MouseJack: Security experts found a way to hack any computer through its mouse
New type of attack hijacks mice
There’s a new way for hackers to get control over a computer and it’s surprisingly simple.
They can just take control of their target’s mouse.
Security experts found a fault that allows a hacker to hijack a computer through a wireless mouse of their victim with just a cheap USB dongle and few lines of code in Python.
They dubbed the attack MouseJack and consider it a real threat for individuals and companies alike.
The experts from a security company Bastille found problems in the way wireless mice communicate with their USB receivers. When these devices are at work, they wirelessly send data between them. Data about where on the screen the pointer currently is and whether any mouse buttons have been pressed or wheels scrolled.
Now where most wireless keyboards (and mice using Bluetooth) secure this data transmission with encryption, most radio-based wireless mice don’t. They send data to their dongle in a cleartext – without any encryption.
Does this affect me as well?
If your mouse uses Bluetooth, you are safe from MouseJack. Obviously, this is also true if you use a wired mouse. Otherwise you’re probably vulnerable. There is no complete list of devices vulnerable to MouseJack. Experts recommend that you check the manufacturer’s website and look for firmware patches or contact your support. As of now only Logitech came out with a patch – it’s available on their online forums.
This allows potential attackers to intercept these signals with their own wireless device. They can tell to which pair of mouse and a receiver the data belongs. Then they can send their own signals to the victim’s receiver and request a new hardware pairing. This allows them to connect their own mouse or a wireless keyboard to the target computer and obtain sensitive data, spread malware and more.
Hackers can even just send along a sequence of keypresses that will do their desired action for them. They don’t have to move the pointer around the screen like the hacker in the video of the security company. When the experts were testing this method, they managed to generate over a 1000 words per minute in the target computer and install a rootkit under ten seconds.
According to one of the authors of the security study, Marc Newlin, an attack like this can be pulled off with an equipment worth less than 15 dollars. And with just fifteen lines of code.
MouseJack seems to affect a huge amount of mice from many manufacturers – out of seventeen models tested, only two were safe. Even devices from big-name manufacturers like Logitech, Lenovo, Amazon or Microsoft were found vulnerable. The researchers have published a list of affected devices on their website, but they say it’s not in any way complete. It lists only the vulnerable devices they themselves tested – testing every model on the market would be impossible.
As is usual with security experts, the researchers from Bastille have first consulted their findings with manufacturing companies to give them time to fix this vulnerability. They have done so months before they revealed MouseJack to the public. Even so, only some of the companies have put out firmware patches that should prevent these kinds of attacks. And the experts claim that some of the devices can’t be patched at all.
Manufacturing companies are trying to play the discovery down a bit – according to one of the senior engineers from Logitech Asif Ahsan, the researchers have found the flaw in a controlled, experimental environment. “The vulnerability would be difficult to replicate and it would require physical proximity to the device,” Ahsan said.
MouseJack really does have a limited reach.
According to the experts, a computer can be attacked this way only when it’s closer than hundred yards (about 90 meters) away. Newlin thinks that this would still be enough for the attacker to sit in a lobby of a bank, for example, and to attack computers elsewhere in the building. And the method is complex, but MouseJack is now fully accessible and well documented on a code-sharing site GitHub.
Most security experts agree that this is a new and interesting vector of attack that is not yet fully researched. Bastille is now working on an app for Android that could find vulnerable computer peripherals in its vicinity. However, there have already been calls for an automatic tool that could be used to exploit this vulnerability by hackers and criminals. Experts recommend to update the firmware of your device or using Bluetooth or wired devices only.