Security Alert: Your Wireless Mouse or Keyboard Can Be Hacked
If you use a wireless mouse or keyboard, you could be leaving yourself open to attacks from hackers. Researchers at Bastille had discovered a few months ago that attackers can make use of a cheap $15 antenna to sneak into your computer through a wireless mouse or keyboard dongle (receiver).
As an example, an attacker could use a cheap antenna to masquerade as a wireless mouse to enter your computer. From there, the intruder can switch the signal to emulate a wireless keyboard, and gain control of your machine. The trick was found to have worked from up to 200 meters (and sometimes even 225 meters) away, so even if an attacker can't see your screen, he could use keyboard commands to do anything from opening websites to downloading malware onto your computer—or even wiping your hard drive altogether.
So far, Bastille has found multiple "MouseJack" vulnerabilities in non-Bluetooth wireless mouse and keyboard radio receivers made by AmazonBasics, Dell, Gigabyte, HP, Lenovo, Logitech, and Microsoft.
Fortunately, there are some ways that you can take action. Firstly, if you're not using your wireless device, switch it off. The antenna relies on the dongle being active, and the dongle won't be hunting for signals if your device is switched off. (You could also just unplug it.) Of course, this doesn't help much if you're using your mouse or keyboard. And unless you're using a Logitech product, there's not really anything you can do at the moment.
Logitech has already issued a fix for its Unifying receiver, though, so let's take a look at how you can update the firmware and stop worrying about this issue. This patch will only work on Logitech wireless keyboards and mice that bear the Unifying logo on it, and is not available for Linux or Mac OS X yet.
First, you're going to need to install Logitech's Unifying Software if you haven't done so already. Make sure your receiver is plugged into a USB port, then open the software and click on Advanced. Highlight "Unifying Receiver" on the left side of the window, then make note of the "Firmware Version" on the right side.
Your firmware version should either begin with "012" or "024," so download the appropriate firmware update using the link below. Save the executable file to your desktop, or wherever you'd like. There is no word yet on whether or not a fix will be coming for Mac OS X or Linux users.
Now, run the EXE file from Logitech, with the Unifying Software still running. The "Update Firmware" button beneath "Firmware Version" will be grayed out until you run the EXE. Once it becomes clickable, do that, and the update will start.
The update should only take a couple seconds, and once it's finished, you're all set.
Your Logitech Unifying receiver should now be protected from these antenna attacks.
Lenovo is offering exchanges on its 500-series keyboards and mice, since they claim current devices can't be patched, so you can take advantage of that. It's not the best solution, but it's certainly better than nothing.
In April 2016, Microsoft released a filter driver patch for all of their wireless mouse products as an optional update, so make sure you grab that if you have a wireless Microsoft mouse. However, mice that are part of a combo set are still vulnerable, Bastille claims.
None of the other manufacturers named in the Bastille report have offered a fix yet (though Dell is working with them to deal with the issue), and Logitech hasn't addressed it with their non-Unifying wireless mouses yet either. This might not even be possible, as not all manufacturers provide dongles with upgradeable firmware.
Keep your eyes peeled to see if the manufacturer of your wireless mouse or keyboard announces a fix. We'll do the same and let you know as soon as we find out. And just because you have a wireless mouse made by someone not on this list does not guarantee your safety—Bastille might not have tested it out yet.
If you're an aspiring hacker here on Null Byte, now's the time to break out that extra mouse you have and learn a thing or two. More information is available at MouseJack.com, and you can view details on the keystroke injections and forced pairing techniques in their white paper.