MouseJacking

Mousejacking is a security vulnerability in the firmware of many wireless keyboards and mice. It is specific to keyboards and mice using a proprietary protocol in the 2.4 Ghz band implemented on a chip by Nordic Semiconductor.^[1] Many wireless keyboard and mouse vendors protect the keyboard keystrokes from eavesdropping by using encryption. This also prevents an attacker from injecting keystrokes. However, the mouse clicks and movement is not encrypted and thus open to injection by an attacker. In addition, some wireless dongles have weaknesses in the way it processes received packets which makes it possible to send specifically formatted packets which generates keystrokes through the mouse communication channel. This allows an attacker to inject keystrokes into a computer using a wireless keyboard and mouse without having to know the encryption key of the keyboard communication channel.

A NRF24 radio similar to the CrazyRadio PA dongle

Discovery

This vulnerability was discovered by Bastille Research and documented in a whitepaper.^[2] A similar vulnerability include Samy Kamkar's Key Sweeper which sniffs keystroke data of unencrypted wireless keyboards.

Exploitation

To exploit this vulnerability an attacker has to be relatively close to its target. Even though the range between a standard keyboard or mouse and the dongle is in the order of 10m, it was experimentally tested that this vulnerability may be exploitable at a range of 180m using the CrazyRadio PA dongle.^[1]^[3] This range assumes line of sight, so if there were walls or other obstacles in the way the attack may not work.^[4] A likely attack scenario would be an attacker standing close by an office with a laptop and wireless dongle. In many attack scenarios, the attacker may not be able to see the target's monitor, so the attack would have to be executed blind.

Remediation

Many vendors either released firmware patches for their dongles or offered to replace affected devices.^[3] In addition, Microsoft released a wireless mouse driver patch that would filter any keystroke input coming in through a mouse.^[5]^[6] In cases where security is of critical importance, it may be better to not use a wireless keyboards or mouse.

References

External links

Category:Hacking (computer security) Category:Computer security exploits

[defcon-1] MouseJack and Beyond: Keystroke Sniffing and Injection Vulnerabilities in 2.4GHz Wireless Mice and Keyboards

[2] MouseJack Whitepaper

[wired-3] Flaws in Wireless Mice and Keyboards Let Hackers Type on Your PC

[4] 'MouseJack' Attacks Hack Wireless Keyboards And Mice From 100 Meters

[5] Microsoft Patches "Mousejack" Vulnerability

[6] Microsoft Security Advisory 3152550

[1]

[2]

[3]

[4]

[5]

[6]