A security firm has found that PC accessories from manufacturers including Dell, Logitech and Lenovo are vulnerable to being hacked using a cheap USB device.
Cybersecurity expert Bastille says non-Bluetooth wireless mice and keyboards could be hacked by an attacker using a £11 ($15) USB dongle.
The vulnerabilities that affect the devices have been dubbed ‘MouseJacks’.
A vulnerability in the USB dongle means a MouseJacker up to 100m away using a dongle can impersonate the keyboard or mouse, inserting keystrokes or malicious code as if they had the privileges of the PC’s owner.
They could potentially access sensitive data, delete files and install malware onto the PC.
Wireless keyboards and mice communicate over the 2.4GHz ISM band, sending signals to a USB dongle plugged into the computer. Each time a key is pressed, a packet describing the keystroke is sent to the dongle, which listens for these wireless packets.
In the majority of devices the communication is encrypted, but none of the mice Bastille tested encrypted their wireless communications.
Marc Newlin, an engineer at Bastille who discovered the vulnerability, said MouseJack is essentially a door to the host computer. “Once infiltrated, which can be done with $15 worth of hardware and a few lines of code, a hacker has the ability to insert malware that could potentially lead to devastating breaches,” he said.
“What’s particularly troublesome about this finding is that just about anyone can be a potential victim here, whether you’re an individual or a global enterprise.”
The vulnerabilities fall into three categories: spoofing a mouse to insert keystrokes, spoofing a keyboard to insert keystrokes, and forced pairing, where, for instance, someone is using a vulnerable dongle with a mouse and a fake keyboard can be paired to that dongle.
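To make the three categories concrete, the following is an added example (not Bastille's research code, not any vendor's firmware, and not the real proprietary 2.4GHz protocol): a constructed model of a dongle's packet-acceptance policy, with the vulnerable behaviour beside the hardened one. Packet fields, addresses and the `pairing_mode` switch are assumptions of the model.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str                 # transmitter address (constructed value)
    kind: str                # "mouse", "keystroke" or "pair"
    encrypted: bool = False  # payload encrypted under the pairing key
    claim: str = ""          # device class claimed in a pairing request


@dataclass
class Dongle:
    paired: dict                # address -> device class it was paired as
    hardened: bool              # False models the vulnerable acceptance policy
    pairing_mode: bool = False  # user deliberately put the dongle in pairing mode

    def accept(self, pkt: Packet) -> bool:
        """Return True if the dongle would act on this packet."""
        if pkt.kind == "pair":
            # Vulnerable: pairing is always open, so any transmitter can attach
            # itself as a "keyboard". Hardened: only while the user enabled it.
            if self.hardened and not self.pairing_mode:
                return False
            self.paired[pkt.src] = pkt.claim
            return True
        cls = self.paired.get(pkt.src)
        if cls is None:
            return False        # unknown transmitter: both policies drop it
        if not self.hardened:
            return True         # vulnerable: any packet from a paired address
        if pkt.kind == "keystroke":
            # Hardened: keystrokes must come from a keyboard and be encrypted,
            # which blocks both mouse-address injection and plaintext spoofing.
            return cls == "keyboard" and pkt.encrypted
        return cls == "mouse"


def mousejack_scenarios(hardened: bool) -> dict:
    """Replay the three MouseJack categories plus legitimate traffic."""
    d = Dongle(paired={"M0:01": "mouse", "K0:01": "keyboard"}, hardened=hardened)
    forced = d.accept(Packet("EV:99", "pair", claim="keyboard"))
    return {
        "mouse_spoof_keystrokes": d.accept(Packet("M0:01", "keystroke")),
        "keyboard_spoof_plaintext": d.accept(Packet("K0:01", "keystroke")),
        "forced_pairing": forced and d.accept(Packet("EV:99", "keystroke", encrypted=True)),
        "legit_keyboard": d.accept(Packet("K0:01", "keystroke", encrypted=True)),
        "legit_mouse": d.accept(Packet("M0:01", "mouse")),
    }


if __name__ == "__main__":
    for mode in (False, True):
        print("hardened" if mode else "vulnerable", mousejack_scenarios(mode))
```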
The threat does not apply to Bluetooth devices, which use an industry standard for wireless transfer.
Bastille found that a range of wireless keyboards, mice and dongles made by AmazonBasics, Dell, Gigabyte, HP, Lenovo, Logitech and Microsoft, were vulnerable. The affected devices are listed here.
Logitech and Lenovo have responded to the claims.
Logitech said it was working closely with the company, stressing the hack would be complex to undertake:
“Bastille Security identified the vulnerability in a controlled, experimental environment. The vulnerability would be complex to replicate and would require physical proximity to the target. It is therefore a difficult and unlikely path of attack.
“We have nonetheless taken Bastille Security’s work seriously and developed a firmware fix. If you have concerns, and would like to ensure this vulnerability is eliminated, you can follow these steps.”
On its support pages, Lenovo released an advisory that described the severity as ‘Low’ and sought to reassure customers.
“A vulnerability was identified where an attacker with specialized equipment who is within close physical proximity to a system with the dongle for the Lenovo 500 Wireless keyboard or mouse installed could enter keyboard inputs (e.g., keystrokes) into the user’s system,” it read.
“Legitimate user keyboard input through the Lenovo 500 wireless keyboard remains encrypted and plain text keystrokes entered through the Lenovo 500 wireless keyboard cannot be read wirelessly as a result of this vulnerability.”
A firmware update is available, but it needs to be installed at the time of manufacture, so affected customers can exchange the mouse for a new one.
Bastille says any PC, Mac or Linux computer that uses a non-Bluetooth dongle is vulnerable, and the flaw could affect millions of mice and dongles.
If you are worried, the company recommends that you stop using your device and visit www.MouseJack.com. If your device is not listed, contact the manufacturer.