Researchers at IoT security company Bastille claim to have found a way to hack computers via a vulnerability present in many wireless mouse and keyboard dongles.
Wireless mice and keyboards communicate with computers over Bluetooth, radio frequency (RF) and infrared via a USB dongle plugged into the computer. In recent years, researchers have demonstrated that the lack of strong security mechanisms in these peripheral devices can be leveraged to log keystrokes and even send arbitrary data to a computer.
Experts have shown that a nearby attacker can easily capture data from many wireless keyboards that use Bluetooth and RF. It has also been demonstrated that an attacker can transmit data to the device via the USB dongle in attacks on Bluetooth keyboards.
Now, researchers from Bastille have reported uncovering a vulnerability that affects wireless mice and keyboards from several top vendors, including Dell, Logitech, Microsoft, HP, Amazon, Gigabyte, and Lenovo. The security firm says non-Bluetooth wireless devices from other vendors could be affected as well.
An attacker who is within 100 meters (328 feet) of the targeted device can exploit the flaw, which Bastille has dubbed “Mousejack,” to remotely type arbitrary commands into a victim’s computer using just a $15 USB dongle connected to the hacker's laptop. A malicious actor can use this method to download malware, steal files, and perform other activities they could normally do if they had access to the computer’s keyboard.
Since the vulnerability affects the USB dongles shipped with wireless keyboards and mice, it can be exploited to attack any PC, Mac or Linux computer. The security hole poses a serious risk because the attacker does not need physical access to the targeted machine before carrying out malicious operations.
Keyboards and mice communicate with their dongles by sending RF packets. After researchers demonstrated that keystrokes from wireless keyboards can be intercepted, vendors started encrypting communications. However, the mouse doesn’t use any encryption and the lack of an authentication mechanism allows attackers to mimic such a device and send their own packets to the dongle.
Since some dongles don’t require the use of encryption, an attacker can send specially crafted packets that appear to come from a mouse, but instead of cursor movement and clicks, they generate keypresses.
For a Mousejack attack to work, the attacker must somehow pair their malicious device with the targeted dongle.
“To prevent unauthorized devices from pairing with a dongle, it will only accept new devices when it has been placed into a special ‘pairing mode’ by the user, which lasts for 30-60 seconds,” Bastille researchers explained. “It is possible to bypass pairing mode on some dongles and pair a new device without any user interaction.”
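An added illustration (not code from Bastille or any vendor) of the receiver-side checks whose absence is described above: a simplified C model of a dongle deciding whether to accept a frame, with the weak behaviour beside a stricter policy. The frame fields, type names and four-slot pairing table are assumptions made for the example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical, simplified model: not any vendor's frame format or firmware. */
enum dev_type   { DEV_NONE, DEV_MOUSE, DEV_KEYBOARD };
enum frame_type { FRAME_MOUSE_MOVE, FRAME_KEYPRESS, FRAME_PAIR_REQUEST };
#define SLOTS 4
struct frame {
    uint8_t         slot;       /* pairing-table entry the sender claims to be */
    enum frame_type type;
    bool            encrypted;  /* payload decrypted and verified with the link key */
};
struct dongle {
    enum dev_type paired[SLOTS]; /* device type recorded at pairing time */
    bool          pairing_mode;  /* opened by the user for 30-60 seconds */
};

/* The weak behaviour described above: any frame type is honoured for any
   paired slot, encryption is optional, pairing works outside pairing mode. */
bool accept_weak(const struct dongle *d, const struct frame *f)
{
    if (f->type == FRAME_PAIR_REQUEST)
        return true;
    return f->slot < SLOTS && d->paired[f->slot] != DEV_NONE;
}

/* Stricter policy: pairing only in pairing mode, keypresses only from a slot
   paired as a keyboard and only when encrypted, mouse frames only from a mouse. */
bool accept_strict(const struct dongle *d, const struct frame *f)
{
    if (f->type == FRAME_PAIR_REQUEST)
        return d->pairing_mode;
    if (f->slot >= SLOTS || d->paired[f->slot] == DEV_NONE)
        return false;
    if (f->type == FRAME_KEYPRESS)
        return d->paired[f->slot] == DEV_KEYBOARD && f->encrypted;
    return f->type == FRAME_MOUSE_MOVE && d->paired[f->slot] == DEV_MOUSE;
}

int main(void)
{
    /* Constructed sample: slot 0 is a mouse, slot 1 a keyboard. */
    struct dongle d = { { DEV_MOUSE, DEV_KEYBOARD, DEV_NONE, DEV_NONE }, false };
    struct frame key_from_mouse = { 0, FRAME_KEYPRESS, false };
    printf("keypress via mouse slot: weak=%d strict=%d\n",
           accept_weak(&d, &key_from_mouse), accept_strict(&d, &key_from_mouse));
    return 0;
}
```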
In a theoretical attack scenario described by Bastille, the attacker first identifies a target device by listening to RF packets transmitted when the user is typing on the keyboard or moving the mouse. The hacker can then force-pair their fake keyboard with the victim’s dongle and start transmitting key press packets to the targeted computer.
“An attacker is only able to issue commands that would normally be issued by a keyboard. A use case would be installing a rootkit to provide full access to a computer, but this still needs to be accomplished by typing commands as if the attacker were physically in front of the computer,” Bastille researchers said via email.
Bastille told SecurityWeek that affected companies have been notified of the Mousejack vulnerability. However, since a majority of the tested products use one-time programmable chips, vendors cannot push out an update to address the issue.
SecurityWeek has reached out to all the affected vendors named by Bastille and will update this article if they reply.
Microsoft has provided the following statement:
“Microsoft has a customer commitment to investigate reported security issues, and will provide resolution as soon as possible.”
Asif Ahsan, Senior Director of Engineering at Logitech, stated:
“Bastille Security recently approached us regarding our Unifying technology. We have been in regular communication with them since and together have discussed their findings.
Bastille Security identified the vulnerability in a controlled, experimental environment. The vulnerability would be complex to replicate and would require physical proximity to the target. It is therefore a difficult and unlikely path of attack.
Logitech’s Unifying technology was launched in 2007 and has been used by millions of our consumers since. To our knowledge, we have never been contacted by any consumer with such an issue.
We have nonetheless taken Bastille Security’s work seriously and developed a firmware fix. If any of our customers have concerns, and would like to ensure that this potential vulnerability is eliminated, they can download the firmware here. They should also ensure their Logitech Options software is up to date.”
Lenovo has provided the following statement:
"Lenovo has been notified by an independent security researcher who discovered a security vulnerability in older versions of the Lenovo 500 Wireless keyboard. Lenovo has updated this device's firmware to eliminate the vulnerability. The vulnerability can be accessed when an attacker with specialized equipment comes within close physical proximity -- approximately 10 meters, or 33 feet -- and enters keyboard inputs into a user’s system. The researcher also identified a similar vulnerability in devices from six other manufacturers.
Customers wanting the updated firmware for their keyboards can exchange their products by contacting the Lenovo Support Center and the exchange will be processed free of charge. Additional technical details are available in an official security advisory on the Lenovo PSIRT (Product Security Incident Response Team) site."
Dell provided the following statement:
"Dell has been working with Bastille Research on their latest findings regarding the vulnerabilities identified in Wireless Keyboard Mouse bundle KM632 & KM714. Customer security is a top concern and priority for Dell and we will work with our customers directly to resolve potential vulnerabilities like this. If you are using the affected models, or question whether you are using an affected model, Dell recommends that you reach out to our Technical support contacts specific to your country as listed here.
Dell Technical Support will assist the customer in addressing the vulnerability, including identifying a suitable Dell replacement if appropriate. In the meantime, customers can largely contain this vulnerability by activating the Operating System’s lock screen when not using the system. Dell would like to thank Bastille Research and those in the security community whose efforts help us protect customers through coordinated vulnerability disclosure."
Additional details, including a video showing how the attack works, are available on Bastille’s Mousejack website.
*Updated with statements from Microsoft, Logitech, Dell and Lenovo