UPDATE: Wireless mice and keyboards vulnerable to MouseJack takeover
Bastille founder and CTO Chris Rouland
Researchers have uncovered a wide-ranging vulnerability in the way non-Bluetooth dongle devices interact with wireless mice and keypads, which could enable a nearby hacker to take over a victim's computer using radio frequency signals.
According to a white paper from Internet of Things security company Bastille, hackers looking to exploit this flaw, dubbed MouseJack, need only their own inexpensive dongle, a few lines of malicious code, and to be within a 100-meter range of the machine they intend to compromise. The vulnerability can be exploited by ostensibly tricking the targeted computer's dongle into thinking it is receiving transmissions from its corresponding wireless device, when it's actually receiving packets from the hacker's dongle.
“It's a new class of attack that affects potentially billions of devices, said Chris Rouland, founder and CTO of Bastille, in an interview with SCMagazine.com. Bastille uncovered the flaw using software-defined radio, a technology that sniffs out vulnerabilities in RF airwaves, an attack surface that “has been largely unexplored,” Rouland added.
An attack of this nature can happen so fast that even if the victim realizes someone has accessed their machine, it's probably too late. The implications are grave, as hackers could leverage this flaw to steal credentials and sensitive data, or infect a machine with malware that can quickly spread across a connected enterprise. “They can even bypass an air-gapped network by turning a PC into a WiFi hotspot,” said Rouland. Potential applications run the gamut from financial cybercrime to corporate spying to nation-state cyberespionage. Bastille discovered the vulnerability in products manufactured by all seven of the wireless vendors it tested — AmazonBasics, Dell, Gigabyte, HP, Lenovo, Logitech and Microsoft.
MouseJack actually consists of a series of related vulnerabilities. All involve finding a way to circumvent the encryption process that is supposed to occur when authorized users press keys on their computer keyboards. This encryption normally prevents an attacker from spoofing the keyboard and then typing in malicious codes and commands.
Unfortunately, Bastille found several exploitable workarounds. For starters, some dongles don't require wireless keyboards to transmit packets using encryption. In those instances, the hacker can easily spoof the keyboard and then inject unencrypted keystrokes and commands.
If the dongle does require encryption protocols when communicating with a keyboard, attackers can instead focus on the wireless mouse, because mouse click packets are unencrypted. Moreover, dongles often do not have a mechanism to verify if a packet it receives matches the type of device that transmitted it. This means hackers can use a malicious dongle to spoof the wireless mouse, but trick the computer into thinking its receiving keyboard commands—again allowing the attacker to execute code.
Users with only a wireless mouse but no wireless keyboard installed are not necessarily safe either, because in some instances attackers can force the victim's dongle to pair with their own wireless keyboards. If the victim's dongle doesn't require keyboards to use encryption, then the computer is susceptible to attack.
Which prompts the question: do wireless technology vendors need to build a better dongle, or a better wireless keyboard and mouse? “It's a combination of the two,” said Marc Newlin, the security researcher at Bastille credited with discovering the vulnerability, in an interview with SCMagazine.com. To prevent potential attacks in the future, “you have to properly enable encryption on keyboards and mice so all communications between any device and dongle are encrypted.”
Rouland said this vulnerability is a microcosm of the many dangers created by the rapid influx of RF-based Internet of Things devices hitting the shelves. “I expect we're going to see hundreds of attacks like this,” he said, due to vendors overlooking proper encryption in favor of speed to market and cost savings.
Of the seven vendors Bastille researched, Logitech is the only one to issue a firmware patch. The others require new hardware altogether because their transceiver chips are one-time programmable. Alternatively, users can simply unplug the dongles from their computers.
UPDATE: Bastille researchers recently disclosed that the range of the attack has been increased from 100 meters to 225 meters.