In a worrying development for those who use a wireless mouse or keyboard (or indeed both), these peripherals can be hacked from a distance, and then used by an attacker to carry out malicious actions, such as installing malware, on the connected laptop or PC.
This issue was discovered by Mark Newlin, a researcher for security firm Bastille, with the exploit being christened MouseJack. The vulnerability is in the way the cordless peripheral communicates with the wireless dongle plugged into a USB port on the PC – because this connection isn’t encrypted, an attacker can hack in and inject keystrokes onto the machine.
The attacker needs a computer equipped with its own wireless dongle to send the keystrokes, although implementing the attack was hardly a trivial process – PC World reports that it took Newlin “between days and weeks” to reverse engineer the wireless protocols to be able to inject said keystrokes.
From a distance
This can happen from a distance of up to a hundred yards away, apparently – as long as the attacker has line of sight on the victim’s machine – and it affects a large range of peripherals from the likes of Dell, HP, Lenovo, Logitech and Microsoft to name some.
As well as line of sight, the other caveat is that the victim has to be away from their machine, or at least not looking temporarily, as otherwise they’ll see the keystrokes and actions happening and could potentially prevent whatever the attacker is trying to do (note that an attack could potentially be carried out quite swiftly, though).
The good news is that Logitech has moved to issue a patch, and other peripheral manufacturers are looking into the flaw, and will hopefully be taking action of their own soon enough. Meanwhile, be warned…
Note that this is a particularly worrying exploit for businesses, as not only could an attacker gain access to the victim’s machine, but also the entire network beyond that, and who knows how much juicy business data could potentially be exposed.