THAT TINY DONGLE plugged into your USB port and paired with your wireless keyboard or mouse isn’t as monogamous as it pretends to be. For millions of cheap peripherals, those innocent-looking radio receivers may be carrying on a sly, long-distance relationship—letting an antenna-wielding intruder silently type malicious commands on your PC.

That’s a new warning from researchers at the Internet of things security firm Bastille, who released an advisory today that seven different companies’ wireless keyboards and mice are vulnerable to an exploit they’ve dubbed “mousejacking.” The attack—which affects a broad collection of devices sold by Logitech, Dell, Microsoft, HP, Amazon, Gigabyte and Lenovo—lets an interloper inject mouse movements or keystrokes at a rate of a thousand words per minute from a nearby antenna, even when the target device is designed to encrypt and authenticate its communications with a paired computer.

“With about fifteen lines of code, you can take over a computer more than a hundred yards away,” says Chris Rouland, Bastille’s CEO, who previously founded the hacking firm Endgame, a US government contractor. In their tests, Rouland and Bastille researcher Marc Newlin used a $12 Geeetech Crazyradio USB radio dongle attached to a laptop running their exploit code to pair with the victim devices. They tested as far as that hundred-yard range, though they found that the attack was more reliable with a more powerful Yagi antenna and believe it could likely be extended further. They also built a radio-enabled Nintendo controller capable of running their attack software, which they plan to show off at the RSA conference in San Francisco next week. Rouland points out that the exploit, which affects devices that use a little-studied proprietary radio protocol rather than Wi-Fi or Bluetooth, leaves even PCs that have been “airgapped”—isolated from the Internet—vulnerable if someone has plugged in a wireless keyboard dongle.

“We can compromise an airgapped network, going in through a different frequency protocol, directly to the USB port,” he says.

How It Works
Bastille’s mousejack attack doesn’t take advantage of one single vulnerability, but instead a collection of distinct problems in the firmware of wireless devices that use chips sold by the Norwegian firm Nordic Semiconductor. Nordic chips are capable of encryption. But unlike standard Bluetooth chips, the Norwegian firm’s cheap, low-power short-range radio communications chips require that vendors write their own firmware to implement that encryption and secure the connection between computers and peripheral devices. The result, Bastille’s researchers say, is that many of the affected companies failed to take advantage of Nordic’s encryption option, allowing the dongles that receive those communications to accept keystrokes from another device using the same radio protocol. Most of the vulnerable keyboards did encrypt their communications, the researchers say, but didn’t properly authenticate communicating devices; they would still allow another rogue device to inject unencrypted keystrokes over the same connection. “It’s like having an expensive deadbolt and leaving it unlocked,” says Rouland.
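To make the “deadbolt left unlocked” point concrete, here is an added Python model (not Bastille’s code and not the Nordic or any vendor’s real protocol; the frame layout, link key and toy XOR cipher are constructed for illustration) of a dongle that decrypts but never authenticates, beside one that only accepts tagged, non-replayed frames:

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass

# Constructed frame layout, NOT the real over-the-air format.
# flags bit0 = "payload is encrypted"; counter = per-link sequence number.
@dataclass
class Frame:
    flags: int
    counter: int
    payload: bytes      # keystroke bytes, plaintext or encrypted
    tag: bytes = b""    # authentication tag; legacy frames carry none

LINK_KEY = bytes(range(16))   # constructed pairing key shared by keyboard and dongle

def _keystream(key: bytes, counter: int, n: int) -> bytes:
    # Toy keystream from key + counter; stand-in for the chip's real cipher.
    return hashlib.sha256(key + struct.pack(">I", counter)).digest()[:n]

def encrypt(key: bytes, counter: int, keystrokes: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(keystrokes, _keystream(key, counter, len(keystrokes))))

decrypt = encrypt   # XOR with the same keystream undoes itself

def _tag(key: bytes, flags: int, counter: int, payload: bytes) -> bytes:
    msg = bytes([flags]) + struct.pack(">I", counter) + payload
    return hmac.new(key, msg, hashlib.sha256).digest()[:8]

def weak_dongle(frame: Frame, key: bytes = LINK_KEY) -> bytes:
    """The flaw the article describes: encryption exists, but nothing is authenticated.
    A frame with the 'encrypted' bit clear is passed to the host as typed keystrokes."""
    if frame.flags & 1:
        return decrypt(key, frame.counter, frame.payload)
    return frame.payload          # unencrypted keystrokes accepted verbatim

class HardenedDongle:
    """Accepts only frames carrying a valid tag under the pairing key, in increasing counter order."""
    def __init__(self, key: bytes = LINK_KEY):
        self.key, self.last_counter = key, -1

    def accept(self, frame: Frame):
        if not (frame.flags & 1) or not frame.tag:
            return None           # there is no unencrypted or untagged path at all
        expected = _tag(self.key, frame.flags, frame.counter, frame.payload)
        if not hmac.compare_digest(expected, frame.tag) or frame.counter <= self.last_counter:
            return None           # forged, tampered or replayed frame
        self.last_counter = frame.counter
        return decrypt(self.key, frame.counter, frame.payload)

def keyboard_frame(keystrokes: bytes, counter: int, key: bytes = LINK_KEY) -> Frame:
    # What the legitimately paired keyboard transmits.
    payload = encrypt(key, counter, keystrokes)
    return Frame(1, counter, payload, _tag(key, 1, counter, payload))
```

The weak receiver hands both the paired keyboard’s frames and an unpaired radio’s plaintext frames to the host; the hardened one rejects anything untagged, mis-tagged or replayed.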

“I don’t think people even understand that there’s firmware in the dongle connected to their mouse.” (Chris Rouland)
The Bastille researchers claim that “more than a billion” devices are affected in total. They back up that questionable number by pointing to a 2008 press release from Logitech touting the shipment of its billionth mouse, but couldn’t point to a more recent count or one that distinguishes between wireless and wired devices. Given the number of companies whose products Bastille successfully attacked, however, the count of vulnerable mice and keyboards is likely high, possibly in the millions; Rouland says that in Bastille’s tests, they were able to spot vulnerable wireless device dongles in most office buildings they targeted with their antennae. “Once you start looking for that little dongle, you’ll see it everywhere,” Rouland says.

Injecting keystrokes on a target computer, of course, isn’t in itself a full compromise of the machine. The hacker would only have the same privileges as the person using the computer and wouldn’t necessarily be able to type his or her passwords. Rouland argues that the attack could quickly be used to download malware and take full remote control of a PC. But the computer would have to already be unlocked, a caveat that would likely require the attacker to be able to see his or her target’s screen.
