Flaw Puts a Billion Wireless Mice at Risk

2016.05.23 02

Wireless mice and keyboards are the perfect accessories for a world in which devices increasingly are shuffling off their connection coils, but those accessories — especially untethered rodents — also can create new threats for those who use them.

One such threat is Mousejack. The attack exploits a vulnerability found in 80 percent of wireless mice. With US$15 worth of off-the-shelf hardware and a few lines of simple code, a wireless mouse can be turned into a hacker’s portal for all kinds of mischief.

Mousejack — the name Bastille, which discovered the flaw last year, gave to the vulnerability — impacts more than a billion wireless mice worldwide, the company’s chief revenue officer, Ivan O’Sullivan, said.

One of Bastille’s engineers, Marc Newlin, discovered the vulnerability in non-Bluetooth wireless mice. The flaw in the mice is related to how the devices handle encryption.

“When evaluating these devices, it became apparent that they do not implement encryption in a correct way and make it possible to bypass encryption in certain situations,” he told TechNewsWorld.

Speed Typing

The flaw allows an attacker to forge and transmit wireless packets to the USB dongle of a target’s mouse and use them to inject keystrokes into that target’s computer.

“Taking advantage of that, an attacker from 225 meters away [246 yards] can type on a target’s computer,” Newlin said.

Typing is a relative term here. The keystrokes sent to the dongle could be automated, which means a hacker could type as fast as 1,000 words a minute.

“You could very quickly execute an attack,” Newlin said. “You could bring up a command window, type some commands, download some malware, and close the window all in a matter of seconds.”

“If a victim’s attention is elsewhere for a short period of time, an attack can be executed without their knowledge,” he added.
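The 1,000-words-a-minute figure above points to one host-side signal a defender can look for: sustained keystroke runs faster than any person types. The following Python code is an added example, not code from Bastille or from the article; the thresholds, the five-characters-per-word convention and the sample timestamps are assumptions constructed for illustration.

```python
# Added example: flag keystroke bursts too fast and too sustained for a human typist.
from typing import List, Tuple

CHARS_PER_WORD = 5      # assumption: conventional words-per-minute definition
HUMAN_MAX_WPM = 200     # assumption: generous ceiling for sustained human typing
MIN_BURST_KEYS = 12     # assumption: ignore short rolls of near-simultaneous keys


def wpm(key_count: int, duration_s: float) -> float:
    """Typing rate in words per minute for key_count keys over duration_s seconds."""
    if duration_s <= 0:
        return float("inf")
    return (key_count / CHARS_PER_WORD) / (duration_s / 60.0)


def find_injection_bursts(timestamps: List[float],
                          max_wpm: float = HUMAN_MAX_WPM,
                          min_keys: int = MIN_BURST_KEYS) -> List[Tuple[float, float, int]]:
    """Return (start, end, key_count) for runs of at least min_keys keys
    in which every inter-key gap implies a rate above max_wpm."""
    max_gap = 60.0 / (max_wpm * CHARS_PER_WORD)  # longest gap still above max_wpm
    bursts, run_start = [], 0
    ts = sorted(timestamps)
    for i in range(1, len(ts) + 1):
        # Close the current run at the end of input or at the first human-speed gap.
        if i == len(ts) or ts[i] - ts[i - 1] > max_gap:
            count = i - run_start
            if count >= min_keys:
                bursts.append((ts[run_start], ts[i - 1], count))
            run_start = i
    return bursts


# Constructed sample (seconds): 20 keys 150 ms apart, then 40 keys 12 ms apart
# (about 1,000 wpm), then 10 more keys 150 ms apart.
human_a = [i * 0.150 for i in range(20)]
injected = [5.0 + i * 0.012 for i in range(40)]
human_b = [8.0 + i * 0.150 for i in range(10)]
SAMPLE = human_a + injected + human_b

if __name__ == "__main__":
    for start, end, n in find_injection_bursts(SAMPLE):
        rate = wpm(n - 1, end - start)  # n keys span n - 1 gaps
        print(f"burst of {n} keys from {start:.3f}s to {end:.3f}s, ~{rate:.0f} wpm")
```
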
