[HACK] Should You Worry About Getting Mousejacked?

Category: Security

More than 80 media outlets have echoed a security alert issued by startup security firm Bastille Networks. “Hackers can exploit your wireless mouse to take control of your cursor and keyboard... or even inject malware into your computer!” Should you ditch your wireless mouse, or is this story a bit overhyped? Let's take a look at the facts…

What is Mousejacking?

First, let me note that Bastille Networks, founded in March 2014, claims to be “the first and only company to completely secure the Enterprise by identifying airborne threats,” but does not have any products or defined services that I can find. Its website mainly consists of press releases and blog posts about “airborne threats.”

The “Mousejack” tab prominently featured on Bastille’s main page leads to an "affected devices" page that contains just a few links to vendor websites. At present, only Logitech is offering patches for the problem. Lenovo, Gigabyte, HP, Microsoft and other vendors listed there are not. (Be wary of third-party websites offering security patches. I always advise visiting device manufacturers’ sites for the latest, malware-free driver software.)

Now let’s look at the Mousejack vulnerability and see how bad it really is. Bastille modified a USB dongle used to control a drone called CrazyFlie so that the dongle could explore the communications protocols used by other USB dongles. Here are the significant findings:

First, the Mousejack vulnerability can affect Windows, OS X and Linux computers. But it exists only in certain wireless mice that connect through a USB dongle, not in Bluetooth devices. If your wireless mouse uses a Bluetooth connection to your computer, you are NOT affected.

Next, mouse data is usually unencrypted and unauthenticated. One can sniff out what a wireless mouse is doing, and even inject bogus mouse-clicks and movements into the data stream a mouse sends to its host computer. Bastille claims these things can be done from a distance of up to 100 meters (328 feet, or roughly the length of a football field), but that would require the hacker to have a clear line of sight to the target mouse dongle and no RF interference, conditions that rarely exist. (Take your wireless mouse into another room and see if it can move the cursor on your computer display.)

It turns out that keyboard input is usually encrypted, but some mouse dongles will accept unencrypted keystroke data anyway. So Mousejack won’t let a hacker record keystrokes but it will let him inject fake keystrokes via the mouse. Some dongles will automatically “pair” with any nearby device without user interaction. So if your mouse dongle is plugged in and a properly equipped hacker is nearby, the hacker’s keyboard may secretly link to your dongle, obtaining its encryption key and allowing injection of bogus keystroke data. This scenario is most likely in public WiFi hotspots.

How Can You Tell if You're Being Mousejacked?

The symptoms of a Mousejacking would include erratic, unexpected cursor movements and seemingly random keystrokes that the user did not enter. A user might well assume there’s a corrupted driver or bad hardware device. It’s also likely that a hacker would use a “virtual keyboard,” software that spews keystroke and mouse data so rapidly that it’s over before a user notices anything amiss.
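The machine-speed input described above is something software can notice even when a person cannot. The following is an added example, not code from this article or from Bastille: a Python heuristic that flags runs of key presses arriving faster than a person types. The thresholds, function names and sample timestamps are assumptions constructed for illustration.

```python
"""Flag keystroke bursts too fast for a human typist (added illustrative example)."""
from dataclasses import dataclass

# Assumed thresholds, not taken from the article: a person rarely sustains
# gaps of 30 ms or less across eight or more consecutive key presses.
MAX_GAP_MS = 30
MIN_BURST_KEYS = 8


@dataclass
class Burst:
    start_ms: int
    end_ms: int
    keys: int


def find_injection_bursts(timestamps_ms, max_gap_ms=MAX_GAP_MS,
                          min_keys=MIN_BURST_KEYS):
    """Return runs of at least min_keys key presses spaced <= max_gap_ms apart."""
    ts = sorted(timestamps_ms)  # tolerate out-of-order event delivery
    bursts, run_start = [], 0
    for i in range(1, len(ts) + 1):
        # A run ends at the last event or when the next gap is human-sized.
        if i == len(ts) or ts[i] - ts[i - 1] > max_gap_ms:
            if i - run_start >= min_keys:
                bursts.append(Burst(ts[run_start], ts[i - 1], i - run_start))
            run_start = i
    return bursts


def sample_events():
    """Constructed key-press times in ms: typing, an injected burst, typing."""
    human_before = [0, 180, 340, 560, 700, 915]
    injected = [2000 + 4 * i for i in range(20)]  # 20 keys, 4 ms apart
    human_after = [3000, 3020, 3210, 3400]        # 20 ms key roll is not flagged
    return human_before + injected + human_after


if __name__ == "__main__":
    for b in find_injection_bursts(sample_events()):
        print(f"suspicious: {b.keys} keys in {b.end_ms - b.start_ms} ms "
              f"starting at t={b.start_ms} ms")
```

A flagged burst is a reason to look at what received the input, not proof of an attack, since macro tools and barcode scanners also type at machine speed.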

As for injecting malware into a computer via a Mousejacked USB port, I don’t see any evidence that Bastille actually did so. I can envision a scenario in which a Mousejacked system opens a browser, navigates to a malware site, and downloads a malware package. But if you are sitting at the keyboard you are going to notice all of that unexpected activity.

In short, Bastille and the tech press are making a big fuss over a flaw that is quite difficult to exploit. The reaction of wireless mouse makers has been mild. Logitech has published a patched version of its Unifying Software driver.

My Logitech mouse was not listed as vulnerable, but I downloaded and applied the updated Logitech firmware just to run through the process before recommending it here. There was a minor glitch. On the first attempt, I was informed that the update process failed, and was told to retry. Upon clicking the Retry button, my computer froze and required a reboot. After rebooting, I ran the updater again and it worked without incident.

Dell’s mice use the same software and Dell machines will receive the patch automatically if Dell update software is running. Lenovo has offered to replace its model 500 series mice and keyboards that can’t be upgraded by software. Microsoft has essentially said, “We’ll patch it when we get around to it.”

Is There a Plan B, or Should I Panic?

If your mouse is affected and there's no patch available (or if you're not sure whether or not your mouse is affected) you can and should take one simple step to minimize the small possibility of being Mousejacked. Set your screensaver to lock your computer after X minutes of inactivity, and require the user’s password to unlock it. Here's how on Windows: Click the Start button, then click on "Change Screen Saver" to see the Screen Saver settings. Adjust wait times as desired. Set up a screen saver and check the box for "On resume, display logon screen." You’re done.

Bottom line, there's no need to panic about the possibility that hackers in dark glasses and trenchcoats will inject malware into your dongle. (Just typing that sentence made me giggle.) Apply the Logitech fix if you have an affected Logitech device. Update your screen saver settings. If you're still concerned about mousejackers, switch to a wired mouse.

Your thoughts on this topic are welcome. Post your comment or question below...

 
This article was posted by on 9 Mar 2016


Most recent comments on "[HACK] Should You Worry About Getting Mousejacked?"

Posted by:

Mike Brose
09 Mar 2016

Looks like I'm safe, I use a wired mouse. Their batteries don't run down.


Posted by:

Konrad Poth
09 Mar 2016

...and I may get hit by a Sherman Tank while crossing Main St. in Podunk.


Posted by:

Michael S.
09 Mar 2016

Please Mousejack me and could you clean the mouse ball while you have it.


Posted by:

Monte Crooks
09 Mar 2016

I can remember an article titled "Making Mischief with your Mouse." The closest I can remember to when I read it was early '90s, even before wireless "mice." It had something to do with programming (via DOS) various random keystrokes to occur when a mouse click happened on a certain part of the screen. Funny, huh? I have a Logitech wireless mouse, but absolutely no "line-o'-sight" outside of my upstairs office. Therefore, for those of you in my "little older" category, a timely MAD comment of "What! Me Worry?" As always, Bob....THANK YOU!!


Posted by:

Pete B
09 Mar 2016

Funnily enough, the reported 'mousejacked' mouse behavior mirrors what I see when my mouse batteries are running down. So firstly try changing the batteries and see if it goes away!!!


Posted by:

mark smith
09 Mar 2016

My Logitech update went just like yours. (I was wondering if giggling while typing was a possible symptom of mousejacking :-) )


Posted by:

Ray Bobo
09 Mar 2016

I still want to know what makes my wired/usb mouse go bonkers when I wake the PC from hibernation. If a word processing doc is open, the cursor just keeps marching across the page until I hit a key. If another program is open, it will do something else; if a music program/player, it makes a continuous nerve-racking tone until a key is hit. All this began when I upgraded to Windows 10. I have a Microsoft mouse. Maybe it was in love with Win8 and now takes its revenge.


Posted by:

Lloyd Collins
09 Mar 2016

I'm sure it was caused by tainted cheese.

I don't do wireless, any kind, so that is one less threat to bother me.

I sure do miss my safe Commodore 64.


Posted by:

Samg
12 Mar 2016

Microsoft has essentially said, “We’ll patch it when we get around to it.” After owning a comfort sculpt mouse more than a year, that's better than the nothing excuse I received. Read the MS mouse forums. Replaced it on warranty and have yet to receive a good driver. Software solution, even. 2 Windows laptops, a Mint (Linux) laptop, and an Android tablet. Once in a while the tablet recognizes the mouse.
Then there's the mouse twitching. Uncontrollable freezes and non-scrolling issues from time to time. The re-installation of Firefox and Pale Moon browsers. The inaccessibility of my DSL router password after reset. Piggy-backing of my internet service. Luckily AdwCleaner fixes the mouse and scrolling problem. Dish remotes work poorly. Someone in the neighborhood is a hacker.
Purchased a Logitech mouse during the worst of the browser problem and it worked fine for about 10 days. Then, O@*!(#. Searched the Net. Installed the patched software and had a working wireless mouse again.
So heed Bob's warning. Install the patch. YOU may not have a hacker living next door now, but tomorrow? Then again, if no one reads this post and no one believes what I've posted, does any of what I experienced REALLY happen?
THEY'RE COMING TO TAKE ME AWAY, HAHAHAHA.


Posted by:

LadyLiberTEA
20 Mar 2016

LOL comments but some commenters not grasping Bob's gist, if I'm summarizing correctly:

1) it's the PLUGGED-IN mice with the suggestively dangling USB dongles that are vulnerable, NOT the WIRELESS mice sporting the charming blue teeth;
-&-
2) the PLUGGED-IN mice are vulnerable ONLY in public locations with beeline accessibility.

If that's your rodentia, Bob's quick EZ fixes:

1) keep mouse driver updated, lest he drop the tiny reins;
-&-
2) keep screensaver set to doze as quickly as a centenarian in a rocker demanding your password on waking "and no one will get hurt" ;)-


Copyright © 2005 - Bob Rankin - All Rights Reserved

Article information: AskBobRankin -- [HACK] Should You Worry About Getting Mousejacked? (Posted: 9 Mar 2016)
Source: https://askbobrankin.com/hack_should_you_worry_about_getting_mousejacked.html