I'm not familiar with the specific mouse dongle implementations mentioned, but let me tell you attacking a NRF24L without prior knowledge is no walk in the park. First off, you have to know the exact frequency used or you'll receive nothing. That may sound trivial to sniff with a spectrum analyzer but it's actually anything but - these days often some sort of frequency hopping is in play which will need WAY more than $15 worth of (and some pretty badass) equipment to identify appropriately. To illustrate, the utterly Byzantine hopping schemes used in some quadcopter remotes using that same RF chip were characterized NOT by listening to the spectrum, but by directly sniffing the frequency change commands on the SPI bus between the RF chip and the host MCU. And that's just the first step...
Second, you have to configure your NRF24L with the exact same address your "victim" uses or you'll receive nothing. Worst case that is a 5-byte long address brute-forcing of which is, erm, not really feasible. Best case it's still a 3-byte address to be guessed. That's still sixteen million addresses! The mentioned attack gets somewhat around this by setting an illegal (but apparently working) value that reduces the address length to 2 bytes, then further reducing that by setting the address equal to the RF preamble bit pattern, hoping to trick the chip into accepting the preamble as a valid address and delivering you the actual address as the "data" following it. Not a guaranteed result by any means, especially considering you now have no actual preamble to rely on to get your chip locked into transmissions.
So yeah - is it a vulnerability? Yup. Should it be encrypted? Absolutely. What the NRF24L does is NOT security on its own. But the attack itself requires either a lot more hardware than mentioned or a lot of specific know-how and patience - if the packet transmission rate is quite modest, you might be sitting there "sniffing" for quite a while...
Biting the hand that feeds IT
