MouseJack exploit affects ‘billions’ of wireless keyboards, mice

You can add your wireless keyboard or mouse to the list of hacked things, thanks to a newly discovered vulnerability called MouseJack. While the hack requires the attacker to be physically near you, the fix isn’t an easy one for most brands of affected devices.

Many radio frequency wireless keyboards and mice are sending keystrokes and clicks back to the computer they’re tied to over an unprotected frequency, according to the research, published on Tuesday by Internet of Things security company Bastille Networks. A hacker within range of the wireless dongle can exploit the vulnerability to connect to, spy on, and control a computer using its proprietary radio frequency.

Marc Newlin, the security researcher at Bastille who found the flaw, describes MouseJack as “a door to the host computer.” All that it takes to open it is a $15 radio frequency USB dongle bought online and 15 lines of computer code. Newlin says he successfully tested the range of the attack at up to 100 meters, longer than the Statue of Liberty is tall.

Once an attacker kicks that door open, the data stored on the computer is up for grabs. An attacker could sit in the lobby of a bank, for example, and spy on and control a computer a bank teller has connected to a vulnerable wireless keyboard or mouse. The attacker could install malicious software on the computer to spy on its owner, connect a “fake” keyboard or mouse, and observe and record all input from the owner’s wireless dongles.

“Billions” of keyboards and mice are affected, including the Dell KM714 Wireless Keyboard and Mouse Combo, Logitech’s Unifying dongle, Lenovo’s 500 wireless mouse and USB dongle, and Microsoft’s Sculpt Ergonomic mouse, says Chris Rouland, Bastille’s chief technology officer and founder. “Many of these devices can’t be fixed. They can only be replaced, and they’re in hotels, airports, and banks around the world.”

Makers of keyboards and mice affected by the vulnerability include Lenovo, Dell, Logitech, Microsoft, Amazon.com, Hewlett-Packard, and Gigabyte. Following security industry practices of responsible disclosure, Bastille approached them 90 days ago to give them an opportunity to fix the flaw before it became public.

Logitech has released a software update (download the Windows install file) and advisory for its affected USB dongle, while Lenovo has offered to fix, at no charge, dongles that customers send in. Microsoft and Dell representatives say their respective companies are working on MouseJack solutions. Amazon, Hewlett-Packard, and Gigabyte, meanwhile, did not respond to requests for comment.

It’s not easy at this time to tell when your wireless keyboard or mouse has been hacked. An exploit may show up on-screen as the hack is taking place, or it may not—it depends on how the specific exploit has been programmed. While the manufacturer can fix the flaw by updating the firmware of the USB dongle, many wireless dongles are designed to never have their firmware updated—which is why Lenovo is offering to replace dongles at no cost to its customers.

Although any computer using a vulnerable device is potentially affected by the exploit, not all wireless keyboards and mice are affected, Newlin says. Devices that connect over Bluetooth are safe from this hack for two main reasons: They use different frequencies to connect the device to the computer, and Bluetooth verifies that the connecting device is what it says it is during an authentication process. The vulnerabilities that Newlin exposed are specific to radio frequency chips made by Nordic Semiconductor, and to how the keyboard and mouse manufacturers designed those chips to work.

“You don’t know that Bluetooth has been done right 100 percent, but you can investigate the communication more easily,” says Samy Kamkar, an independent security researcher best known for writing the fast-spreading MySpace worm Samy. “There’s been more public research done in that area.”

Kamkar says freestanding keyboards and mice have three levels of safety. Those that connect over a USB cable are the safest, followed by Bluetooth, followed last by encrypted radio frequency devices, which he says are risky to use because you have “no idea” if their encryption was properly implemented.

“Most people have no idea that these keyboards are vulnerable,” Kamkar says. “To be in the room next door and be able to pick that up is really alarming.”

Updated on February 24 to clarify why Bluetooth devices aren’t affected by MouseJack.