Flaw Could Enable Hackers To Hijack Wireless Keyboards and Mice

A major new vulnerability discovered today could put millions of systems using wireless keyboards and mice at risk. The flaw, dubbed "MouseJack," lets a hacker type arbitrary commands into a victim's computer from up to 100 meters (328 feet) away using only a $15 USB dongle.

First, the good news: the vulnerability does not affect Bluetooth devices, which represent some of the most popular wireless devices. Now the bad: almost every other wireless keyboard and mouse is vulnerable, according to Bastille, the digital security company that discovered MouseJack. That includes wireless devices made by Microsoft, Logitech, Lenovo, HP, and Dell.

Millions of Systems at Risk

MouseJack leaves potentially millions of systems at risk, according to Bastille. An attacker could exploit the vulnerability to take control of the target computer without being in front of it physically and type arbitrary text or send scripted commands.

"Wireless mice and keyboards commonly communicate using proprietary protocols operating in the 2.4 GHz ISM band," the company said in a white paper on the vulnerability. "In contrast to Bluetooth, there is no industry standard to follow, leaving each vendor to implement their own security scheme."

To prevent eavesdropping, most vendors encrypt the data being transmitted by wireless keyboards. The dongle knows the encryption key being used by the keyboard, so it's able to decrypt the data and see what key was pressed. Without knowing the encryption key, an attacker is unable to decrypt the data and can't see what's being typed.

However, none of the makers of the devices Bastille tested encrypted their wireless communications with the dongles connected to the computers. That lack of an authentication mechanism means the dongle is unable to distinguish between commands issued by the user and those issued by a malicious hacker.
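The difference an authentication mechanism makes on the receiving side can be shown with a simplified model. This is an added example, not code from Bastille or any vendor; the frame layout, the class names and the pairing key are assumptions made for illustration.

```python
import hashlib, hmac, struct

KEY = b"constructed-pairing-key"  # constructed stand-in for a key shared at pairing

def tag(key, body):
    # 8-byte truncated HMAC-SHA256 over the frame body
    return hmac.new(key, body, hashlib.sha256).digest()[:8]

def make_frame(counter, keycode, key=None):
    # Hypothetical layout: 4-byte counter, 1-byte keycode, optional 8-byte tag
    body = struct.pack(">IB", counter, keycode)
    return body + tag(key, body) if key else body

class UnauthenticatedDongle:
    """Accepts any well-formed frame, so it cannot tell who sent it."""
    def __init__(self):
        self.typed = []
    def receive(self, frame):
        if len(frame) < 5:
            return False
        self.typed.append(struct.unpack(">IB", frame[:5])[1])
        return True

class AuthenticatedDongle:
    """Requires a valid tag and a strictly increasing counter (replay check)."""
    def __init__(self, key):
        self.key, self.last_counter, self.typed = key, -1, []
    def receive(self, frame):
        if len(frame) != 13:
            return False
        body, got = frame[:5], frame[5:]
        if not hmac.compare_digest(got, tag(self.key, body)):
            return False  # sender does not hold the pairing key
        counter, keycode = struct.unpack(">IB", body)
        if counter <= self.last_counter:
            return False  # previously seen frame sent again
        self.last_counter = counter
        self.typed.append(keycode)
        return True

def demo():
    legit = make_frame(1, 0x04, KEY)               # paired device
    injected = make_frame(2, 0x05)                 # no key, no tag
    guessed = make_frame(2, 0x05, b"not-the-key")  # tag made with the wrong key
    weak, strong = UnauthenticatedDongle(), AuthenticatedDongle(KEY)
    return {"weak_accepts_injected": weak.receive(injected),
            "strong_accepts_legit": strong.receive(legit),
            "strong_accepts_injected": strong.receive(guessed),
            "strong_accepts_replay": strong.receive(legit)}

if __name__ == "__main__":
    print(demo())
```
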

Easy To Do

And it's pretty easy for a hacker to gain...
