Slashdot Mirror

← Back to Stories (view on slashdot.org)

Optional Windows Update Aims To Halt Wireless Mouse Hijacking

Posted by msmash on from the improved-security dept.

Reader itwbennett writes: An optional Windows patch released Tuesday protects against an attack, dubbed MouseJack that affects wireless mice and keyboards from many manufacturers, including Microsoft and allows attackers to spoof a wireless mouse from up to 100 meters away and send rogue keystrokes instead of clicks to a computer. According to a Microsoft security advisory, the devices affected by this attack are: Sculpt Ergonomic mouse, Sculpt Mobile Mouse, Wireless Mobile Mouse 3000 v2.0, Wireless Mobile Mouse 3500, Wireless Mobile Mouse 4000, Wireless Mouse 1000, Wireless Mouse 2000, Wireless Mouse 5000 and Arc Touch Mouse. But Marc Newlin, one of the researchers who developed the attack said on Twitter that the patch doesn't go far enough and 'injection still works against MS Sculpt Ergonomic Mouse and non-MS mice.'

25 comments

  1. Cool by Anonymous Coward · · Score: 0

    Now can we get an update that prevents anything from ever stealing keyboard focus and stops popups from preventing me from moving their parent window around?

  2. What about stealing keys and mouse motions? by rs1n · · Score: 1

    If it is possible to negotiate rogue key/mouse input (which presumably requires proper communication between the rogue keyboard/mouse and the target device), then would it not also be possible to capture the data from the real keyboard/mouse? And in that case, it would seem quite possible, then, to steal keystrokes/mouse movements -- say during someone's login.

    1. Re:What about stealing keys and mouse motions? by Anon-Admin · · Score: 1

      Yes, this has been possible for years.

      Many agencies use it to capture password before an arrest. It is also one reason I never understood the need for keyloggers. If you know where the system is you can simple be in the same area and pick up the keystrokes. So a small receiver that logs them could be placed in the bushes, outside the window of your office, or in a close flower bed disguised as a rock. Quietly sitting there collecting all your key strokes.

      It can be done with the simple wireless keyboard or with the bluetooth ones, that is one reason I still use a wired keyboard!

    2. Re:What about stealing keys and mouse motions? by Anonymous Coward · · Score: 0

      The wireless packets which transmit keystrokes are encrypted, and this attack doesn't break that encryption. The affected protocols apparently don't encrypt mouse movements however (WTF?), so those could be captured and injected. What's worse though is that it is possible to send unencrypted packets that appear to come from a mouse but actually contain key presses. So while an attacker can not read keystrokes that the user's keyboard transmits, the attacker can inject keystrokes to control the targeted computer remotely.

  3. TFA devoid of detail by AmiMoJo · · Score: 2

    From what I can gather without any real detail in the rather useless article Microsoft are looking for timing discrepancies to try to detect this attack. Normally packets come in at regular intervals, so if one comes outside the regularly expected window it is considered malicious. There must be some clever filtering because the clock on the keyboard/mouse will drift in relation to the computer etc.

    This could be overcome by simply replicating the timing of the keyboard/mouse. They don't transmit constantly to save battery power, only when a key is pressed or the mouse is moved.

    Anyone know if Bluetooth keyboards are vulnerable?

    --
    const int one = 65536; (Silvermoon, Texture.cs)
    SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    1. Re:TFA devoid of detail by Anonymous Coward · · Score: 0

      Anyone know if Bluetooth keyboards are vulnerable?

      Not to this attack. It's a branded bug, so there's a web page, but since it's an IT-World Bennet article, you were led to the useless Networkworld clicktrap instead.

    2. Re:TFA devoid of detail by CityZen · · Score: 1

      The security advisory says that the update filters out QWERTY packets received from the mouse. My take is that it just prevents keystrokes from being input through the mouse interface.

      It still doesn't mean that the interface is secure; it just has one fewer holes than it had before. If you want security, don't use wireless devices.

    3. Re:TFA devoid of detail by tlhIngan · · Score: 3, Informative

      From what I can gather without any real detail in the rather useless article Microsoft are looking for timing discrepancies to try to detect this attack. Normally packets come in at regular intervals, so if one comes outside the regularly expected window it is considered malicious. There must be some clever filtering because the clock on the keyboard/mouse will drift in relation to the computer etc.

      This could be overcome by simply replicating the timing of the keyboard/mouse. They don't transmit constantly to save battery power, only when a key is pressed or the mouse is moved.

      Anyone know if Bluetooth keyboards are vulnerable?

      It's based on a hack to get additional keyboards and mice paired with your computer. It's because there are flaws in the way Logitech, Microsoft and many other wireless products add devices to their receivers and synchronize them. So Microsoft's patch, which is only for their products because they don't know how Logitech's or others work, is to basically examining the timing of the packets to make sure the vulnerability isn't being exploited.

      It's a device-add attack - the attacker is trying to add their keyboard and mouse to your computer remotely so they can control it. That's what the driver is looking for.

      Bluetooth keyboards may be vulnerable too, depending on how they do their pairing. But in general it's a lot less problematic because a Bluetooth keyboard requires OS support to pair and OS drivers to handle the input. The non-Bluetooth wireless devices use the dongle to emulate a standard HID device and do all their pairing internally.

      This is why you can use those keyboards during boot or with multiple OSes, whereas Bluetooth ones can't be used during boot (except for say, Macs) and if you dual/triple/etc boot, you have to re-pair the keyboard all the itme.

      If it is possible to negotiate rogue key/mouse input (which presumably requires proper communication between the rogue keyboard/mouse and the target device), then would it not also be possible to capture the data from the real keyboard/mouse? And in that case, it would seem quite possible, then, to steal keystrokes/mouse movements -- say during someone's login.

      No, the hack is to add keyboards and mice to your PC. Wireless communications for keyboard sand mice are generally encrypted (including Bluetooth) to prevent capturing of keystrokes and mouse movements

      Once the attacker has added their keyboard and mouse to your PC, they can then do anything - install malware, etc to then get your passwords and information, or to get access to your PC remotely.

    4. Re:TFA devoid of detail by AmiMoJo · · Score: 1

      Thanks, that's informative.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
  4. However... by Anonymous Coward · · Score: 1

    ...In the other news, the update might be riddled with the umpteenth GWX :-)

    1. Re:However... by FatdogHaiku · · Score: 1

      ...In the other news, the update might be riddled with the umpteenth GWX :-)

      Run GWX Control Panel in monitor mode...
      http://ultimateoutsider.com/downloads/

      --
      You have the right to remain sentient. If you give up the right to remain sentient, you will be elected to public office
  5. Just what I needed... by __aaclcg7560 · · Score: 1

    I had my wireless mouse hijacked last night. Battery committed suicide.

  6. Let me get this straight... by Okian+Warrior · · Score: 1

    Do I have this right?

    The update that downloads and installs Windows 10 over your existing Windows system is turned on by default.

    The update that protects your system from a vulnerability is optional.

    Microsoft never was a very "customer centric" company.

    1. Re:Let me get this straight... by AF_Cheddar_Head · · Score: 1

      Optional because you only need it if you are running one of the affected wireless products. or do you routinely install updates for devices you don't have connected to your computer.

      Yeah, the automatically install Windows 10 thing has been debunked numerous times. The update has to approved by the user. Granted the download will occur if you have automatic updates installed and that can be an issue for users on metered connections.

    2. Re:Let me get this straight... by StormReaver · · Score: 1

      Yeah, the automatically install Windows 10 thing has been debunked numerous times.

      Refuted is not the same as debunked.

      The update has to approved by the user.

      No, it doesn't. One of my customers got bitten by this just two weeks ago. Automatic updates were off, and Windows 10 installed itself over Windows 7 automatically. The update completely destroyed his Windows 7 installation, and Windows 10 wouldn't even boot, so he had me install Kubuntu on his machine.

    3. Re:Let me get this straight... by AF_Cheddar_Head · · Score: 1

      Can't prove it but I would be willing to bet that your use inadvertently approved the Win10 install.

      Agree that Microsoft makes this too easy and shouldn't download and install anything like an O/S upgrade/downgrade unless an administrative user specifically requests and authorizes it, your user wasn't running with admin rights and UAC off, RIGHT?

    4. Re:Let me get this straight... by karnal · · Score: 1

      I'm running with UAC off admin rights.. the pop up keeps telling me how great the upgrade is, but I keep declining.

      I have loaded it up in a VM since it was bugging me there too, but I had to specifically say "sure, let's rock."

      --
      Karnal
  7. Other problems by Anonymous Coward · · Score: 0

    I always look at MS updates as 'no telling what else MS is installing at the same time'. I stopped the so called security updates long ago. I also managed to stop MS from continuously trying to update my W7 to 10 and don't want to open myself to that intrusion again. When I can't get W7 anymore, it is off to Linux for me.

  8. Nope, not encrypted by AF_Cheddar_Head · · Score: 1

    Encryption breaks this attack. Evidently many of the wireless peripheral manufacturers use the same chipset (RTFA). The chipset will support encryption but the device manufacturers have to write their own drivers to implement the encryption. Most have chosen not to.

    Bluetooth peripherals encrypt by default but unless you are using a tablet it is damn near impossible to buy a Bluetooth keyboard and mouse. Logitech made the excellent MX 5500 Revolution set (I have two) but discontinued them a few years ago. Someone on Amazon is asking $650 for unopened examples. Not sure he has sold any at that price.

    1. Re:Nope, not encrypted by mlts · · Score: 1

      Generally, you can buy a Bluetooth keyboard, but it generally meant for Macs.

      I just don't get why vendors just standardize on Bluetooth. Even the cheap PCs now have it built in, it has time tested facilities for pairing and encryption, and is able to work better for saving battery.

      As for finding them, they do exist, but are not cheap. I bought a "MS Sculpt Comfort" mouse which uses Bluetooth, and it works without issue, using encryption by default. It may not be a gaming set, but it is better than nothing.

    2. Re:Nope, not encrypted by AF_Cheddar_Head · · Score: 1

      Thanks for the tip on the mouse. Now if I could find a full-size Bluetooth keyboard. all I can find seem to be chicklet style meant for a tablet or Mac.

  9. Another update problem on dual-boot systems... by Anonymous Coward · · Score: 0

    There's chatter on the Ubuntu boards that a recent Winblows update is removing grub on dual boot systems.

  10. Mine didn't update by ITRambo · · Score: 1

    I have Windows 10 Pro on my laptop using a Microsoft Wireless Mouse 1000. Updates were installed Tuesday afternoon. I have updates set to install updates for other Microsoft product. I presume that their Wireless mouse 1000 is an "other" product. Device manager shows that my mouse driver is dated 2006. When checking for new drivers I get a message "the best driver for your device is already installed". Sure it is at ten years old. Assholes. Windows 10 is fucked up.

  11. use Windows' boot process by dltaylor · · Score: 1

    If you're going to leave Windows on the box, use ITS boot menu to dual boot.

    I have a test laptop with 4 boot targets for the Windows boot process: Recovery, Windows 7, OpenBSD, and GRUB (which can, of course, also boot Windows). OpenBSD put its boot loader at the start of its partition, as did GRUB. With Cygwin installed on Windows (or booting from a "Live" of some sort, copy those boot blocks to files in Windows' C:\, and reference them in the Boot Configuration Data. OpenBSD's FAQ has a very nice tutorial section 4.15. GRUB is used to boot between several flavors of Linux for testing (yes, I could use VMs, but OpenBSD, at least, likes bare metal best, and it's no harder to copy back a specific partition than VM image).

    http://www.openbsd.org/faq/faq4.html#Multibooting

  12. So can we trust this patch? by Anonymous Coward · · Score: 0

    It's sad, but nowadays we have to ask that of every patch Microsoft releases. Especially the optional ones.