You are sitting in your favorite coffee shop with your laptop. You’ve never been a fan of the laptop’s touch pad so you plug in the USB dongle for your favorite wireless mouse and begin browsing the internet, checking emails, etc.
You stop using your laptop briefly to check your written notes. You notice a sudden flash of a window popping up, but it’s gone now. “No big deal,” you think as you continue your work.
Meanwhile about 10 feet away, a malicious hacker has compromised your laptop using a $30 tool anyone can buy online. You have become a victim of the MouseJack attack.
You’ve just become a victim of a keyboard injection attack via a MouseJack vulnerability.
What is MouseJack?
MouseJack is a set of vulnerabilities that affects wireless, non-Bluetooth keyboards and mice that connect to a computer using a radio transceiver. The transceiver is usually a USB dongle.
When a user presses a key on their keyboard or moves their mouse, Radio Frequency (RF) packets are transmitted to the USB dongle. The dongle continually listens for RF packets to be sent by the mouse or keyboard, and notifies the computer whenever the user engages the keyboard or mouse.
Keyboard keystroke communications are often encrypted (to prevent sniffing). However, mouse movements are usually unencrypted when communicating with the USB dongle. Therefore, an attacker can take advantage of affected USB dongles to carry out a number attacks.
Eavesdropping and Keystroke Injection
Two common attacks include eavesdropping on the wireless communications and keystroke injection. Eavesdropping allows an attacker to intercept a victim’s keystrokes transmitted to a USB dongle. This is very similar to the way a keylogger program works.
Keystroke injection allows an attacker to transmit unencrypted keystrokes to a computer’s operating system as if the target had legitimately typed them.
These attacks can be performed from up to 300 feet away, without ever being physically in front of the target using a radio transceiver that costs approximately $30.
Exploiting Keystroke Injection
Keystroke Injection can be used to quickly execute remote commands against a target host. This can be used to quickly gain a foothold in an organization’s internal network. No network access is required since the attacker is hijacking RF signals of Human Interface Devices, not network traffic.
Software tools can be used to automate the keystroke injection attack. Jackit , for example, is a tool that utilizes Duckyscript (a scripting language developed by Hak5 for the USB Rubber Ducky) to quickly perform malicious activities without being detected to automate this attack. An attacker specifies a Duckyscript file to execute on the target host, and then the tool scans for vulnerable devices.
Once the targets are identified, Jackit carries out the attack, specified in the Duckyscript file, against the selected targets.
How can you protect yourself?
The most obvious answer is simply to not use a wireless keyboard and mouse. However, using wireless keyboards and mice is sometimes necessary. In consideration of this, make sure all applicable updates for the devices are installed on your computer or opt to use Bluetooth in place of USB wireless devices
Another important note is these vulnerabilities are only known to apply to the devices listed below. Other USB wireless devices are not affected by these vulnerabilities as of the date of this post’s release.
- Microsoft Wireless Keyboard 800
- Microsoft Wireless Mouse 1000
- Microsoft All-In-One Media Keyboard
- Microsoft Sculpt Ergonomic Mouse
- Logitech Wireless Touch Keyboard K400r
- Logitech Marathon M705 Mouse
- Logitech Wave M510 Mouse
- Logitech Wireless Gaming Mouse G700s
- Logitech Wireless M325 Mouse
- Logitech K750 Wireless Keyboard
- Logitech K320 Wireless Keyboard
- Dell KM636 Wireless Mouse and Keyboard
- AmazonBasics MG-0975 Wireless Mouse
Ben Goodman is a Security Analyst at Sword & Shield Enterprise Security where he provides security consulting services to our clients. His duties include performing security assessments to include network vulnerability, penetration testing, web application, wireless testing, physical security, and social engineering for a diverse group of commercial and government clients.
Ben has more than eight years of diversified experience as a security consultant, systems administrator, and IT support technician working with companies in the retail, energy, and health care sectors.