Researchers have exploited a range of vulnerabilities in wireless keyboards and mice, taking control of them from up to 100 meters away.
The researchers, from Internet of Things security start-up Bastille, focused on a range of dongle-linked devices from Logitech, Dell, Gigabyte, HP, Lenovo, Microsoft and Amazon Basics.
Some patches have been made available, including for Logitech devices, but where fixes aren’t available, Bastille CTO and founder Chris Rouland recommended that customers ditch their mouse or keyboard for a wired or Bluetooth alternative. The problems lie in the way the dongles handle incoming radio communications: in some cases the dongles accepted unencrypted packets where they should only have allowed the normal encrypted packets.
With one vendor, it was possible to get enough information from the ciphertext (the supposedly-random, garbled data) to inject keystrokes without knowledge of the encryption key, noted Bastille engineer Marc Newlin, who uncovered the weaknesses.
This allows a hacker to scan the local airwaves for the data packets sent after clicks and keystrokes in order to determine the radio frequency address of the target. With dongle-connected peripherals, communications typically take place over the 2.4GHz band. Once that address has been acquired, the hacker can start injecting clicks or keystrokes by transmitting forged packets to it, said Newlin.
Just $15 worth of hardware, including a software-defined radio, and a few lines of code are required to carry out the attack, Bastille said. The firm claimed most non-Bluetooth wireless dongles are vulnerable, leaving “billions of PCs and millions of networks at risk”. The video below details the attack and the company plans to open up mousejack.com to the general public so they can learn more about what devices are affected.
Using such techniques, an attacker could force a user to download malware, said Rouland. Newlin hypothesized that a hacker might also set up an ad hoc wireless hotspot on the machine so that, even if it was not connected to a network, data could still be removed from the victim’s PC and transferred to the crook’s own server. “Computers trust humans. The fact that you’re able to remotely inject at 100m away to a target means this is pretty high severity,” said Rouland. “Most of these devices are unmonitored in the enterprise.
“This is totally new. The only attacks on keyboards have been decoding the encryption passively, and that’s when vendors turn on encryption… No one has remotely injected keystrokes into one of these devices.”
Logitech: Not an easy attack
Logitech said it planned to issue a firmware update to its affected devices. But it claimed the attacks would not be simple to pull off. “Bastille Security identified the vulnerability in a controlled, experimental environment. The vulnerability would be complex to replicate and would require physical proximity to the target. It is therefore a difficult and unlikely path of attack,” said Asif Ahsan, senior director for engineering at Logitech.
“Logitech’s Unifying technology was launched in 2007 and has been used by millions of our consumers since. To our knowledge, we have never been contacted by any consumer with such an issue.” A spokesperson from Microsoft said: “Microsoft has a customer commitment to investigate reported security issues, and will provide resolution as soon as possible.”
Lenovo, meanwhile, has issued a security advisory and a firmware update. But, significantly, the patch can only be applied “at the time of manufacture”. That means there won’t be any downloadable fixes. Dell said customers with the KM714 keyboard and mouse products can take advantage of the Logitech patch through Dell Tech Support. “Customers with the KM632 are urged to call Dell Technical Support to identify a suitable Dell Universal Pairing.”
The other affected vendors had not responded to requests for comment at the time of publication. Professor Alan Woodward, a security expert from the University of Surrey, noted that similar attacks have been carried out before, pointing to the work of researcher Samy Kamkar. Kamkar previously created KeySweeper, an Arduino-based device that looked like an innocent USB wall charger but wirelessly and passively sniffed, decrypted and reported back all keystrokes from any Microsoft wireless keyboard using a 2.4GHz radio frequency protocol. Bastille’s technique, which injects keystrokes rather than only sniffing them, is more active than Kamkar’s.
But Woodward, whilst accepting the findings were concerning, noted the difficulties in carrying out an attack. “Exploiting this vulnerability will mean that whilst it could potentially cause countless leaks, it may prove tricky to undertake as a hacker has to have equipment in relatively close proximity to the devices being compromised,” he said. “Radio emanations can be picked up some distance from the devices if you have the right antenna and amplifiers, but then you tend to find you are operating in a noisy environment where it’s tricky picking out your target from the general radio hubbub.”
Newlin said his tests were carried out with a direct line of sight to the target PC. If obstacles were in the way, or if there was high humidity, radio signals would most likely be disrupted. Rouland believes the most likely scenario would see an attacker standing close by an office with their kit ready to siphon off secrets. Given how easy it is to get into an office building without being noticed, such attacks could easily be carried out just a matter of meters away.