The hand that clicks your mouse may not be your own

A warning about how attackers can get to your computer through your mouse & what you can do about it.

Your wireless mouse and keyboard allow you to work more comfortably, without those annoying cables. But it turns out those cables served a purpose beyond just connecting you to your computer.

Now researchers have found out how attackers can type on your computer, right in front of you, using your mouse as the entry gate into your personal garden.

It’s not just writing out a few random words or posting unpleasant comments. The attackers can steal your files or download malware to get unrestrained access to your system, researchers at cybersecurity company Bastille say.

They call it “MouseJacking.

“The MouseJack threat is real and presents a clear and present IoT [Internet of Things] danger,” Marc Newlin with Bastille told Archer News. “If consumers use an affected wireless mouse or keyboard, they do run the risk of potentially being hacked.”

The company recommends you check their list of affected devices, and if your wireless device is on there, you should immediately unplug the dongle and used a wired mouse and keyboard instead.

Researchers said Bluetooth devices did not show the same vulnerability, so using a Bluetooth mouse and keyboard would also solve the problem.

“Security is all about not taking things for granted, and apparently too many of us have been taking our wireless mice and keyboards for granted,” said Patrick Coyle with Chemical Facility Security News.

How it works

When you get your wireless keyboard and mouse, you plug a dongle into your computer. The keyboard and mouse send information to the dongle, so when you type or click, the computer knows how to respond.

Most keyboards send encrypted data or “packets” to the dongle, Bastille researchers said in a white paper, but many mice do not. 

“As a result, an attacker is able to pretend to be a mouse and transmit their own movement/click packets to a dongle,” the paper said.

A mouse can mimic keystrokes, or an attacker can pair a fake keyboard to the dongle, and type away at will, the researchers said.

“It is as if the attacker were sitting in front of the machine and executing commands from the victim’s own mouse and keyboard,” a video on the Bastille site explained.

How far away?

If you see something strange happening on your screen, you may want to look over your shoulder.  The attacker needs to be relatively close to you to make the attack work.

A CERT [computer emergency response team] advisory on this issue says an attacker “within wireless transmission range” can cause trouble, and adds, “Wireless range on these models varies but is typically a few meters within a home.”

But Bastille said the attacker does not have to be in the same room. He or she can use radio signals to control your mouse.

“We have proven that a hacker as far as 100 meters away—that’s just over the length of a football field—could potentially exploit the affected wireless mouse or keyboard and use it as a portal to potentially take over a computer, transfer files, insert malware, delete the contents, and even infiltrate a network,” Newlin told Archer News.

Would you see it?

You might notice someone typing or clicking on your screen. The Bastille video shows sample attacks where the victims are distracted or away from their computers.

In one sample case, a businessman in what appears to be a company lobby talks on his phone and is not looking at his screen, while an intruder steals his files from just a few feet away.

Another sample attack shows an employee stepping away from his desk to get coffee, allowing an attacker on the other side of the building to remotely take over the computer.

Are mouse & keyboard companies fixing it?

Bastille lists seven wireless mouse and keyboard companies affected: AmazonBasics, Dell, Gigabyte, HP, Lenovo, Logitech and Microsoft, though it says more companies may also be vulnerable.

Three of the companies have responded to Bastille’s alert about the problem.

Lenovo

Lenovo said it has released updated firmware to fix the issue.

“Users who are interested in exchanging their existing Lenovo 500 Wireless Keyboard or mouse for one with the new firmware version can contact the Lenovo support Center (https://support.lenovo.com/contactus) who are aware of this matter and are ready to process exchanges,” the response said.

The Lenovo response explains how you can tell if you have an affected device.

Logitech

Logitech said the attack could be hard to carry out.

“The vulnerability would be complex to replicate and would require physical proximity to the target. It is therefore a difficult and unlikely path of attack,” the Logitech statement said. “We have nonetheless taken Bastille Security’s work seriously and developed a firmware fix.”

The response explains how you can update your Logitech firmware.

Dell

Dell, however, lauds Bastille for its work. Dell recommends customers contact technical support for help.

“Dell would like to thank ‘Bastille Research’ and those in the security community whose efforts help us protect customers through coordinated vulnerability disclosure,” the statement said.

Low-hanging fruit

Bastille suggests that you contact the vendor of your wireless mouse and keyboard to see if you might be affected, or to see if they have fixed the problem in future products.

“It is great that this company is researching the vulnerabilities of the wireless USB devices,” said Jim Feely with Archer Security Group.

“It’s a good sign that some of the manufacturers are responding with fixes. Incremental improvements like that help to wipe out some of the low-hanging fruit of cyber vulnerabilities,” Feely said.

But he added, there are more problems with the signals, or “emanations” from your computer and devices.

“I call [MouseJacking] the low-hanging fruit because it can be fixed by changing the way the software that runs the wireless USB communication is programmed,” he said. “Unfortunately, there is some fruit that is way out of reach of anyone on the software or user side.”

Your computer is “leaky”

“Even if you’re not using any wireless technology, your computing hardware is still emanating a lot of information,” Feely explained.

He said your computer gives off noises and signals of different kinds that attackers may be able to use in future attacks.

One study showed that researchers could record the sound of a person typing in English on a keyboard for ten minutes, then figure out up to 96% of what the person wrote. It allowed them to recover passwords as well.

Another study showed researchers could hide a radio receiver or radio USB dongle inside pita bread and and listen to the electromagnetic waves coming from a computer from a little more than a foot away. They said they were able to find the keys that decrypt the computer’s encrypted communications.

“The overall vulnerabilities of various emanations coming from our computer hardware are good to be aware of,” Feely said, “But is prohibitively expensive and inconvenient to mitigate.”

One more thing you can do

You can protect yourself by making sure your screen is locked when you are not on your computer, Dell said.

Coyle said his mouse is not on Bastille’s list of vulnerable devices. He said people with mice like his should still pay attention to this problem.

“Since I don’t know how to tell if my non-listed mouse is actually vulnerable, I’ve decided that when I leave the home office, the mouse—with dongle—will stay home, and I’ll use the dreaded touch pad,” said Coyle.

And there is some good news, cybersecurity experts say.

“The good news is that mousejacking and emanation attacks are limited to a certain distance,” said Feely. “An attacker has to be reasonably close to your equipment. This is in stark contrast to any Internet-based attack that can originate anywhere in the world.