While the rampage of ransomware was the attention-grabbing story of last year, the subtitle for 2016 was comprised of just three words: Internet of Things.
Four words if you precede “things” with the almost obligatory “Insecure”.
That connected devices are of interest to hackers — and connectivity is all we’re really talking about when we drop the IoT bomb into conversation — should come as no surprise. The devices themselves are usually a conduit to the real target, rather than being the target themselves. And so it’s another set of everyday objects that have, perhaps understandably so, skipped the attention of all but the most security-minded on both sides of the legal fence: mice and keyboards.
As unlikely as it may seem, my favourite bit of technical hacking from 2016 was a class of vulnerabilities dubbed MouseJacking. A MouseJack is, per the Bastille Threat Research Team (BTRT) that discovered it, an exploit that can inject unencrypted keystrokes into a target machine from up to 225m away using cheap, non-Bluetooth radio transceiver USB dongles. Dismiss it as being just another theoretical code-injection exploit if you like, but for me this has a touch of evil genius about it. Sure, it’s a bit low-rent when compared to the state-sponsored style of a Stuxnet attack, with multiple high-value zero-day exploits sacrificed to the gods of espionage; ten quid’s worth of dongle and a total of nine vulnerabilities from brands that really ought to have known better is all it took.
Wireless keyboard manufacturers have pretty much wised up to the eavesdropping threat, and so keystrokes are sent encrypted when no wires are involved these days. A couple of years ago, writing on these very pages, I mentioned how weak wireless keyboard signals tend to be, and thus the risk of remote capture was, well, remote. I also mentioned how signal encryption was a key part of the wireless keyboard spec (every pun intended) and that even specialist devices such as the KeySweeper — which captured and decrypted keystrokes — weren’t a threat to modern kit. Microsoft started using AES encryption after 2011, and KeySweeper couldn’t hack these. So what’s changed with MouseJack?
The clue is in the name. It makes the most of wireless proprietary protocols operating in the 2.4GHz “Industrial, Scientific and Medical” (ISM) band, which don’t bother themselves with all that encryption nonsense. Instead, they happily use unencrypted communications between the mouse and the USB dongle attached to the computer.
Non-Bluetooth wireless mice from Amazon (Basics), Dell, Gigabyte, HP, Lenovo, Logitech and Microsoft were all found to be vulnerable to an attacker spoofing mouse movements and generating keystrokes. All the time, the target dongle thinks it’s communicating with the wireless mouse or keyboard, but is getting the code the malicious actor is sending from a replacement dongle costing around $50 instead.
The attack mode could be used to send malware to the target machine, or extract credential data from it. That Bastille managed to link a series of vulnerabilities to circumvent the keyboard encryption is impressive; that it even managed to work with dongles that required encrypted comms (by targeting the mouse instead) is even more so. The clever bit is that the exploit can spoof a wireless mouse that tricks the target PC into thinking it’s talking to a keyboard.
This spoofing element could become even more interesting over time, as IoT grows ever bigger. Why is that, I hear you ask? Well, if it can trick a computer into thinking a spoofed mouse is a real keyboard, then what other cross-device treachery can RF-based protocol hacking come up with?
In typical IoT fashion, most of the vulnerable devices will need to be binned if security matters to the users. Firmware patches are thin on the ground in IoT territory, and that’s also the case with wireless dongles and RF mice; the transceiver chips are designed to be programmable only once and so can’t be updated. A decent list of at-risk devices can be found at tinyurl.com/j512h78, along with vendor responses and links to firmware patches where available.
Back in 2015 when I wrote about KeySweeper, I concluded that there were too many caveats to make it a real-world threat: distance, model of keyboard being used, the Heath-Robinson home-built hacking device requirement, the fact that Bluetooth mitigated the risk — albeit at the cost of introducing some of its own. The best risk mitigation back then was to suggest not using a wireless keyboard unless you had no other choice. Wired keyboards tended to be more reliable and were a lot cheaper.
That’s not true anymore, and MouseJack plugs the real-world gap in terms of distance, cost of the attack dongle, and choice of likely target devices. My advice about not going wireless isn’t going to stick with many folk now, but I’d suggest you stick with Bluetooth if you’re going to snip the wires from your working life.
Many makes of wireless mice are still vulnerable, and it’s all due to the RF dongle.