A bogus wireless computer mice and keyboards can be used by threat actors to compromise laptops from up to 100 metres away. The experts demonstrated that the attack, called mousejack attack, is possible using the portable peripherals manufactured by at least seven big vendors including Amazon, HP, Lenovo, Logitech, and Microsoft.
“MouseJack is a class of vulnerabilities that affects the vast majority of wireless, non-Bluetooth keyboards and mice. These peripherals are ‘connected’ to a host computer using a radio transceiver, commonly a small USB dongle. Since the connection is wireless, and mouse movements and keystrokes are sent over the air, it is possible to compromise a victim’s computer by transmitting specially-crafted radio signals using a device which costs as little as $15.” states the website managed by Bastille on the mousejack attack.
The researchers discovered that communications between a non-Bluetooth port and mouse are often insecure, data are in fact transmitted in clear text.
“Conversely, none of the mice that were tested encrypt their wireless communications. This means that there is no authentication mechanism, and the dongle is unable to distinguish between packets transmitted by a mouse, and those transmitted by an attacker. As a result, an attacker is able to pretend to be a mouse and transmit their own movement/click packets to a dongle.” wrote Marc Newlin.
An attacker can exploit vulnerable devices to deploy the exploit code and tricks that researchers have developed and published on the GitHub repository. It is important to highlight that attackers need to be in the nearby of the victims in order to launch the mousejack attack.
Less than US$15 of hardware are enough to mount the attack against 13 mice and keyboards, the experts at Bastille company already reported the security issued to respective vendors, and in same cases they have already released a security patch. The vulnerabilities include mouse and keyboard spoofing, keystroke injection, and forced pairing.
“Problems in the way the dongles process received packets make it possible for an attacker to transmit specially crafted packets which generate keypresses instead of mouse movement/clicks.” continues the post.
The experts at Bastille discovered that the vulnerability affects the popular nRF24L series of transceivers produced by the Nordic Semiconductor which is used by vulnerable devices. The experts used the nRF24L transceiver for their proof-of-concept, they started with an existing homebrew project that housed the nRF24L transceiver within an old-school Nintendo game controller.
“The nRF24L chips do not officially support packet sniffing, but Travis Goodspeed documented a pseudo-promiscuous mode in 2011 which makes it possible to sniff a subset of packets being transmitted by other devices. This enables the NES controller to passively identify wireless mice and keyboards without the need for an SDR.The NES controller proved to be an excellent platform for learning about the behavior of mouse communication protocols. As opposed to passively collecting data, the NES controller translates d-pad arrows into mouse movement packets, and A/B buttons into left and right clicks. In order to achieve a smooth user experience, it was necessary to create a model of the packet timing and specific behavior expected by the dongle.”
The researchers also demonstrated the hack by using another tool that relies on a few lines of Python code for packet sniffing and injection woven into an amplified USB CrazyRadio dongle ($15-$30) which included fuzzing capabilities.
“The Crazyflie is an open source drone which is controlled with an amplified nRF24L-based USB dongle called the Crazyradio PA. This is equivalent to an amplified version of the USB dongles commonly used with wireless mice and keyboards. Modifying the Crazyradio PA firmware to include support for pseudo-promiscuous mode made it possible to distill the packet sniffing and injection functionality down to a minimal amount of Python code.”
The attack could allow an attacker within 100 meters range to intercept the radio signal between the dongle plugged into the targeted computer and the mouse. The attacker can send packets that generate keystrokes instead of mouse clicks or force the victim PC to visit a malicious server.
During the tests, experts from Bastille were able to generate 1000 words/minute over the wireless connection and install a malicious Rootkit in about 10 seconds.
Let me suggest to give a look at the interesting white paper published by the researchers.
(Security Affairs – mousejack attack, hacking)