Mousejack Attacks Exploit Wireless Keyboards and Mice

msm1267 writes: Researchers have discovered a vulnerability in the USB devices that support wireless keyboards and mice that could put a countless number of devices at risk to attack. Seven manufacturers have been informed of the flaw, but as of today, only Logitech has produced a firmware update. Some have no update mechanism and can never be patched. The issue lies in the fact that some of the commands from the peripheral device to the dongle are not encrypted. Most do not authenticate packets and an attacker within close proximity and using a USB transmitting malicious packets over radio frequency can trick the victim's machine into accepting mouse clicks impersonating keystrokes. It would take a matter of seconds for the attacker's code to load a rootkit, malware or additional network access.

And that, ladies and gentlemen...

[Chris+Mattern]

...is why you should be using bluetooth instead of cheaping out. Saves a USB port, too!

Load malware?

[Cigaes]

“It would take a matter of seconds for the attacker's code to load a rootkit, malware or additional network access.”

Really? With just keystrokes and mouse moves? With no feedback about where the keystrokes and clicks end up?

For a particular target, a way can probably be devised, but it will most likely be slow and visible. And not work with the next target.

Injecting keys is clearly a security flaw with severe consequences, but over-hyping it is unproductive.

Re:Bluetooth range

[mindwhip]

You tried to use 1600 bluetooth keyboards and mice in relatively close proximity (probably open plan/cubicle office) and are surprised they didn't work? you probably had them all networked using wifi at the same time as well...