Wireless peripheral hijacking

MouseJack attacks explained

Clayton Miller
1/22/2021

Many wireless peripherals and computer accessories are vulnerable to attack. Evaluating their unique risks is a proactive step in securing corporate and work-from-home offices.

Wireless peripherals and computer accessories offer mess-free convenience in the workspace, allowing users to move keyboards and mice to a more comfortable or visually pleasing position or to switch between computers at the press of a button. However, unlike other types of USB devices that IT departments vet – such as USB flash drives, card readers, fingerprint sensors, and authentication devices – wireless keyboards and mice might not receive a high level of scrutiny.

Wireless devices typically are not chosen and used with security in mind, and a surprising number of wireless keyboards and mice affected by a class of vulnerabilities called MouseJack can enable attackers to fully compromise the computers these devices connect to. By understanding wireless keyboard- and mouse-related computer peripheral attacks, organizations can better choose the types of accessories they allow to connect to user workstations. 

Organizations that might already be using vulnerable devices should consider issuing device firmware updates that remediate the MouseJack vulnerabilities. Additionally, organizations can improve processes for educating users and choosing technology by incorporating new (or renewed) perspectives on cybersecurity risks such as these into their information security programs.

Up close and personal

Any attack that involves wireless accessories means that an attacker is close to a target. Before diving into the specifics of the attack pattern, it’s important to first understand factors related to physical security and related attack methodologies in order to classify the attack’s potential risk.

Physical security now incorporates various environments: traditional office or multitenant office buildings, newer shared workspaces, and, more recently, work-from-home offices. Each working environment presents operational challenges in terms of maintaining security, especially now as remote workers are more often directly accessing internal networks using VPN connections.

Attacks relying on physical proximity remain fairly similar across location type, though the ease of restricting physical access and implementing monitoring drops significantly once employees are outside business locations. Physical threats range from theft of documents, property, and computers to spylike malicious USB device drops, wireless network attacks, and deployment of rogue wireless access points.

Fortunately, physical actions were present in only 4% of security breaches in 2019, per Verizon’s 2020 Data Breach Investigations Report. That percentage indicates that threat actors have not been focused on using physical methodologies to carry out their attacks. Furthermore, it would seem the high risk of being caught carrying out physical actions deters their common use.

Over the air

Unlike other wireless devices such as mobile phones, wireless computer accessories function near the devices they are connected to, using a radio frequency that is functional only for short- to medium-range communications. The frequency of the signal that wireless keyboards and mice use is similar to that of a traditional Wi-Fi access point, meaning that for effective communication, the devices can maintain a reliable connection up to 50 meters away with limited obstructions.

It is important to recognize that the accessories most vulnerable to MouseJack attacks do not use the Bluetooth protocol, which implements standard security schemes not present in the proprietary protocols non-Bluetooth accessories use to communicate. Instead, the keyboard or mouse pairs with a USB adapter, communicating mouse movements or keystrokes to the adapter, which translates them to actions performed on the computer.

In most cases, just as with Bluetooth devices, wireless keyboards establish encrypted connections with adapters to prevent passive devices from capturing transmitted information and determining keystrokes typed. These encrypted connections also provide a means for keyboards or mice to authenticate to adapters, thwarting potential “imposter” keyboards from acting as the user’s accessory and injecting keystrokes.

On the other hand, a majority of wireless mice do not use an encrypted connection. The lack of authentication of the user’s mouse can enable an attacker to spoof the mouse and issue false movement and click commands to the adapter. Depending on the mouse’s adapter, an attacker might also be able to send keystrokes to the attached computer. In order to ascertain if devices are vulnerable to MouseJack, it’s essential to determine if wireless connections are encrypted and how the adapter listens for, receives, and processes device commands.

MouseJack from start to finish

Originally researched and disclosed by Bastille Networks in 2016, MouseJack is a class of vulnerabilities that affects a number of different wireless mice and keyboards across several vendors. While some vendors have remediated the vulnerabilities in their devices, other devices remain vulnerable. In fact, these vulnerabilities have been identified in new devices, all of which demonstrates that MouseJack is still relevant.

Because MouseJack is a local wireless attack, users with wireless keyboard or mouse dongles plugged into their computers can be exposed to MouseJack wherever they are working. The attack begins with an actor using a common (and inexpensive) wireless radio loaded with specific software for discovering and connecting to vulnerable devices. Once a vulnerable device is identified, the attacker attempts to transmit keystroke data in order to execute commands on the victim’s computer.

MouseJack generally relies on three methods (out of 16 identified vulnerabilities) for compromising the wireless adapter paired with the mouse or keyboard and injecting mouse movements or keystrokes to exploit the vulnerability. These methods include:

  • Injecting keystrokes as a spoofed mouse. In this case, the vulnerable adapter does not use an encrypted connection with the user’s mouse, so the attacker is able to send data directly to the adapter spoofing the user’s mouse. Additionally, the adapter does not validate that the mouse will send only mouse actions; instead, it accepts keyboard actions from the spoofed mouse and processes them as if they came from a keyboard. This action enables the attacker to execute commands on the computer while acting as the user’s mouse.
  • Injecting keystrokes as a spoofed keyboard. Unlike mice, keyboards generally use an encrypted connection that prevents spoofing data from the valid keyboard. However, a vulnerable adapter still accepts unencrypted keyboard communication, enabling the attacker to imitate the user’s keyboard and execute commands on the user’s computer.
  • Force pairing an illegitimate mouse or keyboard. Wireless keyboards and mice allow users to pair their devices in the event one gets lost and needs to be replaced. A vulnerable adapter does not properly restrict devices from being paired (which normally is initiated by the user with a physical button), and it allows the attacker to emulate a keyboard or mouse, sending commands to the user’s computer.
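The three methods above come down to three checks that a vulnerable adapter skips. The following is an added illustration, not code from Bastille or any vendor: a toy Python model of the adapter's accept/reject decision, with hypothetical frame fields and constructed addresses, showing the vulnerable behavior beside a hardened one.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Frame:
    sender: str      # radio address the frame claims to come from
    kind: str        # "mouse", "keyboard" or "pair"
    encrypted: bool  # True if the payload verified under the link key

class Adapter:
    """Toy model of a USB adapter's accept/reject decision (hypothetical)."""

    def __init__(self, paired, hardened):
        self.paired = dict(paired)  # address -> device type fixed at pairing
        self.hardened = hardened
        self.pairing_mode = False   # enabled only by the user's physical action

    def accept(self, frame):
        if frame.kind == "pair":
            # Method 3: pairing outside a user-initiated window is refused.
            if self.hardened and not self.pairing_mode:
                return False
            self.paired[frame.sender] = "keyboard"
            return True
        device_type = self.paired.get(frame.sender)
        if device_type is None:
            return False            # unknown address: never host input
        if self.hardened:
            # Method 1: a device paired as a mouse may send only mouse actions.
            if frame.kind != device_type:
                return False
            # Method 2: keystrokes count only over the encrypted link.
            if frame.kind == "keyboard" and not frame.encrypted:
                return False
        return True

# Constructed addresses and frames, one per method in the list above.
PAIRED = {"AA:01": "mouse", "AA:02": "keyboard"}
METHOD_FRAMES = [
    Frame("AA:01", "keyboard", False),  # keystroke sent as the mouse
    Frame("AA:02", "keyboard", False),  # unencrypted keystroke as the keyboard
    Frame("AA:99", "pair", False),      # pairing request nobody initiated
]

def run_methods(hardened):
    adapter = Adapter(PAIRED, hardened)
    return [adapter.accept(f) for f in METHOD_FRAMES]

if __name__ == "__main__":
    print("vulnerable:", run_methods(False))
    print("hardened:  ", run_methods(True))
```

Even the hardened model still accepts unencrypted mouse frames from a paired mouse address, which matches the article's point that most wireless mice do not authenticate.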

Ethical hackers respond

In light of Bastille’s MouseJack research, ethical hackers developed JackIt, which is software that automates the process of discovering vulnerable devices and attempting to exploit them with user-defined scripts. JackIt allows hackers, ethical or not, to script keystrokes to send to a vulnerable adapter. For example, they can inject keystrokes by using a shortcut key to open a command prompt and typing out a command. JackIt also adds the ability to sniff keystrokes from a vulnerable keyboard.

JackIt speeds up the process of compromising the victim’s system and allows customization of the type of actions attackers would like to take once they have access. If the user isn’t paying attention or proper host-based detection is not in place, the exploit can go completely unnoticed, and attackers can gain remote access to the system. Once into the system, bad actors might lie in wait until they can pivot to other systems or gather information or credentials to begin a separate line of attack.

Pest control

The MouseJack vulnerabilities show that even trusted products are vulnerable to unexpected security flaws. The attack paths demonstrated via JackIt should encourage organizations to consider the creative avenues that motivated adversaries might take to compromise a network. Additionally, other attacks on physical security should be evaluated as the threat landscape evolves and the workforce moves from traditional office environments to home offices.

Organizations should perform their due diligence to make sure that wireless peripherals they have issued to employees are not vulnerable to MouseJack. IT departments can also check against the up-to-date list of vulnerable devices that Bastille maintains. In some cases, vendors have issued firmware updates to vulnerable devices that should be applied where appropriate. In all other cases, affected devices should be discarded and replaced with nonvulnerable (or wired) alternatives.

To further bolster the organization’s security posture in light of physical security threats, several other actions can be taken. A thorough device inventory can help organizations keep track of their assets, tracking end-of-life systems or vulnerable devices like those affected by MouseJack. Organizations can also improve their employee security awareness programs by including operational security practices such as employees locking computers when they step away from the screen and practicing diligence in recognizing irregular activity on their workstations. 
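The inventory and affected-device checks described in the two paragraphs above can be combined into one triage pass. This is an added example, not part of the original article: the vendor and product IDs, firmware versions, and host names are constructed placeholders, and it assumes the adapter's firmware level is visible in the USB device release field (bcdDevice), which varies by vendor.

```python
import re

# Constructed watchlist: (vendor ID, product ID) -> first fixed firmware
# release, or None when no fix exists. Placeholder IDs and versions only.
WATCHLIST = {
    ("ffff", "0001"): (12, 3),
    ("ffff", "0002"): None,
}

# Constructed inventory rows: host, USB vid:pid, device release (bcdDevice).
INVENTORY = """\
ws-014  ffff:0001 12.01
ws-022  FFFF:0001 12.03
home-07 ffff:0002 1.00
ws-031  eeee:0009 2.10
ws-040  unreadable
"""

ROW = re.compile(r"^(\S+)\s+([0-9a-f]{4}):([0-9a-f]{4})\s+(\d+)\.(\d+)$", re.I)

def triage(inventory_text, watchlist):
    """Return (host, action) for every row that needs follow-up."""
    findings = []
    for line in inventory_text.splitlines():
        if not line.strip():
            continue
        m = ROW.match(line.strip())
        if not m:
            # Do not drop rows silently: an unparsed row is an unknown device.
            findings.append((line.split()[0], "re-inventory"))
            continue
        host, vid, pid = m.group(1), m.group(2).lower(), m.group(3).lower()
        key = (vid, pid)
        if key not in watchlist:
            continue                      # not on the affected-device list
        fixed_in = watchlist[key]
        release = (int(m.group(4)), int(m.group(5)))
        if fixed_in is None:
            findings.append((host, "replace"))
        elif release < fixed_in:
            findings.append((host, "update firmware"))
    return findings

if __name__ == "__main__":
    for host, action in triage(INVENTORY, WATCHLIST):
        print(f"{host}: {action}")
```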

Securing your peripherals

Not all wireless devices are designed with full regard to security, and the sacrifice made for convenience is a less-than-certain level of security. Unique vulnerabilities such as MouseJack might not present risks to all organizations. However, understanding them can help organizations better secure their environments and improve their cybersecurity processes and policies.