Mousejacking – what you need to know

US startup Bastille Networks boldly claims to be “the first and only company to completely secure the Enterprise,” even though it doesn’t have any products on its website yet.

But it is nevertheless making waves with a vulnerability it’s calling Mousejacking, caused by a raft of security problems the company says it’s found in numerous wireless mouse and keyboard products.

The researchers took a USB dongle used to control a drone product called CrazyFlie, and hacked the firmware to turn it into a mouse-and-keyboard sniffer.

Using the hacked dongle, known as the Crazyradio PA (PA stands for power amplifier), they were able to investigate the communications protocols used by the sort of wireless mouse and keyboard that itself relies on a USB dongle to operate.

NB. Mousejacking only applies to USB-based mice and keyboards. Bastille’s research doesn’t cover Bluetooth devices.

They found a number of security problems in the way many devices handle the data that flows from your mouse or keyboard to your computer.

The most notable findings include:

  • Mouse data is usually unencrypted and unauthenticated, so you can sniff out what the mouse is doing, and even inject fake mouse-moves and clicks from a distance. (Bastille claims “up to 100m,” though we imagine that sort of distance is unlikely in the average work environment.)
  • Keyboard data is usually encrypted, but some dongles will accept unencrypted data anyway. So you can’t eavesdrop what the user is typing, but you can inject fake keystrokes from afar, even though you don’t know the encryption key.
  • Some dongles accept keyboard data from mice. So if the dongle requires encrypted keyboards but allows unencrypted mice, you can send it unencrypted keystrokes by pretending to be a mouse. Again, this means you don’t need the encryption key to inject fake keystrokes.
  • Some dongles can be tricked into pairing with new devices without any action by the user. So if your dongle is plugged in, a nearby imposter keyboard could secretly pair with it, get the dongle’s encryption key, and start injecting keystrokes.
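
The second and third findings come down to what the receiver checks before it passes a frame on to the host. The C sketch below is an added example, not code from Bastille or any vendor: the types, policy flags and sample frames are hypothetical and constructed to show the two flawed acceptance rules beside a stricter one.

```c
#include <stdbool.h>
#include <stdio.h>

/* Simplified model of a receiver's frame filter. All names are hypothetical;
   real dongle firmware and packet formats differ by vendor. */
typedef enum { DEV_MOUSE, DEV_KEYBOARD } dev_type;
typedef enum { PAYLOAD_MOUSE_MOVE, PAYLOAD_KEYSTROKE } payload_type;

typedef struct {
    dev_type     sender;    /* device class the frame claims to come from */
    payload_type payload;   /* what the frame asks the host to do */
    bool         encrypted; /* frame verified under the pairing key */
} frame;

typedef struct {
    bool enforce_kbd_encryption; /* reject plaintext frames from keyboards */
    bool bind_payload_to_sender; /* reject keystrokes from non-keyboards */
} policy;

static const policy DONGLE_A = { false, false }; /* accepts plaintext keystrokes */
static const policy DONGLE_B = { true,  false }; /* accepts keystrokes from "mice" */
static const policy HARDENED = { true,  true  };

bool accept_frame(const policy *p, const frame *f) {
    if (p->bind_payload_to_sender &&
        f->payload == PAYLOAD_KEYSTROKE && f->sender != DEV_KEYBOARD)
        return false;
    if (p->enforce_kbd_encryption &&
        f->sender == DEV_KEYBOARD && !f->encrypted)
        return false;
    return true; /* note: plaintext mouse movement still passes in every policy */
}

/* Constructed sample frames, one per case in the list above. */
static const frame LEGIT_KEY     = { DEV_KEYBOARD, PAYLOAD_KEYSTROKE,  true  };
static const frame LEGIT_MOVE    = { DEV_MOUSE,    PAYLOAD_MOUSE_MOVE, false };
static const frame PLAIN_KEY     = { DEV_KEYBOARD, PAYLOAD_KEYSTROKE,  false };
static const frame KEY_VIA_MOUSE = { DEV_MOUSE,    PAYLOAD_KEYSTROKE,  false };

int main(void) {
    const policy *ps[] = { &DONGLE_A, &DONGLE_B, &HARDENED };
    const char *names[] = { "dongle A", "dongle B", "hardened" };
    for (int i = 0; i < 3; i++)
        printf("%-8s plaintext key: %d  key via mouse: %d  legit key: %d  legit move: %d\n",
               names[i], accept_frame(ps[i], &PLAIN_KEY), accept_frame(ps[i], &KEY_VIA_MOUSE),
               accept_frame(ps[i], &LEGIT_KEY), accept_frame(ps[i], &LEGIT_MOVE));
    return 0;
}
```

Only the hardened policy rejects both kinds of injected keystroke while still accepting the paired keyboard and mouse.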

You’d probably back yourself to notice if someone else started typing additional keystrokes while you were working, or moving your mouse where you didn’t expect it to go.

You might suspect a hardware malfunction, a software bug or even a malware infection at first, but you’d nevertheless hope to spot any jiggery-pokery pretty quickly and take action against it.

Of course, as Bastille points out, it might already be too late, because a software-controlled “attack keyboard” can type much faster and more consistently than the average human typist, and damage is easy to do with even a few maliciously-planned keystrokes or mouse clicks.

Or you might have wandered away from your computer just for a moment without manually locking your screen, giving an attacker as much as two minutes (you do have an automatic screen lock of two minutes or less, don’t you?) to take over your computer from a nearby table in the coffee shop.

What to do?

  • Always lock your screen when you step away from your computer. You should do this regardless of mousejacking: don’t walk away and rely on your screen saver; instead, learn the keyboard shortcut for your chosen operating system and use it.
  • If you have a USB mouse or keyboard, check with your vendor if your product is affected, and if or when an update will be available. Bastille has a list of vulnerable devices that it knows about.
  • Consider using a device control solution if you are a business that’s worried about this threat. Device control can block access to unauthorised USB device types (e.g. “all mice” or “this specific product”), allowing you to restrict vulnerable mice and keyboards until firmware updates are available.

One very popular USB dongle that is affected is Logitech’s so-called “Unifying receiver” (they’re marked with a stylised orange logo that looks like an icon of the sun) that works with a whole raft of different Logitech mouse and keyboard models.

Logitech has published a firmware update that claims to patch the Unifying receiver product. (You need Windows to run the updater.)

How to lock your screen immediately

That’s easy.

On Macs, a brief press of the Power key will do it. (On older Macs, use Shift+Control+Eject.)

On Windows, use Windows+L.

A cool hack (in the good sense of the word) on the Mac is to add the ScreenSaverEngine application to your Dock, so you’re just one click away from your screen saver at any time. In Finder, choose Go | Go to Folder... and enter the directory name /System/Library/Frameworks/ScreenSaver.framework/Versions/A/Resources/. Find the ScreenSaverEngine file and drag a copy to the Dock. Now you have an icon that will engage the screensaver immediately.