Researchers exploit unencrypted radio to hack wireless mice, keyboards

Microsoft, Logitech, and others promise fixes in upcoming products.

Researchers exploit unencrypted radio to hack wireless mice, keyboards

Two researchers have demonstrated that an attacker can hack unencrypted radio communication to seize control of many leading wireless keyboards and mice.

Gerhard Klostermeier and Matthias Deeg of German security firm SySS said at Ruxcon 2016 that their attack worked because of how wireless mice and keyboards are designed.

Those devices work by using radio frequency technology to communicate with a computer. Makes sense...except when you realize most of that communication is neither encrypted nor authenticated.

Without any protective measures in place, an attacker can easily pick up that eavesdrop on a wireless device's communication with a computer. As long as they know the correct keyboard or mouse protocol, they can then spoof commands in an effort to achieve remote code execution and infect a machine with malware.

That's exactly what Klostermeier and Deeg did using what they call a Raspberry Pi "Radio Hack Box."

The attack makes use of a Crazyradio PA USB dongle, the same device Bastille Networks' Marc Newlin employed to exploit the MouseJack vulnerabilities in early 2016.

By virtue of an internal Python tool, the Radio Hack Box picks up on the radio frequencies of the wireless device, injects itself into the communication stream, and spoofs commands using keystrokes typed on a virtual keyboard in Windows on the computer.

Those commands allow for an actor to download malware onto a victim's machine, as the researchers show in the demonstration video provided below.

Klostermeier notes someone can pull off the attack from a large distance away as long as they have the right equipment. As quoted by The Register:

"You can exploit all of these vulnerabilities in real world attack scenarios. The normal distance is 10 to 15 metres but if you use software defined radio and apply some antenna you could extend it to several kilometres."

Using the Radio Hack Box, the duo compromised devices produced by Microsoft, Logitech, Fujitsu, Perixx, and Cherry.

Perixx has not responded to the research, and Cherry said it will remove references that its current products are secure.

Meanwhile, Microsoft, Logitech, and Fujitsu have all promised to make their upcoming products more secure against those types of vulnerabilities.

But take that with a grain of salt.

Microsoft and Logitech both said their new products would be secure against MouseJack, but here we are once again with vulnerable wireless devices from these two companies. It might be worth looking into purchasing products from another vendor.

Alternatively, if you don't trust the tech, you could just play it safe and just stick with a wired mouse and keyboard.

Tags: , , , ,

Smashing Security podcast
Check out "Smashing Security", the new weekly audio podcast, with Graham Cluley, Carole Theriault, and special guests from the world of information security.

"Three people having fun in an industry often focused on bad news" • "It's brilliant!" • "The Top Gear of computer security"

Latest episodes:

, , , ,

2 Responses

  1. Michael Ponzani

    October 28, 2016 at 6:18 pm #

    Well, at least I have a wired mouse. These don't poop or pee, spread disease, or carry bubonic plague fleas.

    Emergency Alert. If your readers wish to visualize how viral infections spread on the WWB, just get ahold of some wisteria seeds. Then pitch them in obscure places as you walk around town. Or pitch them in rich people's estates where they can do the most damage! Watch how they come up and grow everywhere.

    Viral infections of the plant life every where!

  2. sammi

    November 11, 2016 at 4:13 am #

    it does all this too the list is endless its now using p2p to keep me tracked and connected. im atmy wits end
    i got stagefright in may 2016 from a security app. it effects any device not just android its ruined my desktop, laptops, xbox1,ipad and iphones windows lumia phone as well as countless android devices. it takes over your local ip and can use pretty much any cable or usb port to connect or generate its own power whether device bluetooth or wireless is on or off. it uses multicast with debugging and developer tools to access your device and control what you can and cant do. there is so much more i could say not enough room. ifanyone can help me pls

Leave a Reply