Mousejacking may not sound like a very potent security threat, but an open doorway into your computer via your wireless USB mouse or keyboard is no joke. Researchers at security startup Bastille Networks have found more than a billion wireless mice and keyboards leave your computer and data vulnerable to hacking.
The weak spot is not in the mouse or keyboard itself but in the wireless USB transceiver dongle, that little plug-in thingie you put into the USB port of your computer. Most wireless keyboards and mice implement encryption but do not properly verify the incoming signals, which allows a nearby user with an unauthorized device to forcibly insert keystrokes through the same wireless connection.
If you're using a mouse, hackers send a wireless signal masquerading as a legitimate wireless mouse signal to the USB dongle. Most wireless USB dongles readily accept any invitation from wireless mice. Then hackers can make the wireless signal (now mimicking that of the wireless mouse) feign a wireless keyboard. And then the havoc begins.
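The acceptance flaw described above, modelled from the receiver's side as an added example that is not from the original article or from Bastille: a toy dongle that processes any frame on a paired address, next to one that checks the report type and requires protected keystrokes. The frame layout, addresses, key and the HMAC tag standing in for the vendor's encryption are all assumptions made for illustration.

```python
import hashlib
import hmac
from dataclasses import dataclass
MOUSE, KEYBOARD = "mouse", "keyboard"

@dataclass(frozen=True)
class Frame:
    address: str      # radio address the frame claims to come from
    kind: str         # report type: MOUSE or KEYBOARD
    payload: bytes    # movement or keystroke data
    tag: bytes = b""  # authentication tag; empty means sent in the clear

def make_tag(key: bytes, payload: bytes) -> bytes:
    # HMAC stands in for the vendor's link encryption; no replay counter is modelled.
    return hmac.new(key, payload, hashlib.sha256).digest()[:8]

class Dongle:
    def __init__(self, hardened: bool, paired: dict):
        self.hardened = hardened
        self.paired = paired  # address -> (device kind, link key)

    def accept(self, frame: Frame) -> bool:
        entry = self.paired.get(frame.address)
        if entry is None:
            return False  # address never paired with this dongle
        kind, key = entry
        if not self.hardened:
            return True   # flaw: report type and protection are never checked
        if frame.kind != kind:
            return False  # a mouse address may not deliver keystrokes
        if kind == KEYBOARD:
            return hmac.compare_digest(make_tag(key, frame.payload), frame.tag)
        return True

def run_demo(hardened: bool) -> dict:
    key = b"constructed-link-key"
    dongle = Dongle(hardened, {"AA:01": (MOUSE, key), "AA:02": (KEYBOARD, key)})
    frames = {  # constructed sample frames
        "mouse_move": Frame("AA:01", MOUSE, b"\x01\x00"),
        "typed_key": Frame("AA:02", KEYBOARD, b"a", make_tag(key, b"a")),
        "keystroke_on_mouse_address": Frame("AA:01", KEYBOARD, b"a"),
        "cleartext_keystroke": Frame("AA:02", KEYBOARD, b"a"),
        "unpaired_address": Frame("AA:09", MOUSE, b"\x01\x00"),
    }
    return {name: dongle.accept(f) for name, f in frames.items()}

if __name__ == "__main__":
    print("vulnerable:", run_demo(False))
    print("hardened:  ", run_demo(True))
```

The two legitimate frames pass in both modes; only the hardened dongle drops the keystroke arriving on the mouse address and the keystroke sent in the clear.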
Once your PC allows the incoming wireless signal, the hacker can pretty much do anything on your PC, including launching a web browser, opening a web page or downloading malware and installing it on the PC. With just a few keystrokes, the hacker can even reformat your hard drives.
According to Bastille, mousejacking can be performed from as far as 200 meters from the target computer with the help of a wireless USB antenna and a laptop. Millions of mice and keyboards are at risk, including those from Logitech, Gigabyte, Dell, Microsoft, HP, Amazon and Lenovo. Bastille researchers have published a list of devices they found to be affected by the vulnerability.
After Bastille notified wireless mouse and keyboard manufacturers about the issue, several of them acted quickly to mitigate it. Logitech’s widely used Unifying Receiver (the one with a sun-shaped logo on a rounded orange square) can be updated with a software patch from Logitech. Lenovo has determined that the vulnerability affects only its Lenovo 500 wireless products, and the company is prepared to swap out new and updated dongles for old ones affected by the issue.
Dell’s KM632 and KM714 mouse and keyboard combos are also affected. The company told Forbes that a patch for the KM714 is being readied, but some devices may need to be replaced. Other companies are in various stages of addressing the vulnerability and have yet to issue statements about it.
Thankfully, this security hole does not affect Bluetooth mice and keyboards. Mousejacking also won’t work on USB wireless dongles that are not in active use.