MouseJack: A wireless mouse or keyboard can leave you vulnerable

mousejack vulnerabilityBy Ben Goodman

You are sitting in your favorite coffee shop with your laptop. You’ve never been a fan of the laptop’s touch pad so you plug in the USB dongle for your favorite wireless mouse and begin browsing the internet, checking emails, etc.

You stop using your laptop briefly to check your written notes. You notice a sudden flash of a window popping up, but it’s gone now. “No big deal,” you think as you continue your work.

Meanwhile about 10 feet away, a malicious hacker has compromised your laptop using a $30 tool anyone can buy online. You have become a victim of the MouseJack attack.

You’ve just become a victim of a keyboard injection attack via a MouseJack vulnerability.

What is MouseJack?

MouseJack is a set of vulnerabilities that affects wireless, non-Bluetooth keyboards and mice that connect to a computer using a radio transceiver. The transceiver is usually a USB dongle.

When a user presses a key on their keyboard or moves their mouse, Radio Frequency (RF) packets are transmitted to the USB dongle. The dongle continually listens for RF packets to be sent by the mouse or keyboard, and notifies the computer whenever the user engages the keyboard or mouse.

Keyboard keystroke communications are often encrypted (to prevent sniffing). However, mouse movements are usually unencrypted when communicating with the USB dongle. Therefore, an attacker can take advantage of affected USB dongles to carry out a number attacks.

Eavesdropping and Keystroke Injection

Two common attacks include eavesdropping on the wireless communications and keystroke injection. Eavesdropping allows an attacker to intercept a victim’s keystrokes transmitted to a USB dongle. This is very similar to the way a keylogger program works.

Keystroke injection allows an attacker to transmit unencrypted keystrokes to a computer’s operating system as if the target had legitimately typed them.

These attacks can be performed from up to 300 feet away, without ever being physically in front of the target using a radio transceiver that costs approximately $30.

Crazyradio PA Radio Transceiver

Exploiting Keystroke Injection

Keystroke Injection can be used to quickly execute remote commands against a target host. This can be used to quickly gain a foothold in an organization’s internal network. No network access is required since the attacker is hijacking RF signals of Human Interface Devices, not network traffic.

Software tools can be used to automate the keystroke injection attack. Jackit , for example, is a tool that utilizes Duckyscript (a scripting language developed by Hak5 for the USB Rubber Ducky) to quickly perform malicious activities without being detected to automate this attack. An attacker specifies a Duckyscript file to execute on the target host, and then the tool scans for vulnerable devices.

Once the targets are identified, Jackit carries out the attack, specified in the Duckyscript file, against the selected targets.


Jackit detected devices


How can you protect yourself?

The most obvious answer is simply to not use a wireless keyboard and mouse. However, using wireless keyboards and mice is sometimes necessary.  In consideration of this, make sure all applicable updates for the devices are installed on your computer or opt to use Bluetooth in place of USB wireless devices

Another important note is these vulnerabilities are only known to apply to the devices listed below. Other USB wireless devices are not affected by these vulnerabilities as of the date of this post’s release.

Ben Goodman is a Security Analyst at Sword & Shield Enterprise Security where he provides security consulting services to our clients. His duties include performing security assessments to include network vulnerability, penetration testing, web application, wireless testing, physical security, and social engineering for a diverse group of commercial and government clients.

Ben has more than eight years of diversified experience as a security consultant, systems administrator, and IT support technician working with companies in the retail, energy, and health care sectors.

Comments are closed.