If you use a wireless mouse or keyboard, you could be leaving yourself open to attacks from hackers. Researchers at Bastille had discovered in January 2016 that attackers could make use of a cheap $15 antenna to sneak into your computer through a wireless mouse or keyboard dongle (receiver).
As an example, an attacker could use an inexpensive antenna to masquerade as a wireless mouse to enter your computer. From there, the intruder can switch the signal to emulate a wireless keyboard and gain control of your machine. The trick was found to have worked from up to 200 meters (and sometimes even 225 meters) away, so even if an attacker can't see your screen, he or she could use keyboard commands to do anything from opening websites to downloading malware onto your computer — or even wiping your hard drive altogether.
So far, Bastille has found multiple "MouseJack" vulnerabilities in non-Bluetooth wireless mouse and keyboard radio receivers made by AmazonBasics, Dell, Gigabyte, HP, Lenovo, Logitech, and Microsoft.
Fortunately, there are some ways that you can take action. Firstly, if you're not using your wireless device, switch it off. The antenna relies on the dongle being active, and the dongle won't be hunting for signals if your device is switched off. (You could also just unplug it.) Of course, this doesn't help much if you're using your mouse or keyboard. And unless you're using a Logitech or Microsoft product, there's not really anything you can do at the moment.
AmazonBasics' wireless mice affected won't receive any updates and it's not known whether Amazon fixed the issue in newer models. Bastille notes that it's Wireless Mouse MG-0975, USB dongle RG-0976, that is affected.
Dell issued a statement that it was looking into the issue, but has not since mentioned any updates for mice and keyboards already sold. Bastille notes that the Dell KM714 Wireless Keyboard and Mouse Combo; KM714 USB dongle; and KM632 Wireless Mouse USB dongle are affected.
Gigabyte never disclosed updates or even acknowledged an issue with its keyboards. Bastille notes the K7600 wireless keyboard USB dongle is affected.
Hewlett-Packard also never disclosed updates or even acknowledged an issue with its keyboards. Bastille notes the Wireless Elite v2 keyboard Elite USB dongle is affected.
Lenovo is offering replacement devices for affected 500-series keyboards and mice models. Bastille notes the 500 Wireless Mouse (MS-436) 500 USB Dongle is affected.
If you have a Logitech G900 gaming mouse, you can update its firmware on a Windows PC with G900Update_1.5.23.exe. Bastille notes the K360, K400r, K750, and K830 Unifying dongle are affected, as well as Unifying Dongles C-U0007 and C-U0008, the Logitech G900, and Logitech G900 dongle C-U0008.
Logitech has issued a fix for its Unifying receiver, so let's take a look at how you can update the firmware and stop worrying about this issue. This patch will only work on Logitech wireless keyboards and mice that bear the Unifying logo on it. A patch is available for Windows and macOS, but nothing has been stated for Linux.
If you're a Mac user, just download the ZIP file, unzip it, then open up the SecureDFU application and follow the on-screen instructions. The instructions are similar for Windows PC, just download and run the SecureDFU.exe file.
Microsoft offered a firmware update that may or may not work, and mice that are part of a combo set are still vulnerable, Bastille claims. Affected products include Sculpt Ergonomic mouse, Wireless Mobile Mouse 4000, Microsoft Wireless Mouse 5000, 2.4GHz Transceiver v7.0, USB dongle model 1496, and USB dongle model 1461,
Keep your eyes peeled to see if the manufacturer of your wireless mouse or keyboard announces a fix. We'll do the same and let you know as soon as we find out. And just because you have a wireless mouse made by someone not on this list does not guarantee your safety — Bastille might not have tested it out yet.
If you're an aspiring hacker here on Null Byte, now's the time to break out that extra mouse you have and learn a thing or two. More information is available at MouseJack.com, and you can view details on the keystroke injections and forced pairing techniques in its white paper.
Want to start making money as a white hat hacker? Jump-start your hacking career with our 2020 Premium Ethical Hacking Certification Training Bundle from the new Null Byte Shop and get over 60 hours of training from cybersecurity professionals.
Other worthwhile deals to check out: