27 February 2016

Mousejacking – Is it Time to Ditch That Wireless Mouse & Keyboard?

Derek Athy

In a report released earlier this week, researchers from Bastille, a security firm specializing in IoT, warned of vulnerabilities in wireless mice and keyboards sold by leading companies such as Amazon, Dell, Microsoft, HP, Gigabyte, and Lenovo. The researchers dubbed the exploit “‘mousejacking’, which allows an attacker to inject mouse movements or keystrokes at a rate of a thousand words per minute from a nearby antenna, even when the target device is designed to encrypt and authenticate its communications with a paired computer”. The researchers argue that an attacker could then escalate keystroke injection to download malicious software and/or “take full remote control of a PC”. There are varying levels of skepticism regarding the feasibility of the attack and its true threat potential, but there’s no denying that this vulnerability affects millions of wireless mice and keyboards – the majority of which cannot be patched to resolve the issue.

Tony Gambacorta, Synack VP of Operations, weighed in on the reality of the situation:

This is a nasty bug that the affected manufacturers need to address, but the media has overblown this one.  There’s a wide gap between what’s been demonstrated and actually taking over a victim’s computer.  Looking at this from an adversarial perspective:  What would need to happen for me to exploit this?

My victim must be running a keyboard that is vulnerable to this attack.

Exploitation requires the keyboard to contain a specific (albeit very common) chipset, and that the manufacturer has not implemented strong authentication.  If I’m opportunistically going after any affected keyboard, then the math is on my side. If I’m targeting an individual, the odds flip against me.

My victim must be using the keyboard in a hospitable environment.

Most people don’t use wireless keyboards in a café; they use them at work or at home.  They may use a wireless mouse at a café, but the timing would be a nightmare. The mouse is slow, and if someone sees their mouse moving around and opening files they’ll slam the lid so fast it’ll crack the screen.

The keyboard presents its own challenges. This vulnerability doesn’t allow me to snoop keystrokes, so I can’t passively capture the victim’s password.  I need to inject my keystrokes, but figuring out which keyboard belongs to my victim could be tricky.  In a crowded office it’d be a challenge even if I can point a directional antenna at the victim.  It would be easier in a place that’s less signal-dense, like someone’s home.

My attack window is narrow.

Whether this is a targeted or opportunistic attack, it will require vigilance.  I need the computer to be on and unlocked without the victim watching the screen.  The window needed to run the attack with a keyboard is small, maybe a few seconds.  But that means watching the victim and waiting for that perfect opportunity.  You’d have to be a dedicated attacker.


Those are some tight needles to thread.  Realistically I doubt I could pull this off in a café, especially against a specific target.  If I had enough time and practice I might be able to do it in an office, but I wouldn’t bet my mission on it.  My best bet would probably be to run this while the victim is at home working next to a window.