
Security researchers from Bastille Networks have published the results of a study of wireless mice and keyboards that communicate with a computer through a USB dongle. They claim that an attacker can take control of the computer and send it arbitrary commands from a distance of up to 100 meters. Wireless devices that use the Bluetooth protocol are not affected by this vulnerability.
Manufacturers that do not use Bluetooth usually run their devices in the 2.4 GHz ISM band. Since there is no common protocol for these wireless devices, each manufacturer implements its own version, including its own protection. The study examined devices from Logitech, Dell and Lenovo.
It turned out that while most keyboards communicate with the USB dongle over an encrypted protocol, none of the tested mice bother with encryption. As a result, the mouse is not authenticated at all: the dongle simply cannot distinguish a control packet transmitted over the radio by the mouse from a packet transmitted by an attacker.
A receiver popular among manufacturers is the nRF24L from Nordic Semiconductor, so after studying how it works, the researchers were able to generalize their findings to many devices. No special equipment is needed to carry out the attack: a similar USB dongle costing about $15 and a Python program of roughly 15 lines are enough.
Flaws in how the dongles handle received frames allowed the researchers to craft transmitted packets that the dongle recognizes not as clicks and mouse movements but as keystrokes. These flaws vary from manufacturer to manufacturer, but they fall into three categories.
1. Keystroke injection with a spoofed mouse
Some dongles do not check that the type of command received matches the type of device that is supposed to be sending it. As a result, they happily accept keystroke commands from a device paired as a mouse. The attacker's dongle, pretending to be the victim's mouse, sends unencrypted packets to the victim's dongle, which processes them as if the mouse had sent them.
2. Keystroke injection with a spoofed keyboard
Although most keyboards talk to their dongles over an encrypted channel, not all dongles require that encryption. As a result, an attacker can transmit unencrypted keystroke commands that the victim's dongle processes as if they came from the victim's own keyboard.
3. Forced pairing
Dongles are usually paired with a keyboard or mouse at the factory, but some manufacturers allow new devices to be added, for which the dongle switches into a special pairing mode - for example, when a keyboard is added to a dongle that previously served only a mouse, or when the dongle is lost and the user installs a new one. If the victim uses only a mouse, the attacker can pretend to be a keyboard, force a pairing with the victim's dongle, and then send control commands.
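The three acceptance flaws above, and the checks that close them, modelled in Python. This is an added example, not Bastille's 15-line injection script and not any vendor's dongle firmware: the packet layout (source address, claimed device type, frame kind, an "encrypted" flag, payload) and the radio addresses are constructed, hypothetical simplifications used only to show the dongle's decision logic, not the real nRF24L air format.

```python
"""Toy model of a 2.4 GHz keyboard/mouse dongle's frame-acceptance logic.

Added example, not Bastille's code and not any vendor's firmware. The packet
layout and addresses below are HYPOTHETICAL and deliberately simplified.
"""
from dataclasses import dataclass, field

MOUSE, KEYBOARD = "mouse", "keyboard"
VICTIM_MOUSE = bytes.fromhex("a1b2c3d4e5")     # constructed 5-byte radio addresses
VICTIM_KEYBOARD = bytes.fromhex("a1b2c3d4e6")
ATTACKER = bytes.fromhex("deadbeef00")


@dataclass(frozen=True)
class Packet:
    src: bytes        # radio address the frame arrives from (trivially spoofable)
    dev_type: str     # device type the frame claims to come from
    kind: str         # "move", "key" or "pair"
    encrypted: bool   # whether the payload is protected by the pairing key
    payload: bytes


@dataclass
class Dongle:
    """strict=False reproduces the flawed behaviour; strict=True is the hardened version."""
    paired: dict                     # radio address -> device type it was paired as
    strict: bool = False
    pairing_mode: bool = False       # only the hardened dongle honours this
    typed: list = field(default_factory=list)
    moves: int = 0

    def handle(self, pkt: Packet) -> str:
        if pkt.kind == "pair":
            # Flaw 3: the flawed dongle pairs any device that asks.
            # The hardened dongle pairs only while the user has enabled pairing mode.
            if self.strict and not self.pairing_mode:
                return "dropped"
            self.paired[pkt.src] = pkt.dev_type
            return "paired"

        dev_type = self.paired.get(pkt.src)
        if dev_type is None:
            return "dropped"          # both versions ignore unknown addresses

        if pkt.kind == "move":
            self.moves += 1
            return "moved"

        if pkt.kind == "key":
            if self.strict:
                # Flaw 1: key frames arriving from an address paired as a mouse.
                if dev_type != KEYBOARD:
                    return "dropped"
                # Flaw 2: plaintext key frames on a channel that is supposed to be encrypted.
                if not pkt.encrypted:
                    return "dropped"
            self.typed.append(pkt.payload.decode())
            return "typed"
        return "dropped"


def run_attacks(strict: bool) -> dict:
    """Replay the three injection techniques against a dongle paired with one mouse and one keyboard."""
    dongle = Dongle(paired={VICTIM_MOUSE: MOUSE, VICTIM_KEYBOARD: KEYBOARD}, strict=strict)
    results = {}
    # 1. Spoofed mouse: attacker transmits an unencrypted key frame from the mouse's address.
    results["spoofed_mouse"] = dongle.handle(
        Packet(VICTIM_MOUSE, MOUSE, "key", False, b"calc\n")) == "typed"
    # 2. Spoofed keyboard: attacker transmits a plaintext key frame from the keyboard's address.
    results["spoofed_keyboard"] = dongle.handle(
        Packet(VICTIM_KEYBOARD, KEYBOARD, "key", False, b"calc\n")) == "typed"
    # 3. Forced pairing: attacker pairs its own address as a keyboard, then types.
    paired = dongle.handle(Packet(ATTACKER, KEYBOARD, "pair", False, b"")) == "paired"
    results["forced_pairing"] = paired and dongle.handle(
        Packet(ATTACKER, KEYBOARD, "key", True, b"calc\n")) == "typed"
    # A legitimate encrypted keystroke from the real keyboard must still work in both versions.
    results["legit_keyboard"] = dongle.handle(
        Packet(VICTIM_KEYBOARD, KEYBOARD, "key", True, b"a")) == "typed"
    return results


if __name__ == "__main__":
    print("flawed  :", run_attacks(strict=False))
    print("hardened:", run_attacks(strict=True))
```

The boolean `encrypted` flag is a modelling shortcut: a real hardened dongle cannot trust a flag in the frame, it has to attempt decryption and authentication with the pairing key and discard anything that fails, which is exactly the step the flawed dongles skip. The address check alone buys nothing, since the radio address is transmitted in the clear and is the first thing an attacker with a compatible dongle recovers.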
The researchers claim that the attack takes very little time: the attacker's dongle can simulate typing at 1000 characters per minute, which is enough to install a trojan in about 10 seconds.
Some manufacturers ship reprogrammable dongles, whose firmware can be updated. Logitech has already said that it takes the vulnerability seriously and has released updated firmware for its wireless products. Unfortunately, many dongles store their firmware in read-only memory, so their vulnerability cannot be fixed.