Gamers tend to be leery of wireless mice and keyboards, but maybe they've had the right idea all along. A newly discovered vulnerability in many wireless peripherals, dubbed MouseJack by its discoverers, can be used to hijack a wide variety of devices with nothing more than a $15 radio transceiver and a minimum of engineering knowledge.
The information comes from Bastille, an aptly named Internet of Things security company based in San Francisco. The company produced a page containing all the technical details on MouseJack, as well as a dedicated MouseJack website explaining the vulnerability's basic risks.
Here's how it works: If a wireless mouse or keyboard doesn't use Bluetooth, it probably needs a dedicated USB dongle to plug into a laptop or desktop. These dongles contain radio transceivers that relay signals between the mice or keyboards and the connected computers. Keyboard data transmissions are generally encrypted, but mouse data transmissions are not, which leaves the door open for an inventive hack.
After purchasing a cheap USB dongle and circuit board, a hacker can flash them with a clever Python script that Bastille made available on GitHub. Using this system, he or she can transmit a fake signal to a target computer's wireless-mouse USB dongle, then send unauthorized keystroke commands. Other attacks include taking advantage of unencrypted keyboard dongles, or forcing a dongle to pair with an attacker's keyboard or mouse.
The downside of these attacks is that they can take place only within about 100 feet or so of the target, but the upside is that they can be both sneaky and highly efficient. Besides tracking keystrokes, an attacker could install malware on, or steal sensitive files from, the target machine. An alert user might notice these actions, but a nearby attacker might simply wait until the user is not actively using the target machine.
Bastille listed more than 30 devices with the potential to be hijacked, including models from HP, Lenovo, Logitech and Microsoft. The good news is that if you have Logitech peripherals, that company has apparently already patched its firmware against the MouseJack vulnerability. Open up the Logitech software, then follow instructions to update the dongle.
The bad news is that other developers' mouse and keyboard dongles are generally not capable of updating their firmware. Bastille's recommendation is to disconnect them right away, and either push the developer to update the firmware, or simply buy from another vendor in the future.
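For anyone who wants to check which machines have such dongles plugged in, here is an added example (not code from Bastille or from this article): a Python script that parses `lsusb` output, flags non-Bluetooth wireless receivers from the four vendors named above, and attaches the remediation advice given in the text. The vendor IDs come from the public USB ID registry; the keyword heuristic, the function names and the sample lines are assumptions constructed for illustration.

```python
import re

# USB vendor IDs from the public USB ID registry for the vendors the article names.
VENDORS = {"046d": "Logitech", "045e": "Microsoft", "03f0": "HP", "17ef": "Lenovo"}
# Assumption: description words that suggest a proprietary wireless receiver.
RECEIVER_HINT = re.compile(r"receiver|dongle|transceiver|wireless", re.I)
LSUSB_LINE = re.compile(
    r"Bus (\d+) Device (\d+): ID ([0-9a-f]{4}):([0-9a-f]{4})\s*(.*)", re.I)

def advice(vendor):
    """Remediation text taken from the article's guidance."""
    if vendor == "Logitech":
        return "update the dongle firmware using the Logitech software"
    return "check Bastille's device list; disconnect if listed"

def audit(lsusb_text):
    """Return one finding per non-Bluetooth wireless receiver from a named vendor."""
    findings = []
    for line in lsusb_text.splitlines():
        m = LSUSB_LINE.match(line.strip())
        if not m:
            continue  # skip anything that is not an lsusb device line
        bus, dev, vid, pid, desc = m.groups()
        vendor = VENDORS.get(vid.lower())
        if vendor is None or not RECEIVER_HINT.search(desc):
            continue
        if "bluetooth" in desc.lower():
            continue  # the article's issue concerns non-Bluetooth dongles
        findings.append({"bus": bus, "device": dev, "id": f"{vid}:{pid}".lower(),
                         "vendor": vendor, "action": advice(vendor)})
    return findings

# Constructed sample input in lsusb format (not captured from a real machine).
SAMPLE = """\
Bus 001 Device 002: ID 046d:c52b Logitech, Inc. Unifying Receiver
Bus 001 Device 003: ID 045e:0000 Microsoft Corp. Wireless Mouse Transceiver
Bus 001 Device 004: ID 17ef:0000 Lenovo USB Keyboard
Bus 001 Device 005: ID 03f0:0000 HP Wireless Bluetooth Adapter
Bus 002 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
"""

if __name__ == "__main__":
    for f in audit(SAMPLE):
        print(f"{f['vendor']} receiver {f['id']} on bus {f['bus']}: {f['action']}")
```

A match only means the dongle comes from a named vendor and deserves a look; whether a specific model is affected still has to be confirmed against Bastille's list.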
This vulnerability is probably not worth panicking about if you use a wireless mouse or keyboard for a PC at home, since being hacked from inside your own house is a bit of a stretch (unless you've made a very, very dire enemy). Those who travel frequently, though, may want to invest in some wired peripherals.