Hijack wireless mice, keyboards, with $15 of kit and 15 lines of code

Fake wireless computer mice and keyboards can be used to compromise laptops from up to 100 metres away using the portable peripherals from at least seven big vendors including Logitech, Microsoft, and Amazon, software engineer Marc Newlin says. The attacks target the typically cleartext and insecure communications between a …

  1. Pascal Monett Silver badge

    Only 15 models ?

    And my Logitech mouse & keyboard is not in the list, as far as I can see.

    Given the variety of mice available on the market, I see this as a rather good thing for security.

    In any case, I highly doubt that mousejacking will allow the installation of software. If I leave my work computer, I lock the screen. At that point, no installation procedure can take place. If I'm in front of my screen and the mouse starts doing weird things, I now know I should unplug the mouse dongle.

    In any case, thanks for the heads-up.

    1. YetAnotherLocksmith

      Re: Only 15 models ?

      Just because they only tested 17 models, and found 15 broken, doesn't mean lots of other ones aren't also similarly flawed.

      It costs a lot to test gear that you have to buy retail yourself - at say £50 a set that's over £800, & lots of keyboard/mice cost more than that!

      1. Pascal Monett Silver badge

        Only tested 17 models - fair point, I missed that.

        In any case, when not at my desk, my PC stays locked, so there's that.

  2. Mike 125

    This is a 'mindset' thing...

    It's hard to see how the guy in that video missed all that activity on his machine. Important guy, important call.

    But it never occurred to me that my 15 quid wireless mouse would be crypto safe. People should shift to assuming danger, rather than assuming safety.

  3. YetAnotherLocksmith

    Hardly new

    This isn't a new threat.

    What's clever here is the way they've used the mouse commands as a way in, & also that manufacturers have aimed for cheaper models' compatibility so allowing defeat of the more expensive systems.

    It's like not encrypting your backups because of the overhead!

  4. Anonymous Coward

    Useful attack vector

    A bit similar to the rubber ducky, but more incognito. All you need to do is launch a browser and straight to a watering hole of your choice. Cue exploit and you're off and have a compromised machine :)

  5. Steve Davies 3 Silver badge

    There is a reason for...

    Not using Wireless KB's and Mice.

    Other than the having to replace batteries just when you need to use the thing urgently.

    Besides, I have yet to find a wireless KB that can stand up to the hammering I give them. I've had a couple of old DELL KB's (USB) that are built like the IBM ones of old. Had them 7+ years and cost me £5 each at a computer fair. Still going strong.

    1. Gene Cash Silver badge

      Re: There is a reason for...

      My problem is that Staples, OfficeMax, and Best Buy sell nothing but wireless mice. I just went through this because my old one died and I had to go shopping.

      As usual, I ended up back at home looking through Amazon because people don't stock shit any more.

      1. Grifter

        Re: There is a reason for...

        Are you only allowed to buy from those three stores? Or is it a self-imposed limitation like a new year's resolution?

      2. Mr Flibble

        Re: There is a reason for...

        “As usual, I ended up back at home looking through Amazon because people don't stock shit any more.”

        I think that you'll find that they do. They just don't stock the better items…

      3. Epobirs

        Re: There is a reason for...

        Not true. The Best Buy house brand, Insignia, sells a USB keyboard for $9.99 and a mouse and keyboard set for $12.99. The mouse sells for $7.99 by itself. I recently bought several of the sets for a client who has a specific need for widely spaced keys due to the impairment from a stroke making his typing moves much less accurate. A wireless Logitech model had previously been of great help but because it was aimed at certain markets was lacking a full cursor and edit key cluster to reduce the width.

        The Insignia keyboard, although of lesser build quality for a shorter lifespan, has the same spacing and a full-size layout. The price is so low that he doesn't have to worry about leaving it behind when he travels.

        Order it online and select store pickup. That will make them figure out where it is on the shelves.

  6. Anonymous Coward

    Nothing new:

    http://www.remote-exploit.org/articles/keykeriki_v2_0__8211_2_4ghz/index.html

    that's about 6 years old...

  7. DropBear Silver badge

    I'm not familiar with the specific mouse dongle implementations mentioned, but let me tell you attacking an NRF24L without prior knowledge is no walk in the park. First off, you have to know the exact frequency used or you'll receive nothing. That may sound trivial to sniff with a spectrum analyzer but it's actually anything but - these days often some sort of frequency hopping is in play which will need WAY more than $15 worth of (and some pretty badass) equipment to identify appropriately. To illustrate, the utterly Byzantine hopping schemes used in some quadcopter remotes using that same RF chip were characterized NOT by listening to the spectrum, but by directly sniffing the frequency change commands on the SPI bus between the RF chip and the host MCU. And that's just the first step...

    Second, you have to configure your NRF24L with the exact same address your "victim" uses or you'll receive nothing. Worst case, that is a 5-byte long address, brute-forcing of which is, erm, not really feasible. Best case it's still a 3-byte address to be guessed. That's still sixteen million addresses! The mentioned attack gets somewhat around this by setting an illegal (but apparently working) value that reduces the address length to 2 bytes, then further reducing that by setting the address equal to the RF preamble bit pattern, hoping to trick the chip into accepting the preamble as a valid address and delivering you the actual address as the "data" following it. Not a guaranteed result by any means, especially considering you now have no actual preamble to rely on to get your chip locked into transmissions.

    So yeah - is it a vulnerability? Yup. Should it be encrypted? Absolutely. What the NRF24L does is NOT security on its own. But the attack itself requires either a lot more hardware than mentioned or a lot of specific know-how and patience - if the packet transmission rate is quite modest, you might be sitting there "sniffing" for quite a while...

    1. JeffyPoooh Silver badge

      @DropBear

      Typically these very complicated steps need to be done once, by someone, and then published.

      Then somebody releases the attack as a 'script'.

      Then the script kiddies just 'Click-Click'.

      It's a mistake to assume that every attacker needs to start from scratch.

      Your post may lead some to make that mistake.

      1. DropBear Silver badge

        Re: @DropBear

        I did say clearly that these are difficulties to overcome, not security features. I did also say clearly I cannot tell how much of it applies directly to these specific mouse dongles. I'm not contesting that the attack as presented is possible. But it may or may not require more than double-clicking on a script and it may or may not take a non-trivial amount of time. I still don't see why saying that would be wrong. Anyone getting the impression that I "refuted" the article clearly has much bigger problems than having to worry about getting attacked this way.

        1. JeffyPoooh Silver badge

          Re: @DropBear

          Which is why I closed with: "...Your post may lead some to make that mistake."

          There are plenty of people that make the logical error of confusing difficulty with security.

          Since you were describing difficulties, I thought I'd make the point.

          Cheers.

  8. Knewbie

    also nothing new from here

    I remember the trick of putting the (large at the time) Logitech USB receiver on any electric line and getting the keypresses of anyone in the same building (circa 2001) using the same tech...

  9. JeffyPoooh Silver badge

    "...Travis Goodspeed documented[1]..."

    Style Guide: no point including the reference ("[1]") unless you include the citation to which it points.

  10. x 7

    If it's wireless, it's not a mouse, it is a HAMSTER

    or in some cases a guinea pig.......

    1. allthecoolshortnamesweretaken

      In this case, isn't it technically a RAT?
