Published on February 24th, 2016
How Criminals Could Hijack Wireless Mice to Hack Computers from Afar
Wireless computer mice give users the convenience of not having to deal with cumbersome wires and cables. But they might also open the door for malicious hackers to get into their computers, researchers warn.
A flaw in the way several popular models of wireless mice and their corresponding receivers, the sticks or “dongles” that plug into a USB port and transmit data between the mouse and the computer, handle encryption could leave “billions” of computers vulnerable to hackers, security firm Bastille warned on Tuesday.
In short, a hacker standing within 100 yards of the victim’s computer and using a $30 long-range radio dongle and a few lines of code could intercept the radio signal between the victim’s mouse and the dongle plugged into the victim’s computer. Then this hacker could replace the signal with her own, and use her own keyboard to control the victim’s computer.
At that point the hacker could use the victim’s computer just like she was in front of it, with “full control of the keyboard,” Chris Rouland, the founder of Bastille, told us.
“All computers trust their keyboards because humans use keyboards, so taking over a keyboard is kind of like the ultimate hack,” Rouland said.
For Rouland, these vulnerabilities, which affect non-Bluetooth mice produced by Logitech, Dell, Lenovo and other brands, are a harbinger of the near future of the Internet of Things when both companies and regular consumers will have hackable radio-enabled devices in their offices or homes. It’s worth noting that Bastille specializes in Internet of Things (IoT) security, and sells a product for corporations that promises to “detect and mitigate” threats from IoT devices across all the radio spectrum. That obviously means the firm has a vested interest in highlighting ways companies could get hacked.
This attack in particular, which Bastille has branded with the hashtag-friendly word “MouseJack,” builds on previous research done on hacking wireless keyboards. But in this case, the issue is that manufacturers don’t properly encrypt data transmitted between the mouse and the dongle, according to Bastille’s white paper.
But despite Bastille’s claims that this is a “massive” vulnerability, this is not an easy attack to pull off, and it needs to be done on one target at a time, as the hacker needs to be close to the target. The main issue is that the hacker likely needs to be able to see the victim’s screen to be able to successfully hack the victim, according to security researchers who reviewed the research.
“It’s a blind attack,” said Tod Beardsley, the security research manager at Rapid7. That is, he added, unless the attacker is close enough to see the screen.
That’s why, according to Adrian Sanabria, a security analyst at 451 Research, MouseJack actually “isn’t a huge risk.”
It could be “a lot of fun for pranks, maybe, but it would be difficult to practically use this vulnerability,” Sanabria told me. “In specific scenarios, sure, you could mess with someone’s computer, but without the ability to use the keyboard, it would be slow going to get a virtual keyboard up and start to hack the system.”
Moreover, it’s going to be very hard to pull this off while the victim is using the computer, Sanabria added. But Beardsley said that’s possible if the attacker can guess the screen “geometry” and navigate to well-known controls.
Bastille published a list of affected devices, and said it reached out to the manufacturers to alert them of the vulnerabilities last year.
A Logitech spokesperson told us that the company has released new firmware that fixes the vulnerability on its Unifying dongle, which works with several mice. Users who want the fix have to download the firmware and install it themselves.
A Dell spokesperson said that consumers who own the KM714 keyboard and mouse combo can get the Logitech firmware patch through Dell Tech Support. But for users who own the KM632 combo, the company suggests a replacement.
Microsoft simply sent a statement saying the company “has a customer commitment to investigate reported security issues, and will proactively update impacted devices as soon as possible,” but declined to offer any more details.
Lenovo, Amazon, Gigabyte and HP did not respond to a request for comment.
If you’re using a wireless dongle that uses radio frequency, and you are worried hackers could target you, the easiest solution is to physically disconnect the dongle when you’re not using the computer, or get a Bluetooth keyboard and mouse. While those can be hacked too, the exploits against them are much harder to pull off.