Widespread Flaw Could Allow Hackers To Hijack Your Wireless Mouse Or Keyboard

mousejackIt can surely be convenient to plug a dongle into your computer’s USB port and use a mouse or keyboard without the hassle of wires everywhere, but according to a new report from an Internet of Things security company, many wireless keyboards and mice are vulnerable to hackers. And once an attacker has access to those peripherals, they could easily download malware or steal information from your devices.

Security firm Bastille released an advisory today listing products from seven different companies that are open to a kind of attack they’ve called a “MouseJack.”

Bastille says that a broad collection of devices (listed here) sold by Logitech, Dell, Microsoft, HP, Amazon, Gigabyte, and Lenovo allow attackers to remotely mess with mouse movements or keystrokes at a rate of a thousand words per minute from an nearby antenna, even when the target device is designed to encrypt and authenticate its communications with the computer it’s talking to.

“MouseJack poses a huge threat, to individuals and enterprises, as virtually any employee using one of these devices can be compromised by a hacker and used as a portal to gain access into an organization’s network,” said Bastille’s founder and CTO, Chris Rouland, in a press release.

Because the attack happens at the keyboard level, PCs, Macs, and Linxu machines that use wireless dongles can all be victims, Bastille said. Most non-Bluetooth wireless dongles are vulnerable, as well. The issue lies in a line of transceivers made by Nordic Semiconductor, which support encryption, Marc Newlin, the Bastille engineer who discovered MouseJack notes, but it’s on the keyboard and mouse manufacturers to apply it. Many failed to write their own firmware to encrypt the devices, Bastille says.

“Wireless mice and keyboards are the most common accessories for PCs today, and we have found a way to take over billions of them,” Newlin says. “MouseJack is essentially a door to the host computer. Once infiltrated, which can be done with $15 worth of hardware and a few lines of code, a hacker has the ability to insert malware that could potentially lead to devastating breaches. What’s particularly troublesome about this finding is that just about anyone can be a potential victim here, whether you’re an individual or a global enterprise.”

Rouland says Bastille informed companies about the devices it found to be vulnerable, and that most have been “very attentive” to the problem. While some products can be made more secure with a software update, many cannot be patched, and will need to be replaced.

A Logitech spokesman told the MIT Technology review that the company has a software update to fix the issue, but that the vulnerability Bastille detected “would be complex to replicate” since it requires being physically close to the victim, which makes it “a difficult and unlikely path of attack.”

“To our knowledge, we have never been contacted by any consumer with such an issue,” the spokesman said.

Dell said that the software on one of its two affected keyboard and mouse products can be patched, while another will require customers to contact the company’s technical support to find a “suitable replacement.”

Lenovo said the issue that affects one of its wireless keyboards will be fixed in new devices, but if you have an existing version, reach out to the company customer support for a replacement.

List of affected devices [Bastille]