitted it. An attacker can impersonate the mouse but transmit keypress-packets, Bastille said, that will be accepted by the dongle. Most of the keyboards, meanwhile, encrypt data before sending it to the dongle over RF, but Bastille said that not all of the dongles it tested require encryption. The attacker can spoof the keyboard and send unencrypted packets to the dongle that allow the attacker to type commands on the host computer.
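The two missing checks described above can be shown as a small receive-path model. This is an added example, not Bastille's or any vendor's code; the types, field names and addresses are hypothetical, and the `encrypted` flag stands in for a frame that was decrypted and authenticated with the pairing key.

```c
/* Added illustration: simplified model of a dongle's receive-path policy.
 * All types, fields and addresses are hypothetical, not vendor firmware. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum dev_type   { DEV_MOUSE, DEV_KEYBOARD };
enum frame_type { FRAME_MOUSE_MOVE, FRAME_KEYPRESS };
struct paired_dev { uint32_t addr; enum dev_type type; };
/* "encrypted" stands for: decrypted and authenticated with the pairing key. */
struct frame { uint32_t src_addr; enum frame_type type; bool encrypted; };

/* Constructed pairing table: one mouse, one keyboard. */
static const struct paired_dev PAIRED[] = { {0xA1, DEV_MOUSE}, {0xB2, DEV_KEYBOARD} };
#define N_PAIRED (sizeof PAIRED / sizeof PAIRED[0])

static const struct paired_dev *find_dev(uint32_t addr)
{
    for (size_t i = 0; i < N_PAIRED; i++)
        if (PAIRED[i].addr == addr)
            return &PAIRED[i];
    return NULL;
}

/* Behaviour described in the article: any frame from a paired address passes. */
bool accept_permissive(const struct frame *f)
{
    return find_dev(f->src_addr) != NULL;
}

/* Stricter policy: frame type must match the paired device, keystrokes must be encrypted. */
bool accept_strict(const struct frame *f)
{
    const struct paired_dev *d = find_dev(f->src_addr);
    if (d == NULL)
        return false;
    if ((f->type == FRAME_KEYPRESS) != (d->type == DEV_KEYBOARD))
        return false;   /* e.g. keypress frame arriving on the mouse address */
    if (f->type == FRAME_KEYPRESS && !f->encrypted)
        return false;   /* plaintext keystroke on the keyboard address */
    return true;
}

int main(void)
{
    struct frame spoofed = { 0xA1, FRAME_KEYPRESS, false };  /* constructed */
    printf("permissive=%d strict=%d\n", accept_permissive(&spoofed), accept_strict(&spoofed));
    return 0;
}
```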

Bastille said that an attacker could also force a new device to pair with an old dongle for the same type of access.

“An attacker doesn’t need to know any information about the target victim outside of the OS running,” Newlin said. “It’s straightforward to use the dongle and Python code to discover devices and learn whether they’re vulnerable.”

Rouland said that nation-state attackers, for example, could use this attack vector to get on a network and pivot.

“This could have a huge impact at scale,” Rouland said. “You could get into any corporation this way, no matter which machine. And there’s no way to detect these attacks.”

Two weeks ago at the Kaspersky Lab Security Analyst Summit, Rouland gave a presentation about vulnerabilities in the wireless spectrum and how the Internet of Things provides attackers with a spectrum of attack vectors three times as large as traditional attacks.


Comments (12)

  1. Stefan Holmes

    Firmware updating my Logitech wireless trackball M570 doesn’t actually work. Downloaded latest Unifying software, yet it completely fails to show the firmware version.

    I would have thought such a relatively ‘modern’ device would have been included in the mentioned firmware update.

  2. Brad

    Unfortunately, while Logitech says they’ve developed an update, it doesn’t seem to be actually downloadable. Both my Mac and PC’s Unify software says I have the vulnerable version and that they are up to date.

  3. TheX

    To admins: it is not possible to post from Safari, Firefox, Chrome or Opera on Mac (latest versions). The captcha hides the reply and other information. When selecting text in this reply form, Command C to copy unselects it. Frustrating!

    In relation to the article… Nothing like physical wired connections, whenever possible.

  4. Jeff

    Wow, thanks Logitech for writing your Unifying software for both Mac and PC but only writing your firmware updates for PC/Windows…

  5. CP

    How does one contact Logitech? Looking at their website, there is no way to send them an email. It’s hypocritical to then say that they didn’t get reports from consumers.

  6. Anonymous

    A likely very large percentage of consumers would have no idea this is how they were attacked so why would they contact Logitech?

  7. Scott

    All traces of the supposed update on the Logitech website have vanished. The link above now takes you to the Logitech Forum splash page.
