02-25-2016 , 02:47 AM
Dell, Microsoft, Lenovo, Logitech devices affected
Vulnerabilities in USB dongles used for wireless mouse and keyboard peripherals can allow an attacker to take control over a victim's computer and carry out malicious actions.
This attack currently affects mice and keyboards sold by companies like AmazonBasics, Dell, Gigabyte, HP, Lenovo, Logitech, and Microsoft.
Only Logitech has issued a firmware update to protect their dongles against this type of attack. The other companies have been made aware of the problem and are working on a fix.
MouseJack attack relies on faulty USB dongles
The attack, codenamed MouseJack, was discovered by IoT security firm Bastille, who found a flaw in how a wireless mouse/keyboard talks to its dongle.
By default, vendors foresaw issues with wireless input equipment and protected communications between the computer and the wireless device using encryption.
Bastille researchers discovered that the USB dongle does not create unique pairings between the computer and its device. This means that an attacker could also use another similar device with the victim's dongle.
In theory, this should have been impossible because of the encryption that made sure that a mouse/keyboard without the proper key could not have connected to a dongle.
MouseJack attack can install malware in seconds from up to 100 meters away
Bastille found out that particular devices did not enforce this policy and accepted unencrypted commands from other mice/keyboards. Attackers could take control over the mouse's movements or the keyboard's input, manually or with automated attacks.
Researchers put together a Python script that could automate their attack in a matter of seconds, more than enough in many enterprise scenarios where an employee goes to get a cup of coffee or glass of water from the office kitchen.
During this time, attackers can install malware on the victim's computer, from a distance of up to 100 meters (330 feet) away.
Technical details regarding the attack, along with a list of affected devices can be found on Bastille's MouseJack website.
Source
Vulnerabilities in USB dongles used for wireless mouse and keyboard peripherals can allow an attacker to take control over a victim's computer and carry out malicious actions.
This attack currently affects mice and keyboards sold by companies like AmazonBasics, Dell, Gigabyte, HP, Lenovo, Logitech, and Microsoft.
Only Logitech has issued a firmware update to protect their dongles against this type of attack. The other companies have been made aware of the problem and are working on a fix.
MouseJack attack relies on faulty USB dongles
The attack, codenamed MouseJack, was discovered by IoT security firm Bastille, who found a flaw in how a wireless mouse/keyboard talks to its dongle.
By default, vendors foresaw issues with wireless input equipment and protected communications between the computer and the wireless device using encryption.
Bastille researchers discovered that the USB dongle does not create unique pairings between the computer and its device. This means that an attacker could also use another similar device with the victim's dongle.
In theory, this should have been impossible because of the encryption that made sure that a mouse/keyboard without the proper key could not have connected to a dongle.
MouseJack attack can install malware in seconds from up to 100 meters away
Bastille found out that particular devices did not enforce this policy and accepted unencrypted commands from other mice/keyboards. Attackers could take control over the mouse's movements or the keyboard's input, manually or with automated attacks.
Researchers put together a Python script that could automate their attack in a matter of seconds, more than enough in many enterprise scenarios where an employee goes to get a cup of coffee or glass of water from the office kitchen.
During this time, attackers can install malware on the victim's computer, from a distance of up to 100 meters (330 feet) away.
Technical details regarding the attack, along with a list of affected devices can be found on Bastille's MouseJack website.
Source