Microsoft, Logitech And Other Wireless Keyboards And Mice Reportedly Susceptible To Hijacking

Logitech K830

The greatest benefit wireless peripherals offer is what they help cut down on: wires. Fewer wires means that our desktops are easier to keep clean, and we're not kicking wires as often under our desk. It's a win-win overall. Or is it? As with most things convenient, wireless peripherals can suffer exploits just like anything else that's open to a wireless connection. While your keyboard is designed to handshake with an adapter that's plugged into your PC, there's usually nothing stopping the data stream from being intercepted. Though remote, no question, it could be a legitimate attack vector.

Researchers at US-based Bastille help prove that supposedly with the announcement of "MouseJack," a new vulnerability that affects a large number of wireless mice and keyboards from a variety of companies, including Microsoft, Logitech, and Lenovo. A full list of affected devices can be found at the via URL at the bottom of this post.

Macbook Pro USB ID Screenshot

Based on its 'About' page, Bastille is a newer research firm, with MouseJack being its first major find. The firm isn't taking it for granted either, as it pulled a page from Heartbleed's playbook and decided to market the heck out of it. Cue cute mouse criminal logo and a video with Deus Ex-inspired music that manages to almost drown out the voiceover.

Does any of this really matter though? It depends on whether or not you consider "MouseJack" to be as severe as it's being made out to be here. In order to exploit someone's machine, they need to be nearby, ideally in the same room (within a 30 ft. Bluetooth range in most cases). While "hackers" could exploit these wireless peripherals from up to 100 meters away, not having line-of-sight access to the display will dramatically reduce the usefulness of their attack.

The real threat here is when someone gains access to your machine while you're away from it, and they happen to have good enough line-of-sight to the screen to see what's going on. If there's confidential information on a laptop and someone has access, it would take little effort for them to load up an email client within a Web browser and email all of the data they want to themselves. Of course, someone would need to leave their computer unsecured and be "AFK" for quite some time for this to be a real issue.

This could be a perfect example of making a mountain out of a molehill. The risk is minor in the grand scheme, but if Bastille has their way, a big fuss will be made about it. Should enterprises be concerned? In tighter quarters with a heavy, target-rich environment, perhaps but if proper protections are put in place (especially locking a PC when someone walks away), the real risk likely isn't as dramatic as this campaign makes it appear.

Want to avoid possible issues surrounding wireless peripherals? Don't use wireless peripherals in a work environment, either that or just make sure any users sessions in question are logged off or in a locked state. It's not that this can't happen, it definitely has and likely will. However marketing around the threat seems thin, that much we know. 


Via:  Bastille
Show comments blog comments powered by Disqus