Last week, Microsoft patched multiple vulnerabilities in its products, including the “MouseJack” flaw that could allow attackers to execute malicious commands on a computer by hijacking wireless mice and keyboards, yet the issue still affects the majority of organizations.
The security bug was discovered in February by researchers at Internet of Things (IoT) security company Bastille, who demonstrated that attacks could be performed from up to 100 meters (328 feet) away using a $15 USB dongle. By exploiting the vulnerability, attackers could install malware on the affected machine, steal files, and perform any other action that would normally require access to the computer’s keyboard.
The researchers announced that wireless mice and keyboards from Dell, Logitech, Microsoft, HP, Amazon, Gigabyte, and Lenovo were found vulnerable, and said that devices from other vendors could be affected as well. Attacks can be carried out against Windows, Mac, and Linux computers, since the injected keystrokes are accepted by the receiver before the operating system ever sees them.
Bluetooth-based wireless mice and keyboards are not vulnerable to MouseJack.
Microsoft’s newly released patch, an optional update, resolves the issue only for some of the company’s own wireless mice, and only on specific Windows releases, namely Windows 7, 8.1, and 10. Devices from other vendors, and computers running other operating systems, remain vulnerable.
A recent survey conducted by Bastille confirms this, while also revealing that more than 80 percent of organizations are exposed to the MouseJack flaw. The survey, which received over 900 responses from professionals around the world, shows that 82 percent of organizations allow employees to use wireless mice and keyboards at the office.
This means that all these organizations are potentially at risk: the flaw does not stop at the individual computer, because an attacker who can inject keystrokes into one machine can use it as a foothold into any network it is connected to, all without physical access to a single device on that network.
The survey shows that 75 percent of respondents are concerned about whether their wireless mice can be hacked, and 80 percent of employees plan on patching or replacing their wireless mice with new or wired devices. However, 16 percent of respondents (roughly one in six) said they would continue using their current wireless devices, thus accepting the associated risk.
According to the researchers, MouseJack affects more than one billion wireless computer mice, and hackers need only a single weak link to compromise enterprise networks. They also explain that, even if most employees patch their vulnerable devices in due time, there would still be 160 million weak links and organizations need to create and enforce policies to ensure the vulnerability is patched in a timely manner.
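Enforcing such a policy starts with knowing which USB receivers are actually plugged in. The script below is an added example, not Bastille’s tool or any vendor’s: on a Linux host it walks sysfs and lists every USB device that exposes a HID interface (class 03), tagging devices from the vendors the article names so that they can be cross-checked against the vendor’s own advisory. The vendor-ID list and the `CHECK` tag are assumptions for illustration; a match means “look this one up,” not “this receiver is vulnerable,” and wired USB mice will appear in the list as well. The sysfs root is a parameter so the function can be run against a test tree.

```shell
#!/bin/sh
# Inventory of attached USB HID devices for MouseJack follow-up.
# Added example; assumes a Linux sysfs layout under /sys/bus/usb/devices
# (override the path with the first argument, e.g. for a constructed tree).

# USB-IF vendor IDs for Logitech, Microsoft, Dell, HP and Lenovo.
# Assumption: a receiver from these vendors warrants a check against the
# vendor's advisory; the list is partial and matching it proves nothing.
WATCH_VENDORS="046d 045e 413c 03f0 17ef"

# Print one line per USB device that has at least one HID interface:
#   <idVendor>:<idProduct> <manufacturer> <product> <CHECK|->
# A receiver that exposes both a mouse and a keyboard interface shows up
# once, because the output is de-duplicated.
list_usb_hid() {
    root="${1:-/sys/bus/usb/devices}"
    for iface in "$root"/*:*/; do
        [ -f "$iface/bInterfaceClass" ] || continue
        [ "$(cat "$iface/bInterfaceClass")" = "03" ] || continue
        # Interface "1-2:1.0" belongs to device "1-2".
        dev="$root/$(basename "$iface" | sed 's/:.*//')"
        [ -f "$dev/idVendor" ] || continue
        vid=$(cat "$dev/idVendor")
        pid=$(cat "$dev/idProduct")
        mfr=$( [ -f "$dev/manufacturer" ] && cat "$dev/manufacturer" || echo "?" )
        prod=$( [ -f "$dev/product" ] && cat "$dev/product" || echo "?" )
        flag="-"
        case " $WATCH_VENDORS " in *" $vid "*) flag="CHECK" ;; esac
        printf '%s:%s %s %s %s\n' "$vid" "$pid" "$mfr" "$prod" "$flag"
    done | sort -u
}

# Run against the live system when executed directly.
[ "${0##*/}" = "sh" ] || list_usb_hid "$@"
```

Run it as root or any user that can read sysfs; pipe the output into your asset inventory and resolve every `CHECK` line against the vendor’s MouseJack advisory. Bluetooth mice and keyboards do not appear, since they are attached through the Bluetooth adapter rather than as USB HID devices.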
“Our research shows that an attacker can launch the attack from up to 500 feet away. The attacker is able to take control of the target computer without physically being in front of it. The attacker can then type arbitrary text or send scripted commands at 1000 words per minute, making it possible to rapidly perform malicious activities without being detected,” the security researchers say.