MouseJack Flaw Affects Billions of Devices

A massive security risk in wireless mice and keyboard dongles is leaving billions of PCs, Macs and millions of enterprise networks at risk.

Using an attack which Bastille researchers have named “MouseJack,” hackers can remotely hack the mice from within 100 meters away. Once paired, the MouseJack operator can insert keystrokes or malicious code with the full privileges of the PC owner and infiltrate networks to access sensitive data. The attack is at the keyboard level; therefore, PC’s, Macs and Linux machines using wireless dongles can all be victims.

Affected vendors include: Logitech, Dell, HP, Lenovo, Microsoft, Gigabyte, AmazonBasics, but most non-Bluetooth wireless dongles are vulnerable.

“MouseJack poses a huge threat, to individuals and enterprises, as virtually any employee using one of these devices can be compromised by a hacker and used as a portal to gain access into an organization’s network,” said Chris Rouland, founder, CTO, Bastille. “The MouseJack discovery validates our thesis that wireless internet of things (IoT) technology is already being rolled out in enterprises that don’t realize they are using these protocols.”

As protocols are being developed so quickly, they have not been through sufficient security vetting, he added: “The top 10 wearables on the market have already been hacked and we expect millions more commercial and industrial devices are vulnerable to attack as well. MouseJack underscores the need for security across the entire RF spectrum as exploitation of IoT devices via radio frequencies is becoming increasingly popular among the hacker community.”

The MouseJack vulnerability affects a large percentage of wireless mice and keyboards, as these devices are ubiquitous and often found in sensitive environments. While some vendors will be able to offer patches for the MouseJack flaw with a firmware update, many dongles were designed to not be updatable. Consumers will need to check with their vendor to determine if a fix is available or consider replacing their existing mouse with a secure one.

“Wireless mice and keyboards are the most common accessories for PC’s today, and we have found a way to take over billions of them,” said Marc Newlin, Bastille’s engineer responsible for the MouseJack discovery. “MouseJack is essentially a door to the host computer. Once infiltrated, which can be done with $15 worth of hardware and a few lines of code, a hacker has the ability to insert malware that could potentially lead to devastating breaches. What’s particularly troublesome about this finding is that just about anyone can be a potential victim here, whether you’re an individual or a global enterprise.”

Photo © anaken2012

What’s Hot on Infosecurity Magazine?