With $15 of equipment and 15 lines of code, hackers could remotely hijack wireless mice and keyboards from up to 328 feet away. Researchers warn there is no way to detect the attack, dubbed MouseJack, which could ultimately lead to full PC and network compromise.
What is MouseJack?
Researchers at IoT firm Bastille call it a “massive vulnerability in wireless mice and keyboards that leaves billions of PCs and millions of networks vulnerable to remote exploitation via radio frequencies.” It is “essentially a door to the host computer,” the MouseJack FAQ explained. The press release warned that it could “potentially lead to devastating breaches.”
The problem is in the protocols, or how the devices and USB wireless dongles talk to each other: the communication is unencrypted. The vulnerabilities, Bastille explained, tend to fall into one of three categories: keystroke injection by spoofing a mouse, keystroke injection by spoofing a keyboard, and forced pairing.
A hacker equipped with a $15 dongle and 15 lines of Python code could pair with and take over the dongle as if it were the user’s wireless mouse, which could then act as if it were the wireless keyboard, allowing an attacker to take full control of the machine and the system where the user is logged in. Even if vulnerable keyboards encrypted their communication, they don’t properly authenticate devices which can talk to them. Rouland told Wired, “It’s like having an expensive deadbolt and leaving it unlocked.”
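The three categories above come down to checks the receiving dongle fails to make. The sketch below is an added, simplified model of those receiver-side checks, not Bastille's code or any vendor's radio protocol; the frame fields, addresses and key are constructed for illustration.

```python
import hashlib
import hmac

KEY = b"constructed-link-key"  # constructed sample key shared at pairing

def tag(key, ftype, payload):
    """MAC over frame type and payload (model only; no replay counter)."""
    return hmac.new(key, ftype.encode() + b"|" + payload, hashlib.sha256).digest()

class Dongle:
    def __init__(self, hardened):
        self.hardened = hardened
        self.pairing_mode = False   # would be set only by a user action
        self.paired = {}            # address -> (device type, link key)

    def receive(self, frame):
        """Return what the host sees: 'key:x', 'move', 'paired', or None if dropped."""
        addr, ftype, payload = frame["addr"], frame["type"], frame["payload"]
        if ftype == "pair":
            if self.hardened and not self.pairing_mode:
                return None         # forced pairing refused
            self.paired[addr] = (payload.decode(), KEY)
            return "paired"
        if addr not in self.paired:
            return None
        dev_type, key = self.paired[addr]
        if ftype == "move":
            return "move"
        if ftype != "key":
            return None
        if self.hardened:
            if dev_type != "keyboard":
                return None         # a mouse address may not send keystrokes
            if not hmac.compare_digest(frame.get("mac", b""), tag(key, ftype, payload)):
                return None         # keystroke without a valid MAC
        return "key:" + payload.decode()

def run(hardened):
    """Feed the same constructed frames to a weak or a hardened dongle."""
    d = Dongle(hardened)
    d.paired = {"M1": ("mouse", KEY), "K1": ("keyboard", KEY)}
    frames = [
        {"addr": "M1", "type": "key", "payload": b"a"},       # keystroke from mouse address
        {"addr": "K1", "type": "key", "payload": b"b"},       # keyboard address, no MAC
        {"addr": "X9", "type": "pair", "payload": b"keyboard"},  # pairing, no user action
        {"addr": "K1", "type": "key", "payload": b"c", "mac": tag(KEY, "key", b"c")},
    ]
    return [d.receive(f) for f in frames]
```

`run(False)` passes every frame through to the host, while `run(True)` drops the first three and accepts only the authenticated keystroke from the paired keyboard.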
If you are thinking, it’s a dongle, leading to a wireless mouse and keyboard…how bad can it possibly be? Do you ever look away or leave your computer unattended for 10 seconds? “A MouseJack compromise can take place in seconds,” warned Bastille. “Don't think of an attacker needing to use your keyboard/mouse for minutes looking through your interesting emails. In around ten seconds, your computer can be altered to allow an attacker to remotely download documents, all your emails, and add or delete programs.”
Although MouseJack has “an effective range of at least 100 meters,” or can be remotely pulled off from about 328 feet away, and “attack scenarios are limitless,” a video put out by Bastille included a few examples of how MouseJack could be used from varying distances between attacker and victim.
One showed how evil Eve could waltz into a business or bank and, within a matter of seconds, remotely take over a computer as if she were “sitting in front of the target’s PC and executing commands from the victim’s mouse and keyboard.” While businessman Bob is distracted and busy on the phone, she could then steal sensitive documents and files.
Another example showed a network admin leaving his PC to refill his coffee cup; unfortunately, he didn’t lock his computer so an attacker didn’t need the password to get in. A hacker on the other side of the building could quickly install a rootkit and would need only “30 seconds to result in a full network compromise.”
Even if a person was using a least-privileged user account, as opposed to an administrator account, Bastille researchers told Wired that an attacker could quickly download malware to take full remote control of the PC. Before you bash Windows, you should know the researchers warned, “The attack is at the keyboard level, therefore PCs, Macs, and Linux machines using wireless dongles can all be victims.”
Since this is wireless, don’t think walls will stop the attack. Heck, don’t think an airgapped PC is safe either if someone plugged in a wireless keyboard dongle. The researchers told Wired, “We can compromise an airgapped network, going in through a different frequency protocol, directly to the USB port.”
The researchers provided a list of affected devices for Windows, OS X and Linux USB dongles which are vulnerable to MouseJack; it includes wireless mice and keyboards from the vendors AmazonBasics, Dell, Gigabyte, HP, Lenovo, Logitech and Microsoft. Those devices use chips made by Nordic Semiconductor. Although Bastille tested a variety of devices, it was impossible to check every model, so you can grab Bastille’s free, open source tools on GitHub to “discover wireless mice and keyboards that may be vulnerable to MouseJack.” In other words, the list will likely grow.
Bastille worked with vendors, but the company told Threatpost that “more than half of the mice are not able to be updated and will not be patched. And likely won’t be replaced. There will be vulnerable devices everywhere.”
Although reportedly believing such an attack would be “unlikely,” Logitech released a patch. Dell will help customers determine if they have affected products, but suggested not walking away from the PC without locking it so an attacker would need the password. “Low” is what Lenovo called the severity of the attack, adding that it would only work from about 10 meters away. So Bastille tested its long-range attack on Lenovo and told Wired the researchers could “inject keystrokes from 180 meters away;” for the metrically-challenged, that's roughly 590 feet away.
“It’s concerning that the mouse interface can be trivially hijacked by attackers and mischief makers,” Tod Beardsley, Principal Security Research Manager at Rapid7, said via email, “but the findings here also indicate that some brands enable backdooring the mouse system to send keystrokes, which is even more troubling. Even in the case where the keyboard controls are sufficiently protected, it is usually fairly easy to pop up an on-screen keyboard. At that point, attackers can type whatever they like on compromised computers.”
What can you do?
The researchers advise unplugging your wireless mouse and dongle until you know it’s safe – or to go old-school with a wired connection, or to use a Bluetooth keyboard and mouse. Otherwise, it has the potential for real pwnage. Bastille told Threatpost that nation-state hackers could use the “attack vector to get on a network and pivot.”
Chris Rouland, CTO of Bastille, suggested, “This vulnerability will be out for 10 years. When was the last time people updated their router’s firmware? I don’t think people even understand that there’s firmware in the dongle connected to their mouse.”
“This could have a huge impact at scale,” Rouland added to Threatpost. “You could get into any corporation this way, no matter which machine. And there’s no way to detect these attacks.”
Bastille has a really nice write-up of the technical details, which delves into the use of Crazyradio and a Nintendo controller that can run their attack software. Expect to hear more after they attend the RSA conference next week.