What would you do if your keyboard and mouse were typing and moving, without you even touching them? As disconcerting as this sounds, 'mousejacking' is a real phenomenon, recently discovered by US startup Bastille Security and caused by a number of security problems the company says it has found in several wireless mouse and keyboard products.
The researchers were able to hack the firmware of a USB dongle that is used to control a drone product, and using this, they were able to investigate the communication protocols used by the sort of wireless mouse and keyboard that relies on a USB dongle to connect.
They found a number of security problems in the way many devices handle the data going between your mouse and/or keyboard and its dongle. The most notable findings are that mouse data is usually unencrypted and unauthenticated, and that some dongles can be tricked into pairing with new devices without the user actively telling the device to do so. So if your dongle is plugged in, a nearby imposter keyboard could secretly pair with it, get the dongle's encryption key, and start injecting keystrokes.
So how can we thwart any potential attempts? In a blog post, Paul Ducklin, senior technologist at Sophos, advises simple measures such as always locking your screen when stepping away from the computer, checking with the vendors of your USB mice and keyboards whether your device is vulnerable, and considering some kind of device control solution to block unauthorised device types and restrict vulnerable ones until firmware updates are available.
Luckily, says Ducklin, this type of attack is by its nature very easy to spot – but not so easy to stop once the attack is underway.
'You’d probably back yourself to notice if someone else started typing additional keystrokes while you were working, or moving your mouse where you didn’t expect it to go,' says Ducklin. 'You might suspect a hardware malfunction, a software bug or even a malware infection at first, but you’d nevertheless hope to spot any jiggery-pokery pretty quickly and take action against it.'
'Of course, as Bastille points out, it might already be too late, because a software-controlled 'attack keyboard' can type much faster and more consistently than the average human typist, and damage is easy to do with even a few maliciously-planned keystrokes or mouse clicks.'
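The typing-speed point above also gives defenders something to look for: a sustained run of keystrokes arriving faster than any human can type. The following is an added example, not code from Bastille, Sophos or this article; it scans a constructed keystroke event log and flags such bursts, with the 20 ms gap and 12-key minimum being assumed thresholds.

```python
"""Flag keystroke bursts too fast to be human-typed, a heuristic for
spotting injected keystrokes of the kind described above.
Input format (constructed for this example): one event per line,
"<epoch_ms> <key>"."""
from typing import List, Tuple

# Sustained inter-key gaps under this many ms exceed any human typist
# (200 wpm is roughly one character per 60 ms); the value is an assumption.
MAX_HUMAN_GAP_MS = 20
# Require this many consecutive too-fast keys before alerting, so a
# double-tap or key auto-repeat does not trigger it (assumed value).
MIN_BURST_KEYS = 12

def parse_events(log: str) -> List[Tuple[int, str]]:
    """Parse "<epoch_ms> <key>" lines into (timestamp_ms, key) tuples."""
    events = []
    for line in log.strip().splitlines():
        ts, key = line.split(maxsplit=1)
        events.append((int(ts), key))
    return events

def find_injected_bursts(events, max_gap_ms=MAX_HUMAN_GAP_MS, min_keys=MIN_BURST_KEYS):
    """Return (start_ts, end_ts, key_count) for each run of consecutive
    keystrokes whose gaps are all <= max_gap_ms and that is at least
    min_keys long. A gap above the threshold ends the current run."""
    bursts = []
    run_start = 0
    for i in range(1, len(events) + 1):
        gap_ok = i < len(events) and events[i][0] - events[i - 1][0] <= max_gap_ms
        if not gap_ok:
            run_len = i - run_start
            if run_len >= min_keys:
                bursts.append((events[run_start][0], events[i - 1][0], run_len))
            run_start = i
    return bursts

def build_sample_log() -> str:
    """Constructed log: a human typing "hello " at 90-180 ms gaps, then 20
    injected keys at 5 ms gaps after a 400 ms pause, then human typing again."""
    lines, t = [], 1_000_000
    for key, gap in zip("hello ", [0, 120, 95, 180, 140, 90]):
        t += gap
        lines.append(f"{t} {key!r}")
    for n in range(20):
        t += 400 if n == 0 else 5
        lines.append(f"{t} INJ{n}")
    for key, gap in zip("world", [150, 110, 130, 90, 160]):
        t += gap
        lines.append(f"{t} {key!r}")
    return "\n".join(lines)

if __name__ == "__main__":
    for start, end, n in find_injected_bursts(parse_events(build_sample_log())):
        print(f"suspicious burst: {n} keys in {end - start} ms starting at {start}")
```

On the sample log this reports one burst of 20 keys spanning 95 ms, while the human-paced keystrokes around it are left alone.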
This type of attack requires a rogue device that is physically near to yours, though it could be next door or across the street. Walking away from your screen for two minutes in a public place without manually locking your screen could easily give your attacker the time it needs to take over the computer from a nearby table in a coffee shop.
As Ducklin reminds us, we should be doing this anyway.
One very popular USB dongle that is affected is Logitech's so-called 'Unifying receiver' (these are marked with a stylised orange logo that looks like an icon of the sun), which works with a whole raft of different Logitech mouse and keyboard models. Logitech has published a firmware update that claims to patch the Unifying receiver product. (You need Windows to run the updater.)