Researchers at Bastille Networks have revealed what they’re calling mousejack attacks against certain USB dongles manufactured by Dell, Lenovo, Logitech and four other manufacturers. A vulnerability in the dongle firmware could allow an attacker to install malware on the host machine from up to 100 meters away. Logitech has already responded and issued a firmware update to address the issue, a pretty swift reaction indeed.
“Logitech’s Unifying technology was launched in 2007 and has been used by millions of our consumers since. To our knowledge, we have never been contacted by any consumer with such an issue,” said Asif Ahsan, Senior Director, Engineering, at Logitech. “We have nonetheless taken Bastille Security’s work seriously and developed a firmware fix. If any of our customers have concerns, and would like to ensure that this potential vulnerability is eliminated. … They should also ensure their Logitech Options software is up to date.”
The reason these USB dongles are vulnerable to mousejack attacks is pretty simple: the communication between mouse and host computer was not encrypted. Researchers did say that the traffic between the tested keyboards and their dongles was encrypted, but the companies failed to do the same for their mice (hence the term mousejack).
“Depending on the speed of the attack and how closely the victim is paying attention, it can happen pretty quickly,” said researcher Marc Newlin, who said that an attack could simulate typing at 1,000 words per minute, or eight milliseconds per keystroke, and install a rootkit in 10 seconds.
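A defender-side heuristic that follows from the numbers Newlin gives: injected keystrokes arrive far faster than any human types, so a host can flag sustained bursts of keystrokes with sub-human inter-key gaps. This is an added example, not code from Bastille or the article; the thresholds and the sample keystroke stream are constructed for illustration.

```python
"""Heuristic detector for injected-keystroke bursts (added example).

The MouseJack research quoted above describes injection at roughly
8 ms per keystroke (about 1,000 words per minute). A human typist rarely
sustains much under ~100 ms per key, so a long run of keystrokes whose
inter-arrival time stays well below that is a strong injection signal.
"""
from dataclasses import dataclass
from typing import Iterable, List

# Thresholds are assumptions for illustration, not values from the article.
MAX_INJECTION_GAP_S = 0.030   # gaps under 30 ms are faster than human typing
MIN_BURST_LEN = 20            # ignore short fast runs (key repeat, paste artifacts)


@dataclass
class Burst:
    start: float   # timestamp of first key in the burst (seconds)
    end: float     # timestamp of last key in the burst (seconds)
    keys: int      # number of keystrokes in the burst

    @property
    def ms_per_key(self) -> float:
        return 1000.0 * (self.end - self.start) / max(self.keys - 1, 1)


def find_injection_bursts(timestamps: Iterable[float]) -> List[Burst]:
    """Return runs of >= MIN_BURST_LEN keys where every gap < MAX_INJECTION_GAP_S."""
    ts = list(timestamps)
    bursts: List[Burst] = []
    run_start = 0
    for i in range(1, len(ts) + 1):
        # A run ends when the stream is exhausted or the gap grows human-sized.
        if i == len(ts) or ts[i] - ts[i - 1] >= MAX_INJECTION_GAP_S:
            if i - run_start >= MIN_BURST_LEN:
                bursts.append(Burst(ts[run_start], ts[i - 1], i - run_start))
            run_start = i
    return bursts


def synthetic_stream() -> List[float]:
    """Constructed sample: human typing (~150 ms/key), a 60-key burst at 8 ms/key, more human typing."""
    human = [i * 0.150 for i in range(30)]
    t0 = human[-1] + 2.0
    injected = [t0 + i * 0.008 for i in range(60)]
    more_human = [injected[-1] + 0.5 + i * 0.120 for i in range(20)]
    return human + injected + more_human


if __name__ == "__main__":
    for b in find_injection_bursts(synthetic_stream()):
        print(f"burst of {b.keys} keys at {b.ms_per_key:.1f} ms/key starting at t={b.start:.3f}s")
```

On a real host the timestamps would come from the HID or input-event layer; the heuristic alone cannot tell a dongle injection from a hardware paste or a scripted keyboard, so it is an alert, not a verdict.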
“At this point, they can inject malware, or compromise an air-gapped network by turning on Wi-Fi on the target,” Rouland said. “We have been working with the vendors for more than 90 days. More than half of the mice are not able to be updated and will not be patched. And likely won’t be replaced. There will be vulnerable devices everywhere.”
Researchers found that the mousejack attacks work against Windows, Linux and Mac hosts, and that the exploit gave them full control of the machine. This means there is an awful lot of vulnerable machines currently in use, with potentially big consequences for business users working in areas easily accessible to the public. So far Logitech is the only company that has issued a firmware fix; the download and installation instructions are on its website.