“Mousejacking” Vuln Impacts Ubiquitous Logitech Devices
I've been reading into a bit of novel (and frankly overdue) research by Bastille Networks Internet Security into the security around non-Bluetooth wireless mice and keyboards. In February, they released the results of their research. It's good material and I don't want to steal their thunder, so I'll only summarize in brief here.
In many cases, Bastille found that the signals passing between a legitimately paired keyboard/mouse and receiver are often encrypted (protecting information about what an actual user is typing), but that the protocol lacked authentication considerations. That means it's possible for an attacker with an unauthentic radio transmitter to send a spoofed packet representing a left-click event and the receiver will process it as though it came from the legitimately paired device - an injection attack.
Where pointing devices are concerned, this doesn't raise a lot of alarm. The propspect of issuing blind click events to a PC to construct an effective attack is daunting to start. I imagine the worst one could do with this specific vulnerability is be a nuisance to the user. However, injection of keystrokes on a wireless keyboard is another matter entirely.
People in the field of information security will likely already be familiar with the USB Rubber Ducky. This is a hacking device commonly used in security assessments to test or demonstrate the effectiveness of USB drop attacks. The penetration tester writes a script, saves it to a micro SD card, and inserts it into the USB Rubber Ducky which is then closed up and made to look like a basic USB storage device. This would then be dropped in he parking lot of the company being tested where some employee might pick it up and plug it into their PC inside. But the device only looks like USB storage -- in actuality, it's a keyboard device. As soon as it's connected to a computer, it would start issuing keystrokes to execute a script that would cause the logged in user of the computer to, for instance, create a remote backdoor for the penetration tester.
This exercise demonstrates the risk inherent in connecting USB devices of unknown provenance to a trusted computer. This manner of exploit is, of course, but one of many dangers in that category. Often it's used to provide a teachable moment to the users of an organization, because ultimately they're the first line of defense against that attack. But what if this same attack could be conducted by attackers without needing to first dupe an employee into introducing the vector into the target environment?
Among the devices Bastille found to be vulnerable to these attacks you'll find Logitech's now-ubiquitous Unifying receiver, marked with the red star logo. Bastille noted that Logitech's equipment is vulnerable to keystroke injection and forced pairing device attacks. This means that a variant of the Rubber Ducky can be created to discover and (optionally) connect to a Logitech receiver to execute a reverse-proxy attack. The only major precondition would be that the user's machine be unlocked, but anyone with line-of-sight to the computer could watch for a few seconds where the user left the machine unattended.
In my opinion, it's actually a really big deal for one simple reason: unlike a flaw in the Windows operating system where installation of the fix is rather well automated, there's no automation for the fix for Logitech Unifying receivers. The flaw isn't software-based but firmware-based (meaning the program code embedded on the little receiver itself). Installing the fix is a two-step process and, to the best of my knowledge, requires the user of the computer to perform the action.
This is a security hole that is going to be slow to close. Two years from now, there will still be lots of vulnerable Unifying receivers still in circulation. That gives attackers plenty of time to develop the capabilities I've described from theoretical to something tangible. That could be disasterous for any company or government entity being targeted by highly motivated attackers after intellectual property or classified information.
This is something I mean to follow up on; I haven't seen many people engaged in this niche yet, so I've some projects in mind to further awareness of and the correction of this issue. In the meantime, take precautions to patch your own receivers.
Fixing Your Keyboard/Mouse Receivers
Logitech users, visit their forum post here to upgrade your Unifying receiver firmware.
None of the other manufacturers whom Bastille found to be vulnerable to this attack have published firmware updates that the user can install. Lenovo notes explicitly that the firmware of their devices can only be installed at time of manufacture. Unfortunately it seems the only fix for these devices is to discard the affected unit and purchse something that is not vulnerable. Everyone else should peruse Bastille's list of affected devices to determine if theirs is impacted.
Image by Flickr user: MiNe (sfmine79) - https://www.flickr.com/photos/sfmine79/5692436058/, CC BY 2.0, https://commons.wikimedia.org/w/index.php?curid=38803546








