For a paltry sum, attackers can build a device that enables them to take control of a computer by exploiting vulnerabilities found in numerous wireless mice and keyboards.
“MouseJack is a collection of security vulnerabilities affecting non-Bluetooth wireless mice and keyboards. Spanning seven vendors, these vulnerabilities enable an attacker to type arbitrary commands into a victim’s computer from up to 100 meters away using a $15 USB dongle.”
The MouseJack issues point to a flaw in the way several vendors have configured their non-Bluetooth wireless mice and keyboards, which communicate with a USB dongle connected to a computer that listens for radio frequency packets sent by the devices. Those devices communicate via an embedded nRF24L transceiver, which is made by Nordic Semiconductor but whose exact functionality can vary with each vendor.
You see, most vendors have put measures in place that encrypt the data that is transmitted from the wireless mice and keyboards to the dongle, thereby helping to prevent eavesdropping of this communication channel.
But with no industry standard for radio frequency packets in place, some companies haven’t been as proactive.
“None of the mice that were tested encrypt their wireless communications. This means that there is no authentication mechanism, and the dongle is unable to distinguish between packets transmitted by a mouse, and those transmitted by an attacker. As a result, an attacker is able to pretend to be a mouse and transmit their own movement/click packets to a dongle.”
That is exactly what the researcher did.
Using an implemented fuzzer that leverages a Crazyradio PA USB dongle, Newlin demonstrated that an attacker could force-pair a fake keyboard to the victim’s dongle and send keypress packets conveying a series of commands to the victim’s computer. Those commands could enable the attacker to install a rootkit or virus from a malicious website or transfer files off of the affected computer as “if they were physically typing on the computer’s keyboard.”
The dongles are currently available on Amazon for $60.00, and appear to have risen in price since the engineer first published his research.
With just fifteen lines of code, Newlin and his fellow researchers found that they could compromise a computer, including one that is air-gapped, from more than a hundred feet away.
The researcher intends to present on one of the tools he built to carry out a MouseJack attack at next week’s RSA conference.
In the meantime, here is a complete list of affected products.
These vulnerabilities have not been available to the public for very long, but it’s already clear that some products will need to be swapped out to address these vulnerabilities:
“There are two basic types of nRF24L chips used by keyboards, mice, and dongles: one-time-programmable, and flash memory. One-time-programmable devices cannot be updated once they leave the factory, but flash memory devices can.”
If you have one of the affected products that can be updated, you should implement the available patches as soon as they become available. For all other affected users, it’s time to disconnect those wireless products and go back to their wired, more secure counterparts… at least for the time being.