MouseJack: a new attack on wireless mice
Researchers at Bastille Networks have described a new method of attacking wireless mice and keyboards. The technique, together with the set of vulnerabilities it exploits, is called MouseJack. Devices from Dell, Logitech, Microsoft, HP, Amazon, Gigabyte and Lenovo that do not communicate over Bluetooth are susceptible to the attack. It can be carried out remotely from a distance of up to 100 meters, and the attacker needs only a simple USB dongle that can be assembled for about $15.
Attacks on wireless peripherals are not new in themselves; for example, experts have repeatedly demonstrated interception of data from Bluetooth keyboards. Devices that do not use Bluetooth are generally believed to be somewhat better protected, but the Bastille Networks researchers argue that this is not the case.
The experts found that devices operating in the 2.4 GHz band have weaknesses of their own. Unlike Bluetooth, this technology is not governed by a single standard that manufacturers would have to follow, which leaves them considerable room to maneuver.
Such keyboards transmit keystrokes as an RF signal to a USB dongle plugged into the computer's USB port, and wireless mice communicate with the computer in the same way. Manufacturers understand that leaving this data exchange unprotected puts the user at risk. Consequently, most manufacturers use encryption, with an encryption key known only to the USB dongle: only the dongle can decipher which keys were pressed on the keyboard or where the mouse moved, and an attacker, even one who can intercept the exchange, cannot.
That is the theory. In practice, it turned out that encryption is very often neglected. For example, the researchers found that manufacturers do not consider it necessary to encrypt communication between a wireless mouse and its dongle. In many cases there is also no authentication mechanism: the dongle and the mouse do not go through any verification procedure, so the dongle cannot tell the difference between packets received from the real mouse and forged packets sent by an attacker. As a result, an attacker can "pretend to be the mouse" and send the dongle their own clicks and movements.
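To make the point about authentication concrete, here is an added example (not code from Bastille Networks, and not any vendor's real protocol or packet format) that models a dongle in two forms: one that accepts any well-formed report, which is the weak design the article describes, and one that requires every report to carry an HMAC tag computed under a pairing key plus a strictly increasing counter. The packet layout, the pairing key and the sample reports are all constructed for the example.

```python
import hashlib
import hmac
import os
import struct

# Simplified model of the mouse-to-dongle link discussed in the article.
# Added example: this is NOT any vendor's real protocol or packet format, and the
# "reports" below are constructed sample bytes, not real HID data.

TAG_LEN = 8        # truncated HMAC tag appended to each authenticated packet
COUNTER_LEN = 4    # big-endian packet counter used to reject replays


class UnauthenticatedDongle:
    """Models the weak design: any well-formed report is accepted as genuine."""

    def __init__(self):
        self.accepted = []

    def receive(self, packet: bytes) -> bool:
        if not packet:
            return False
        self.accepted.append(packet)
        return True


class AuthenticatedDongle:
    """Models a hardened link: a shared pairing key authenticates every report
    and a strictly increasing counter rejects replays of old reports."""

    def __init__(self, pairing_key: bytes):
        self.key = pairing_key
        self.last_counter = -1
        self.accepted = []

    def receive(self, packet: bytes) -> bool:
        if len(packet) < COUNTER_LEN + TAG_LEN + 1:
            return False
        header = packet[:COUNTER_LEN]
        body = packet[COUNTER_LEN:-TAG_LEN]
        tag = packet[-TAG_LEN:]
        expected = hmac.new(self.key, header + body, hashlib.sha256).digest()[:TAG_LEN]
        # constant-time comparison so the check itself does not leak timing
        if not hmac.compare_digest(tag, expected):
            return False
        counter = struct.unpack(">I", header)[0]
        if counter <= self.last_counter:
            return False  # replayed or out-of-order packet
        self.last_counter = counter
        self.accepted.append(body)
        return True


def build_packet(pairing_key: bytes, counter: int, report: bytes) -> bytes:
    """What the paired mouse sends: counter || report || truncated HMAC tag."""
    header = struct.pack(">I", counter)
    tag = hmac.new(pairing_key, header + report, hashlib.sha256).digest()[:TAG_LEN]
    return header + report + tag


def demo() -> dict:
    """Feed the same three packets to both dongle models and report what each accepts."""
    key = os.urandom(16)                                # pairing key shared only by mouse and dongle
    genuine = build_packet(key, 1, b"\x01\x05\x00")     # constructed sample report
    replay = genuine                                    # the same packet delivered a second time
    # A sender that does not hold the pairing key cannot compute a valid tag;
    # here the tag field is simply left as zeros.
    unkeyed = struct.pack(">I", 2) + b"\x01\x05\x00" + b"\x00" * TAG_LEN

    weak, strong = UnauthenticatedDongle(), AuthenticatedDongle(key)
    return {
        "weak": [weak.receive(genuine), weak.receive(replay), weak.receive(unkeyed)],
        "strong": [strong.receive(genuine), strong.receive(replay), strong.receive(unkeyed)],
    }


if __name__ == "__main__":
    # The unauthenticated model accepts all three packets; the authenticated
    # model accepts only the genuine one and rejects the replay and the unkeyed packet.
    print(demo())
```

The replay check matters as much as the tag: without the counter, an attacker who only records genuine traffic could re-send it and the tag would still verify. Real products add key agreement at pairing time and per-packet encryption on top of this; the model here isolates just the authentication question the article raises.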
The main problem, however, is that an attacker can also send a vulnerable dongle specially crafted packets that it will treat as keystrokes from a keyboard rather than as mouse movements. In other words, an attacker within 100 meters of the victim can simulate full keyboard input. It does not matter which OS the victim uses, because the attack does not target the OS. Bastille Networks experts estimate that data can be entered this way at a rate of 1,000 words per minute, which means installing a rootkit on the victim's machine takes only about 10 seconds.
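From the defender's side, the figure of 1,000 words per minute is itself a detection signal: injected input arrives far faster than any person can type. The following added example (not part of the original article and not one of the researchers' tools) scores keystroke timestamps with a sliding window and flags rates a human cannot sustain. The threshold, the human-typing figure and the sample event streams are assumptions constructed for the example.

```python
from typing import Sequence

# Added example: a rate-based heuristic for spotting injected keystrokes.
# Assumed figures: fast human typists reach roughly 200 words per minute, about
# 17 keystrokes/s at ~5 characters per word; the article's 1,000 words per minute
# works out to about 83 keystrokes/s. The threshold below is chosen for this
# example and is not a number from the article.
HUMAN_MAX_KEYS_PER_SEC = 20.0


def peak_keys_in_window(timestamps: Sequence[float], window_s: float = 1.0) -> int:
    """Largest number of keystrokes that fall inside any span of window_s seconds."""
    ts = sorted(timestamps)
    peak = 0
    left = 0
    for right in range(len(ts)):
        # advance the left edge until the window fits within window_s
        while ts[right] - ts[left] > window_s:
            left += 1
        peak = max(peak, right - left + 1)
    return peak


def looks_injected(timestamps: Sequence[float], window_s: float = 1.0,
                   max_keys_per_sec: float = HUMAN_MAX_KEYS_PER_SEC) -> bool:
    """True when some window holds more keystrokes than a human could produce."""
    return peak_keys_in_window(timestamps, window_s) > max_keys_per_sec * window_s


def constructed_events(count: int, interval_s: float, start: float = 0.0) -> list:
    """Evenly spaced keystroke timestamps, constructed for the example."""
    return [start + i * interval_s for i in range(count)]


# Constructed sample streams (seconds since session start).
HUMAN_TYPING = constructed_events(60, 0.15)            # ~80 words per minute
INJECTED_BURST = constructed_events(200, 0.012)        # ~1,000 words per minute
MIXED_SESSION = HUMAN_TYPING + constructed_events(200, 0.012, start=30.0)


def triage(timestamps: Sequence[float]) -> dict:
    """Summarise a keystroke stream for an analyst: peak rate and verdict."""
    peak = peak_keys_in_window(timestamps)
    return {
        "events": len(timestamps),
        "peak_keys_per_sec": peak,
        "verdict": "injected" if looks_injected(timestamps) else "human-like",
    }


if __name__ == "__main__":
    for name, stream in [("human", HUMAN_TYPING), ("burst", INJECTED_BURST),
                         ("mixed", MIXED_SESSION)]:
        print(name, triage(stream))
```

The sliding window, rather than an average over the whole session, is what lets the mixed stream be caught: ten seconds of injected input inside an hour of ordinary typing barely moves the session average but is obvious in any one-second window. The same check can run on HID events from any input device, so it does not depend on knowing which radio protocol delivered the keystrokes.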
The researchers write that the dongles most vulnerable to MouseJack are based on the nRF24L series of transceivers from Nordic Semiconductor. To build their spoofing device, the researchers used the same transceiver and an old-school Nintendo console controller. The nRF24L chips do not officially support packet sniffing, but the researchers were able to implement this function anyway.
The experts also write that a couple of lines of Python code turn the CrazyRadio USB dongle, which was created to control the open-source Crazyflie drone, into an attack tool; it is also based on the nRF24L+ and is essentially an enhanced version of the dongles used for keyboards and mice (thanks to a more powerful antenna).
And now the bad news: Bastille Networks experts spent more than three months working with the manufacturers of the vulnerable devices to fix the problem. It turned out that about half of the vulnerable mice simply cannot be updated, so there will be no patches for them. A complete list of vulnerable devices can be found here.
Microsoft has announced that it is investigating and will release a patch. Logitech has already released new firmware that closes the MouseJack vulnerability. Dell representatives recommend that owners of KM714 wireless sets contact support to install the new Logitech firmware, and that owners of the KM632 replace their devices. Lenovo has also agreed to replace vulnerable devices free of charge for users, who likewise need to contact official support.
Full details of MouseJack are published on the vulnerability's official website (it has not only a site but even its own logo; see the top illustration). The Bastille Networks researchers have also published on GitHub the source code of the software and firmware used for the attacks.
http://geekupdates.com/mousejack-new-attack-on-wireless-mouses/