The Mousejack vulnerability raised awareness of the potential risks introduced by a wireless mouse or keyboard to the enterprise. From a relatively short distance, a hacker could send packets to the device that generate keystrokes on the host computer rather than mouse clicks. In short order, attackers could install malware, including dangerous rootkits in a matter of seconds.
Researchers at Bastille who disclosed the original flaw in February today revealed that attacks can now be carried out from as far as 225 meters away—up from 100 meters.
“We did further range testing using the same commodity USB dongles we had done the original testing with. We applied better antennas and were able to increase the range,” said Marc Newlin, an engineer at Bastille who found the Mousejack vulnerability. “We’re at 225 meters now, still using about $50 of equipment you can get on Amazon. We can demonstrate that an attacker with ease can inject keystrokes onto a machine from a considerable distance and not raise suspicion that they would be in the immediate vicinity.”
Bastille founder Chris Rouland, a security industry veteran, told Threatpost the attacks consist of a mere 15 lines of Python code and work against Windows, Linux or Mac OS X.
The issue, as with other connected, embedded devices, is that it’s likely many of these devices cannot or will not be updated. Logitech was the first vendor to provide an update of its USB dongles, but some users reported difficulties with the original update. Microsoft, last week, also pushed out a voluntary update that it says filters out QWERTY key packets in keystroke communication between the USB dongle and wireless mice.
“Most of these devices are not able to update the firmware,” Newlin said, adding that Dell and Lenovo have also updated their firmware, and are selling new devices with updated firmware. “The Microsoft update is a band-aid for those on Windows using these devices. There’s no real mechanism to deal with those devices already on the market.”
Bastille also conducted a survey on its website about Mousejack awareness and remediation. Of the 900 respondents, 75 percent were at least somewhat concerned about Mousejack. Half the respondents said they would either patch or buy a new and safer device, while 30 percent said they would go old school and buy a wired mouse.
The survey also revealed that despite increasing worry over Internet of Things security and vulnerabilities, and enterprises locking down what personal devices can be added to the network, 82 percent of respondents said wireless mice were allowed. One-fifth of the respondents, meanwhile, weren’t concerned about their wireless mice being hacked, and another 16 percent said they’d continue to use a vulnerable wireless mouse.
“My concern is this one-in-seven who said they would just keep using their vulnerable wireless mouse with no intention of doing anything,” said Ivan O’Sullivan, Bastille chief research officer. “We have to move those intentions to action and patch the vulnerability.”
Mousejack has not been publicly exploited, Bastille said, but it does open the door to trouble if hackers are in proximity of a vulnerable device. Attackers can inject keystrokes by spoofing either a mouse or keyboard; vulnerable dongles, for example, will not verify that the packet received matches the device that transmitted it. An attacker can impersonate the mouse but transmit keypress-packets, Bastille said, that will be accepted by the dongle. Most of the keyboards, meanwhile, encrypt data before sending it to the dongle over RF, but Bastille said that not all of the dongles it tested require encryption. The attacker can spoof the keyboard and send unencrypted packets to the dongle that allow the attacker to type commands on the host computer.
“We were intrigued and wanted to quantify potential impact for the vulnerability, and get a sense of whether people were paying attention to their airspace and whether they were thinking about hits area,” O’Sullivan said.