[HACK] Should You Worry About Getting Mousejacked?
More than 80 media outlets have echoed a security alert issued by startup security firm Bastille Networks. “Hackers can exploit your wireless mouse to take control of your cursor and keyboard... or even inject malware into your computer!” Should you ditch your wireless mouse, or is this story a bit overhyped? Let's take a look at the facts…
What is Mousejacking?
First, let me note that Bastille Networks, founded in March 2014, claims to be “the first and only company to completely secure the Enterprise by identifying airborne threats,” but does not have any products or defined services that I can find. Its website mainly consists of press releases and blog posts about “airborne threats.”
The “Mousejack” tab prominently featured on Bastille’s main page leads to an "affected devices" page that contains just a few links to vendor websites. At present, only Logitech is offering patches for the problem. Lenovo, Gigabyte, HP, Microsoft and other vendors listed there are not. (Be wary of third-party websites offering security patches. I always advise visiting device manufacturers’ sites for the latest, malware-free driver software.)
Now let’s look at the Mousejack vulnerability and see how bad it really is. Bastille modified a USB dongle used to control a drone called CrazyFlie so that the dongle could explore the communications protocols used by other USB dongles. Here are the significant findings:
First, the Mousejack vulnerability can affect Windows, OS X and Linux computers. But it exists only in certain wireless mice that connect through a USB dongle, not in Bluetooth devices. If your wireless mouse uses a Bluetooth connection to your computer, you are NOT affected.
Next, mouse data is usually unencrypted and unauthenticated. One can sniff out what a wireless mouse is doing, and even inject bogus mouse-clicks and movements into the data stream a mouse sends to its host computer. Bastille claims these things can be done from a distance of up to 100 meters (328 feet, or roughly the length of a football field), but that would require the hacker to have a clear line of sight to the target mouse dongle and no RF interference, conditions that rarely exist. (Take your wireless mouse into another room and see if it can move the cursor on your computer display.)
It turns out that keyboard input is usually encrypted, but some mouse dongles will accept unencrypted keystroke data anyway. So Mousejack won’t let a hacker record keystrokes but it will let him inject fake keystrokes via the mouse. Some dongles will automatically “pair” with any nearby device without user interaction. So if your mouse dongle is plugged in and a properly equipped hacker is nearby, the hacker’s keyboard may secretly link to your dongle, obtaining its encryption key and allowing injection of bogus keystroke data. This scenario is most likely in public WiFi hotspots.
How Can You Tell if You're Being Mousejacked?
The symptoms of a Mousejacking would include erratic, unexpected cursor movements and seemingly random keystrokes that the user did not enter. A user might well assume there’s a corrupted driver or bad hardware device. It’s also likely that a hacker would use a “virtual keyboard,” software that spews keystroke and mouse data so rapidly that it’s over before a user notices anything amiss.
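The rapid-injection symptom described above can be checked for by timing. The sketch below is an added example, not code from the article or from Bastille: it flags runs of keystrokes that arrive faster than a person types. The thresholds, the function name and the sample timestamps are assumptions constructed for illustration; capturing the key events themselves is outside its scope.

```python
from dataclasses import dataclass

# Assumed thresholds (not from the article): a sustained run of 8 or more
# keys with no more than 20 ms between them is faster than hand typing.
MAX_HUMAN_GAP_MS = 20
MIN_BURST_KEYS = 8


@dataclass
class Burst:
    start_ms: int
    end_ms: int
    keys: int


def find_injection_bursts(timestamps_ms, max_gap_ms=MAX_HUMAN_GAP_MS,
                          min_keys=MIN_BURST_KEYS):
    """Return runs of keystrokes whose inter-key gaps are all <= max_gap_ms."""
    ts = sorted(timestamps_ms)
    bursts = []
    run_start = 0
    for i in range(1, len(ts) + 1):
        # Close the current run at end of input or at a human-scale pause.
        if i == len(ts) or ts[i] - ts[i - 1] > max_gap_ms:
            run_len = i - run_start
            # Short fast runs (key rolls, double taps) are normal; long ones are not.
            if run_len >= min_keys:
                bursts.append(Burst(ts[run_start], ts[i - 1], run_len))
            run_start = i
    return bursts


# Constructed sample (milliseconds): hand typing, then 12 keys 4 ms apart,
# then hand typing again.
HUMAN_BEFORE = [0, 180, 340, 610, 790]
INJECTED = [5000 + 4 * n for n in range(12)]
HUMAN_AFTER = [9000, 9150, 9420]
SAMPLE_EVENTS = HUMAN_BEFORE + INJECTED + HUMAN_AFTER

if __name__ == "__main__":
    for b in find_injection_bursts(SAMPLE_EVENTS):
        span = b.end_ms - b.start_ms
        print(f"suspicious burst: {b.keys} keys in {span} ms "
              f"starting at t={b.start_ms} ms")
```

A burst like this is finished in well under a tenth of a second, which is why a timing check catches what a person at the screen may not.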
As for injecting malware into a computer via a Mousejacked USB port, I don’t see any evidence that Bastille actually did so. I can envision a scenario in which a Mousejacked system opens a browser, navigates to a malware site, and downloads a malware package. But if you are sitting at the keyboard you are going to notice all of that unexpected activity.
In short, Bastille and the tech press are making a big fuss over a flaw that is quite difficult to exploit. The reaction of wireless mouse makers has been mild. Logitech has published a patched version of its Unifying Software driver.
My Logitech mouse was not listed as vulnerable, but I downloaded and applied the updated Logitech firmware just to run through the process before recommending it here. There was a minor glitch. On the first attempt, I was informed that the update process failed, and was told to retry. Upon clicking the Retry button, my computer froze and required a reboot. After rebooting, I ran the updater again and it worked without incident.
Dell’s mice use the same software and Dell machines will receive the patch automatically if Dell update software is running. Lenovo has offered to replace its model 500 series mice and keyboards that can’t be upgraded by software. Microsoft has essentially said, “We’ll patch it when we get around to it.”
Is There a Plan B, or Should I Panic?
If your mouse is affected and there's no patch available (or if you're not sure whether or not your mouse is affected) you can and should take one simple step to minimize the small possibility of being Mousejacked. Set your screensaver to lock your computer after X minutes of inactivity, and require the user’s password to unlock it. Here's how on Windows: Click the Start button, then click on "Change Screen Saver" to see the Screen Saver settings. Adjust wait times as desired. Set up a screen saver and check the box for "On resume, display logon screen." You’re done.
Bottom line, there's no need to panic about the possibility that hackers in dark glasses and trenchcoats will inject malware into your dongle. (Just typing that sentence made me giggle.) Apply the Logitech fix if you have an affected Logitech device. Update your screen saver settings. If you're still concerned about mousejackers, switch to a wired mouse.
This article was posted by Bob Rankin on 9 Mar 2016
Copyright © 2005 - Bob Rankin - All Rights Reserved
Article information: AskBobRankin -- [HACK] Should You Worry About Getting Mousejacked? (Posted: 9 Mar 2016)