US startup Bastille Networks boldly claims to be “the first and only company to completely secure the Enterprise,” even though it doesn’t have any products on its website yet.
But it is nevertheless making waves with a vulnerability it’s calling Mousejacking, caused by a raft of security problems the company says it’s found in numerous wireless mouse and keyboard products.
The researchers took a USB dongle used to control a drone product called CrazyFlie, and hacked the firmware to turn it into a mouse-and-keyboard sniffer.
Using the hacked dongle, known as the Crazyradio PA (PA stands for power amplifier), they were able to investigate the communications protocols used by the sort of wireless mouse and keyboard that itself relies on a USB dongle to operate.
NB. Mousejacking only applies to USB-based mice and keyboards. Bastille’s research doesn’t cover Bluetooth devices.
They found a number of security problems in the way many devices handle the data that flows from your mouse or keyboard to your computer.
The most notable findings include:
- Mouse data is usually unencrypted and unauthenticated, so you can sniff out what the mouse is doing, and even inject fake mouse-moves and clicks from a distance. (Bastille claims “up to 100m,” though we imagine that sort of distance is unlikely in the average work environment.)
- Keyboard data is usually encrypted, but some dongles will accept unencrypted data anyway. So you can’t eavesdrop on what the user is typing, but you can inject fake keystrokes from afar, even though you don’t know the encryption key.
- Some dongles accept keyboard data from mice. So if the dongle requires encrypted keyboards but allows unencrypted mice, you can send it unencrypted keystrokes by pretending to be a mouse. Again, this means you don’t need the encryption key to inject fake keystrokes.
- Some dongles can be tricked into pairing with new devices without any action by the user. So if your dongle is plugged in, a nearby imposter keyboard could secretly pair with it, get the dongle’s encryption key, and start injecting keystrokes.
You’d probably back yourself to notice if someone else started typing additional keystrokes while you were working, or moving your mouse where you didn’t expect it to go.
You might suspect a hardware malfunction, a software bug or even a malware infection at first, but you’d nevertheless hope to spot any jiggery-pokery pretty quickly and take action against it.
Of course, as Bastille points out, it might already be too late, because a software-controlled “attack keyboard” can type much faster and more consistently than the average human typist, and damage is easy to do with even a few maliciously-planned keystrokes or mouse clicks.
Or you might have wandered away from your computer just for a moment without manually locking your screen, giving an attacker as much as two minutes (you do have an automatic screen lock of two minutes or less, don’t you?) to take over your computer from a nearby table in the coffee shop.
What to do?
- Always lock your screen when you step away from your computer. You should do this regardless of mousejacking: don’t walk away and rely on your screen saver; instead, learn the keyboard shortcut for your chosen operating system and use it.
- If you have a USB mouse or keyboard, check with your vendor if your product is affected, and if or when an update will be available. Bastille has a list of vulnerable devices that it knows about.
- Consider using a device control solution if you are a business that’s worried about this threat. Device control can block access to unauthorised USB device types (e.g. “all mice” or “this specific product”), allowing you to restrict vulnerable mice and keyboards until firmware updates are available.
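As an added example (not from the original article or from Bastille), here is a small shell check for the advice above: it flags attached USB receivers by vendor:product ID rather than by name, since the description string can be misleading. The only real ID in the list is 045e:0745, which a reader quotes from Bastille's list in the comments on this page; the function names, the `--live` flag and the sample lines are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: flag attached USB receivers whose vendor:product ID is on an
# affected-device list. Match on the ID; the description string can mislead.

# Space-separated "vvvv:pppp" IDs. 045e:0745 is the ID quoted on this page;
# extend the list from the vendor advisories you rely on.
AFFECTED_IDS="045e:0745"

# Constructed sample in lsusb format. The middle line is the one quoted in the
# comments on this page; the other two are made up.
SAMPLE_LSUSB='Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 001 Device 005: ID 045e:0745 Microsoft Corp. Nano Transceiver v1.0 for Bluetooth
Bus 002 Device 003: ID 0000:0001 Constructed Example Keyboard'

# find_affected: read lsusb-format lines on stdin and print one line,
# "bus/device id description", for each device whose ID is on the list.
find_affected() {
    awk -v ids="$AFFECTED_IDS" '
        BEGIN {
            # Build a lookup table of lower-cased affected IDs.
            n = split(tolower(ids), list)
            for (i = 1; i <= n; i++) bad[list[i]] = 1
        }
        # lsusb line layout: Bus BBB Device DDD: ID vvvv:pppp Description...
        $1 == "Bus" && $3 == "Device" && $5 == "ID" {
            id = tolower($6)
            if (!(id in bad)) next
            dev = $4
            sub(/:$/, "", dev)
            desc = ""
            for (i = 7; i <= NF; i++) desc = desc (i > 7 ? " " : "") $i
            printf "%s/%s %s %s\n", $2, dev, id, desc
        }'
}

# audit: check the live system with --live (needs lsusb), else the sample.
audit() {
    if [ "$1" = "--live" ] && command -v lsusb >/dev/null 2>&1; then
        lsusb | find_affected
    else
        printf '%s\n' "$SAMPLE_LSUSB" | find_affected
    fi
}

audit "$@"
```

On the sample, the only hit is the receiver whose description mentions Bluetooth, which is why the check keys on the ID.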
One very popular USB dongle that is affected is Logitech’s so-called “Unifying receiver” (they’re marked with a stylised orange logo that looks like an icon of the sun) that works with a whole raft of different Logitech mouse and keyboard models.
Logitech has published a firmware update that claims to patch the Unifying receiver product. (You need Windows to run the updater.)
How to lock your screen immediately
That’s easy.
On Macs, a brief press of the Power key will do it. (On older Macs, use Shift+Control+Eject.)
On Windows, use Windows+L.
A cool hack (in the good sense of the word) on the Mac is to add the ScreenSaverEngine application to your Dock, so you’re just one click away from your screen saver at any time. In Finder, choose Go | Go to Folder... and enter the directory name /System/Library/Frameworks/ScreenSaver.framework/Versions/A/Resources/. Find the file ScreenSaverEngine.app and drag a copy to the Dock. Now you have an icon that will engage the screensaver immediately.
Just wondering...
Paul,
How does this affect me working on my home computer? I have a mouse and keyboard connected to a Logitech unified receiver. I will be updating my software as per your article, but how much of an issue is this inside my home? Also, is being connected to the internet in some manner part of this?
THX
Paul Ducklin
I think the risk is very low, but not worth ignoring – so the course you’re planning (update the device soon) is fine.
As for “being online,” that’s not relevant to this attack. The attack requires a rogue device that is physically near to yours, though it could be next door or across the street. (The researchers claim “up to 100m”, which sounds speculative to me, as though they’ve never tested it or actually got it to work at that range themselves.)
Long range Wi-Fi?
Is it possible that attackers could use a range extending wireless antenna to perform the exploit? If that would work, do you think the range could extend beyond 100 meters?
Paul Ducklin
IIRC, the dongle they used was chosen precisely because it has “range extending” capabilities. That’s because it’s intended to talk to drones in flight. (Check the CrazyFlie website – the dongle concerned has a power amplifier and an external antenna.) The drone guys claim 1km, even more, but that’s presumably outdoors, in line of sight, and perhaps using a different protocol aimed at handling long, lossy transmission distances better.
Luke
To lock your screen on Linux it’s Ctrl+Alt+L
Rob
Hi Paul, I was wondering if you could shed more light on whether my wireless mouse is affected?
In your article it says “NB. Mousejacking only applies to USB-based mice and keyboards. Bastille’s research doesn’t cover Bluetooth devices.”
When I do an lsusb on my machine the mouse comes up as:
Bus 001 Device 005: ID 045e:0745 Microsoft Corp. Nano Transceiver v1.0 for Bluetooth
This device’s USB ID is shown as vulnerable in Bastille’s list:
Microsoft 2.4GHz Transceiver v7.0 (USB ID 045e:0745)
Is it using the same radio frequency as Bluetooth devices but not the pairing security?
Grateful for any advice please.
Paul Ducklin
AFAIK, these non-Bluetooth wireless dongles use the 2.4GHz spectrum (presumably because it’s set aside for “unregulated” purposes), and that’s where Bluetooth sits, as well as Wi-Fi and others. But these proprietary dongles have a completely different protocol stack and security.
Nomphra
On Windows, you can create a screen lock shortcut. Right-click an empty spot on your desktop and select “New -> Shortcut”. On the wizard that appears, enter “rundll32.exe user32.dll, LockWorkStation” (minus the quotes) into the box asking you for the location of the item, click Next, then name your shortcut accordingly, i.e. “Lock Me!”, then click Finish.
You can leave this shortcut on your desktop, or pin it to your taskbar, or start menu, or whatever suits you best!
Sai
Hi, is there a possibility that my keyboard or system may be keylogged due to this vulnerability? I’m using Ubuntu. Thank you in advance!