Wireless mice and keyboards are the perfect accessories for a world in which devices increasingly are shuffling off their connection coils, but those accessories — especially untethered rodents — also can create new threats for those who use them.
One such threat is Mousejack. The attack exploits a vulnerability found in 80 percent of wireless mice. With US$15 worth of off-the-shelf hardware and a few lines of simple code, a wireless mouse can be turned into a hacker’s portal for all kinds of mischief.
Mousejack — the name Bastille, which discovered the flaw last year, gave to the vulnerability — impacts more than a billion wireless mice worldwide, the company’s chief revenue officer, Ivan O’Sullivan, said.
One of Bastille’s engineers, Marc Newlin, discovered the vulnerability in non-Bluetooth wireless mice. The flaw in the mice is related to how the devices handle encryption.
“When evaluating these devices, it became apparent that they do not implement encryption in a correct way and make it possible to bypass encryption in certain situations,” he told TechNewsWorld.
That allows an attacker to forge and transmit wireless packets to the USB dongle of a target’s mouse and use that to inject keystrokes into that target’s computer.
“Taking advantage of that, an attacker from 225 meters away [246 yards] can type on a target’s computer,” Newlin said.
Typing is a relative term here. The keystrokes sent to the dongle could be automated, which means a hacker could type as fast as 1,000 words a minute.
“You could very quickly execute an attack,” Newlin said. “You could bring up a command window, type some commands, download some malware, and close the window all in a matter of seconds.”
“If a victim’s attention is elsewhere for a short period of time, an attack can be executed without their knowledge,” he added.